This box consist of several vulnerabilities:

  • Command Injection - Used a vulnerability in exiftool that allowed me to run arbitrary code.
  • Leaked Credentials - Then we found the .msg file which contained an event logs from a Windows machine where we found the credentials for user smorton. I wasted a lot of time an effort to figure that one out, so don’t be discouraged when you can’t find it in the first 5 mins.
  • Sudo commands - We then found the mysterious /usr/bin/binary file that we could use sudo with and that led us to analyze it further where we found that it accepts 2 arguments, and it downloads a file, saves it with a specific name and runs it using perl.