🔎🦶Enumeration/Foothold

Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP.

Within the initial enumeration I see the following, which shows a .git directory has been found –

Navigating to the website after changing my host file (sudo mousepad /etc/hosts) shows the following –

Pilgrimage website showing a image shrinker.

I use the git-dumper tool available here, GitHub – Git-Dumper, to grab the website's source code.

Navigating to the directory I notice magick right away, which has been used on other boxes (IslandDog – HTB Meta).

Reviewing the index.php file I am able to confirm that ImageMagick is being used with a convert command.

I use the ./magick command to grab the help menu and the -version flag to get the current version:

A short Google later I find an Exploit DB – 51261 link, which takes me over to GitHub – voidz0r/CVE-2022-44268. I used git clone to grab the repo and began running through the instructions. I hit a wall where cargo was not working/compiling correctly, so I pivoted and found this GitHub repo instead: GitHub – kljunowsky/CVE-2022-44268. I took a screenshot of the Pilgrimage logo and used it as my notpoisoned.png file.

I then uploaded the file and clicked Shrink. I ran the --url command to successfully see data exfiltrated –

I then re-did the process to grab the database file and obtain Emily's username/password. I had seen the presence of the database file within the previously highlighted index.php.

Of course, because I'm cursed in anything and everything I do, I received an error while decoding the image. I Googled around and found that if I fixed the following line in the file CVE-2022-44268.py by replacing unicode_ut8, it worked as intended for my use case.

🔝Escalation to Root

With this information I logged into the box via SSH. It took a second because of the formatting of the data received. Eventually I realized that it had combined the username/password.

Once on the box I tried sudo -l for a quick win and was told that I couldn’t run sudo on the box. Next I pulled LinPEAS to the box and ran a full scan.

During the scan process I noticed a malwarescan.sh running which definitely was not normal:

Reviewing the code I could see that it was a script which reads through each shrunk file it receives and, if the file is an Executable Script or Microsoft Executable, terminates it. I also saw a reference to binwalk, so I gave it a Google and executed it on the local machine.

A short Google after finding the binwalk version provided me with the following: Exploit-DB – 51249. After downloading the Python file to my machine I ran the following command:

I copied the file to the box and put it into the shrunk folder. I then renamed the file, which executed the payload.

Rooted.

Published On: April 3rd, 2024 / Categories: HTB, Technology