Hack The Box - Jarvis

Quick Summary

Hey guys, today Jarvis retired and here’s my write-up about it. It was a nice easy box with a web application vulnerable to SQL injection, a python script vulnerable to command injection and a setuid binary that could be abused to get a root shell. It’s a medium box and its ip is 10.10.10.143, I added it to /etc/hosts as jarvis.htb. Let’s jump right in!

Nmap

As always we will start with nmap to scan for open ports and services:

We got ssh on port 22 and http on port 80. Let’s take a look at the web service.

Web Enumeration

By visiting http://jarvis.htb/ we get a website for a hotel called Stark Hotel:

I ran gobuster to check for any sub directories and the only interesting thing I found was /phpmyadmin:

http://jarvis.htb/phpmyadmin

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users, permissions, etc) can be performed via the user interface, while you still have the ability to directly execute any SQL statement. -phpmyadmin.net

That can be useful later if we could find the credentials, but for now let’s concentrate on the web application.

SQLi in room.php

Back to the “Rooms & Suites” section in the main page, clicking on any of these rooms requests /room.php with a parameter called cod that holds the room number:

I tried replacing the number with a single quote ' and I got a weird response:

So I ran sqlmap but I got a 404 response:

I checked the page again and saw a message indicating that I got banned for 90 seconds:

I assumed that it checks for the user-agent because the ban happened immediately, so I added the --user-agent option and used Firefox user-agent, that was enough to bypass the filter:

RCE –> Shell as www-data

I could get RCE in 2 different ways.

First way:

By using the os-shell option in sqlmap:

From here we can simply execute a reverse shell command and get a shell.

Second way:

I used the --passwords option to dump the users’ password hashes:

I got the password hash for DBadmin, I cracked it with crackstation:

Then I tried these credentials (DBadmin : imissyou) with phpmyadmin and I got in:

From the SQL console we can write a web shell:

I used the netcat openbsd reverse shell payload from PayloadsAllTheThings to get a reverse shell, I had to url-encode it first:

Now we have a shell as www-data:

Command Injection in simpler.py –> Shell as pepper –> User Flag

I checked the home directory and there was a user called pepper, I couldn’t read the user flag as www-data:

By running sudo -l I saw that I can run /var/www/Admin-Utilities/simpler.py as pepper without a password:

Let’s take a look at that script:

The most interesting function in this script is exec_ping:

It takes our input (it assumes that it’s an ip) and executes ping on it, to prevent command injection it checks for these characters:

However, It doesn’t check for the dollar sign ($), the dollar sign can be used to execute commands like this: $(command)
So for example if we do ping -c 1 $(echo 127.0.0.1), echo 127.0.0.1 will be executed first then the ping command will be executed: ping -c 1$(whoami) will result in an error message because it will try to ping root which is not a valid hostname:

So we can simply do \$(bash) and we’ll get a shell:

When I ran commands I didn’t get any output:

So I executed a reverse shell command (I used the same payload I used before) and got a reverse shell as pepper:

We owned user.

Systemctl: suid –> Root Shell –> Root Flag

When I checked the suid binaries I saw systemctl:

systemctl may be used to introspect and control the state of the “systemd” system and service manager. -man7.org

To verify that it can be abused I checked gtfobins and found a page for it.
We need to create a service that executes a file of our choice when it starts, then we’ll use systemctl to enable and start it and the file will get executed as root.
I created a service that executes /dev/shm/root.sh:

And I created /dev/shm/root.sh which echoes:

to /etc/passwd to enable us to su as root with the credentials rooot : AAAA. (Check Ghoul).

I enabled the service and started it:

Now if we check /etc/passwd we’ll see that it has been modified:

And we owned root !
That’s it , Feedback is appreciated !
Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham
Thanks for reading.

Previous Hack The Box write-up : Hack The Box - Haystack
Next Hack The Box write-up : Hack The Box - Networked