RubyDome Proving Grounds Write-Up
SUMMARY
This write-up covers the RubyDome machine from OffSec’s Proving Grounds, a Linux machine where a PDF conversion error message exposed the underlying library.
Port 3000 hosted a web application with a “convert to PDF” feature. Triggering an error by pointing it to an unavailable host leaked the service name PDFKit in the error output. Researching PDFKit vulnerabilities led to a public exploit that required the correct URL parameter name (found via Burp Suite interception). Running the script achieved RCE and a reverse shell was received as user andrew.
sudo -l revealed andrew could run a specific Ruby script as root. Listing the script’s permissions showed andrew was the owner with write access. The script was replaced with a Ruby reverse shell payload, and running it via sudo returned a shell as root.
PATH TO FOLLOW
- Reconnaissance & PDF Service Discovery on Port 3000
- PDFKit Version Leak via Error Message
- PDFKit RCE Exploit (URL Parameter Identification via Burp)
- Reverse Shell as andrew
- Sudo Ruby Script — Owner Write Access Identification
- Ruby Reverse Shell Injection & Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.