Read my writeup to Precious on:
TL;DR
To solve this machine, we start by using nmap to enumerate open services and find ports 22 (SSH) and 80 (HTTP) open.
User 1: Running exiftool on a PDF produced by the web application exposes the generator in the PDF metadata: pdfkit v0.8.6, a version with a known Remote Code Execution (RCE) vulnerability (command injection through the URL that pdfkit passes to wkhtmltopdf, CVE-2022-25765). Exploiting it gave us a reverse shell as the ruby user, that is, an interactive session in which every command runs with that user's privileges on the target.
User 2: While enumerating the ruby user's home directory we found the credentials of the user henry in /home/ruby/.bundle/config (Bundler stores per-host credentials there in plain text), which let us move to that account.
Root: sudo -l shows that henry may run /opt/update_dependencies.rb as the root user. Reviewing the script, we identified that it parses a YAML dependency file we can control with Ruby's YAML library; YAML.load in Psych before version 4 instantiates arbitrary Ruby objects from !ruby/object tags, which makes it susceptible to deserialization attacks. We crafted a YAML payload that abuses this to set the Set User ID (SUID) bit on /bin/bash. Running /bin/bash -p then gives us a shell with root privileges (the -p flag keeps the effective UID instead of dropping it), allowing us to perform actions as the root user.
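As an added illustration, not code from this writeup or from the machine, the following Ruby shows why an unsafe YAML.load is a deserialization sink and what YAML.safe_load does with the same document. The class GemEntry and the YAML document are constructed for the example; the real payload used on the box is a gadget chain that ends in Kernel#system and is deliberately not reproduced here. Psych 4 (Ruby 3.1 and later) made YAML.load safe by default and kept the old behaviour under YAML.unsafe_load, so the example picks whichever the interpreter provides.

```ruby
require "yaml"

# Constructed stand-in for any class loaded in the victim process. Psych's
# !ruby/object:<Class> tag instantiates such a class with allocate and
# assigns instance variables directly, so initialize never runs.
class GemEntry
  attr_reader :name, :version

  def initialize(name = nil, version = nil)
    @name = name
    @version = version
  end
end

# Constructed attacker-controlled dependency file. A benign one would hold
# only name/version pairs; this one smuggles in a Ruby object tag.
TAINTED_YAML = <<~YAML
  - !ruby/object:GemEntry
    name: rake
    version: attacker-supplied
  - ["nokogiri", "1.13.3"]
YAML

# What a script calling YAML.load on Psych < 4 does. On Psych >= 3.3.2 the
# same unsafe behaviour is exposed as YAML.unsafe_load, so use that when
# it exists and fall back to the old YAML.load otherwise.
def load_unsafely(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened version: safe_load only builds core types (strings, numbers,
# booleans, nil, arrays, hashes) unless permitted_classes widens it, and
# rejects the object tag with Psych::DisallowedClass.
def load_safely(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass => e
  [:rejected, e.class]
end

# Returns what the unsafe loader built from the tainted document (class,
# name, version of the smuggled object and the benign second item) next
# to the outcome of the safe loader on the same input.
def demo
  objs = load_unsafely(TAINTED_YAML)
  entry = objs.first
  {
    unsafe: [entry.class, entry.name, entry.version],
    second_item: objs.last,
    safe: load_safely(TAINTED_YAML)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The unsafe loader hands back a live GemEntry whose instance variables were written straight from the document, which is exactly the primitive a gadget chain builds on; the safe loader refuses the tag outright, and the fix for a script like the one on this box is to call YAML.safe_load (or upgrade to Psych 4, where YAML.load is safe) and, if objects are genuinely needed, whitelist them with permitted_classes.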