Meta – HackTheBox Writeup
Machine Name: Meta
IP: 10.10.11.140
Difficulty: Medium
Summary
Meta is a machine that involves finding a virtual host and then exploiting a vulnerability in the web application. Once exploited, it gives us a limited shell as www-data. To obtain user, we enumerate further into background processes and how they are being run. Exploiting another vulnerability in the application, we gain access to files that would otherwise be unreadable. With that sensitive information, we gain access to the user shell and proceed to escalate privileges through a SUDO misconfiguration. It involves understanding how the SUDO-allowed binary runs and how an environment variable can be used to leverage the binary’s functionality to gain root privileges.
Information Gathering
I started by adding meta.htb to the hosts file and then performed an Nmap scan.
The SSH port is open and an Apache server is running on port 80.
The webpage at “http://meta.htb/” was redirecting to “http://artcorp.htb”. It would not open until I added “artcorp.htb” to the hosts file as well.
No leads in the webpage. I checked the source and even ran gobuster but didn’t find anything useful. Next, I ran gobuster to look for VHosts and I found “dev01.artcorp.htb”. I added that to my hosts file and went ahead to check the webpage.
It presented with a page directing to an application called “MetaView”.
This page takes an image and returns the metadata. I uploaded an image and it returned the following output.
This looks very similar to the output of exiftool.
It is exactly the same! There must be a way to get the application to execute our code. A quick Google search on “exiftool exploit” pointed me to this GitHub repository.
All I did was edit the IP to the attacker’s IP and change the port. After execution, it returns an image, and when I uploaded that image, it gave me a reverse shell on my netcat listener.
I was stuck here at www-data. I kept looking for information but couldn’t find anything useful. Then, I uploaded pspy64 to check the processes running.
The “/usr/local/bin/convert_images.sh” script runs every minute. Taking a closer look at the “convert_images.sh” script, it executes a binary called “mogrify” to convert images to PNG format.
I checked the mogrify application and looked at its version, hoping for it to be vulnerable.
Gaining User Shell
The version of ImageMagick is 7.0.10-36. A Google search for “imagemagick mogrify 7.0.10-36 exploit” resulted in a few PoCs, but the link that helped was this. Since the SSH port was open, I decided to obtain the private key and try to log in as thomas.
#poc.svg
<image authenticate='ff" `cat /home/thomas/.ssh/id_rsa > /dev/shm/key`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>
I followed the PoC and created a file “poc.svg” and moved it to “/var/www/dev01.artcorp.htb/convert_images/”.
After a few attempts, waiting for the convert_images.sh script to execute, the payload worked and I got the private key of user Thomas.
Next, I used this key to log in as Thomas and obtain the user flag.
chmod 600 key
ssh thomas@10.10.11.140 -i key
Privilege Escalation
First thing I always do is “sudo -l” or “uname -a”, and then run linpeas.
Thomas is allowed to run the neofetch binary as root. If we look closely, “XDG_CONFIG_HOME” is preserved as an environment variable. Google points me to the documentation, which says that XDG_CONFIG_HOME stores the location of the user-specific configuration directory. If it is either empty or not set, it defaults to $HOME/.config.
How do we exploit this?
Since we can write files in Thomas’s home directory and edit the config file, we can place a shell payload in the neofetch config file under Thomas’s home directory and run neofetch with sudo, so that the shell we obtain is root’s.
echo "/bin/bash" >> /home/thomas/.config/neofetch/config.conf
export XDG_CONFIG_HOME="$HOME/.config"
sudo /usr/bin/neofetch \"\"
Pwned!
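The root cause above is a sudo rule that lets a user run a binary as root while a variable that tells that binary where to read its configuration survives sudo. As an added defensive check that is not part of the original writeup, the script below audits sudoers text for exactly that combination; the sample rule is constructed to mirror the one described here and assumes the variable survives through an env_keep Defaults entry, which is what the sudo -l output implies.

```python
import re

# Constructed sample modelled on the writeup's sudo rule (not the machine's
# actual /etc/sudoers): env_keep lets XDG_CONFIG_HOME survive env_reset.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep+=XDG_CONFIG_HOME
root    ALL=(ALL:ALL) ALL
thomas  ALL=(root) NOPASSWD: /usr/bin/neofetch \\"\\"
"""

# Variables that steer where a program looks for its config files; a caller who
# controls one while it survives sudo controls what the root process loads.
CONFIG_PATH_VARS = {"XDG_CONFIG_HOME", "XDG_CONFIG_DIRS", "HOME"}

ENV_KEEP_RE = re.compile(r'^\s*Defaults\S*\s+env_keep\s*\+?=\s*"?([^"]*)"?\s*$')
USER_SPEC_RE = re.compile(
    r'^\s*(\S+)\s+\S+\s*=\s*\((root|ALL)[^)]*\)\s*(?:NOPASSWD:\s*)?(.+?)\s*$')

def kept_env_vars(sudoers_text):
    """Collect every variable name listed on an env_keep Defaults line."""
    kept = set()
    for line in sudoers_text.splitlines():
        m = ENV_KEEP_RE.match(line)
        if m:
            kept.update(m.group(1).split())
    return kept

def root_rules(sudoers_text):
    """Return (user, command) pairs for rules that may run a command as root."""
    rules = []
    for line in sudoers_text.splitlines():
        m = USER_SPEC_RE.match(line)
        if m and m.group(1) != "root":
            rules.append((m.group(1), m.group(3)))
    return rules

def audit_sudoers(sudoers_text):
    """Flag root-capable rules where a config-locating variable is preserved."""
    risky = kept_env_vars(sudoers_text) & CONFIG_PATH_VARS
    if not risky:
        return []
    return [{"user": user, "command": cmd, "kept": sorted(risky)}
            for user, cmd in root_rules(sudoers_text)]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} runs '{f['command']}' as root with {f['kept']} preserved")
```

The fix on a real host is to drop XDG_CONFIG_HOME (and HOME) from env_keep for that rule, or to stop granting root execution of binaries that source a user-writable config.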