Today I decide to create the HackTheBox Meta WriteUp, is a medium machine running Linux released on 22 Jan 2022.
sudo rustscan -a 10.129.17.37 --I’ve started scanning the machine using rustscan and detect two open ports, 22 and 80
Port 22 is running SSH I move on and start scanning port 80.
On port 80 we have a webserver and we can notice the domain used on title tag and add it to the /etc/hosts file.
echo '10.129.17.37 artcorp.htb' >> /etc/hostsOn the index page we have a simple website, and I found nothing investigating the source code.
Search Directories on Port 80
Searching for new directories result
dirsearch -u http://artcorp.htb
Enumerate Virtual Hosts
wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://artcorp.htb/" -H "Host: FUZZ.artcorp.htb" --hl 154
open http://dev01.artcorp.htb/metaview/
Get a Reverse Shell – CVE-2021-22204
After spending more than 20m thinking and analyzing the the page I notice the answer was in front of me! Metadata!
git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.gitsudo apt install djvulibre-bin exiftool
Edit the exploit.py file and add your IP and Port from your listener.
Start your listener and run the exploit
rlwrap -cAr nc -lvnp 4430python3 exploit.pyEscalate Privileges to User
https://github.com/Hood3dRob1n/CVE-2016-3714
Escalate Privileges to R00t
$XDG_CONFIG_HOME defines the base directory relative to which user-specific configuration files should be stored.
Description
