Meta from HTB and created by Nauten is a Medium machine with a focus on CVE-2021-22204. You start the box by finding a hidden ‘development’ sub-domain dev01 that has an exploitable exiftoolapplication. You use CVE-2021-22204 for a shell on the box. Once on the box you exploit mogrify to elevate to the local user and a neofetch config for root.

Navigating to 10.10.11.140 on Port 80 shows a redirect to domain artcorp.htb so I add it into my host file:

On the artcorp.htb website I see a mention of Development and ‘testing phase’.

I kick off ffuf to scan for possible sub-domains and gobuster for a VHOST scan. ffuf comes back with a hit:

I add the sub-domain into my hosts file and navigate over. I see a MetaView application mentioning about uploading files to view the metadata:

I change lines 6-7 on the exploit to create the malicious image file and upload it to the host:

Once on the host I use LinPEAS with extended extended flags showing convert_images.sh running as a cron:

Reviewing the script it shows that Script shows mogrify is running and its taking a file from the covert_images directory:

Checking the mogrify version I can see that is indeed vulnerable:

Using Imagemagick – Shell Injection as a reference I create a malicious .SVG and pull the users id_rsa:

The key received had some formatting issues so I cleaned it up and logged into the box:

Once on the box I ran sudo -l to see that neofetch could be ran as root. Reviewing the neofetch documentation on neofetch – Config I tried adding a bash reverse-shell to the config file and executing as root:

The shell came back and we had root: