HackTheBox - Meta

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Introduction 00:55 - Start of nmap 03:10 - Running a VHOST enumeration scan 04:00 - Discovering the Metaview application which is an image upload 04:50 - Attempting to exploit the file upload, uploading non images. 07:00 - Editing the exif metadata to put PHP tags in the image, still failing to get code execution but find XSS 09:00 - Looking for public exploits against exiftool 10:10 - Creating a malicious image with CVE-2021-22204 against ExifTool, DjVu exploit 15:00 - Reverse shell returned, examining the application 18:30 - Discovering Convert_images directory, using grep to find out if anything uses it and finding a script 20:30 - Finding the convert_images script uses an old copy of mogrify which uses image magic and has a vulnerability 21:30 - Exploiting CVE-2020-29599 in mogrify/image magic 28:50 - Our user can run neofetch with sudo, and XDG_CONFIG_HOME is preserved. Exploiting it by putting a malicious config

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

How Modern Anti-Bot Systems Detect Automation Before HTML Loads

Learn how modern anti-bot systems detect automation before HTML loads and why it matters for web security

Dev.to · Annabelle

Best Proxy Providers for Businesses and Developers

Learn how to choose the best proxy provider for your business or development needs based on key factors like IP quality and scalability

Medium · Cybersecurity

SOC as a Service: A Smarter Approach to Cybersecurity

Learn about SOC as a Service, a smarter approach to cybersecurity that helps businesses stay ahead of threats

Medium · Cybersecurity

Can You Be Hacked in Just 5 Minutes? - NareshIT

Learn how to protect yourself from cyberattacks that can happen in just 5 minutes and why cybersecurity matters

Medium · Cybersecurity

Chapters (13)

Introduction

0:55 Start of nmap

3:10 Running a VHOST enumeration scan

4:00 Discovering the Metaview application which is an image upload

4:50 Attempting to exploit the file upload, uploading non images.

7:00 Editing the exif metadata to put PHP tags in the image, still failing to get c

9:00 Looking for public exploits against exiftool

10:10 Creating a malicious image with CVE-2021-22204 against ExifTool, DjVu exploit

15:00 Reverse shell returned, examining the application

18:30 Discovering Convert_images directory, using grep to find out if anything uses

20:30 Finding the convert_images script uses an old copy of mogrify which uses image

21:30 Exploiting CVE-2020-29599 in mogrify/image magic

28:50 Our user can run neofetch with sudo, and XDG_CONFIG_HOME is preserved. Exploit

I Built an AI Cybersecurity Research Factory (for CTFs & Vulnerabilities)