Machine difficulty: Easy
Setting up the environment
Refer to the blog on the machine MEOW to configure and connect to the HTB VPN.
Cracking PRECIOUS
STEP 1: Launch the machine
In order to use the machine, we must first launch an instance of it. However, connecting to the VPN is necessary before the machine can be spawned. If you're unsure where to begin, take a look at my Meow walkthrough, where I already discussed the topic. You will be granted an IP address once you have joined and created a machine.
STEP 2: Check its status
We can use the ping tool to test whether the machine responds to our ICMP echo requests, which verifies that we can interact with it. You may do this from the terminal by entering ping followed by the machine's IP address, as shown in the image above.
STEP 3: Enumeration
Using nmap we enumerate that ports 80 and 22 are open. Trying the default passwords on port 22 (SSH) gave no successful results. On opening port 80 in the browser, the hostname allotted for the service is http://precious.htb. Once seen, add it to /etc/hosts to access the functionality. This can be done with the command sudo vim /etc/hosts; then enter the IP along with the domain name and save the file.
On adding it to the /etc/hosts file we will be able to view the website as below:
On viewing this we can make out that the website converts a web page into a PDF file. Let us test the functionality. To proceed we have to run a server on port 80, and we use the command given below to start it:
Return to precious.htb after your server has started up, input the IP address and port number it is using, and press the submit button. You should expect to download a PDF file to your computer. Mine looks as follows:
Download the pdf file onto your system by using the save option.
Once downloaded we can check the metadata present on it using exiftool.
What interests us here is that the file was generated by pdfkit v0.8.6, a library for creating PDF documents. A quick Google search for known vulnerabilities turns up CVE-2022-25765, which indicates that this version of pdfkit is susceptible to command injection; the CVE can be viewed in further detail at https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795. "If the provided parameter happens to contain a URL encoded character and a shell command substitution string, it will be included in the command that PDFKit executes to render the PDF," the CVE states. "An application could be vulnerable if it tries to render a URL that contains query string parameters with user input." There must be such a defect in the application for this to exist.
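As an added, defender-side illustration (not code from this walkthrough, from pdfkit, or from the machine): a Ruby check that refuses render URLs carrying the shell metacharacters the CVE text describes, and that builds the renderer invocation as an argv array so no shell ever parses the URL. The wkhtmltopdf command name and the sample URLs are assumptions; upgrading pdfkit itself remains the primary fix.

```ruby
require 'uri'

# Conservative allowlist for a URL that will end up on a wkhtmltopdf command
# line. Shell metacharacters, including the $(...) and backtick command
# substitution forms named in CVE-2022-25765, are refused outright rather than
# escaped. A few legitimate URLs (those containing $ or parentheses) are
# rejected as the price of that simplicity.
SHELL_META = /[`$;|&<>(){}\s'"\\]/

# Return the URL unchanged when it is an absolute http(s) URL with a host and
# no shell metacharacters; otherwise return nil so the caller can reject and log.
def sanitized_render_url(input)
  return nil unless input.is_a?(String) && input.bytesize <= 2048
  return nil if input.match?(SHELL_META)
  uri = URI.parse(input)
  return nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Defence in depth: build the renderer invocation as an argv array. Handing an
# array to Process.spawn starts the program directly, so even a metacharacter
# that slipped through would reach wkhtmltopdf as literal text, not as shell.
def render_argv(url, out_path)
  safe = sanitized_render_url(url)
  raise ArgumentError, "refusing to render #{url.inspect}" unless safe
  ['wkhtmltopdf', safe, out_path]   # assumed renderer name
end

if __FILE__ == $PROGRAM_NAME
  [
    'http://10.10.14.5:8000/index.html',      # constructed: plain http URL
    'http://example.com/?q=%20$(echo test)',  # constructed: CVE-style substitution
    'ftp://example.com/file.html'             # constructed: non-http scheme
  ].each { |u| puts "#{u} -> #{sanitized_render_url(u).inspect}" }
end
```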
Using a Python template from revshells.com and the CVE as a guide, we can create our reverse shell, ensuring that a Netcat listener is running on our computer to receive the connection.
Enter the payload in the input field as follows:
Once entered, we use netcat and, as shown below, establish a connection:
STEP 4: Flag capture
We were able to access the server as the user ruby. Two directories are visible when we navigate to /home: one for the user henry and one for our ruby user. A file named user.txt is visible in henry's directory; that must be our first user flag. We are not able to read it at this time, and we still have the root flag to find to pwn the machine.
Upon additional inspection, we discover a file named config in the /home/ruby/.bundle directory. The password for user Henry can be found by displaying the contents of config:
Let us try the credentials for henry on port 22, i.e. SSH.
As seen above we were successfully able to gain the user flag. Now to obtain the root flag we have to escalate our privileges further.
STEP 5: Privilege Escalation
Once authenticated as henry, let us run sudo -l to list what we are allowed to run with sudo.
We discover that the file update_dependencies.yml could be run as root. Let us view the file with the cat command:
We figure out that the above file, which calls YAML.load, is vulnerable to a YAML deserialization attack (the reference below describes the issue for Python's YAML library, but Ruby's YAML.load instantiates arbitrary tagged objects in the same way). The code is as shown below, along with the reference from which it is taken (https://github.com/DevComputaria/KnowledgeBase/blob/master/pentesting-web/deserialization/python-yaml-deserialization.md):
To ensure our remote code execution succeeds, we must create a payload in a dependency.yml file. The git_set is changed to id, and the file is produced as below on the server using the link above.
The command cat > is used to write the content into the file. Once done, run the file:
We successfully executed our code remotely. This time, let's try to escalate our privileges by changing the permissions of /bin/bash. To alter the permissions of /bin/bash, edit your update_dependencies.rb file.
Run the update_dependencies.yml again.
We have obtained the root flag and hence pwned the machine.
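For the defender's side of the privilege escalation above, here is an added example (not code from the machine's update_dependencies.rb or from this walkthrough) of how a dependencies file should be parsed: YAML.safe_load refuses any !ruby/object tag instead of constructing it, and the result is then checked against the shape the script actually expects. The gem name and version formats and the sample documents are assumptions.

```ruby
require 'yaml'

# Expected shape of a dependencies file: a mapping of gem name => version string.
GEM_NAME_RE = /\A[A-Za-z0-9_\-]+\z/
VERSION_RE  = /\A\d+(\.\d+)*\z/

# Parse a dependencies file without instantiating arbitrary Ruby objects.
# YAML.safe_load only builds Hash, Array, String, Integer, Float, true/false/nil;
# any !ruby/object tag raises Psych::DisallowedClass instead of being constructed,
# which is exactly the property a sudo-run script calling YAML.load lacks.
def load_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], permitted_symbols: [], aliases: false)
  raise ArgumentError, 'dependencies file must be a mapping' unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && name.match?(GEM_NAME_RE)
      raise ArgumentError, "bad gem name: #{name.inspect}"
    end
    unless version.is_a?(String) && version.match?(VERSION_RE)
      raise ArgumentError, "bad version for #{name}: #{version.inspect}"
    end
  end
  data
end

# Classify an input so a log line can record which defence fired.
def check_dependencies(yaml_text)
  load_dependencies(yaml_text)
  :ok
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected_tag
rescue Psych::SyntaxError
  :rejected_syntax
rescue ArgumentError
  :rejected_shape
end

# Constructed samples, not taken from the machine:
GOOD_YAML   = "---\nrails: '7.0.4'\npdfkit: '0.8.6'\n"
TAGGED_YAML = "--- !ruby/object:Object {}\n"  # object tag with a harmless class: still refused
SHAPE_YAML  = "---\nrails: [1, 2]\n"          # plain data, but not a version string

if __FILE__ == $PROGRAM_NAME
  [GOOD_YAML, TAGGED_YAML, SHAPE_YAML].each do |doc|
    puts "#{check_dependencies(doc)}: #{doc.inspect}"
  end
end
```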