Meta was a Medium difficulty Linux box created by Nauten. Initial foothold on the box was to find RCE in exiftool and uploading the modified image with payload to get a shell we get a shell as www-data. Running pspy we see an cron running every minute with a script running we upload a modified svg and we get a shell as user. Rooting the box was pretty simple with just modifying the XDF_CONFIG_HOME and running neofetch with sudo and we get a shell as root.
Running nmap we find
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
# Nmap 7.92 scan initiated Sun Jan 23 08:30:42 2022 as: nmap -sC -sV -oN nmap/meta 10.129.140.72 Nmap scan reportformeta.htb (10.129.140.72) Host is up (0.31s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA) | 256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA) |_ 256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519) 80/tcp open http Apache httpd |_http-title: Did not follow redirect to http://artcorp.htb |_http-server-header: Apache Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jan 23 08:31:03 2022 -- 1 IP address (1 host up) scanned in 20.56 seconds