# Proving Grounds Practice: RubyDome

Proving Grounds Practice - RubyDome CTF writeup.

### Nmap

```sh
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9bc8f013f855df95cd9fbb615a01e74 (ECDSA)
|_  256 53d97f3d228afd5798fe6b1a4cac7967 (ED25519)
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
|_http-title: RubyDome HTML to PDF
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Web

![img](/files/3vWINqPO260tqR4V8pQR)

WEBrick 1.7.0 is vulnerable to Command Injection, and as the screenshot above shows, the application takes a URL and converts the page content into a PDF. Passing malicious input or an invalid URL produced a server error, with the exception displayed in the web page.

![img](/files/ddaSzb5829ndKQiNsH1u)

PDFKit is used to convert the page content to PDF. The PDFKit version used by the application is vulnerable to [Command Injection](https://www.exploit-db.com/exploits/51293).
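The root cause of the URL-to-PDF flow above is that the user-supplied URL reaches a shell command line. As an added example (not the RubyDome application's or PDFKit's code), a hardened front-end for that flow: it restricts the scheme and host, rejects input outside the URL character set, and hands the converter an argv array so no shell ever interprets the value. The `wkhtmltopdf` back-end binary and all function names are assumptions for illustration.

```ruby
require 'uri'

# Hypothetical hardened wrapper for an HTML-to-PDF converter (added example).
# The converter is assumed to be wkhtmltopdf, which PDFKit drives.
ALLOWED_SCHEMES = %w[http https].freeze

# RFC 3986 URL characters only: whitespace, quotes, backticks, pipes and
# control characters are not in this set and are rejected before parsing.
URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?\[\]@!$&'()*+,;=%#]+\z}

class InvalidTargetUrl < StandardError; end

# Returns the normalised URL string if it is acceptable, otherwise raises.
def validate_pdf_target(raw)
  raise InvalidTargetUrl, 'empty input' if raw.nil? || raw.strip.empty?
  raise InvalidTargetUrl, 'illegal characters' unless raw.match?(URL_CHARS)

  uri = URI.parse(raw)
  scheme = uri.scheme&.downcase
  raise InvalidTargetUrl, 'scheme not allowed' unless ALLOWED_SCHEMES.include?(scheme)
  raise InvalidTargetUrl, 'missing host' if uri.host.nil? || uri.host.empty?

  uri.to_s
rescue URI::InvalidURIError => e
  raise InvalidTargetUrl, "unparsable URL: #{e.message}"
end

# Build the converter invocation as an argv array. Run it with the array form
# of Open3.capture2 / IO.popen: the arguments are passed directly to execve,
# so URL characters such as ';' or '$' are never shell metacharacters here.
def pdf_command(raw)
  ['wkhtmltopdf', '--quiet', validate_pdf_target(raw), '-']
end

# Convenience predicate for tests and request filters.
def safe_target?(raw)
  validate_pdf_target(raw)
  true
rescue InvalidTargetUrl
  false
end
```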

![img](/files/FT5IhheZZJDGoQssrUBt)

**Initial Foothold Obtained**

### Privilege Escalation

Check the system user's executable permissions.

![img](/files/POoYmO40blHqtc4PvDzi)

As the image above shows, the user `andrew` can run the file `app.rb` with ruby as the superuser via sudo, without a password.

Write the content below to the `app.rb` file and execute the file using `/usr/bin/ruby` as the superuser.

```sh
# Overwrite the sudo-permitted script so that running it as root spawns a shell
echo 'exec "/bin/bash"' > app.rb
```

![img](/files/sVA9gB0r55SdsQQJvfPE)

**Root Obtained**

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).
