Precious

Enumeration

Nmap shows two open ports, 22 and 80. Since 80 indicates a web server, I ran nikto to get more information about the web service. As seen below, the IP address of the machine redirects to http://precious.htb, so I had to add that entry to my /etc/hosts file to be able to access the webpage.

The webpage is an app that converts URLs to PDF. Every URL I entered returned one form of error or another, so I sent the request to Burp Suite.

I sent the request to Repeater in Burp and got what looks like a plain error message, but it also includes a key piece of information: the version of the software doing the rendering, pdfkit v0.8.6.

A few minutes of Googling turned up this report by Snyk: pdfkit 0.8.6 is affected by CVE-2022-25765, a command injection in its URL handling, and the report's proof of concept is a URL carrying a backtick sleep command.

I don't want the connection to be delayed by a sleep, though; I want a reverse shell, so I used revshell to generate a Python reverse shell payload and put that in the command slot of the PoC URL instead.
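The mechanism behind the Snyk PoC, as an added example that is not part of the original writeup or of pdfkit's code: pdfkit treated a URL that already contained a percent-escape (the %20) as safe and interpolated it into a shell command string, so anything in backticks ran. The snippet below reproduces that bug class with echo standing in for wkhtmltopdf and 'echo INJECTED' standing in for the sleep or reverse shell, then shows the two fixes a maintainer would want: build the command as an argv array so no shell is involved, and reject URLs with shell metacharacters at the input boundary. POC_URL, render_via_shell_string, render_via_argv, SHELL_META and safe_url? are all names chosen here, not pdfkit APIs.

```ruby
require 'uri'

# Constructed PoC URL in the shape the public pdfkit advisory (CVE-2022-25765)
# uses: a percent-escape (%20) so pdfkit treats the URL as already escaped,
# followed by a backtick command substitution. 'echo INJECTED' stands in for
# the real command (sleep in the advisory, a reverse shell in this writeup).
POC_URL = 'http://example.com/?name=%20`echo INJECTED`'.freeze

# Vulnerable pattern: the URL is interpolated into a single command string, so
# IO.popen hands it to /bin/sh and the backticks are executed before echo runs.
def render_via_shell_string(url)
  IO.popen("echo #{url}", &:read).chomp
end

# Hardened pattern: argv form never touches a shell, so the URL reaches the
# program as one literal argument and the backticks are just bytes.
def render_via_argv(url)
  IO.popen(['echo', url], &:read).chomp
end

# Input-side check (an allowlist chosen for this example): only http(s) URLs
# that URI accepts, with no shell metacharacters anywhere in the string.
SHELL_META = /[`$;&|<>(){}\\'"\s]/.freeze

def safe_url?(candidate)
  uri = URI.parse(candidate)
  %w[http https].include?(uri.scheme) && !SHELL_META.match?(candidate)
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  puts "shell string: #{render_via_shell_string(POC_URL)}"
  puts "argv:         #{render_via_argv(POC_URL)}"
  puts "safe_url?:    #{safe_url?(POC_URL)}"
end
```

Run it and the shell-string variant prints the URL with INJECTED substituted in (the backticks executed), while the argv variant prints the URL byte for byte. Note that URL-encoding the payload for Burp does not change the picture: the server decodes it before building the command.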

So, I got a shell as the ruby user...

...I checked the home directory, as seen below, and there is a user "henry", so I need to enumerate further and escalate my privileges to this user.

User

Listing the contents of /home/ruby, I found an odd hidden directory, .bundle. Bundler keeps credentials for gem sources in its config file there, and this one contains henry's credentials.

With the newly found credentials, I was able to log in to henry's account via SSH and grab the user flag.

Privilege Escalation

To see what we are allowed to run with sudo, I used the command sudo -l.

Viewing the file /opt/update_dependencies.rb, we see that it reads a file called dependencies.yml from the current directory and deserializes it with Ruby's YAML loader. An unsafe YAML load instantiates whatever Ruby objects the document's tags name, so we can create our own rogue dependencies.yml carrying a deserialization gadget chain and have the script execute code for us as root. For more information see this.

In our dependencies.yml we add our payload, in this case a command that sets the SUID bit on /bin/bash, and run the Ruby script with sudo from the directory holding the file. Once /bin/bash is SUID root, bash -p gives a root shell.
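Why a rogue dependencies.yml is enough, as an added example that is not from the original writeup and not the box's own script: the difference between an unsafe YAML load and a safe one. The Dependency class and the ROGUE_YAML document are constructed for this example; in the real payload the tags name RubyGems and Net classes (a public Gem::Installer / Gem::RequestSet gadget chain whose git_set value is the shell command) rather than a harmless class. The example also shows the fix side: safe_load rejects object tags, and permitted_classes lets the script keep loading the one type it legitimately needs.

```ruby
require 'yaml'

# Stand-in for whatever type a legitimate dependencies.yml might describe
# (assumption; the real script's data model is not shown in the writeup).
class Dependency
  attr_accessor :name, :version
end

# Constructed untrusted document: a tagged node that asks the loader to
# instantiate a Ruby object of our choosing. In the real attack the tag names
# gadget classes whose loading ends in Kernel#system; here a harmless class
# makes the point without running anything.
ROGUE_YAML = <<~YAML
  --- !ruby/object:Dependency
  name: rogue
  version: "1.0"
YAML

# What an update script that trusts its input effectively does: a full load.
# Psych 4 (Ruby 3.1+) renamed this YAML.unsafe_load; older Psych still exposes
# the unsafe behaviour as YAML.load, so handle both.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The fix: safe_load only builds core types unless a class is explicitly
# permitted, so arbitrary !ruby/object tags raise instead of instantiating.
def safe_parse(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass => e
  e
end

# Allowlisting the one type the script legitimately needs keeps it working
# without reopening the door to gadget chains built from other classes.
def allowlisted_parse(doc)
  YAML.safe_load(doc, permitted_classes: [Dependency])
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe:       #{unsafe_parse(ROGUE_YAML).inspect}"
  puts "safe:         #{safe_parse(ROGUE_YAML).class}"
  puts "allowlisted:  #{allowlisted_parse(ROGUE_YAML).inspect}"
end
```

The unsafe path hands back a live Dependency object built purely from attacker-controlled text, which is exactly the primitive the gadget chain abuses; the safe path raises Psych::DisallowedClass before any object exists. When auditing a script like update_dependencies.rb, the question to ask is simply which of these two calls it makes on a file an unprivileged user can write.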