HackTheBox Writeup: Precious

Lena, System Weakness

This blog post contains my writeup for HackTheBox’s Precious. This box was about Ruby, Pdfkit, and YAML. This was an active box at the time of pwning.

I started by checking the connection to the box using,

$ ping 10.10.11.189

I was connected to 10.10.11.189, so I went on with an Nmap scan using

$ nmap -sC -sV 10.10.11.189

The Nmap scan showed port 22 with SSH, and port 80 with HTTP.

On the address bar, I typed 10.10.11.189. When I pressed enter, it automatically brought me to http://precious.htb. I added the entry 10.10.11.189 precious.htb to /etc/hosts using,

$ echo "10.10.11.189 precious.htb" | sudo tee -a /etc/hosts

When I reloaded http://precious.htb, it showed a page to “Convert Web Page to PDF”. The “Enter URL to fetch” bar allowed user input.

I tried to look for interesting directories using dirb and gobuster; however, there was nothing interesting. I also looked at the source code, but there was nothing interesting.

I inputted some URL to a text file into the input bar for testing. Here I used https://example-files.online-convert.com/document/txt/example.txt

When I pressed “Submit”, it showed “Cannot load remote URL!”. It seems like the files had to be from a local address.

I created a text file called hello.txt with the contents “hello world” using,

$ echo "hello world" >> hello.txt

In this current directory, I set up an HTTP server in Python using,

$ python3 -m http.server 80

I inputted http://10.10.14.62/hello.txt into the bar. After pressing “Submit”, it showed a PDF with the contents from hello.txt. I downloaded this PDF file.

I checked the PDF’s information using Exiftool,

$ exiftool svdhsh78xllklh5vpva3fmey5bz7sytd.pdf

Exiftool showed that the creator was Generated by pdfkit v0.8.6. I did some research on pdfkit v0.8.6, and found that it had a Command Injection vulnerability, CVE-2022-25765. The description was,

A ruby gem pdfkit is commonly used for converting websites or HTML to PDF documents. Vulnerable versions (
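Added example, not part of the original writeup: a check a defender can run over PDFs their own service generates, to see whether the Info dictionary discloses a generator name and version the way the Creator field did above. It assumes the Info dictionary is stored uncompressed and unencrypted; the function names and the Producer value are constructed for illustration.

```python
import re
FIELDS = (b"Creator", b"Producer")  # Info keys that usually carry a generator banner
BANNER = re.compile(r"([A-Za-z][\w.+-]*)\s+v?(\d+(?:\.\d+)+)")  # e.g. "name v1.2.3"
ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}

def _literal(data, i):
    """Decode a PDF literal string whose '(' is at data[i] (octal escapes not handled)."""
    out, depth, i = bytearray(), 1, i + 1
    while i < len(data):
        c = data[i]
        if c == 0x5C and i + 1 < len(data):   # backslash escape
            i += 1
            out.append(ESCAPES.get(data[i], data[i]))
        elif c == 0x29 and depth == 1:        # closing ')'
            break
        else:
            depth += (c == 0x28) - (c == 0x29)  # track nested parentheses
            out.append(c)
        i += 1
    return bytes(out)

def info_fields(data):
    """Return {field: text} for Creator/Producer entries found in raw PDF bytes."""
    found = {}
    for key in FIELDS:
        m = re.search(rb"/" + key + rb"\s*([(<])", data)
        if not m:
            continue
        if m.group(1) == b"(":
            raw = _literal(data, m.start(1))
        else:  # hex string such as <FEFF0045...>; an odd final digit is padded with 0
            h = b"".join(re.match(rb"[0-9A-Fa-f\s]*", data[m.end(1):]).group(0).split())
            raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode())
        utf16 = raw.startswith(b"\xfe\xff")  # a BOM marks a UTF-16BE text string
        found[key.decode()] = raw[2:].decode("utf-16-be", "replace") if utf16 else raw.decode("latin-1")
    return found

def generator_banners(data):
    """Return [(field, product, version)] for fields that disclose a version."""
    fields = info_fields(data).items()
    return [(f, m.group(1), m.group(2)) for f, t in fields if (m := BANNER.search(t))]

# Constructed sample. The Creator value is the one quoted in the writeup; the
# Producer value ("Example 1.2" as a UTF-16BE hex string) is made up.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Creator (Generated by pdfkit v0.8.6)\n"
          b"/Producer <FEFF004500780061006D0070006C006500200031002E0032> >>\nendobj\n")

if __name__ == "__main__":
    print(generator_banners(SAMPLE))
```

Any hit is a candidate for stripping or overwriting the metadata before the PDF is returned to the client.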



This post first appeared on VedVyas Articles, please read the original post: here
