In this write-up, I will demonstrate how to exploit a remote code execution (RCE) vulnerability in the popular ExifTool program. Then, we will capture the Windows security log and analyze the logs. Finally, we will use privilege escalation to reverse engineer a simple ELF file.
We will be attacking the Investigation training machine from the Hack The Box site. Its difficulty level is rated as medium.
Note: It is highly recommended to connect to machines on HTB only via a Virtual Private Network (VPN). Do not attempt this from a computer containing important data, as you will be connected to a shared network with other participants.
Intelligence Gathering
Port Scanning
Add the machine’s IP address to /etc/hosts:
10.10.11.197 investigation.htb
Then, run a port scan.
Port scanning is a standard first step in any attack. It allows the attacker to identify which services on the host are accepting connections. Based on this information, the attacker can select the next step to gain entry. The most well-known scanning tool is Nmap. You can improve its performance with the following script:
#!/bin/bash
ports=$(nmap -p- –min-rate=500 $1 | grep ^[0-9] | cut -d ‘/’ -f 1 | tr ‘\n’ ‘,’ | sed s/,$//)
nmap -p $ports -A $1
It works in two steps. The first one performs a normal quick scan, the second one performs a more thorough scan using the available scripts (option -A).
According to the scan results, we have only three open ports:
22 – OpenSSH 8.2p1 service;
80 – Apache web server 2.4.41;
1234 – Python 3.8.10 web server.
It makes no sense to go to SSH, port 1234, apparently, was opened by another player in order to download files from the server, so it remains only to go to the web server on port 80. And there, as reflected in the http-title, a redirect is made to http://forenzics.htb. Add this domain to /etc/hosts and view the site.
10.10.11.197 investigation.htb forenzics.htb
Point of Entry
On the site, we find a service for image analysis and a form for uploading the analyzed file.
When attempting to upload a file other than an image, we get an error. This means that loading a PHP shell will not work right away. Then, we upload the image in PNG format and get a link to the finished report.
The report is the normal output of the ExifTool program.
However, we found out the version of the program – 12.37. This is already a good lead.
