🔎🦶Enumeration/Foothold
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP.
Within the initial enumeration I see the following, which shows that a .git directory has been found –
Navigating to the website after changing my hosts file (sudo mousepad /etc/hosts) shows the following –
I use the git-dumper tool available here (GitHub – Git-Dumper) to grab the website's source code.
Navigating to the directory I notice magick right away, which has been used on other boxes (IslandDog – HTB Meta).
Reviewing the index.php file I am able to confirm that ImageMagick is being used with a convert command.
I use the ./magick command to grab the help menu and the -version flag to get the current version:
A short Google later I find an Exploit DB – 51261 link which takes me over to GitHub – voidz0r/CVE-2022-44268. I used git clone to grab the repo and began running through the instructions. I hit a wall where cargo was not working/compiling correctly, so I pivoted and found this GitHub repo instead: GitHub – kljunowsky/CVE-2022-44268. I took a screenshot of the Pilgrimage logo and used it as my notpoisoned.png file.
I then uploaded the file and clicked Shrink. I ran the --url command to successfully see data exfiltrated –
I then re-did the process to grab the database file to receive the Emily username/password. I had seen the presence of the database file within the previously highlighted index.php.
Of course, because I'm cursed in all and anything I do, I received an error while decoding the image. I Googled around and found that if I fixed the following line in the file CVE-2022-44268.py by replacing unicode_ut8, it worked as intended for my use case.
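Added here as a defensive example, not code from the original write-up or from either of the exploit repos it links: CVE-2022-44268 is triggered by a PNG text chunk whose keyword is profile; the vulnerable ImageMagick treats the chunk's value as a local filename and embeds that file's contents in the converted image's metadata, which is what the --url step above reads back. An upload handler that sits in front of convert can refuse such files before they ever reach ImageMagick. The script below walks and CRC-checks every chunk, decodes tEXt, zTXt and iTXt, and reports any chunk keyed profile. The make_sample_png helper and the /tmp/example.txt path are constructed test data so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The three text chunk types that can carry a keyword/value pair.
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data: bytes):
    """Yield (chunk_type, body) for each chunk, failing closed on malformed input.

    A scanner that silently skips a broken chunk is a scanner that can be
    bypassed, so every structural problem raises ValueError instead."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk body")
        body = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, body
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def text_chunk_fields(ctype: bytes, body: bytes) -> tuple[str, bytes]:
    """Split a tEXt/zTXt/iTXt body into (keyword, decoded value)."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        value = rest
    elif ctype == b"zTXt":
        value = zlib.decompress(rest[1:])  # rest[0] is the compression method
    else:  # iTXt: flag, method, language\0, translated keyword\0, text
        compressed = rest[0] == 1
        _lang, _, rest = rest[2:].partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        value = zlib.decompress(text) if compressed else text
    return keyword.decode("latin-1"), value


def find_profile_chunks(data: bytes) -> list[tuple[str, str]]:
    """Return (chunk_type, value) for every text chunk keyed 'profile'.

    ImageMagick compares the keyword case-insensitively, so we do too."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, value = text_chunk_fields(ctype, body)
        if keyword.lower() == "profile":
            hits.append((ctype.decode("ascii"), value.decode("latin-1", "replace")))
    return hits


def make_sample_png(text_chunks=()) -> bytes:
    """Constructed 1x1 grayscale PNG; optional (type, body) text chunks go before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one grey pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in text_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = make_sample_png([(b"tEXt", b"Comment\x00constructed sample")])
    flagged = make_sample_png([(b"tEXt", b"profile\x00/tmp/example.txt")])
    print("clean:", find_profile_chunks(clean))      # []
    print("flagged:", find_profile_chunks(flagged))  # [('tEXt', '/tmp/example.txt')]
```

Run it against a suspect upload with find_profile_chunks(open(path, "rb").read()) and reject the file if the list is non-empty or a ValueError is raised. This is a compensating control for an unpatched convert, not a substitute for updating ImageMagick past the fixed release.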
🔝Escalation to Root
With this information I logged into the box via SSH. It took a second because of the formatting of the data received. Eventually I realized that it was combining the username/password.
Once on the box I tried sudo -l for a quick win and was told that I couldn't run sudo on the box. Next I pulled LinPEAS to the box and ran a full scan.
During the scan process I noticed a malwarescan.sh running, which definitely was not normal:
Reviewing the code I could see that it was a script which reads through the shrunk files it receives and, depending on whether a file is an Executable Script or Microsoft Executable, it will terminate. I also see a reference to binwalk, so I give it a Google and execute it on the local machine.
A short Google after finding the binwalk version provided me with the following: Exploit-DB – 51249. After downloading the python file to my machine I ran the following command:
I copied the file to the box and put it into the shrunk folder. I then renamed the file which executed the payload.