HackTheBox - Precious

00:00 - Introduction 01:00 - Start of nmap 02:00 - Checking out the web page and finding command injection in the URL 03:20 - Space appears to be a bad character with command injection. Normal tricks like brace expansion or IFS don't work. 07:20 - Trying IFS to be a space but the trailing character makes it difficult 12:00 - Taking a step back from the RCE, downloading the PDF to examine metadata and discovering it was made with pdfkit 0.8.6, which has public POC's against it 13:00 - The POC puts a space before the exploit which then removes the space being a bad character in our exploit 14:29 - Beyond Root/Edit: Using $- to terminate the $IFS, allowing us to bypass the need to prepend the space 20:30 - End of edit, shell as ruby, discovering credentials in a config file for henry 22:53 - Henry can run sudo, discover he can execute a ruby script 25:50 - Looking up a ruby deserialization exploit with YAML 27:35 - Finding a different payload and getting a root shell