Box name- Precious

Box Creator- Nauten.

Box Rating- Easy

Hey gang!! Did you miss me?

Welcome to a walkthrough of a box I spent an entire day solving, so forgive me but this was not an easy box for me. I’d say it was medium.

As usual, first things first, enumeration.

So we have two open ports, let’s see what lives at port 80.

Head to your favorite browser and type in the Ip address. You shouldn’t see anything but play with the /etc/hosts file after which you should see a site.

So our site takes a web page and converts it into a PDF. After trying out some URLs, I got a couple of errors.

"Enter a valid URL or Cannot load remote URL"

I did some googling and got a hint to supply the site with a local URL.

Of course, I tried localhost but it still threw an error. So I went back to Google and got more hints.

So what if we spin up our lil old python web server from a directory of our choice? Our machine and the machine hosting the server should be on the same network through the tun interface so if we supply our IP, it should take the page being hosted by our python server and convert it to a PDF right?

Let's try it out and be on the lookout for the responses from our server.

Awesome! We got status code 200 meaning that the page was requested and loaded by the application running on the server. And sure enough, we got a pdf of our site(check out your browser-> it's automatic)

We want to know the application performing this function but it's not being flagged by Wappalyzer. Darn!!

I went back to my friend, google and htb's discussion forum where I got the hint to get the PDF's metadata.

Let's download the PDF and run the ExifTool on it and see the results.

We discover the application and its version number. (pdfkit v0.8.6)

Nice!!

More googling, ha!

I came upon this vulnerability affecting all 0.0.0 where they are vulnerable to Command Injection where the URL is not properly sanitized. - CVE-2022-25765.

Luckily enough, there was a PoC of an exploit which I read and tried the exploit on our application.

Head on over to this link for more detailed information. => ctfiot.com/84447.html

Make sure you understand what’s going on behind the scenes and how we are going to leverage command injection to get a reverse shell. And now for the usual stuff, setting up a Netcat listener and what not, (nc -lvnp <port of your choice>)

And now for the payload to be crafted. (Replace the values in capital with your values, i.e IP address, listening port and remote address).

And voila!!

Call me a shell collector because I caught a shell, ha ha ha!

Upgraded to a more stable shell (I prefer using python)

I found henry's password in home/ruby/.bundle.

Used the creds to ssh into the server as the user henry

Now it’s time to escalate our privileges, since I’ve not seen any other user on this machine, I’m guessing if there’s a Privilege escalation vector, it’s going to make us the root user on this machine.

Let’s try some manual enumeration after which we can use the automated approach if we don’t find anything helpful.

I discovered that the user henry can run /usr/bin/ruby and /opt/update_dependencies.rb as root. I went ahead and looked into the dependencies file to see what it does.

So it seems there’s a dependencies.yml file being read by the YAML.load function. This file is what we have control over. After a lot of research on how to use the acquired info for privilege escalation, I found this article.=> blog.stratumsecurity.com/2021/06/09/blind-r..

Basically, we will be leveraging the vulnerability of the yaml.load to blind RCE and use something called gadget chain (learn more about it here=> elttam.com/blog/ruby-deserialization/#content).

We are going to create a dependencies.yml file and add the payload to the file.

After running the /opt/update_dependencies.rb file, we confirmed that we can achieve command injection. Let's change the command to set the permission of /bin/bash binary to SUID bit set.

We will then run this command with the -p to make the current user persistent in order to obtain the root prompt.

Now you can change to the /root directory to get the root flag and you’ll have successfully pwned this box!! I hope you learned something. Happy hacking peeps.