🔎🦶Enumeration/Foothold

Meta from HTB, created by Nauten, is a Medium machine with a focus on CVE-2021-22204. You start the box by finding a hidden 'development' sub-domain, dev01, that hosts an exploitable exiftool application. You use CVE-2021-22204 to get a shell on the box. Once on the box you exploit mogrify to escalate to the local user, and then a neofetch config to get root.

Navigating to 10.10.11.140 on port 80 redirects to the domain artcorp.htb, so I add it to my hosts file.


On the artcorp.htb website I see a mention of Development and a 'testing phase'.

Website shows Development and 'testing phase'.

I kick off ffuf to scan for possible sub-domains and gobuster for a VHOST scan. ffuf comes back with a hit.


I add the sub-domain to my hosts file and navigate to it. I see a MetaView application that says it displays the metadata of uploaded files:

Mentions displaying metadata and JPG/PNG requirement.

⚠ Attack Machine


I change lines 6-7 of the exploit to create the malicious image file and upload it to the host:

The shell coming back on the malicious exploit.

🔝Escalation to Thomas

Once on the host I run LinPEAS with the extended flags, which shows convert_images.sh running as a cron job:

⚠ Attack Machine


🎯Victim Machine


Reviewing the script shows that it runs mogrify against files taken from the convert_images directory.

Checking the mogrify version, I can see that it is indeed vulnerable.
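Both weak spots on this box come from image tools trusting whatever lands in a directory or upload form. As an added defensive example (my code, not the box's convert_images.sh or the MetaView application), the validator below sniffs the real file type from its leading bytes before mogrify or exiftool ever sees the file, and passes mogrify an explicit coder prefix so it cannot auto-detect a different format from the content. The `-resize 50%` argument and the sample bytes are constructed assumptions.

```python
# Added hardening example: accept only files whose *content* is PNG or JPEG,
# whatever their extension claims, and only then hand them to mogrify.
import subprocess
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte PNG signature
JPEG_MAGIC = b"\xff\xd8\xff"       # SOI marker that starts every JPEG


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg', or None based on the leading bytes only."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return None


def extension_matches(path: str, kind: str) -> bool:
    """The extension must agree with the sniffed type (no .png that is really text)."""
    ext = Path(path).suffix.lower()
    return (kind == "png" and ext == ".png") or (kind == "jpeg" and ext in (".jpg", ".jpeg"))


def validate_upload(path: str, data: bytes) -> str:
    """Return the coder to use, or raise ValueError with the reason for rejection."""
    kind = sniff_image_type(data)
    if kind is None:
        # SVG, DjVu, MSL or any other text/container format that merely *claims*
        # to be an image stops here and never reaches exiftool or mogrify.
        raise ValueError(f"{path}: content is not PNG/JPEG")
    if not extension_matches(path, kind):
        raise ValueError(f"{path}: extension does not match {kind} content")
    return kind


def is_accepted(path: str, data: bytes) -> bool:
    try:
        validate_upload(path, data)
        return True
    except ValueError:
        return False


def mogrify_command(path: str, data: bytes):
    """Build the mogrify argv with an explicit 'png:' / 'jpeg:' coder prefix, an
    ImageMagick convention that disables format auto-detection for that file."""
    kind = validate_upload(path, data)
    return ["mogrify", "-resize", "50%", f"{kind}:{path}"]  # -resize value is assumed


def safe_convert(path: str) -> None:
    """Replacement for a blind 'mogrify *' cron step: validate, then convert."""
    data = Path(path).read_bytes()
    subprocess.run(mogrify_command(path, data), check=True)
```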


Using ImageMagick – Shell Injection as a reference, I create a malicious .SVG and pull the user's id_rsa:

⚠ Attack Machine


🎯Victim Machine


🔝Escalation to root

The key I received had some formatting issues, so I cleaned it up and logged into the box:

⚠ Attack Machine


Once on the box I ran sudo -l and saw that neofetch could be run as root. Reviewing the neofetch documentation (neofetch – Config), I tried adding a bash reverse shell to the config file and executing it as root:

🎯Victim Machine


⚠ Attack Machine


The shell came back and we had root.


Rooted

Published On: June 8th, 2022 / Categories: HTB, Technology