Precious is a live (as of writing) Hack The Box machine labelled easy and released on the 26th of November 2022. It is a very basic box to crack, with fewer technical requirements than most: given a sound methodology, an attacker only needs basic Linux core utilities and some experience with poorly explained exploits. It’s also a Linux box worth 20 points.
Walk-through.
We begin by scanning the machine with nmap, using the flags “-sV” for service enumeration and “-oN quickNmap” to save the output to a file, followed by the IP address of the target machine, “10.10.11.189”.
![](https://baston.uk/wp-content/uploads/2023/01/151540_initial_nmap-1024x299.png)
Attempting to go to the web server on port 80 redirects us to http://precious.htb/. Since this name doesn’t resolve, we’ll need to add the IP address and hostname to the “/etc/hosts” file on our host machine. I’m using neovim to edit the file: run “sudo nvim /etc/hosts” to open it and add the line.
![](https://baston.uk/wp-content/uploads/2023/01/152547_adding_to_resolve.png)
With that line added we’ll now be able to access the site at http://precious.htb/.
![](https://baston.uk/wp-content/uploads/2023/01/162359_website.png)
Taking a look at the site, it converts web pages to PDF documents. We’ll test it out by hosting a Python HTTP server with the command “python -m http.server 9001”, then on the website enter “http://<host ip>:9001/”, where <host ip> is your host’s IP address.
![](https://baston.uk/wp-content/uploads/2023/01/162407_testing_the_converter.png)
Next, download the PDF document. We are going to analyse the generated PDF using exiftool.
![](https://baston.uk/wp-content/uploads/2023/01/163213_aftr_download_exiftool.png)
From the exiftool output we can see that the PDF was generated by pdfkit version 0.8.6. The first online search result for vulnerabilities in this version takes us to a GitHub repository named CVE-2022-25765-pdfkit-Exploit-Reverse-Shell, which details an exploit that leads to a reverse shell.
The first step of this exploit is to set up a listener for our shell, using the command “nc -lnvp 9002”.
![](https://baston.uk/wp-content/uploads/2023/01/164822_setup_listener.png)
Once the listener is up we’ll need to create a file named “?name=%20” and put a Ruby reverse shell one-liner pointing at our listener into that file.
![](https://baston.uk/wp-content/uploads/2023/01/164840_create_ruby_file.png)
The last part of the setup is to start a Python web server to host the file so that the target can fetch it.
![](https://baston.uk/wp-content/uploads/2023/01/164851_host_python_server.png)
Now to run the exploit. The GitHub repository provides a curl command in which we need to fill in a few specific details, such as the target URL and our local IPs and ports. Pay close attention to which port your listener is on and which port the web server is on.
![](https://baston.uk/wp-content/uploads/2023/01/164904_run_curl_request.png)
Once that’s run you’ll have a low-privilege reverse shell, as the user ruby, where your listener was.
![](https://baston.uk/wp-content/uploads/2023/01/164948_Im_in.png)
Taking a look in our home directory we find a .bundle directory, which usually contains configuration files. Reading the config file within it gets us the credentials for the henry account on the system.
![](https://baston.uk/wp-content/uploads/2023/01/172703_found_creds.png)
On the henry account, running “sudo -l” to list sudo privileges shows that this user can run ruby with “/opt/update_dependencies.rb”. Taking an immediate look at the “update_dependencies.rb” script we can see that it just compares what is installed with the versions specified in “dependencies.yml”.
![](https://baston.uk/wp-content/uploads/2023/01/184240_sudo_dash_l.png)
Reading the sample dependencies file we can see that it lists yaml version 0.1.1, and the script uses YAML.load to read the dependencies file, which is vulnerable to a deserialization attack.
![](https://baston.uk/wp-content/uploads/2023/01/184306_ipdate_dependencies_file.png)
Taking a look at the blog post Blind Remote Code Execution through YAML Deserialization we can see how this attack works. Basically we replace the contents of the target file with a set script. Once that’s done, the “git_set:” option needs to be changed from the example “sleep 600” to “chmod +s /bin/bash”, which sets the SUID bit on bash to give us root.
![](https://baston.uk/wp-content/uploads/2023/01/192801_changed_to_dependencies.png)
Once the change has been made, run “sudo ruby /opt/update_dependencies.rb” and then run “/bin/bash -p”.
![](https://baston.uk/wp-content/uploads/2023/01/193950_got_root.png)
ROOT! Now that we’ve got root we can read the flag and finish the box.
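The root step works because update_dependencies.rb hands a file the attacker can rewrite to YAML.load, which will instantiate whatever Ruby objects the file asks for. As an added example (not the box’s script, nor code from this post), here is what a hardened version of that loader looks like: it uses YAML.safe_load, which raises Psych::DisallowedClass on any !ruby/object tag, and then checks that the file is nothing but gem names mapped to version strings; the UnsafeDependencyFile class, the function names and the sample inputs are all constructed for this example.

```ruby
# Added example, not the box's /opt/update_dependencies.rb. YAML.load on an
# attacker-controlled file can build arbitrary Ruby objects; YAML.safe_load
# only builds scalars, arrays and hashes and raises Psych::DisallowedClass
# for any !ruby/object tag, so the file can never turn into code.
require 'yaml'

class UnsafeDependencyFile < StandardError; end

# Parse a dependencies.yml body into { "gem" => "version" }.
# Rejects object tags, YAML aliases, malformed YAML, and anything that is
# not a flat mapping of gem names to dotted version strings. Unquoted
# versions such as `1.0` parse as numbers and are rejected on purpose.
def load_dependencies(yaml_text)
  begin
    data = YAML.safe_load(yaml_text)
  rescue Psych::Exception => e # DisallowedClass, BadAlias, SyntaxError
    raise UnsafeDependencyFile, "refused to load: #{e.message}"
  end
  raise UnsafeDependencyFile, 'top level must be a mapping' unless data.is_a?(Hash)
  data.each do |name, version|
    unless name.is_a?(String) && version.is_a?(String) && version.match?(/\A\d+(\.\d+)*\z/)
      raise UnsafeDependencyFile, "bad entry #{name.inspect} => #{version.inspect}"
    end
  end
  data
end

# Compare wanted versions with what is installed, as the update script does,
# without touching the gem system. Returns gems that are missing or differ.
def outdated(wanted, installed)
  wanted.reject { |gem, ver| installed[gem] == ver }.keys
end

# Constructed sample inputs (not taken from the box).
GOOD_YAML = "yaml: 0.1.1\npdfkit: 0.8.6\n"
TAGGED_YAML = "--- !ruby/object:OpenStruct\nname: x\n"
INSTALLED = { 'yaml' => '0.1.1', 'pdfkit' => '0.8.5' }

if $PROGRAM_NAME == __FILE__
  puts outdated(load_dependencies(GOOD_YAML), INSTALLED).inspect # ["pdfkit"]
  begin
    load_dependencies(TAGGED_YAML)
  rescue UnsafeDependencyFile => e
    puts e.message
  end
end
```

The same pattern applies to the pdfkit side of the box: input that reaches a deserializer or a shell should be parsed into plain data and validated, never evaluated.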
This was a brilliant introductory machine for getting started with Hack The Box. Precious has been my first root on HTB and will definitely not be the last.