OSCP PREPARATIONS – HTB Meta

Meta is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan shows two open ports: 22/tcp (ssh, OpenSSH 7.9p1) and 80/tcp (http, Apache).
Since there is no known vulnerability on the ssh port, we enumerate port 80.

We looked through the page source, Wappalyzer, WhatWeb and the browser developer tools, but found nothing useful.
We scan for files and directories with Gobuster.

Since the file and directory scan turned up nothing, we run a subdomain scan with Wfuzz.

We find the subdomain dev01, add it to /etc/hosts and open it in the browser.

We enumerate dev01.artcorp.htb.

Click on Metaview.

Here MetaView shows the metadata of uploaded files.

When we tried to upload other file types such as txt or php, we received the error “File not allowed (only jpg/png).”
It displays the metadata of image files. Let’s change that metadata and see how it reacts to PHP code.

We did not see the Comment field in the output here.

The application reads this field and uses it internally.

We could see it in the Comment section.
Let’s see if there is a known vulnerability in ExifTool.

We download the exploit code from GitHub and run it on our machine.

We upload the modified file to the target machine and run it.

As you can see, the ls command executed. Now we write the payload that will give us a shell.

We created the file and uploaded it to the target machine, but we did not get a shell because there was no interaction, so we need a command that triggers it.
First, let’s find where wget is.

Then we wrote the command to call back to us, but it did not work. Let’s look at the exploits for this on GitHub.

We run this script and upload the resulting png file to the target.

We got a shell.

Since our privileges are limited, we perform local enumeration.

Here we read the contents of the bash script /usr/local/bin/convert_images.sh. We see that it uses mogrify (an ImageMagick command-line tool for resizing, blurring and cropping images).

Let’s see if there is a vulnerability in this version of ImageMagick.

We create the poc.svg file from https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html on our machine.

As you can see, it created a file named muhammed under /dev/shm. Next, we modify poc.svg so that it copies the ssh key of user Thomas into /dev/shm.

To obtain this file:

We changed that part and uploaded the file to the target machine again.
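Two weaknesses carried this path: the upload form only checked the jpg/png extension, and the cron script hands every file in its directory to mogrify with ImageMagick's default policy. The shell script below is an added example (not the write-up's code and not the machine's own convert_images.sh) of the defensive side: it accepts a file only when its leading bytes are a real PNG or JPEG signature, and it runs mogrify under a restrictive policy.xml passed through MAGICK_CONFIGURE_PATH that disables delegates and the PDF/PS/SVG/MSL coders. The directory paths and the script name are assumptions.

```shell
#!/bin/sh
# Added example: hardened image-processing wrapper (hypothetical replacement for a
# cron-driven convert_images.sh). Not the original machine's script.
# Paths are placeholders; override them in the environment.

POLICY_DIR="${POLICY_DIR:-/etc/convert_images/policy}"      # hypothetical
INPUT_DIR="${INPUT_DIR:-/var/www/uploads/convert_images}"   # hypothetical

# Return 0 when the file starts with a PNG or JPEG signature, 1 otherwise.
# The extension is ignored on purpose: an SVG or PDF renamed to .png fails here.
is_allowed_image() {
    sig=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a) return 0 ;;   # PNG: \x89 P N G \r \n \x1a \n
        ffd8ff*)          return 0 ;;   # JPEG: SOI marker FF D8 FF
        *)                return 1 ;;
    esac
}

# Write a policy.xml into directory $1 that leaves only plain raster decoding.
# Delegates (ghostscript and friends) are what turn a PDF/PS payload into a
# command; the text and vector coders can pull in further files or commands.
write_restrictive_policy() {
    mkdir -p "$1"
    cat > "$1/policy.xml" <<'EOF'
<policymap>
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
EOF
}

# Process every regular file in directory $1: log and skip anything that is not
# a genuine PNG/JPEG, resize the rest with mogrify under the restrictive policy.
process_dir() {
    write_restrictive_policy "$POLICY_DIR"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! is_allowed_image "$f"; then
            echo "rejected (not PNG/JPEG by signature): $f" >&2
            continue
        fi
        MAGICK_CONFIGURE_PATH="$POLICY_DIR" mogrify -resize 50% "$f"
    done
}

# Only act when invoked explicitly, e.g. from cron: convert_images_hardened.sh --run
if [ "${1:-}" = "--run" ]; then
    process_dir "$INPUT_DIR"
fi
```

The signature check is deliberately independent of the file name so the same function can sit in the upload handler's validation and in the batch job; the policy is written by the job itself so a missing or edited system-wide policy.xml cannot silently widen what mogrify will decode.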

We got the ssh key. Let’s save it as id_rsa right away and connect over ssh.
(Additional note: we first got an error when connecting. The dashes at the beginning and end of the ssh key had to be put back in their proper places; after that, we were able to connect.)

This gave us a shell and the user flag.
Since we do not have root privileges, we perform local enumeration.

Let’s check GTFOBins to see how we can get root through Neofetch.

When we try to use sudo here, it asks for a password, which we do not know.

However, when we run sudo -l, we see env_keep+=XDG_CONFIG_HOME, which means sudo preserves that variable from our environment.

Let’s try to manipulate the config file: that is, we create our own file and point neofetch at it as its config.

We created a conf file at a path with the same format and wrote a bash reverse shell inside it.

Then we run
XDG_CONFIG_HOME=/tmp/.myconfig sudo neofetch and get a shell with root privileges.
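The escalation works because sudo keeps XDG_CONFIG_HOME from the caller's environment, so neofetch reads a config file the caller controls. As an added example (not part of the original write-up), the script below audits a sudoers file, or captured sudo -l output, for env_keep entries that preserve variables of this kind. The list of variables it flags is this example's own assumption, not a complete catalogue, and the sample sudoers lines shown in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: find env_keep entries in sudoers that let the invoking user
# steer a program through its environment (config paths, loaders, interpreters).
# Not from the write-up. DANGEROUS_VARS is an assumed list, not exhaustive.

DANGEROUS_VARS='XDG_CONFIG_HOME XDG_DATA_HOME LD_PRELOAD LD_LIBRARY_PATH PYTHONPATH PERL5LIB BASH_ENV ENV'

# Read whitespace-separated variable names on stdin, print the dangerous ones
# one per line. Returns 1 if any were found, 0 if none.
flag_dangerous_vars() {
    found=0
    for var in $(cat); do
        for bad in $DANGEROUS_VARS; do
            if [ "$var" = "$bad" ]; then
                echo "$var"
                found=1
            fi
        done
    done
    return "$found"
}

# Audit a sudoers file ($1). Handles "env_keep = ..." and "env_keep += ..." on any
# Defaults form (Defaults, Defaults:user, Defaults@host) and strips optional quotes.
audit_sudoers_env_keep() {
    sed -n 's/^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*+\{0,1\}=[[:space:]]*//p' "$1" \
        | tr -d '"' | flag_dangerous_vars
}

# Audit a captured "sudo -l" listing ($1), where Defaults entries are printed
# comma-separated, e.g. "..., env_keep+=XDG_CONFIG_HOME".
audit_sudo_l_output() {
    grep -o 'env_keep[[:space:]]*+\{0,1\}=[[:space:]]*"\{0,1\}[^,"]*' "$1" \
        | sed 's/^env_keep[[:space:]]*+\{0,1\}=[[:space:]]*"\{0,1\}//' | flag_dangerous_vars
}

# Example use on a live system (reading /etc/sudoers needs root). With a
# constructed sudoers containing
#   Defaults        env_keep += "EDITOR VISUAL"
#   Defaults:thomas env_keep+=XDG_CONFIG_HOME
# the audit prints XDG_CONFIG_HOME and exits 1:
#   audit_sudoers_env_keep /etc/sudoers || echo "review env_keep settings"
```

The remedy for a finding is to drop the variable from env_keep and leave env_reset in place; if a program genuinely needs a custom config under sudo, point it at a root-owned file from the sudoers command itself rather than trusting the caller's environment.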
