Pre-Foothold

Ok! My previous walkthroughs were based on machines from the Proving Grounds by OffSec. This one will be my first from Hack-The-Box, also known as htb!

Starting with an all port scan, we get two pretty standard ports.

Description of image

Let’s enumerate versions and pay a visit to the site using EyeWitness. Description of image

Ok so there is an issue with connecting. I’m going to guess its a hostname issue. Let’s curl the page to see.

Description of image

Called it. Looking at the location I can see I’ll need to update my host file for this ip to point to that hostname. I’ll do that then try to use eyewitness again.

Description of image Description of image

Ok let’s check out EyeWitness now. Description of image

Ah, now this looks more promising. We have some info here on what is powering the webserver and what it might be doing. Converting a web page to pdf. I check the source code and don’t find anything interesting or useful.

My next steps are a few things:

  • Gobuster - directory enumeration
  • Nikto - webserver vuln check
  • Burp Suite - Capture traffic while interacting with the page

Let’s get started, but first, a deep_scan came back, so we have a little bit more information.

Description of image

While gobuster and nikto are running I decide to capture the traffic in Burp Suite and see how I can manipulate the data being sent.

Description of image

If you notice towards the bottom you will see “Cannot load remote URL!”. So it seems like it won’t communicate outside of the ctf network which is understandable. I need to get this server to give me a good response. So I decide to use python to host a simple helloworld file locally then insert that file into the url field to see if it processes the file. Description of image

I didn’t get a response here but I know why. The program reaching out for a url is expecting a specific filetype, html I suppose. I tried that and…

Description of image

I got an output. This tells me that it processed the .html file. I wonder if it will do the same for php but then I realize this server is not running php. Then I thought, what exactly is this web app using to convert the pages into a pdf? I downloaded the pdf file that was generated and ran exiftool on it to find out what generated it.

Description of image

pdfkit v.0.8.6 . That looks vulnerable. I know that may seem difficult to determine right now, but in understanding software development you have to expect there is some sort of vuln in software that hasn’t reached v1 yet. That could be a blanket statement but in my experience that is almost always the case.

Description of image

Bingo. A little googling and a visit to gihub gives us a PoC.

Essentially the shell being sent out is URL encoded in a request via curl. Let’s give it a shot. First we need to setup an http server and a listener, then make the request with curl and…

Description of image Description of image Description of image

Foothold complete, but this user is pretty limited. We need to find a way to escalate further. While searching for the user flag I find a user named henry, that is our next target.

Description of image

I find a hidden folder named .bundle in ruby’s directory which has a file in it called config. I open that file to find what looks like henry’s password. Let’s try to ssh in using henry.

Description of image

Description of image

We are in! Foothold complete! Grab the flag and move forward!

Post-Foothold

First things first, let’s see what sudo privileges our guy henry has.

Description of image

Ok! Looks like we’ve got nopasswd sudo access to this file. Now, I’ll admit I got stuck here and had to look around for help, but essentially what’s going on here is called YAML deserialization.

This crafted dependencies.yml file takes advantage of a YAML.load() function in the ruby script to execute code on the system. I initially tested it with whoami as the command on the git_set line and got code exec! I then added the suid bit to /bin/bash then used the -p (priviliged) flag to get a root shell, effectively owning the system :)

Description of image

Description of image

Thanks for reading! Drop me a follow here on medium and twitter as well!