🔎🦶Enumeration/Foothold
Meta from HTB, created by Nauten, is a Medium machine with a focus on CVE-2021-22204. You start the box by finding a hidden 'development' sub-domain, dev01, that hosts an exploitable exiftool application, and you use CVE-2021-22204 (arbitrary code execution through ExifTool's DjVu metadata parser, fixed in ExifTool 12.24) for a shell on the box. Once on the box you exploit mogrify to elevate to the local user and a neofetch config for root.
Navigating to 10.10.11.140 on port 80 shows a redirect to the domain artcorp.htb, so I add it to my hosts file:
On the artcorp.htb website I see a mention of Development and a 'testing phase'.

Website shows Development and 'testing phase'.
I kick off ffuf to scan for possible sub-domains and gobuster for a VHOST scan. ffuf comes back with a hit:
I add the sub-domain to my hosts file and navigate over. I see a MetaView application that mentions uploading files to view their metadata:

Mentions displaying metadata and JPG/PNG requirement.
⚠ Attack Machine
I change lines 6-7 of the exploit to create the malicious image file and upload it to the host:

The shell coming back on the malicious exploit.
🔝Escalation to Thomas
Once on the host I run LinPEAS with its extended flags, which shows convert_images.sh running as a cron job:
⚠ Attack Machine
🎯Victim Machine
Reviewing the script shows that it runs mogrify against the files in the convert_images directory:
Checking the mogrify version I can see that it is indeed vulnerable:
Using Imagemagick – Shell Injection as a reference I create a malicious .SVG and drop it in the directory the cron job processes, so mogrify executes the payload on the script's next run and I pull the user's id_rsa:
⚠ Attack Machine
🎯Victim Machine
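As an added example (not part of the original write-up or of the referenced blog post), here is a small detector for the payload shape that technique relies on, written from the defender's side: it flags SVG files that point ImageMagick back at themselves through the msl: coder, or that carry an MSL authenticate value with shell metacharacters, with a read through the pdf: coder reported as a supporting indicator. The sample files, the file name poc.svg and the command in the sample are constructed for this example.

```python
"""Added example (not from the original write-up): flag SVG files carrying the
ImageMagick MSL shell-injection shape that the referenced write-up describes.

Two ingredients are looked for: an href with the msl: scheme, which makes
ImageMagick load the file back as an MSL script, and an MSL <image
authenticate="..."> value containing shell metacharacters, which is the string
injected into the PDF delegate. A read through the pdf: coder is reported as a
supporting indicator. All sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# backticks, command separators and $(...) are enough to reach a shell
SHELL_META = re.compile(r"[`;|&]|\$\(")


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}image' -> 'image'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return one finding per suspicious attribute; an empty list means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # ImageMagick's SVG/MSL readers are more lenient than a strict XML
        # parser, so a file we cannot parse is reported rather than ignored.
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        # SVG 1.1 uses xlink:href; SVG 2 also allows a plain href attribute.
        for attr in (XLINK_HREF, "href"):
            href = elem.get(attr)
            if href and href.strip().lower().startswith("msl:"):
                findings.append(f"<{tag}> {_local(attr)}={href!r}: msl: self-reference")
        auth = elem.get("authenticate")
        if auth is not None and SHELL_META.search(auth):
            findings.append(f"<{tag}> authenticate={auth!r}: shell metacharacters")
        filename = elem.get("filename")
        if tag == "read" and filename and filename.lower().startswith("pdf:"):
            findings.append(f"<read> filename={filename!r}: pdf: coder reaches the Ghostscript delegate")
    return findings


# Constructed benign SVG: an ordinary image reference, nothing to flag.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="blue"/>
  <image xlink:href="logo.png" width="10" height="10"/>
</svg>"""

# Constructed sample shaped after the referenced technique: an MSL wrapper whose
# authenticate value carries a command, a pdf: read, and an inner SVG that
# points ImageMagick back at this same file as MSL. File name and command are
# placeholders for the example.
MALICIOUS_SVG = """<image authenticate='ff" `id`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height"/>
  <resize geometry="400x400"/>
  <write filename="out.png"/>
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg"
       xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>"""


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        hits = scan_svg(doc)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
```

Run it as a script to see both samples classified, or call scan_svg on each file pulled from an upload directory such as the convert_images folder the cron job processes. Anything that fails to parse is reported rather than skipped, because ImageMagick will still try to read it.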
🔝Escalation to root
The key I received had some formatting issues, so I cleaned it up and logged into the box:
⚠ Attack Machine
Once on the box I ran sudo -l and saw that neofetch could be run as root. Reviewing the neofetch – Config documentation, I tried adding a bash reverse shell to the config file and executing neofetch as root. This works because neofetch sources its config.conf as a bash script at startup, so any command placed in it runs with neofetch's privileges, root under sudo; the config file has to be one that root's neofetch actually reads, which depends on which environment variables sudo preserves:
🎯Victim Machine
⚠ Attack Machine
The shell came back and we had root: