
HTB: Precious - OSCP Prep Write-up
A PDF converter hiding a command injection CVE, credentials buried in a Ruby config file, and a YAML deserialization gadget to finish it off - Precious stacks three clean techniques on top of each other.

Machine info

Name: Precious
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR

- Web app converts URLs to PDFs using pdfkit v0.8.6, which is vulnerable to CVE-2022-25765 (command injection)
- Initial shell as ruby, Bundler config at ~/.bundle/config leaks credentials for user henry
- Henry can run a Ruby script as root with sudo; the script uses YAML.load - exploitable via deserialization to get a root shell

Recon

Nmap

nmap -sV -sC -Pn -A 10.129.228.98
...
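On the YAML.load step named in the TL;DR: the sketch below is an added example, not code from the box or from this write-up. It shows why a privileged script should parse YAML with YAML.safe_load. The Probe class, the sample document and the helper names are constructed for illustration.

```ruby
require "yaml"

# Harmless stand-in class (hypothetical): counts how often the parser builds it.
class Probe
  @built = 0
  class << self
    attr_accessor :built
  end

  # Psych calls init_with while reviving a !ruby/object:Probe node.
  def init_with(coder)
    self.class.built += 1
    @note = coder["note"]
  end
end

# Constructed input: a plain mapping plus one node tagged as a Ruby object.
UNTRUSTED = <<~DOC
  yaml: 0.1.1
  extra: !ruby/object:Probe
    note: built by the parser
DOC

# Old YAML.load behaviour (YAML.unsafe_load on Psych 4+): revives any tagged class.
def legacy_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened loader: plain scalars, arrays and hashes only; no aliases.
def hardened_load(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
rescue Psych::DisallowedClass => e
  warn "rejected: #{e.message}"
  nil
end

# Runs both loaders on the same input and reports what each one built.
def demo
  Probe.built = 0
  legacy = legacy_load(UNTRUSTED)
  after_legacy = Probe.built
  hardened = hardened_load(UNTRUSTED)
  { legacy_class: legacy["extra"].class, built_by_legacy: after_legacy,
    hardened: hardened, built_total: Probe.built }
end

p demo if $PROGRAM_NAME == __FILE__
```

The legacy loader instantiates whatever class the file names, which is the property that matters when the file is writable by a less privileged user than the one running the script; the hardened loader rejects the tag before any object is allocated.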