CVE-2021-22204

June 11, 2022

Meta – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec CVE-2021-22204, exiftool, Gobuster, GTFObins, HackTheBox, HTB, htb-meta, ImageMagick, Infosec, Linux Box, mogrify, pspy, vhost, Writeup 0

Machine Name: Meta
IP: 10.10.11.140
Difficulty: Medium

Summary

Meta is a machine that involves finding a virtual host and then exploiting a vulnerability in the web application. Once exploited, it gives us a limited shell as www-data. To obtain user, we enumerate further into background processes and how they’re being run. Exploiting another vulnerability in the application, we gain access to files that would otherwise be unreadble. With that sensitive information, we gain access to the user shell and process to escalate privileges through a SUDO misconfiguration. It involves understand how the SUDO allowed binary runs and how an environment variable could be used to leverage the binary’s functionality to gain root privileges.