In this post, I would like to share a walkthrough of the Meta machine from Hack The Box.
This room is considered a medium-difficulty machine on Hack The Box.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-28-at-09.51.26.png)
What will you gain from the Meta machine?
For the user flag, you will need to abuse the ExifTool exploit through the image upload on the machine.
As for the root flag, you need to abuse neofetch to obtain a root shell on the machine.
Information Gathering on Meta Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-24-at-12.19.06-1024x492.png)
From the nmap result, there are two open ports: SSH and HTTP.
Let’s access the website interface.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-24-at-12.18.38-1024x524.png)
Sadly, the website shows a “page not found” error.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-24-at-12.20.53-1024x557.png)
After we have added the domain to our /etc/hosts file, we finally get a proper website interface.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-24-at-12.21.04-1024x448.png)
However, we didn’t find anything interesting on the website that we could make use of.
Let’s enumerate the website by using gobuster.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-08.37.07-1024x699.png)
Nothing stands out in the gobuster result.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-08.36.46-1024x406.png)
Let’s look for subdomains of the website.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-08.32.43-1024x360.png)
We found a simple page on the dev01.artcorp.htb website, with a link on it labelled “MetaView”.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-08.32.51-1024x539.png)
Once we have successfully accessed MetaView, we are presented with an upload page.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.20.28-1024x411.png)
Gaining Privileged Access on Meta Machine
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.20.22-1024x607.png)
Sadly, the attempt fails, as the page only allows jpg/png files.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.23.32-1024x628.png)
The output is something that I have seen recently while doing some forensic activity.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.24.25-1024x434.png)
The screenshot above shows the output of ExifTool.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-08.18.25-1024x595.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-08.19.24-1024x840.png)
We can download the exploit by using the command git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-28-at-18.26.58-1024x470.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.42.35-1024x174.png)
Next, we execute the Python file from the GitHub repository that we cloned earlier.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.42.55-1024x114.png)
The script creates an image file, which we will upload later on.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.43.12-1024x186.png)
Let’s start our nc listener on our own attacker machine.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.43.34-1024x625.png)
We then upload the image.jpg that was created by the Python file previously.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.44.18-1024x301.png)
As a result, we should receive the reverse shell connection back to us.
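As an added example (not part of the original walkthrough or of the exploit repository), here is a defender-side upload check for the weakness abused above. CVE-2021-22204 sits in ExifTool's DjVu handling, so DjVu structures inside the metadata of a file that claims to be a JPEG are a strong signal. The function names and sample byte strings are constructed for illustration, and only JPEG is handled.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"                # IFF header that opens DjVu data
ANNOTATION_CHUNKS = (b"ANTa", b"ANTz")  # DjVu annotation chunk ids
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}  # APP0..APP15 and COM

def jpeg_segments(data):
    """Yield (marker, payload) for every segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing JPEG SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:              # SOS: compressed pixels follow, stop
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def djvu_findings(data):
    """List metadata segments embedding DjVu data, with annotation chunks seen."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker in METADATA_MARKERS and DJVU_MAGIC in payload:
            chunks = [c.decode() for c in ANNOTATION_CHUNKS if c in payload]
            findings.append((f"0x{marker:02X}", chunks))
    return findings

def should_reject(data):
    """Reject uploads that are malformed or carry DjVu data in metadata."""
    try:
        return bool(djvu_findings(data))
    except ValueError:
        return True

def _segment(marker, payload):          # helper to build the constructed samples
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: structure only, no real image data and no payload.
_SOS_EOI = b"\xff\xda\x00\x02\xff\xd9"
CLEAN = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + _SOS_EOI
SUSPECT = b"\xff\xd8" + _segment(
    0xE1, b"Exif\x00\x00" + DJVU_MAGIC + b"\x00\x00\x00\x14DJVUANTa\x00\x00\x00\x04test") + _SOS_EOI

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, should_reject(blob), djvu_findings(blob))
```

This is a heuristic pre-filter only; the fix itself is to run ExifTool 12.24 or later, where CVE-2021-22204 is patched.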
Establish a proper shell
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.44.44-1024x102.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.44.55-1024x139.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.45.25-1024x71.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.45.39-1024x142.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.45.53-1024x82.png)
The screenshots above show the steps to obtain a proper shell.
Maintaining Privileged Access
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.46.23-1024x146.png)
While roaming inside the server, I noticed that there’s a folder in /var/www/dev01.artcorp.htb called convert_images.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.47.07-1024x183.png)
There is an sh file that looks weird, to me at least.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-09.47.21-1024x123.png)
From the script, I notice that there’s a method that we can take advantage of with this file.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-10.01.48-1024x190.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.05.55-1024x230.png)
The content of the file will be something like what is shown above.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-10.03.05-1024x62.png)
Let’s cp the file into /var/www/dev01.artcorp.htb/convert_images/.
Then, let’s wait for a while because the cron job will take care of the rest. It will take a few minutes, after which you can obtain the SSH id_rsa key in /dev/shm.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.15.00-1024x319.png)
We successfully access the machine via the SSH service using the id_rsa key that we obtained in the previous step.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.15.09.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.15.17.png)
We can read the user flag by running the command “cat user.txt”.
Escalate to Root Privileges Access
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.15.29-1024x122.png)
As usual, we can run the command “sudo -l” to see if there is anything we are allowed to run with sudo that we can abuse.
Sadly, I have no knowledge of some of the commands shown above, so let’s do some research on them.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-08.21.31-1024x741.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-08.22.56-1024x593.png)
I managed to find some information about XDG, including some directories such as those highlighted above.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-09.04.06-1024x595.png)
I found some information related to neofetch, as shown above.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-09.02.27-1024x407.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-09.02.36.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-09.02.44.png)
Some information is stored inside /home/thomas/.config/neofetch.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-27-at-09.03.11-1024x949.png)
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.17.43-1024x527.png)
We run the commands above to try to obtain a root shell, but the attempt fails.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.20.42-1024x556.png)
My bad! We need “sudo” so that it can execute properly.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.20.50.png)
Uwu! We have finally obtained a root shell.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.21.02.png)
We can read the root flag by running the command “cat root.txt”.
-THE END-
Happy Learning Guys!
Extra Information on Meta Machine
We can read /etc/shadow so that we can unlock and read the write-up.
![](https://threatninja.net/wp-content/uploads/2022/01/Screenshot-2022-01-25-at-14.21.28-1024x466.png)