Hack The Box - Precious

2023. 1. 1. 03:22 · 0x0E Practice-Pentesting / [1] HTB


Author: Sangsoo Jeong (c0nstant)
Date: 15 Dec 2022

Architecture: Linux
Environment: SSH, HTTP

Trial or Error

[1] Hard to understand the logic
        [-> First of all, I misunderstood and thought the logic was related to directory traversal]
        [-> When I got a PDF file, I tried to compare which sections differed from a sample PDF on the internet]
[2] A typo in the reverse shell syntax
        [-> I spent at least 20 minutes on it.]
[3] Could not get a session via pwncat-cs
        [-> So I decided to use netcat instead]

Methodology

Basically, if you want to explore the environment, you should first check the open ports with nmap (port scanning).
This machine has two open ports: HTTP and SSH. When you try to access the HTTP web page via the IP directly, your PC does not recognise this IP. That is why you need to map the IP to a domain name. In this case, the domain is 'precious.htb'.

If you access the web page, you can see an input box. You must enter a URL that uses the 'http' scheme.

After that, you can download a PDF file. The PDF's content is generated from the page at your URL. Remember: you should not use a remote server.
For instance, if you type 'https://google.com', you get an alert message.
The alert message is "Cannot load remote URL!".

You do not need to purchase a server for testing. You can use a simple HTTP server with Python.

If you supply input that fits what the server expects, you get a PDF file.

The PDF file is the key point in this challenge. You can check the characteristics of the PDF (its metadata) with exiftool.

Once you recognise which PDF module generated the file, you can work out the vulnerability.

[BONUS]: The vulnerability is related to command injection
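As an added example (not part of the original post and not the box's code), here is how a "URL to PDF" feature can defend against exactly this class of bug: validate the URL before it reaches a native converter, and pass it as a single argv element rather than through a shell. The allowed hosts and the converter path are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts this service may fetch from (loopback/intranet only).
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "intranet.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}
# Characters that must never reach a native tool inside a URL argument.
SHELL_META = re.compile(r"[`$|;&<>(){}\[\]'\"\\\s]")
# Hypothetical converter binary (assumption); a real deployment names its own.
CONVERTER = "/usr/local/bin/html2pdf"


def validate_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Only plain http(s) URLs to allowlisted hosts pass."""
    # Reject shell metacharacters first: a URL containing them is never legitimate here.
    if SHELL_META.search(url):
        return False, "shell metacharacters in URL"
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    # user:pass@host forms are a common way to smuggle a different host past naive checks.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    if not parts.hostname or parts.hostname not in ALLOWED_HOSTS:
        # Same user-facing message the box shows for non-local targets.
        return False, "Cannot load remote URL!"
    return True, "ok"


def build_convert_command(url: str, out_path: str) -> list[str]:
    """Build an argv list for subprocess.run(..., shell=False).

    The URL becomes one argument; no shell ever parses it, so even a
    metacharacter that slipped past validation could not start a command.
    """
    ok, reason = validate_url(url)
    if not ok:
        raise ValueError(reason)
    return [CONVERTER, "--", url, out_path]


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8000/index.html", "https://google.com",
                      "http://127.0.0.1/a;id"):
        print(candidate, "->", validate_url(candidate))
```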

Next, think about how to access another user.
You can get SSH access without any SSH vulnerability.

Sometimes a user makes a mistake when handling the computer or server.

If you find such a misconfiguration, you can access another user.

After that, check which part can be run as root without a password.
This part is also related to misconfiguration. Once you discover it, you can get a root shell.
