HTB Linux Easy: Pilgrimage

Pilgrimage is an Easy rated Linux machine on HTB.

Nmap

(screenshot: Nmap scan output)

Initial foothold

The site redirects to pilgrimage.htb, so add the domain to the hosts file.

Website: (screenshot of the landing page)

In the Nmap scan we find an exposed .git repository; we can retrieve the contents of the .git directory using git-dumper.

Looking through the files we find an outdated version of ImageMagick that is being used to convert the images. This version of ImageMagick is vulnerable to LFI (local file inclusion), CVE-2022-44268.

In login.php we find the path of the file used for database credentials, /var/db/pilgrimage. Using the previously mentioned vulnerability we can retrieve this file and get some credentials.

Create the payload.

Upload and retrieve the file, then use the identify command to get more information.

Convert the hex found in “Raw profile type” to UTF-8: emily:abigchonkyboi123.
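A defensive counterpart to the step above, added here as an example and not part of the original writeup: CVE-2022-44268 is triggered by a PNG text chunk whose keyword is "profile", so an upload handler can reject or quarantine such images before they reach ImageMagick. The inspector below parses the PNG chunk stream (verifying each CRC rather than trusting the declared lengths), reads the keyword of every tEXt, zTXt and iTXt chunk, and reports any keyed "profile"; the sample images, file path and `constructed_png` helper are constructed test data, not files from the box.

```python
"""Flag PNG files carrying a text chunk keyed "profile" (the CVE-2022-44268 trigger).

Added defensive example, standard library only; not code from the Pilgrimage writeup.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt"}  # the three keyword-bearing chunk types


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for each chunk, checking bounds and CRC as we go."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:end]
        (stored_crc,) = struct.unpack(">I", png[end:end + 4])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored_crc
        yield ctype, data, crc_ok
        pos = end + 4
        if ctype == b"IEND":
            break


def text_chunk_value(ctype: bytes, data: bytes) -> bytes:
    """Return the (decompressed) text of a tEXt/zTXt/iTXt chunk."""
    _keyword, _, rest = data.partition(b"\x00")
    if ctype == b"tEXt":
        return rest
    if ctype == b"zTXt":
        return zlib.decompress(rest[1:])  # one compression-method byte, then zlib stream
    # iTXt: compression flag, compression method, language tag, translated keyword, text
    compressed = rest[0:1] == b"\x01"
    rest = rest[2:]
    _lang, _, rest = rest.partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    return zlib.decompress(text) if compressed else text


def find_profile_keywords(png: bytes) -> list:
    """One finding per text chunk whose keyword is 'profile' (matched case-insensitively,
    the conservative choice). A finding with value None means the text was undecodable,
    which is itself worth flagging."""
    findings = []
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype not in TEXT_CHUNK_TYPES:
            continue
        keyword = data.partition(b"\x00")[0]
        if keyword.lower() != b"profile":
            continue
        try:
            value = text_chunk_value(ctype, data)
        except zlib.error:
            value = None
        findings.append({"chunk": ctype.decode("ascii"), "value": value, "crc_ok": crc_ok})
    return findings


def constructed_png(text_chunks) -> bytes:
    """Constructed test data: a valid 1x1 grayscale PNG plus the given extra chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", idat)
    for ctype, data in text_chunks:
        body += build_chunk(ctype, data)
    return PNG_SIGNATURE + body + build_chunk(b"IEND", b"")


# Constructed samples: an ordinary image and one carrying the trigger keyword.
BENIGN = constructed_png([(b"tEXt", b"Comment\x00holiday photo")])
SUSPECT = constructed_png([
    (b"tEXt", b"Comment\x00holiday photo"),
    (b"tEXt", b"profile\x00/constructed/sample/path"),  # placeholder value, not a real target
])

if __name__ == "__main__":
    for name, png in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_profile_keywords(png))
```

Run it on a real upload with `find_profile_keywords(open(path, "rb").read())`; a non-empty result is reason to reject the file before any ImageMagick conversion runs. The check is cheap enough to sit in front of every upload, and because it walks the chunk stream itself it also catches the keyword in zTXt and iTXt chunks, which a naive `grep` for `profile` on compressed text would miss.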

SSH as emily.

Priv Esc

Linpeas output: (screenshot)

The malware.sh script uses a deprecated and vulnerable version of binwalk.

Create payload

Use the Python script to generate a payload image.

Gain shell

Set up an nc listener and transfer the payload into the /shrunk folder on the target host.

You should now have a shell as the root user.

User.txt

(screenshot: user.txt)

Root.txt

(screenshot: root.txt)

Pwned

(screenshot: machine marked as pwned)

Sources

This post is licensed under CC BY 4.0 by the author.