PC
HackTheBox PC writeup by Thamizhiniyan C S
Last updated
Greetings everyone,
In this write-up, we will tackle PC from HackTheBox.
Machine link: PC
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
rustscan -a 10.10.11.214
nmap -A -T4 -p 22,50051 -Pn <IP>
From the results of rustscan, we can see that two ports are open. One is SSH and the other is unknown.
Port | Service | Version/Technology
---|---|---
22 | SSH | OpenSSH 8.2p1
50051 | - | -
If we take a look at port 50051, it returns some data which is unrecognised. On further research about port 50051, I found the following: https://grpc.io/. Port 50051 is running the gRPC service, a Remote Procedure Call (RPC) framework developed by Google.
On searching further for exploits for this service, I found this writeup:
from which I found the following tool:
After installing the tool, run the following command: grpcui -plaintext 10.10.11.214:50051
And also from the above write-up, I inferred that this service might be vulnerable to SQL Injection.
Now visit the grpcui Web UI hosted at [http://127.0.0.1:43021](http://127.0.0.1:43021) [ Note: The port number might differ in your case ]
We can see that the gRPC service is a SimpleApp with register, login and getinfo features.
I first registered a new user.
username: something
password: something
Successfully created a user with the name something
Next I tried to log in with the created user.
Successfully logged in!!! We got the id and the token for the user something. Note the id and token.
Now I tried the getinfo feature. I used the id and token that we noted in the previous step.
My request was successful, but there were no details in the response; instead it was an empty object.
Now we are able to successfully send requests to the getinfo feature. The id value in the getinfo tab might be vulnerable to SQL injection. So I tried the getinfo function again, but this time I captured the request with Burp Suite and saved the request as a file.
Now using the saved request file, I used sqlmap to check for SQL injection using the following command:
From the output of sqlmap, we can see that the id parameter is vulnerable to SQL injection, and that the database used by the gRPC service is SQLite.
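To make the bug class sqlmap reported above concrete, here is an added example (not the box's actual service code) of a toy getinfo lookup against SQLite: the id is pasted into the query text in the vulnerable version and bound as a parameter in the hardened one. The table name, columns and sample rows are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the service's SQLite database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "admin", "secret-admin-pw"), (2, "something", "something")],
    )
    return db


def getinfo_vulnerable(db, user_id):
    """Vulnerable: the client-supplied id becomes part of the SQL text, so the client
    controls what query actually runs."""
    sql = f"SELECT username, password FROM accounts WHERE id = {user_id}"
    return db.execute(sql).fetchall()


def getinfo_safe(db, user_id):
    """Hardened: the id is a bound parameter, so SQLite treats it as a value, never as SQL."""
    return db.execute(
        "SELECT username, password FROM accounts WHERE id = ?", (user_id,)
    ).fetchall()


def getinfo_validated(db, user_id):
    """Belt and braces at the RPC boundary: getinfo only ever needs an integer id."""
    if not isinstance(user_id, int):
        raise ValueError("id must be an integer")
    return getinfo_safe(db, user_id)


if __name__ == "__main__":
    db = make_db()
    tampered = "2 OR 1=1"  # tautology: the WHERE clause becomes always-true
    print(getinfo_vulnerable(db, 2))          # one row, as the developer intended
    print(getinfo_vulnerable(db, tampered))   # every account, other users' passwords included
    print(getinfo_safe(db, tampered))         # [] : the string is compared as a value and matches nothing
```

Logging the case where a bound-parameter lookup receives a non-integer id is a cheap detection signal for this endpoint.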
Now we can dump the database using the following command:
From the results of sqlmap, we have found a new credential:
username: sau
password: HereIsYourPassWord1431
I tried to log in via SSH using the above credentials and got in.
I listed out the current directory and found the user flag.
In the current directory, I also found the following tools:
chisel - A fast TCP tunnel over HTTP.
linpeas.sh - A script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.
I first ran linpeas.sh, looking for privilege escalation vectors.
From the output of linpeas.sh, we can see that /usr/bin/bash has the SUID bit set on it.
If you check GTFOBins (https://gtfobins.github.io/gtfobins/bash/#suid), we can use the command bash -p to escalate our privileges to root.
To learn more about SUID, check out: https://thamizhiniyancs.notion.site/SUID-3f467c4031c44d7d926eef3e1bff60fb?pvs=4
We have successfully escalated our privileges.
From the output of linpeas.sh, we can see that a service is running on port 8000 locally on the target machine.
We can use chisel to create a proxy/tunnel to access this service from our local machine/attack box.
To do that we need the same version of chisel on both the attacking and the target machine.
First, let's check the chisel version available on the target machine.
The target machine has chisel version 1.8.1.
Download the same version of chisel on your attacking machine.
Now from the attacking machine run the following command to create the chisel server:
chisel server -p 9001 --reverse
Next on the target machine run the following command to setup the client and also to port forward the internal service:
chisel client <HTB_tunnel_IP>:9001 R:5000:localhost:8000
Once you run the above command, if you check the server, you can see that the connection is established.
Now on the attack machine, go to localhost:5000 to take a look at the service running on the target machine.
You can see that pyload is running on the target machine on port 8000 internally.
From another terminal, I logged in via SSH to the target machine as sau to check the version of pyload running.
The version of pyload running is 0.5.0. On searching for exploits for this version of pyload, I found the following website: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad , which showcased the RCE vulnerability on this version of pyload.
We have found the exploit. Now we can modify it to our needs and run the exploit.
Note: The above exploit can execute only one command at a time. Don’t try to chain a series of commands, it won’t work. Run the commands one by one.
First we are going to create a rev.sh shell file on the target machine in any directory; in this case we are using the /tmp directory. To do this, run the following modified exploit:
If we run the above exploit, we can see that an error is thrown.
But if we open another terminal, log in to the target machine via SSH as sau and check the /tmp directory, we can see that a rev.sh file has been created with root permissions.
Now we have to give all users read, write and execute permissions on the file, since its owner is root. To do this, use the following exploit:
After executing the above command, if you check the file permissions of the rev.sh file, you can see that all users have all permissions.
Now we can edit the rev.sh file. Add the following content to the rev.sh file to create a reverse shell.
Don't try to execute the reverse shell from the target machine, as you will get the reverse shell only with the privileges of sau, since the rev.sh file is executed by that user.
Before executing the reverse shell, start a netcat listener on the attacking machine.
Now run the following command to execute the reverse shell as root:
After executing the above command, check the netcat listener that you created.
We have successfully obtained the reverse shell with root privileges.
And we have successfully obtained the root flag.
Thank You……