The box starts with Remote Code Execution on the website, made possible by a vulnerability in pdfkit, whose version 0.8.6 is exploitable. This vulnerability lets us obtain a reverse shell. Once we have it, we only need to read a file in the ruby user's home folder that contains the credentials for SSH access as henry, which gives us the user flag. Root privilege escalation abuses the deserialization of YAML files to execute arbitrary commands.
14 December, 2022 00:00 CET