HTB CDSA
Certified Defensive Security Analyst by Academy. Get started now!
Machine Synopsis
Meta is a medium difficulty Linux machine that focuses on two different CVEs ([CVE-2021-22204](https://nvd.nist.gov/vuln/detail/cve-2021-22204) and [CVE-2020-29599](https://nvd.nist.gov/vuln/detail/CVE-2020-29599)) in ExifTool and ImageMagick, which can be exploited at different stages. Foothold is obtained by uploading a maliciously crafted file to a web application that reads image metadata, in order to trigger Remote Command Execution in ExifTool. Command injection in ImageMagick is then exploited to move laterally to a second user. Finally, privileges can be escalated due to an `env_keep` setting in `sudo` that allows attackers to run arbitrary commands as `root` by setting a custom configuration directory in an environment variable.
Machine Matrix