HackTheBox — Meta write-up

Subhajit
5 min readJun 13, 2022
meta

Meta is a medium difficulty rated linux box. It is retired now but I solved it when it was active. Even though it is labeled as medium difficulty, I found it pretty straightforward. It requires exploiting one ExifTool vulnerability to get into the system and using another CVE to get the user’s ssh private key. Privilege escalation is pretty simple.

Recon

Machine IP is 10.10.11.140. As always, first I ran Nmap,

nmap -sC -sV -oN nmap 10.10.11.140

nmap result

It gave me results and it showed that we have two ports open, 22 for ssh and it says it is a Debian box. Port 80 for HTTP service was redirecting to http://artcorp.htb and indicated that it is running an Apache server.

I added artcorp.htb to my hosts config file.

Visiting the website (TCP port 80) is a simple static website. It is a simple apache page. At the bottom of the page, there are team members and their names which could be user names. Nothing else is interesting.

http://artcorp.htb

Ran gobuster to find directories, but the gobuster doesn’t seem to find anything interesting.

gobuster dir -u http://artcorp.htb -w ../wordlist/directory-list-2.3-medium.txt

gobuster result

At this point, I didn’t know what to do. So I thought of finding other subdomains which might lead to something. so I ran fuff to find subdomains and found one subdomain name- dev01

ffuf -w ../wordlists/SecLists/Discovery/subdomains-top1million-20000.txt -u http://artcorp.htb -H “Host: FUZZ.artcorp.htb" -mc 200

ffuf result/subdomain enumeration

I added subdomain dev01.artcorp.htb to my hosts config file and visited the subdomain, and discovered a file upload point where we can upload images and get metadata.

so I tried to upload a reverse shell script to get a reverse shell but only images are accepted. so I thought to put a reverse shell script in the image to get a reverse shell, but I noticed the output of the application -

I immediately recognized the output style, it is similar to the ExifTool output style. That means the application is taking the uploaded image and runs ExifTool on that and returns the output.

since I didn’t know any ExifTool vulnerability, I searched on google and it returned a lot of results related to CVE-2021–22204.

CVE-2021–22204

Opened the GitHub link and read the README to understand how to use the exploit. It was pretty straightforward.

Foothold

Cloned the Github repo. In the exploit.py file, changed the IP with my local machine’s IP and PORT with the port I want to get a shell on.

Then ran exploit.py and it updated the image.jpg.

setup a netcat listener on the port 1337

nc -lnvp 1337

then uploaded the image.jpg and we got a reverse shell on our netcat listener-

User

we got the reverse shell, but can’t read the user flag. we have to log into the machine as user thomas -

ran pspy as www-data and noticed that a shell script called convert_images.sh running as a cronjob.

It seemed an interesting file, so looked at the script— it goes into /var/www/dev01.artcorp.htb/convert_images/ directory and runs mogrify to convert all files into png files.

since it uses mogrify, searched for any possible vulnerabilities. after a little bit of google search, I found a CVE on their official website.

The way to exploit this vulnerability is to upload an SVG to the /dev/shm directory of the machine and then copy it to /var/www/dev01.artcorp.htb/convert_images/. That SVG will have a command to copy thomas ‘s ssh private key and put it in a file in /dev/shm directory.

poc.svg

after some time, got the id_rsa -

id_rsa

download it to my local machine, and ssh-ed into the machine as user thomas

ssh -i id_rsa thomas@10.10.11.140

Root

First thing first, typed sudo -l command to check sudo permission of the user. I saw thomas user can run neofetch as root.

sudo -l result

Also noticed that, $XDG_CONFIG_HOME was set. $XDG_CONFIG_HOMEdefines the base directory relative to which user-specific configuration files should be stored. So we can change the configuration file to escalate our privilege to root.

we can put our reverse shell script to config.conf which is in /home/thomas/.config/neofetch directory.

rev shell script in print_info()

then exported thomas user’s .config to the base config env path.

export XDG_CONFIG_HOME="$HOME/.config"

Now, when neofetch gets executed as root, the root user’s config won’t be used but instead will be used thomas user’s config.

setup a netcat lister at 8080 port

nc -lnvp 8080

then run the neofetch as root

sudo /usr/bin/neofetch \"\"

And, got a shell as root.

root shell

If you have any questions, you can ask them in the comment or you can DM me on Twitter.

I will be posting more write-ups for HackTheBox Linux boxes as soon as they retire. Until then, keep being awesome.

--

--

Subhajit

InfoSec researcher, and a little bit developer.