Pilgrimage is an EASY machine from the Hack The Box platform. In it we will discover a exposed git folder in the http server. By examining the web page and the repository files, we will find a way to exploit a vulnerability in a binary used by the web to perform an LFI and thus view the contents of a database. In it we will find the credentials of a user that we will use to gain access to the system. Finally we will use a known vulnerability for a binary that is called by a process executed by root to elevate our privileges.

Enumeration

Let’s start by scanning with nmap the TCP ports of the target machine:

nmap -p- -sS --min-rate 5000 10.10.11.219 -n -Pn -vvv -oG allPorts

nmap reports that ports 22(ssh) and 80(http) of the target machine are open.

Let’s perform a more exhaustive scan of these ports to see if we can find out the service and version running on each of them:

nmap -p22,80 -sCV 10.10.11.219 -oN targeted

It appears that the OpenSSH service is running on port 22. If we look up the version on Launchpad, it looks like we are looking at Ubuntu 21.04 Hirsute Hippo.

On the other hand, port 80 is running the nginx service (version 1.18.0). In addition, the scan has reported the existence of the domain http://pilgrimage.htb. Let’s add it to our /etc/hosts file:

We will repeat the exhaustive scan, as it can sometimes yield extra information if the necessary domains are added.

Well indeed, the scan now reports the .git directory, something that can become quite critical. Let’s use the git-dumper utility to download all the files from this exposed repository:

git-dumper http://pilgrimage.htb/ git

So far we have downloaded the files, but we don’t really know what we are dealing with, so it’s about time to list the http service a bit:

whatweb http://pilgrimage.htb

The whatweb tool has not provided us with any remarkable information, so we are going to view the page using the web browser.

At first glance we see what looks like a form to upload files. And the content gives us to understand that it is an image hosting page.
In the source code of the page we found nothing useful. Let’s navigate through the different sections of the page:

Let’s register a user:

Apparently now we have at our disposal a Dashboard where, presumably, the images we upload will appear.

Let’s do an upload test:

Will it let us upload any type of file? Let’s try uploading a php file that returns a reverse shell:

Well no, it seems that it only works by uploading images.

It is possible that the repository we downloaded earlier contains the files from this web page. If so, we could see why it is not letting us upload the .php file and, thus, we may find a way to force the upload.

From what we can see in the code of the index.php file, a command using the magick binary is being executed. Let’s try it and see what it is:

Apparently it is the binary of a program called ImageMagick and the version is 7.1.0-49. We will look to see if there are any known exploits for this version of this binary:

We see that there is a vulnerability registered for this version of ImageMagick. Let’s take a look at the PoC instructions:

https://github.com/voidz0r/CVE-2022-44268

Let’s follow the steps below to see if we can extract the information from /etc/passwd on the target machine:

Yes, we have succeeded. We can see that there are two users with a bash: root and emily.

If we investigate in the rest of the files, we see that in the dashboard.php there is a mention of a Sqlite database located in /var/db/pilgrimage.
If we perform the same steps, but this time to reveal the contents of this database we can see the following: