Pilgrimage
Let's run a port scan using Nmap:
Nmap indicates that port 22 (SSH service) and port 80 (Nginx HTTP server) are open. The HTTP response redirects to the domain http://pilgrimage.htb/. Let's add the following line to the file /etc/hosts:
The information on the website indicates that this webpage allows you to shrink uploaded images. It also allows you to register and log in. Before we create an account, let's test the file upload option.
After uploading an image file and clicking the Shrink button, we receive a link from which we can download the shrunken image:
After creating an account and logging in, we only get a dashboard with information about the files we have uploaded and shrunk:
Let's use Gobuster to enumerate hidden directories and files:
The Gobuster output shows that there is a .git directory containing a HEAD file. Being able to read the HEAD file indicates that we probably have access to the entire git repository. Additionally, the 200 status code for /index.php shows that this website uses PHP.
Let's try to clone the git repository to our attack machine:
The attempt to download the repository fails because we are asked for a password that we do not know. Let's look for another way to dump the contents of the repository. An Internet search indicates that the git-dumper tool can do this:
Let's install git-dumper:
Let's execute the following command to download the contents of the repository into a directory called pilgrimage:
The contents of the repository show that it mainly contains PHP source code and assets:
There is also a binary in this repository called magick. We can check its version using the following command:
From publicly available information we know that ImageMagick is free, open-source software for displaying, converting, and editing (including shrinking) raster and vector image files. The source code in the index.php file shows that this software is used to shrink the image:
This code snippet also shows that an SQLite database is used, created from the /var/db/pilgrimage file. Since we know the version of the ImageMagick software in use, let's check whether there are any vulnerabilities in it.
Vulnerability search results for ImageMagick 7.1.0-49 indicate a vulnerability that leads to an arbitrary file read. From the article describing this vulnerability, we learn that:
A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.
The cited article also indicates that whether an arbitrary file can be embedded in the PNG depends on whether the magick binary has permission to read it.
Since we know the location of the database file (/var/db/pilgrimage), we would like to download its contents. This exploit should allow us to prepare a malicious PNG file that returns the contents of that file:
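Because the file read is triggered by a textual chunk keyed "profile", an upload handler can reject such images before they ever reach magick. The check below is an added example (not code from the box, this write-up, or the linked exploit repository): it walks the PNG chunk structure, validates every CRC, and flags any tEXt/zTXt/iTXt chunk whose keyword is profile. The make_png helper only builds a constructed 1x1 fixture for exercising the check; it is not a real upload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data: bytes):
    """Yield (type, payload) per chunk; reject a bad signature, truncation or CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload):
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")

def text_keywords(data: bytes):
    """Keywords of all textual chunks (NUL-terminated Latin-1 per the PNG spec)."""
    return [p.split(b"\x00", 1)[0].decode("latin-1")
            for t, p in iter_chunks(data) if t in TEXT_CHUNKS]

def check_upload(data: bytes) -> str:
    """Verdict for an uploaded file before it is handed to magick."""
    try:
        keywords = text_keywords(data)
    except ValueError as exc:
        return f"rejected: {exc}"
    if any(k.lower() == "profile" for k in keywords):
        return "rejected: text chunk keyed 'profile'"
    return "accepted"

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

def make_png(text_chunks=()) -> bytes:
    """Constructed 1x1 grayscale PNG fixture (not a real upload) with optional tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    chunks = [_chunk(b"IHDR", ihdr)]
    chunks += [_chunk(b"tEXt", k + b"\x00" + v) for k, v in text_chunks]
    chunks += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)
```

A benign image with an ordinary Comment chunk passes, while a malformed file or one carrying a profile keyword is rejected before any shrinking happens.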
Let's download the generate.py script from the repository. We can generate a malicious.png image with the following command:
In the created image we can see that a payload has been added, which can allow us to read the file from the target:
Now let's upload the malicious.png file to the website, then open the preview of the shrunken image and download it. Let's save the shrunken image as malicious-shrunken.png. The ImageMagick documentation describes identify as a program that reports the format and characteristics of an image file; with the -verbose option it gives more information about the file.
We will use it to obtain detailed information about the downloaded image and save the output to a file malicious_data.txt:
According to the information in the repository, if the database file was read, its content should be in the Raw profile type field. This field in the malicious_data.txt file is not empty:
Now let's try to read it. First, let's remove the remaining fields with information about the file, leaving only the contents of the Raw profile type field. The beginning of the malicious_data.txt file should then look as follows:
The data in the malicious_data.txt file is in hexadecimal format. So let's prepare a short Python script that removes the newlines in the file, converts the hexadecimal text into binary, and saves the result as the database file. The content of the prepared hex_to_binary.py script is as follows:
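The same step can be done without trimming the file by hand. The decoder below is an added example and not the write-up's own hex_to_binary.py; it assumes identify -verbose prints the Raw profile type value as a short header (profile name and decimal byte count) followed by hex lines of 72 characters, collects those lines, decodes them, and checks for the SQLite 3 header that the file command later recognizes. The identify_like helper and SAMPLE_BLOB are constructed stand-ins for that layout, not real output from the box.

```python
import re

HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 database

def raw_profile_hex(identify_output: str) -> str:
    """Return the joined hex text that follows the 'Raw profile type' property.

    Assumed layout: after the 'Raw profile type' line come a profile name and a
    decimal byte count, then the data as 72-character hex lines (the last one may
    be shorter), ending at the next 'key: value' property.
    """
    hex_lines, in_profile = [], False
    for line in identify_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Raw profile type"):
            in_profile, hex_lines = True, []
            continue
        if not in_profile:
            continue
        # The byte-count header is decimal (so also valid hex); a real data line is
        # 72 chars, and only after the first data line may a shorter one follow.
        if HEX_LINE.match(stripped) and (len(stripped) == 72 or hex_lines):
            hex_lines.append(stripped)
        elif hex_lines:
            break
    return "".join(hex_lines)

def decode_raw_profile(identify_output: str) -> bytes:
    """Binary contents of the raw profile, i.e. the file ImageMagick read."""
    hex_text = raw_profile_hex(identify_output)
    if len(hex_text) % 2:
        raise ValueError("odd number of hex digits in raw profile")
    return bytes.fromhex(hex_text)

def looks_like_sqlite(blob: bytes) -> bool:
    """Same check the file command makes: the SQLite 3 magic string."""
    return blob.startswith(SQLITE_MAGIC)

def identify_like(blob: bytes) -> str:
    """Constructed sample in the assumed identify -verbose layout (not real output)."""
    hexed = blob.hex()
    lines = [hexed[i:i + 72] for i in range(0, len(hexed), 72)]
    return ("  Properties:\n    Raw profile type: \n\n" + f"{len(blob):>8}\n"
            + "\n".join(lines) + "\n    date:create: 2023-01-01T00:00:00+00:00\n")

SAMPLE_BLOB = SQLITE_MAGIC + bytes(range(24))  # constructed 40-byte stand-in for the database
```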
Then let's execute the prepared script to obtain the pilgrimage.sqlite file containing the database. The file command recognizes pilgrimage.sqlite as an SQLite 3.x database:
We will then open the database using DB Browser for SQLite. In the users table we find credentials for the user emily:
Let's try to log in with these credentials via SSH:
We have successfully logged in as the user emily.
The user flag can be obtained from /home/emily/user.txt.
We will use LinPEAS to find possible privilege escalation paths:
The linpeas.sh file can be downloaded from the LinPEAS repository. Let's download it to the attacking machine and then start a Python HTTP server on the selected port:
Then, on the target machine, use curl to download the file and execute it with the bash shell:
The LinPEAS results contain information about a nonstandard malwarescan.sh script:
This script is running as root:
Let's analyze the content of this script:
This script uses inotifywait to watch for changes to files in the /var/www/pilgrimage.htb/shrunk/ directory. When a new file is created there, its name is extracted using tail and sed. Then information about the file is gathered using binwalk. If that information contains the strings Executable script or Microsoft executable, the file is removed. Let's check the version of binwalk used on this machine:
Let's check whether the returned binwalk version has any known vulnerabilities.
The version of Binwalk on our target appears to be vulnerable to CVE-2022-4510. A path traversal vulnerability exists in Binwalk versions 2.1.2b to 2.3.3. Exploitation of this vulnerability may lead to remote code execution. It can be exploited when binwalk is run with the -e option, i.e. in extraction mode.
Because the malwarescan.sh script runs as root and runs binwalk with the -e option, passing binwalk a malicious file containing a payload that enables code execution should cause that code to be executed with root rights as well. An Internet search for how to exploit the CVE-2022-4510 vulnerability leads us to the following repository:
The code in this repository should allow us to generate a PNG image containing reverse shell code. After uploading the malicious image to the /var/www/pilgrimage.htb/shrunk/ directory, the file should be checked by the malwarescan.sh script, i.e. by binwalk. Running binwalk on the malicious image should give us a reverse shell as root.
Clone the contents of the repository:
Let's go to the directory containing the repository. To use the exploit, let's prepare an example PNG file, in our case penguin.png. Then run the walkingpath.py script, providing the reverse option, the prepared PNG image, the IP address of the attacking machine, and the port number on which we will listen:
After executing the script, a file binwalk_exploit.png should appear in this directory, containing a malicious payload that allows us to obtain a reverse shell. The reverse shell payload has been appended to the end of the image:
Let's run a listener on the port set in the malicious PNG file:
Let's start a Python HTTP server so that binwalk_exploit.png can be downloaded from the attacking machine:
Then let's download the file to the target machine:
In the listener, we get a reverse shell:
Let's upgrade our reverse shell:
We got a reverse shell as root:
The previous steps lead us to the root user. The root flag can be obtained at /root/root.txt.