HackTheBox :: PC
Creator: sau123
Machine URL: https://app.hackthebox.com/machines/PC
Difficulty: Easy
Initial enumeration
We start with an nmap scan:
Just two ports are open:
- TCP 22 for OpenSSH
- TCP 50051 is an unknown service
There is not much choice here on how to proceed. Let’s identify the service running on 50051.
Identifying the service on TCP 50051
First, we attempt to communicate with the server with netcat:
The server doesn’t send us any human-readable information.
Let’s hex-dump the data we get.
A quick Google search for TCP "00 00 18 04" gives us a bunch of gRPC errors. Those bytes are an HTTP/2 frame header (length 0x18, type 0x04 = SETTINGS), which is the first thing a gRPC server sends on a new connection.
gRPC client
I will use grpc-client-cli but any client should be fine.
We can communicate with the server now.
Exploring SimpleApp
Available methods:
RegisterUser
We can register with the app.
LoginUser
On login we get the id in the response (286 in this case) and what looks like a JWT token in the trailers.
getInfo
Let’s add the token that we received from LoginUser to the token header.
Poking around
Now that we have seen and interacted with every functionality that SimpleApp offers us, we can attempt to find some unusual behavior.
We have an admin ID of 1.
ID 2 doesn’t seem to exist.
ID 2-1 returns the entry for ID 1.
This might be a sign of a SQL Injection…
And it is one!
SQLite Injection in SimpleApp/getInfo
After attempting to identify the DBMS with various payloads, we find that it’s SQLite:
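To show why the 2-1 probe above works and how the handler should be written instead, here is an added illustration that is not SimpleApp’s code: a hypothetical getInfo handler that splices the id into the SQL text next to a version that validates and binds it. The table name, columns and rows are constructed stand-ins.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for SimpleApp's user table (hypothetical schema).
    # Note there is no row with id 2, matching the "ID 2 doesn't seem to exist" observation.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "admin", "<placeholder>"), (3, "sau", "<placeholder>")],
    )
    return conn

def get_info_vulnerable(conn, user_id):
    # The id arrives as a string from the RPC message and is pasted into the query.
    # SQLite evaluates "2-1" as arithmetic, so the lookup silently matches id 1:
    # that is the unusual behaviour that gives the injection away.
    sql = f"SELECT username FROM accounts WHERE id = {user_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def get_info_fixed(conn, user_id):
    # Reject anything that is not an integer, then bind the value as a parameter.
    # The database now receives the id as data, never as part of the SQL text.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute(
        "SELECT username FROM accounts WHERE id = ?", (uid,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "2", "2-1"):
        print(probe, "->", get_info_vulnerable(db, probe), "|", get_info_fixed(db, probe))
```

Run stand-alone it prints the vulnerable and fixed results side by side; the fixed handler returns nothing for "2-1", so the arithmetic probe no longer distinguishes a live ID from a dead one.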
Enumerating tables
Getting usernames and passwords
We get the credentials for user sau. The password is reused and we can SSH with it.
Foothold as sau
Grab the flag in user.txt located in sau’s home directory.
Enumeration
Let’s check the listening TCP ports:
Interesting ports – 8000 and 9666
pyLoad is running on both ports.
Let’s get the version of pyLoad and search for known vulnerabilities.
After a quick search, we find a Code Injection CVE-2023-0297 advisory on pyLoad’s GitHub.
Privilege Escalation to root – CVE-2023-0297
The advisory also contains a link to Proof of Concept: https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
Payload
We will just add the SUID bit to the bash binary.
URL encoded:
Exploitation
Success!
Get root by executing bash -p and grab root.txt.