Precious

TARGET IP: 10.10.11.189

HOST IP: 10.10.16.10

Recon

NMAP

HTTP

  • Start by mapping the target's hostname to its IP address in the hosts file.

  • I tried submitting a URL to see what happens, but it looks like the machine does not have web access to view the page.

  • I tried http://precious.htb/ and that still didn't work.

  • It does look like it will return credentials depending on what you put in.

Enumeration

Gobuster

Exploit

  • It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.

  • Long story short, I created payloads with different file extensions. It seems like the machine filters out the .php and .rb extensions and will make a PDF of any other file type I load into it.

  • I did this by starting a Python web server on my host machine, plugging the URL into the input box on the web server, and opening a netcat listener to see if I could get something to stick.

  • I'm still not positive about the backend code being used, but I'm assuming it is either PHP or Ruby.

JAVA

  • I started trying out Java reverse shells and got something interesting when I used a Java one-liner with the file extension .xml.

PDF

  • I finally downloaded one of the PDFs I created and opened it in exiftool to take a look at the properties.

  • It looks like the Creator field is pdfkit v0.8.6.

  • Let's go take a look at how I can possibly exploit this.

CVE-2022-25765

  • Looks like this tool has a vulnerability that allows command injection. Let's see if we can exploit this.

  • Set up a netcat listener

  • I found a tool on GitHub that uses a curl command to form a reverse shell that exploits the vulnerability.

  • The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.

  • Let's get a more interactive shell to work with.

  • On the host machine, reopen the terminal and ignore the echo.

  • Let's go look for the user flag.

  • Looks like the file is unreadable due to permissions. Let's see what we can do about that.

  • I now know we have at least 3 users on the system:

    • henry

    • ruby

    • root

  • We can confirm this in the /etc/passwd file.

  • I tried sudo -l but needed a password to use it. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran it to see what was available.

  • I used the same Python web server I already had running.

  • I wasn't getting anywhere there, so I started browsing around a bit more. In /home/ruby/.bundle/config I found some juicy info.

  • Looks like possible credentials for henry.

  • I'll now SSH into the machine with henry's credentials and it works.

  • Now let's get that user file.

  • The next step is to see what privileges I have as henry.

  • We have sudo privileges to run the update/dependencies.rb file. If we cat that file we can see that it reads a dependencies.yml file.

  • With this information, we should be able to craft a new dependencies.yml file containing malicious content that the script will load as root via sudo.

  • In the /home/henry directory we will create a new dependencies.yml file and use a code snippet I got online.

  • You'll notice that the git_set is set to chmod +s /bin/bash.

  • This sets the SUID bit on that file, which means we should be able to use it to escalate our privileges.
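What makes a YAML file dangerous to a Ruby script is the loader, not the file: a full Psych load will instantiate any Ruby object a `!ruby/object:` tag names, which is how a crafted dependencies.yml turns into code running as root. The block below is an added example, not the box's update/dependencies.rb, contrasting the trusting load with `YAML.safe_load`; the class DependencySpec and both YAML documents are constructed for the illustration.

```ruby
require 'yaml'

# Stand-in for any class reachable by the loader. Nothing about it is
# special: a !ruby/object tag can name any loaded class, so the attacker's
# job is only to pick one whose instantiation or later use has side effects.
class DependencySpec
  attr_reader :name, :version
end

# Constructed input modelling a tampered dependencies.yml: the tag asks the
# loader to build a Ruby object instead of returning plain data.
TAMPERED_YAML = <<~YAML
  --- !ruby/object:DependencySpec
  name: rails
  version: "7.0"
YAML

# Constructed benign input: the shape of data a dependency checker needs.
BENIGN_YAML = <<~YAML
  rails: "7.0"
  pdfkit: "0.8.6"
YAML

# The trusting pattern: full deserialization. Psych 4 made YAML.load safe
# by default and moved the old behaviour to unsafe_load, so this picks
# whichever entry point still performs object construction.
def load_trusting(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# The hardened pattern: scalars, arrays and hashes only. Any object tag or
# alias is refused; the refusal is returned as data so callers can log it.
def load_strict(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { 'rejected' => e.class.name }
end

if $PROGRAM_NAME == __FILE__
  p load_trusting(TAMPERED_YAML).class   # DependencySpec: an object was built
  p load_strict(TAMPERED_YAML)           # {"rejected"=>"Psych::DisallowedClass"}
  p load_strict(BENIGN_YAML)             # {"rails"=>"7.0", "pdfkit"=>"0.8.6"}
end
```

The same applies to any script that is allowed under sudo: a file it reads from a directory the invoking user can write to is attacker input, and loading it with anything other than a safe loader hands that user the script's privileges.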

  • In the same directory that you created the dependencies.yml file, run the following:

  • This will execute the file and end up changing the permissions on /bin/bash.

  • After this is done, we can use a privilege escalation technique from GTFOBins to escalate our privileges.

  • Check who you are with whoami and you should now be root.
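A setuid /bin/bash is also the artifact this chain leaves on disk, and it is easy to catch. The following is an added example, not part of the writeup, that lists setuid executables and diffs them against a known-good baseline so a newly setuid shell stands out; the demonstration builds its own scratch directory with one constructed setuid file instead of scanning the real filesystem.

```ruby
require 'tmpdir'

# All regular files under root with the setuid bit set. lstat is used so a
# symlink is reported as itself rather than resolved to its target.
def setuid_files(root)
  Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).select do |path|
    st = File.lstat(path)
    st.file? && st.setuid?
  end.sort
end

# Setuid files present on disk but absent from the baseline. A shell or
# interpreter in this list means every local user can run as its owner.
def unexpected_setuid(root, baseline)
  setuid_files(root) - baseline
end

# Constructed demonstration: a scratch directory holding a stand-in for
# /bin/bash with mode 4755 and an ordinary 755 file, scanned against an
# empty baseline. Real use scans from '/' with a baseline recorded at build.
def demo_scan
  Dir.mktmpdir do |dir|
    suid_shell = File.join(dir, 'bash')
    plain      = File.join(dir, 'ls')
    File.write(suid_shell, "#!/bin/sh\n")
    File.write(plain, "#!/bin/sh\n")
    File.chmod(0o4755, suid_shell)
    File.chmod(0o755, plain)
    {
      found:      setuid_files(dir).map { |p| File.basename(p) },
      unexpected: unexpected_setuid(dir, []).map { |p| File.basename(p) }
    }
  end
end

p demo_scan if $PROGRAM_NAME == __FILE__   # {:found=>["bash"], :unexpected=>["bash"]}
```

On a real host the baseline is the output of the same scan taken when the system was built; anything that appears later, especially under /bin or /usr/bin, deserves an immediate look at who changed it and when.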
