Cron


A cron job has been identified, and its execution flow was captured.

www-data@exfiltrated:/opt$ ll
total 16K
4.0K drwxr-xr-x  3 root root 4.0K Jun 10  2021 .
4.0K -rwxr-xr-x  1 root root  437 Jun 10  2021 image-exif.sh
4.0K drwxr-xr-x  2 root root 4.0K Jun 10  2021 metadata
4.0K drwxr-xr-x 20 root root 4.0K Jan  7  2021 ..

Alongside a directory, metadata, there is a Bash script, image-exif.sh.

image-exif.sh


www-data@exfiltrated:/opt$ cat image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 
 
echo -ne "\\n metadata directory cleaned! \\n\\n"
 
 
IMAGES='/var/www/html/subrion/uploads'
 
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
 
echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE 
done
 
echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

This is a simple Bash script that collects metadata. It does that by:

  • listing the entries in the /var/www/html/subrion/uploads directory whose names contain "jpg"
  • running exiftool on each matching file
  • naming the output file with 5 random bytes rendered as hex characters (openssl rand -hex 5)
  • appending the exiftool output to that file in the /opt/metadata directory

exiftool


www-data@exfiltrated:/opt$ exiftool -ver
11.88

The installed exiftool instance is version 11.88.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ searchsploit exiftool
------------------------------------------ ---------------------------------
 Exploit Title                            |  Path
------------------------------------------ ---------------------------------
ExifTool 12.23 - Arbitrary Code Execution | linux/local/50911.py
------------------------------------------ ---------------------------------
Shellcodes: No Results
------------------------------------------ ---------------------------------
 Paper Title                              |  Path
------------------------------------------ ---------------------------------
ExifTool Djvu Code Execution - Paper      | docs/english/49881-exiftool-djvu
------------------------------------------ ---------------------------------

There is an RCE exploit for exiftool 12.23. Given that the target exiftool instance is older, the exploit might still be viable.
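From the defender's side, the script and version findings above point at three controls: do not parse uploaded files as root, gate on the exiftool version, and select input by content instead of `ls | grep "jpg"`. The sketch below is an added example, not the script found on the target; the function names are hypothetical, and treating every version at or below 12.23 as flagged is an assumption taken from the searchsploit entry on this page.

```bash
#!/bin/bash
# Added example (not the script from the target): safer input handling for
# a metadata-collection job like image-exif.sh.

# Assumption: treat any exiftool at or below the version named in the
# searchsploit entry on this page as needing an upgrade before use.
FLAGGED_VERSION='12.23'

# True when version $1 <= version $2 (GNU sort -V ordering).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True when the file starts with the JPEG magic bytes FF D8 FF.
is_jpeg() {
    [ "$(head -c 3 -- "$1" | od -An -tx1 | tr -d ' \n')" = 'ffd8ff' ]
}

# Print regular, non-symlink *.jpg / *.jpeg files in $1 that really are JPEGs.
# A glob replaces `ls | grep "jpg"`, which also matches names like jpg_notes.txt.
select_images() {
    for f in "$1"/*.jpg "$1"/*.jpeg; do
        [ -f "$f" ] && [ ! -L "$f" ] && is_jpeg "$f" && printf '%s\n' "$f"
    done
    return 0
}

# collect_metadata IMAGES_DIR META_DIR
collect_metadata() {
    if [ "$(id -u)" -eq 0 ]; then
        echo 'refusing to parse uploaded files as root' >&2; return 1
    fi
    ver=$(exiftool -ver) || return 1
    if version_le "$ver" "$FLAGGED_VERSION"; then
        echo "exiftool $ver is at or below $FLAGGED_VERSION; upgrade first" >&2
        return 1
    fi
    logfile=$(mktemp "$2/exif.XXXXXXXXXX") || return 1
    select_images "$1" | while IFS= read -r img; do
        exiftool "$img" >> "$logfile"
    done
}

# Run only when both directories are given, e.g. from a non-root user's crontab.
if [ "$#" -eq 2 ]; then collect_metadata "$1" "$2"; fi
```

The magic-byte check only narrows what reaches the parser; the version gate and the non-root check are the controls that matter.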