HTB Linux Easy: Precious

Precious is an Easy rated Linux machine on HTB.

Nmap

Pasted image 20240715104504.png

Edit the hosts file and add the precious.htb domain. Pasted image 20240715104458.png

Initial Foothold

Enumerating HTTP (Port 80)

Pasted image 20240715104453.png

After generating a PDF we can use exiftool to look at its metadata: the PDFs are generated by pdfkit v0.8.6. Pasted image 20240715104447.png

Obtain shell

Start a web server and an nc listener, then run the following curl command to obtain a reverse shell. Pasted image 20240715104442.png

Python server. Pasted image 20240715104438.png

We gained a shell connection as the ruby user. Pasted image 20240715104432.png

Lateral Movement

We find the password of henry while enumerating files: henry:Q3c1AqGHtoI0aXAYFH. Pasted image 20240715104426.png

SSH into the box as henry. Pasted image 20240715104422.png

Priv Esc

sudo -l reveals a possible attack vector. Pasted image 20240715104418.png

Looks like we might be able to put a reverse shell payload in a dependencies.yml file. Pasted image 20240715104413.png

The source code reveals that the dependencies.yml file is opened with a vulnerable function: YAML.load(). Pasted image 20240715104407.png

Create a dependencies.yml file with a bash reverse shell. Pasted image 20240715104402.png

The script hangs after running. Pasted image 20240715104358.png

The nc listener turned into a root shell. Pasted image 20240715104353.png
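The root cause of the privilege escalation above is that YAML.load() will instantiate whatever Ruby object a tagged YAML document asks for. The following is an added example (not code from the box or from this writeup) that shows the difference between the unsafe loader and YAML.safe_load on a harmless, constructed Dependency class, and how a permitted_classes allowlist lets a hardened loader still accept the objects it actually expects. Note the version caveat: on Ruby 3.1+ (Psych 4) YAML.load already behaves like safe_load, which is why the helper falls back to YAML.unsafe_load where it exists.

```ruby
require "yaml"

# Constructed stand-in for the kind of object a config loader might expect.
# It is NOT from the Precious box; any class defined in the process can be
# instantiated the same way by the unsafe loader.
class Dependency
  attr_accessor :name, :version
end

# Constructed document mimicking a dependencies.yml that carries an object tag.
TAGGED_YAML = <<~YAML
  --- !ruby/object:Dependency
  name: pdfkit
  version: 0.8.6
YAML

# Older Psych (Ruby <= 3.0) made YAML.load behave like unsafe_load; Psych 4
# (Ruby 3.1+) turned YAML.load into safe_load. Use unsafe_load where it exists
# so the demonstration behaves the same across Ruby versions.
def unsafe_load(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Returns the class name of whatever the unsafe loader instantiated.
def loaded_class_unsafe(doc)
  unsafe_load(doc).class.name
end

# Hardened loader: safe_load refuses object tags unless the class is
# explicitly permitted. Returns :rejected instead of raising so callers
# can log and bail out.
def safe_load_or_reject(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe loader built: #{loaded_class_unsafe(TAGGED_YAML)}"
  puts "safe_load, no allowlist: #{safe_load_or_reject(TAGGED_YAML).inspect}"
  puts "safe_load, Dependency permitted: #{safe_load_or_reject(TAGGED_YAML, permitted: [Dependency]).inspect}"
end
```

Running the file prints that the unsafe loader built a Dependency, that safe_load with no allowlist rejected the document, and that safe_load with Dependency permitted returned the object. For a sudo-invoked script like the one on this box, the fix is to call safe_load with only the classes the script genuinely needs (often none, since a plain hash of strings is enough for a dependency list).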

User.txt

Pasted image 20240715104349.png

Root.txt

Pasted image 20240715104345.png

You have PWNED

Pasted image 20240715104339.png

This post is licensed under CC BY 4.0 by the author.