HackTheBox Investigation is a Linux machine rated Medium that is flawed with vulnerable and outdated components (A06:2021), injection (A03:2021) and insecure design (A04:2021).
Attack Chain: The attack on this machine begins with identifying a vulnerable tool (ExifTool) affected by command injection. The attacker then combs through the box to find a stored file that leads to the discovery of a login credential. The privilege escalation is caused by a poorly implemented binary written in C that downloads and runs a remote script as root.
Initialization
Enumeration
Exploration
Explored the site and visited the discovered web paths. /upload.php hints at image upload functionality but appears broken even before any image has been uploaded. service.html, however, has the upload button. Select any png or jpg image of choice and upload it. The site analyses the image and returns an ExifTool report of the image's metadata.
A Google search for 'exiftool 12.37 exploit' returned this result. ExifTool before 12.38 treats a file name ending in | as a command to run and read output from (Perl's pipe-open form) instead of a file to open; this is CVE-2022-23935, fixed in 12.38. The idea is therefore to upload an image whose file name ends in |, so that the text before the pipe is executed when the report is generated, and to use that command to fetch and run a shell payload hosted on the attacking machine. The command must fit in a file name, so it cannot contain a slash; encoding the real payload (for example with base64) and decoding it inside the injected command works around that.
Exploitation
Open Evolution, click 'New', attach the .eml file and 'Save as Draft'. Then click 'Drafts' to read the contents. You can now download evtx-logs.zip.
Escalation
Click 'New Project' -> select 'Non-Shared Project' -> enter a project name -> click 'Finish'. Navigate to File and click 'Import File…' to import the binary. Double-click the filename, then click 'Yes' and 'Analyze' to start the analysis. In the left pane, double-click 'Functions' under the 'Symbol Tree' section, then locate and click 'main'. The decompiled main is C code whose main function takes two parameters, an integer "param_1" (argc) and a long "param_2" (argv). The program exits if "param_1" is not equal to 3, if the caller's UID (obtained with getuid()) is not 0, or if the string at "param_2 + 0x10" (the second command-line argument) is not "lDnxUysaQn". If all the checks pass, it downloads the URL given at "param_2 + 8" (the first command-line argument) with curl_easy_perform(uVar3) into a file named after the second argument, runs that file with perl, and then deletes it.
(screenshot: decompiled binary)
A detailed look at the code:
- Terminate execution if the argument count is not three, the user running the binary is not root, or the second argument (at "param_2 + 0x10") is not "lDnxUysaQn".
- Open, with fopen, a file named by the string at "param_2 + 0x10" in "wb" (write binary) mode and assign the resulting file stream to __stream.
- Initialise a cURL session with curl_easy_init() and assign the handle to uVar3. Set CURLOPT_URL to the string at "param_2 + 8" (the first argument) with curl_easy_setopt(uVar3,0x2712,*(undefined8 *)(param_2 + 8)), CURLOPT_WRITEDATA to the file stream with curl_easy_setopt(uVar3,0x2711,__stream), and CURLOPT_FOLLOWLOCATION to 1 with curl_easy_setopt(uVar3,0x2d,1). Perform the transfer with curl_easy_perform(uVar3) and assign the return code to iVar2.
- If the return code is 0, indicating success, use snprintf to write the filename at "param_2 + 0x10" into a malloc'd null-terminated string (__s), and the command "perl ./filename" into a second malloc'd string (__s_00).
- Close the file stream with fclose(__stream), clean up the cURL session with curl_easy_cleanup(uVar3), set the user ID to 0 with setuid(0), run "perl ./filename" with system(__s_00) and "rm -f ./lDnxUysaQn" with system("rm -f ./lDnxUysaQn") to delete the file, and finally return 0. If the return code is not 0, indicating failure, print "Exiting…" and terminate the program.
The only gate between a caller and root code execution is a constant string compiled into the binary, which strings(1) reveals; the URL is caller-supplied, so whatever it serves is executed by perl as root.
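To make the control flow above concrete, here is a readable C reconstruction of the logic the decompilation describes. This is an added example, not the machine's binary or its source: the download step execs the curl command-line tool instead of calling libcurl's curl_easy_* API so the file compiles without libcurl headers, the argument checks are split into a function that takes the UID as a parameter so they can be exercised without being root, and the names checks_pass, build_perl_command and fetch_url_to_file are this example's own.

```c
/* Added example: a readable reconstruction of the control flow shown by
 * the Ghidra decompilation of the escalation binary. Not the machine's
 * own code. The download uses the curl CLI via fork/exec instead of
 * libcurl (an assumption of this example, made so it builds without
 * libcurl headers); the real binary calls curl_easy_init/setopt/perform. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constant compared with strcmp against argv[2] (param_2 + 0x10). It is
 * baked into the binary, so strings(1) reveals it: it is not a secret. */
#define TOKEN "lDnxUysaQn"

/* The three guards at the top of main(): wrong argc, non-root caller, or
 * token mismatch means "Exiting...". uid is a parameter so the logic can
 * be exercised without running as root. Returns 1 when execution continues. */
int checks_pass(int argc, char **argv, uid_t uid)
{
    if (argc != 3)
        return 0;
    if (uid != 0)
        return 0;
    if (strcmp(argv[2], TOKEN) != 0)
        return 0;
    return 1;
}

/* Equivalent of the snprintf()/malloc() pair that builds "perl ./<name>"
 * into __s_00. Returns the length the command needs, like snprintf. */
int build_perl_command(char *buf, size_t n, const char *name)
{
    return snprintf(buf, n, "perl ./%s", name);
}

/* Stand-in for the fopen("wb") + CURLOPT_WRITEDATA + curl_easy_perform()
 * sequence: fetch url into path with the curl CLI (example assumption).
 * -L mirrors CURLOPT_FOLLOWLOCATION=1; -f makes HTTP errors fail like a
 * non-zero CURLcode. Returns 0 on success, non-zero otherwise. */
int fetch_url_to_file(const char *url, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("curl", "curl", "-fsSL", "-o", path, url, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(int argc, char **argv)
{
    if (!checks_pass(argc, argv, getuid())) {
        fputs("Exiting...\n", stderr);
        return 1;
    }
    const char *url = argv[1];  /* param_2 + 8 */
    const char *name = argv[2]; /* param_2 + 0x10, always equal to TOKEN here */

    if (fetch_url_to_file(url, name) != 0) {
        fputs("Exiting...\n", stderr);
        return 1;
    }

    char cmd[64];
    if (build_perl_command(cmd, sizeof cmd, name) >= (int)sizeof cmd)
        return 1;

    /* The escalation primitive: whatever the caller-supplied URL served is
     * now executed by perl as root. Passing the checks only proves the
     * caller knows a string that is readable from the binary itself. */
    if (setuid(0) != 0)
        return 1;
    int rc = system(cmd);
    if (rc == -1)
        return 1;
    rc = system("rm -f ./" TOKEN);
    return rc == -1 ? 1 : 0;
}
```

Run as root (on the box that happens through whatever lets the low-privileged user execute the binary with UID 0, which the decompiled getuid() check requires) with a URL as the first argument and lDnxUysaQn as the second, the program fetches the URL into ./lDnxUysaQn, runs it with perl as root, and removes it. Nothing about the URL is validated, which is the whole flaw.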
Exfiltration
Let's exfiltrate the binary and investigate the flaws in its code.
Remediation
Fixing the Foothold Vector
Staying within the context of the app, we will simply upgrade ExifTool to a patched version (12.38 or later) and confirm it with exiftool -ver.
Fixing the Privilege Escalation Vector
I am not sure there would be a realistic scenario where such a binary is coded for use in a system. I am not an expert yet in binary reverse engineering and remediation. I have, however, included lots of resources herein for further consultation.
References
- Binary Reverse Engineering - Pwn College
- Reverse Engineering - Pwn College (YouTube)
- Introduction to Reverse Engineering: objdump and onlinedisassembler.com - Paladin Group, LLC
- Functions - Perl Doc
- How to Run a Shell Script from a Perl Program - Stack Overflow
- cURL setopt - Louisiana University
- Pwn Zero To Hero