Enumeration

Nmap

The initial Nmap scan revealed that the SSH and HTTP ports were open.


Web Enumeration

Visiting the website revealed an ImageMagick application.


I uploaded a random image file, which revealed the version of ImageMagick: 6.9.6-4.


Exploitation

CVE-2023-34152 (Up to ImageMagick 7.1.1.11)

A vulnerability was found in ImageMagick. This security flaw causes a remote code execution vulnerability in OpenBlob with --enable-pipes configured.

Searching this version revealed this CVE number. Further searching showed that there was an exploit available.


I simply ran the exploit. It created a malicious PNG file.


Uploading it gave us a www-data shell.


I then got the local flag in /var/www.


Privilege Escalation

Strace SUID

Running SUID checks with the command below revealed that strace had SUID privileges.

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null


So I simply followed the steps given in GTFOBins and got root.
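
From the defender's side, the same find check can be run as a recurring audit. The following is an added example, not part of the original write-up: a POSIX shell function that lists SUID files and flags names that should never carry the bit. The function name audit_suid and the watchlist are assumptions for illustration; only strace comes from this box.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID files and flag risky ones.
# WATCHLIST is a constructed, illustrative list of tracers, debuggers,
# interpreters and editors; extend it to match your own baseline.
WATCHLIST="strace ltrace gdb bash sh python3 perl find vim"

# audit_suid DIR [OWNER]
#   Prints "FLAG <path>" for SUID files whose name is on the watchlist
#   and "ok   <path>" for every other SUID file owned by OWNER (default root).
#   Returns 1 if at least one file was flagged, 0 otherwise.
audit_suid() {
    dir=$1
    owner=${2:-root}
    flagged=0
    # Same predicate as the write-up's command, limited to regular files
    # and to one filesystem (-xdev) so /proc and network mounts are skipped.
    list=$(find "$dir" -xdev -type f -user "$owner" -perm -4000 2>/dev/null || true)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=$(basename "$path")
        case " $WATCHLIST " in
            *" $name "*)
                echo "FLAG $path"
                flagged=1
                ;;
            *)
                echo "ok   $path"
                ;;
        esac
    done <<EOF
$list
EOF
    return "$flagged"
}

# Stand-alone use: sh audit_suid.sh --scan /   (script name is hypothetical)
if [ "${1:-}" = "--scan" ]; then
    audit_suid "${2:-/}" root
fi
```

A flagged entry is remediated by clearing the bit (chmod u-s on the reported path) and checking how it was set in the first place, since package updates or provisioning scripts may reapply it.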
