Image
Nmap Scan
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.178
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-11 12:53 +08
Nmap scan report for 192.168.158.178
Host is up (0.0061s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: ImageMagick Identifier
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.66 seconds
Initial Access
Port 80
There is a website that is running on port 80.

If we upload any image file, the site returns the version of ImageMagick that processed it.

RCE vulnerability
After some searching online, we find an exploit tied to that version.
We first encode the payload into base64.

Then we use base64 decoding to get our reverse shell.
Finally, we start the listener and upload the image file to trigger the reverse shell.

Privilege Escalation
SUID for strace
When searching for strace, we see that the SUID bit is set on the strace binary.

Upon further searching, we find a privilege escalation vector for this binary.
Following the steps there, we get a root shell.
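As an added defensive example (not part of this writeup), a POSIX shell audit that lists setuid binaries under a given tree, flags the ones that can run commands on behalf of the caller such as strace, and strips the bit from a flagged file; the list of risky names is an assumption kept deliberately short.

```shell
#!/bin/sh
# Added audit helper, not code from the writeup or the box.
# RISKY is an assumption: binaries that, when setuid root, let any user
# run commands as root (strace is the vector used on this box).
RISKY="strace gdb ltrace"

# find_suid DIR -> every regular file under DIR with the setuid bit set
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# flag_risky_suid DIR -> only the setuid files whose basename is in RISKY
flag_risky_suid() {
    find_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for r in $RISKY; do
            if [ "$name" = "$r" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# remediate_suid FILE -> clear the setuid bit; returns 0 only if it is gone
remediate_suid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Usage: sh audit.sh /   (prints flagged setuid binaries, fixes nothing)
if [ "$#" -ge 1 ]; then
    flag_risky_suid "$1"
fi
```

Run it as a cron or configuration-management check rather than by hand; a flagged path should be reviewed before remediate_suid is applied, since some setuid binaries (passwd, sudo) are expected.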