Precious Writeup by evyatar9

Read my writeup to Precious on:

TL;DR

To solve this machine, we start by using nmap to enumerate open services and find ports 22 and 80.

User 1: Running exiftool on a PDF generated by the site revealed how the file was produced: it was created with pdfkit v0.8.6, a version with a known Remote Code Execution (RCE) vulnerability. Exploiting it gave us a reverse shell as the ruby user, an interactive session in which we can run commands and interact with the system with that user's privileges.

User 2: While enumerating the box, we found the credentials of the user henry in the file /home/ruby/.bundle/config.

Root: Running sudo -l showed that we can execute /opt/update_dependencies.rb as root. Reviewing the script, we found that it parses YAML in a way that is vulnerable to deserialization attacks. We exploited this with a crafted payload that sets the Set User ID (SUID) bit on /bin/bash; running that binary afterwards gives us a shell with root privileges.
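The root step hinges on how the Ruby script loads YAML. The following added example is not the machine's script and not code from this writeup; it uses a made-up Dependency class and two constructed documents to show, side by side, the unrestricted loader that honours object tags, the safe loader that rejects them, and the allowlist form that admits exactly one class.

```ruby
require 'yaml'

# A plain value object standing in for whatever an update script might model.
# Added example class, not from the machine's /opt/update_dependencies.rb.
class Dependency
  attr_accessor :name, :version
end

# Constructed sample: the shape of data an updater legitimately expects.
PLAIN_DOC = <<~YAML
  dependencies:
    - name: pdfkit
      version: 0.8.6
YAML

# Constructed sample: the same data, but tagged so the loader is asked to
# instantiate a Ruby class. With an unrestricted loader the document, not the
# program, decides which class gets built; that is the root of YAML
# deserialization bugs.
TAGGED_DOC = <<~YAML
  dependencies:
    - !ruby/object:Dependency
      name: pdfkit
      version: 0.8.6
YAML

# The weak pattern: honour every tag in the document.
# Psych 4 (Ruby 3.1+) renamed this to unsafe_load; older Psych has it as load.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# The hardened pattern: only core scalar and collection types are revived;
# any object tag raises Psych::DisallowedClass.
def load_restricted(doc)
  YAML.safe_load(doc)
end

# Middle ground when the data genuinely needs a custom class: permit exactly
# the listed classes and nothing else.
def load_allowlisted(doc, classes)
  YAML.safe_load(doc, permitted_classes: classes)
end

# Runs the given loader over a document and reports how it was treated:
# :object_revived if the tag produced a Dependency instance,
# :plain_hash     if the entry came back as an ordinary Hash,
# :rejected       if the loader refused the object tag.
def classify(doc)
  result = yield(doc)
  first = result.fetch('dependencies').first
  first.is_a?(Dependency) ? :object_revived : :plain_hash
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted, tagged doc: #{classify(TAGGED_DOC) { |d| load_unrestricted(d) }}"
  puts "safe_load,    tagged doc: #{classify(TAGGED_DOC) { |d| load_restricted(d) }}"
  puts "safe_load,    plain doc:  #{classify(PLAIN_DOC)  { |d| load_restricted(d) }}"
  puts "allowlisted,  tagged doc: #{classify(TAGGED_DOC) { |d| load_allowlisted(d, [Dependency]) }}"
end
```

The point for a reviewer of a script like the one on this box is the first line of output: with the unrestricted loader, the YAML file chooses the class that gets instantiated. Switching to `YAML.safe_load` (or `permitted_classes:` with a short, explicit list) keeps that decision in the program, which is the fix for this class of bug.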