Executive Summary
Target: Precious (Hack The Box)
OS: Linux
Difficulty: Easy
Attack Vectors: Web Application (Command Injection) -> Configuration Mismanagement -> Insecure Deserialization
This assessment targeted “Precious,” a Linux-based machine hosting a “Web-to-PDF” converter service. The initial foothold was gained by identifying an outdated dependency (pdfkit v0.8.6) via metadata analysis. The associated vulnerability (CVE-2022-25765) allowed Remote Code Execution (RCE), granting access as the ruby user.
Lateral movement to the user henry was achieved by discovering hardcoded credentials left inside a hidden Ruby Bundler configuration file. Finally, root privilege escalation was accomplished through a custom Ruby script, runnable with sudo, that parsed user-controlled input with the insecure YAML.load method; the resulting deserialization attack compromised the entire system.
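The root-privilege step above hinges on a script that hands user-controlled text to YAML.load. The following added example (not the script from the target machine, and not part of the original writeup) shows the defensive counterpart: a loader built on YAML.safe_load that admits only plain scalars, arrays and hashes, and rejects Ruby object tags, Symbols and aliases. The YAML documents are constructed here for illustration; the `!ruby/object:OpenStruct` tag is only a stand-in for "any class the author never meant to instantiate", not a gadget.

```ruby
require 'yaml'

# Constructed sample documents (not taken from the target machine).
# A plain mapping, the kind of data a config loader legitimately expects.
BENIGN_YAML = "name: example\nretries: 3\nverbose: true\n".freeze
# A document carrying a !ruby/object tag. YAML.load on Psych < 4 would
# instantiate the named class; OpenStruct here only stands in for
# "any class the caller did not intend to construct".
TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable:\n  :x: 1\n".freeze
# A document using an anchor/alias, which the hardened loader also refuses.
ALIASED_YAML = "base: &b\n  a: 1\nderived: *b\n".freeze

# Hardened loader: only strings, numbers, booleans, nil, arrays and hashes
# are admitted. Any !ruby/* tag, any Symbol and any alias raises instead
# of being honoured, so untrusted input cannot pick the classes that get built.
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Returns true when the loader rejected the document, false when it parsed it.
def rejected?(text)
  load_untrusted_yaml(text)
  false
rescue Psych::DisallowedClass, Psych::BadAlias
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "benign  -> #{load_untrusted_yaml(BENIGN_YAML).inspect}"
  puts "tagged  rejected? #{rejected?(TAGGED_YAML)}"
  puts "aliased rejected? #{rejected?(ALIASED_YAML)}"
end
```

On Psych 4 (bundled with Ruby 3.1 and later) YAML.load already delegates to safe_load, but a script pinned to an older Ruby, as commonly found on legacy hosts, still gets the permissive behaviour unless safe_load is called explicitly. The explicit keyword arguments also make the permitted set reviewable: anyone widening permitted_classes later has to do so visibly in the loader.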
1.0 Initial Foothold
1.1 Reconnaissance and Enumeration
1.1.1 Scanning the Target: The assessment began with a full TCP port scan using Nmap to identify all open services and gather version information on the target 10.10.11.189.