Pilgrimage Notes

Pilgrimage Report

---

Information gathering

---

Scope: 10.10.11.219/32 (Linux)

Open ports:

22/ssh (Secure shell protocol):

• Banner grabbing:
  • netcat: OpenSSH_8.4p1 Debian-5+deb11u1

80/http (Hypertext transfer protocol)

• Banner grabbing:
  • netcat:
    • Server: nginx/1.18.0
  • whatweb:
    • RedirectLocation [http://pilgrimage.htb/]
  • curl:
• Firefox: “A free online image shrinker. Create an account to save your images!”
  • Interesting path:
    • href=”login.php”
    • href=”logout.php”
    • href=”register.php”
  • Account created:
    • Username: marss123
    • Password: marss123
    • Save image function:
      • Name: (Probably hash generated by upload time)
        • http://pilgrimage.htb/shrunk/64cebf “2ea9b1f.jpeg”
        • http://pilgrimage.htb/shrunk/64cebf “d9543a9.jpeg”
  • Directory Fuzzing:
    • .git (403 forbidden):
      • /config
      • Download git folder: Not permissions
      • Fuzzing
    • Manual enumeration:
      • Locate last commit of proyect: (HEAD)
      • Examine the current commit:
        • Ruby
          • Reverse: (sha1sum)
        • Python
        • Author: emily@pilgrimage.htb (probably system user)
        • Content:
        • Git modes: https://krishnabiradar.com/blogs/deconstructing-a-git-commit/
          • 100644 for a normal file
          • 100755 for an executable file
          • 040000 for a directory
          • 120000 for a symbolic link
        • Download required files to create a valid git repository (.git)
          • HEAD
          • Head object and respective tree
          • master branch
          • We can reconstruct more git objects with same process:
            • Then we can extract objects content with bash:
          • With python we can extract hash of tree object, only we need to convert some ascii to hexadecimal: (compare with previous image)
    • Automate process
      • Gitdumper.sh https://github.com/internetwache/GitTools/tree/master/Dumper

Vulnerability assessment

---

• File magick(executable) on git enumeration:
  • Used for?
    • Use the magick program to convert between image formats
  • Used on current web server: http://10.10.11.219:80
• Magick file (CVE-2022-44268):
  • Hackerone https://hackerone.com/reports/1858574
  • PoC https://www.vicarius.io/blog/cve-2022-44268-arbitrary-remote-leak-in-imagemagick

Exploitation

---

• Python script: (CVE-2022-44268)
  • references: https://stackoverflow.com/questions/9036152/insert-a-text-chunk-into-a-png-image/51058689?noredirect=1#comment93319814_51058689
• Search interesting files to read:
  • dashboard.php, index.php, login.php (database file path)
  • Sqlite db dump with previous script to read files and download too:
    • Credentials: emily:abigchonkyboi123

Post-exploitation

---

• Initial persistence: SSH key-pair generation (~/.ssh/authorized_keys)
• Vulnerable version Binwalk binary (CVE-2022-4510):
  • Research: https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk/
  • Plugin creation binkwalk:https://github.com/ReFirmLabs/binwalk/wiki/Creating-Custom-Plugins#plugin-activation
• Monitor script: /usr/sbin/malwarescan.sh
  • /usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/: this command listen for events when a file/dir is created on specific path (only files CREATED: IMPORTANT)
• To exploit process:
  • create image with malicious plugin and download on target path: /var/www/pilgrimage.htb/shrunk/

Lateral movement

---

Proof of concept

---

---