Personal Stuff and Interesting Tech I Like

Precious HTB - Writeup

i have now moved on from AD to regular boxes. personally, these feel harder than AD... and my privesc is very weak. today, we take a look at precious, which starts with a very interesting website


if you submit a valid url (this can be done by hosting a python web server and just serving a dummy file), the site turns it into a pdf. examining the generated pdf with exiftool shows that it was produced by pdfkit, which has a known command injection vulnerability


the exploit allows me to upload a payload and get a shell as the ruby user!


as the ruby user, you'll find a config file (highlighted by linpeas) containing henry's credentials. then you can just su to henry and grab user.txt


after running linpeas again as henry (or just sudo -l, which is the first step anyway) you can see that henry is allowed to run a ruby script with sudo


that script deserializes a yaml file with an unsafe loader, which allows us to abuse insecure deserialization


i changed the linked yaml file to a payload placed in henry's home directory, ran the script again, and got root privileges
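to show why the script's yaml loading is the problem, here is an added ruby example (not code from the box or from this writeup): a yaml document carrying a `!ruby/object:` tag makes the unsafe loader instantiate an arbitrary class, while `YAML.safe_load` rejects the same document. `ConfigEntry` is a constructed stand-in for whatever class a real payload would target; the yaml sample is constructed too.

```ruby
require 'yaml'

# Constructed stand-in for an application class. A real deserialization
# payload chains objects until one reaches something like system(); the
# fix below stops the chain at its first step, object instantiation.
class ConfigEntry
  attr_reader :name
  def initialize(name)
    @name = name
  end
end

# Constructed sample: an untrusted YAML document that names a Ruby class
# via a tag instead of carrying plain data.
UNTRUSTED_YAML = <<~YAML
  --- !ruby/object:ConfigEntry
  name: injected
YAML

# Vulnerable pattern: the loader instantiates whatever class the tag names.
# Psych 4 (Ruby 3.1+) made YAML.load safe and moved this behaviour to
# unsafe_load; on older Psych, plain load is the unsafe call.
def load_unsafely(text)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(text)
  else
    YAML.load(text)
  end
end

# Hardened pattern: only plain scalars, arrays and hashes are permitted;
# any object tag raises Psych::DisallowedClass instead of being revived.
def load_safely(text)
  YAML.safe_load(text)
end

# Returns true when the safe loader refuses the document.
def safe_load_rejects?(text)
  load_safely(text)
  false
rescue Psych::DisallowedClass
  true
end
```

running the script as root with the unsafe loader means whoever controls the yaml file controls which classes get instantiated; swapping to `safe_load` (with an explicit `permitted_classes` list if objects are genuinely needed) removes that control.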
