Precious
First, map the target hostname to its IP address by adding an entry to the hosts file.
I tried adding a URL to see what happens, but it looks like the machine does not have web access to view the page.
I tried http://precious.htb/ and that still didn't work.
It does look like it will return credentials depending on what you put in.
It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.
Long story short, I created payloads with different file extensions. It seems like the machine filters out the .php and .rb file extensions and will make a PDF out of any other file type I load into it.
I did this by starting a Python web server on my host machine, plugging its URL into the input box on the target's web page, and opening a netcat listener to see if I could get something to stick.
I'm still not certain which backend code is being used, but I'm assuming it is either PHP or Ruby.
I started trying out Java reverse shells and got something interesting when I used a Java one-liner with the file extension .xml.
I finally downloaded one of the PDFs I had created and opened it in exiftool to take a look at its properties.
It looks like the Creator is pdfkit v0.8.6.
Let's go take a look at how I can possibly exploit this.
Looks like this tool has a vulnerability that allows for Command Injection. Let's see if we can exploit this.
Set up a netcat listener
I found a tool on GitHub that uses a curl command to deliver a reverse shell that exploits the vulnerability.
The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.
Let's get a more interactive shell to work with.
On the host machine, reopen the terminal and ignore the echo.
Let's go look for the user flag.
Looks like the file is unreadable due to permissions. Let's see what we can do about that.
I now know we have at least 3 users on the system:
henry
ruby
root
We can confirm this in the /etc/passwd file.
I tried sudo -l but needed a password to use it. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran it to see what was available.
I used the same python web server I already had running.
I wasn't getting anywhere there, so I started browsing around a bit more. In /home/ruby/.bundle/config I found some juicy info.
Looks like possible credentials for henry.
I'll now SSH into the machine with henry's credentials, and it works.
Now let's get that user file.
The next step is to see what privileges I have as henry.
We have sudo privileges to run the update/dependencies.rb file. If we cat that file we can see that it reads a dependencies.yml file.
With this information, we should be able to craft a new dependencies.yml file with malicious code that the script will load as sudo.
In the /home/henry directory we will create a new dependencies.yml file and use this code snippet I got online.
You'll notice that git_set is set to chmod +s /bin/bash.
This sets the SUID bit on that file, which means we should be able to exploit it and escalate our privileges.
In the same directory where you created the dependencies.yml file, run the following:
This will execute the file and end up changing the privileges on /bin/bash.
After this is done, we can use a privilege escalation technique from GTFOBins to escalate our privileges.
Check who you are with whoami and you should now be root.
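As an added defensive example (not code from this writeup or from the box), here is how an update script like the one above could read dependencies.yml without giving a writer of that file code execution. It assumes the original script parses the file with a loader that instantiates tagged Ruby objects; the gem names, versions and the class name in the hostile sample are constructed.

```ruby
require 'yaml'

# Constructed benign input, shaped like a gem dependency list (names and versions assumed).
BENIGN_YAML = <<~YAML
  yaml: "0.1.1"
  pdfkit: "0.8.6"
YAML

# Constructed hostile input: a document carrying a Ruby object tag. A safe loader refuses to
# resolve the tag at all, so no constructor or gadget code ever runs. The class name is made up.
TAGGED_YAML = <<~YAML
  --- !ruby/object:SomeArbitraryClass
  payload: ignored
YAML

# Parse a dependency file safely: only plain YAML types, no object instantiation.
# Raises Psych::DisallowedClass for tagged objects and ArgumentError for the wrong shape,
# so a sudo-run caller never acts on data it did not expect.
def load_dependencies(text)
  data = YAML.safe_load(text)
  unless data.is_a?(Hash) && data.all? { |k, v| k.is_a?(String) && v.is_a?(String) }
    raise ArgumentError, 'dependencies.yml must map gem names to version strings'
  end
  data
end

# True when the loader rejects the document before instantiating anything.
def tagged_document_rejected?(text)
  load_dependencies(text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  p load_dependencies(BENIGN_YAML)          # {"yaml"=>"0.1.1", "pdfkit"=>"0.8.6"}
  p tagged_document_rejected?(TAGGED_YAML)  # true
end
```

The same root cause (an attacker-writable file read by a root-run script) is also worth catching at the file-permission level, independent of the parser.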