Pilgrimage is a Linux machine hosting an image shrinker application that uses the ImageMagick software for image processing. However, the version of ImageMagick is vulnerable to local file inclusion (CVE-2022-44268). This vulnerability can be exploited by embedding the contents of arbitrary files on the server into an uploaded image, resulting in unauthorized access to the system. This LFI vulnerability can be used to gain SSH credentials and get the initial foothold on the system. System monitoring with pspy can lead to the discovery that binwalk is used to analyze embedded data within uploaded files, this can be leveraged to exploit an RCE vulnerability within binwalk (CVE-2022-4510) and get a root shell.
nmap scan:
Open ports:
- 22 (SSH)
- 80 (HTTP)
- git repository found
Browsing to the IP redirected to pilgrimage.htb so I added that to /etc/hosts. Visiting the webpage brought up an application that allows users to upload an image and shrink it:
Since the nmap results mentioned a .git repository, I used git-dumper to download it:
git-dumper http://pilgrimage.htb/.git website
After viewing the website files, the magick file seemed worth taking a closer look at:
magick was an executable for ImageMagick which is software used for editing and manipulating images. I did a google search for "imagemagick vulnerability" and found this PoC for CVE-2022-44268.
To run the exploit, first I installed the dependencies:
I ran pngcrush to specify an image to use for embedding the contents of /etc/passwd. This will set the textual chunk type (tEXt) to have the keyword of profile and value of /etc/passwd:
I confirmed that the newly generated pngout.png contained the correct textual chunk type (tEXt):
Then, I uploaded pngout.png to the website, visited link and saved the image on my machine so that I could view the embedded content.
identify allowed me to view the image metadata:
A hex dump was embedded within the metadata:
I saved the hex data in a file called etc-passwd.hex and used xxd and strings to extract printable strings. The output was the /etc/passwd file:
Within the application code I noticed a reference to a sqlite database file, /var/db/pilgrimage:
So, I repeated the exploit steps to read the contents of this file:
Uploaded the image to the application and saved it on my machine.
Ran identify to get image metadata:
Saved the hex dump into a file called var-db-pilgrimage.hex:
I used xxd and strings to extract printable strings:
The resulting output of /var/db/pilgrimage contained user credentials which I used to SSH into the system:
This is where the user flag can be found (/home/emily)
Next, I downloaded pspy onto the machine to check what processes ran as I interacted with the application:
After attempting to upload files of different types, I noticed a process that used binwalk when I attempted to upload a file named test.php.png. So, I did a google search for "binwalk vulnerability" which brought me to this article on snyk Vulnerability DB for CVE-2022-4510: Directory Traversal in binwalk
The article mentions an exploit for RCE which affects binwalk v2.3.2: CVE-2022-4510 Exploit Database
I checked the version running on the machine, confirming that it was vulnerable:
So, I ran the exploit which takes three arguments:
- Input image
- IP
- Port
Running the exploit.py script will generate a new image called binwalk_exploit.png with embedded code that will establish a reverse shell connection on the specified IP and port when the image is downloaded onto the target machine.
Next, I started a local python http server as well as a listener with netcat.
Downloaded binwalk_exploit.png onto the target machine within the /var/www/pilgrimage.htb/shrunk directory:
Once the image was downloaded, I caught a root shell:
