Prepared by: dongani

P.S.: This writeup is also available in Russian:

Precious[RU]

Introduction


This writeup explores the effects of exploiting a critical command injection vulnerability (CVE-2022-25765) in pdfkit. Pdfkit is a Ruby “gem” that creates PDFs using plain old HTML+CSS. This box will show you how to exploit the pdfkit vulnerability and get a remote connection to the server via a reverse shell. It all finishes with a unique horizontal privilege escalation.
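The root cause of CVE-2022-25765 is that pdfkit hands the caller-supplied URL to the wkhtmltopdf command line, so a URL containing shell metacharacters can become shell input. The example below is added for this writeup and is not pdfkit's own code: it shows the two controls a service built on pdfkit should have, a strict allow-list check on the URL before it ever reaches the converter (the `vet_pdf_url` function and `SHELL_METACHARS` pattern are this example's own names) and a version gate against the first fixed release, 0.8.7.2.

```ruby
require 'uri'

# Characters that a POSIX shell interprets. A URL that is interpolated into a
# command line must never contain any of them. This allow-list style check is
# constructed for the example; it is not pdfkit's own sanitiser.
SHELL_METACHARS = /[`$;&|<>(){}\[\]'"\\\s]/

# Returns [:ok, canonical_url] when the input is safe to pass to the converter,
# or [:reject, reason] otherwise. Strict by design: anything a browser would
# tolerate but a shell might act on is refused rather than escaped.
def vet_pdf_url(raw)
  return [:reject, 'empty input'] if raw.nil? || raw.strip.empty?
  return [:reject, 'shell metacharacter in URL'] if raw.match?(SHELL_METACHARS)

  uri = begin
    URI.parse(raw)
  rescue URI::InvalidURIError
    return [:reject, 'unparseable URL']
  end

  return [:reject, 'scheme must be http or https'] unless %w[http https].include?(uri.scheme)
  return [:reject, 'missing host'] if uri.host.nil? || uri.host.empty?

  # Rebuild from parsed components so only a canonical URL travels onward.
  [:ok, uri.to_s]
end

# pdfkit 0.8.7.2 is the first release that no longer passes the URL to the
# shell unsanitised; anything older should be treated as exposed.
FIXED_PDFKIT = Gem::Version.new('0.8.7.2')

def pdfkit_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_PDFKIT
end

# Stand-alone demonstration on constructed inputs.
if __FILE__ == $PROGRAM_NAME
  ['http://example.test/page?id=1', 'http://example.test/?q=;x', 'file:///etc/hostname'].each do |u|
    puts "#{u.inspect} => #{vet_pdf_url(u).inspect}"
  end
  puts "pdfkit 0.8.6 vulnerable? #{pdfkit_vulnerable?('0.8.6')}"
end
```

Rejecting instead of escaping is deliberate: the converter is a separate process with its own argument handling, so the only safe contract is "nothing that could be shell syntax reaches it at all", and upgrading the gem closes the hole for any path the validator did not cover.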


Enumeration

The first thing to do is always to scan the target IP address with Nmap to check which ports are open. But I personally prefer threader3000.


It just scans ports very fast, and then passes the open ports to nmap for a detailed scan (-sC for default scripts and -sV to enumerate versions).

Detailed Nmap Scan:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 845e13a8e31e20661d235550f63047d2 (RSA)
|   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
|_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Convert Web Page to PDF
| http-server-header: 
|   nginx/1.18.0
|_  nginx/1.18.0 + Phusion Passenger(R) 6.0.15
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
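Scan output like the above is usually read by eye, but once you have several hosts it is worth turning it into structured data so the follow-up (which ports carry a web service, which versions to check against advisories) is not done by hand. The parser below is added here and is not part of the original writeup or of Nmap; it reads the normal-output port table and the NSE script lines that follow each port, using the scan shown above as its embedded sample (`parse_nmap` and `web_ports` are this example's own names).

```ruby
# Sample input: the detailed scan from this writeup, embedded so the code runs offline.
NMAP_SAMPLE = <<~SCAN
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
  | ssh-hostkey:
  |   3072 845e13a8e31e20661d235550f63047d2 (RSA)
  |   256 a2ef7b9665ce4161c467ee4e96c7c892 (ECDSA)
  |_  256 33053dcd7ab798458239e7ae3c91a658 (ED25519)
  80/tcp open  http    nginx 1.18.0
  |_http-title: Convert Web Page to PDF
  | http-server-header:
  |   nginx/1.18.0
  |_  nginx/1.18.0 + Phusion Passenger(R) 6.0.15
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SCAN

# One row of the port table: "<port>/<proto> <state> <service> <version...>".
PORT_LINE = %r{\A(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)\z}

# Parses Nmap normal output into an array of hashes, one per port. Script
# output lines ("| ..." and "|_ ...") are attached to the port they follow.
def parse_nmap(text)
  ports = []
  text.each_line(chomp: true) do |line|
    if (m = PORT_LINE.match(line))
      ports << { port: m[1].to_i, proto: m[2], state: m[3],
                 service: m[4], version: m[5].strip, scripts: [] }
    elsif line.start_with?('|') && !ports.empty?
      # Strip the "|" / "|_" prefix and surrounding whitespace, keep the text.
      ports.last[:scripts] << line.sub(/\A\|_?/, '').strip
    end
  end
  ports
end

# Open ports whose detected service is http or https: the ones to look at
# first, as the writeup does with port 80.
def web_ports(ports)
  ports.select { |p| p[:state] == 'open' && p[:service] =~ /\Ahttps?\z/ }
       .map { |p| p[:port] }
end

# Stand-alone demonstration.
if __FILE__ == $PROGRAM_NAME
  parsed = parse_nmap(NMAP_SAMPLE)
  parsed.each { |p| puts "#{p[:port]}/#{p[:proto]} #{p[:service]} #{p[:version]}" }
  puts "web ports: #{web_ports(parsed).inspect}"
end
```

The version field is kept verbatim rather than split further, because Nmap's version strings have no fixed grammar; the consumer that matches them against advisories should decide how to tokenise them.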

And we see 2 ports open; port 80 will be the priority.

HTTP Server: