HackTheBox - Meta

00:00 - Introduction
00:55 - Start of nmap
03:10 - Running a VHOST enumeration scan
04:00 - Discovering the Metaview image upload application
04:50 - Attempting to exploit the file upload by uploading non-images
07:00 - Editing the EXIF metadata to put PHP tags in the image; still failing to get code execution, but finding XSS
09:00 - Looking for public exploits against ExifTool
10:10 - Creating a malicious image for CVE-2021-22204, the DjVu exploit against ExifTool
15:00 - Reverse shell returned, examining the application
18:30 - Discovering the Convert_images directory, using grep to find out if anything uses it, and finding a script
20:30 - Finding that the convert_images script uses an old copy of mogrify, which uses ImageMagick and has a vulnerability
21:30 - Exploiting CVE-2020-29599 in mogrify/ImageMagick
28:50 - Our user can run neofetch with sudo, and XDG_CONFIG_HOME is preserved. Exploiting it by planting a malicious config
