/tags/ctf-walkthroughs/ Recent content in CTF Walkthroughs on HomeBrewedHacker /images/papermod-cover.png /images/papermod-cover.png Hugo -- 0.151.0 en PaperMod Contributors Tue, 20 Jun 2023 10:48:02 -0700 /posts/htb-precious/ Tue, 20 Jun 2023 10:48:02 -0700 /posts/htb-precious/ <h2 id="introduction">Introduction</h2> <p>Welcome to my first Hack The Box machine walkthrough. This system is one that I had the privilege of doing live and am now going to post my process of popping root since the machine has since retired. Here is a quick overview of the machine as stated directly from <a href="https://app.hackthebox.com/machines/Precious/information">HTB</a>.</p> <blockquote> <p><em>Precious is an Easy Difficulty Linux machine, that focuses on the <code>Ruby</code> language. It hosts a custom <code>Ruby</code> web application, using an outdated library, namely pdfkit, which is vulnerable to <code>CVE-2022-25765</code>, leading to an initial shell on the target machine. After a pivot using plaintext credentials that are found in a Gem repository <code>config</code> file, the box concludes with an insecure deserialization attack on a custom, outdated, <code>Ruby</code> script.</em></p>