PC is an easy machine from HackTheBox. To get the password of the user sau, you need to explore a gRPC server that exposes a method vulnerable to SQL injection. On the machine, you need to enumerate the running processes and discover an instance of pyload running as root whose version is vulnerable to unauthenticated RCE, then exploit it with a public exploit.

Running a TCP port scan with rustscan and asking nmap for the versions of the running services, we got, besides the SSH port, port 50051, which nmap could not recognize.

Connecting to this port with netcat and waiting a while, we got several unprintable characters followed by an error message about HTTP/2. Searching for this error message led me to the gRPC GitHub repository, so, assuming the port is a gRPC server, I started to search for gRPC clients and decided to use one of them.

Downloading the client and pointing it at port 50051 of the server, the client started to listen on a port on my machine and redirected me to it. It seems it fetched the methods exposed by the server and listed them to me.

It has a method called LoginUser. Filling it with the credentials admin:admin, it gave me an ID and a JWT token. Trying to get info about that ID with the getInfo method and the token I acquired, it sends me a "Will update soon." message.

Intercepting my client's request with Burp Suite, saving it to a file and feeding it to sqlmap to look for a SQL injection flaw, we got a SQLite UNION-based SQL injection. As our attack is UNION based, we can dump the whole database quickly with the --dump-all flag.

After dumping the database, I got the credentials sau:HereIsYourPassWord1431. We can connect to the machine over SSH with those credentials.

After a complete enumeration with linpeas, I saw that root is executing pyload (a download manager written in Python). Checking the version, I discovered it is 0.5.0. Searching about this pyload version, I discovered it is vulnerable to RCE and a public exploit is available.

Forwarding the pyload port (8000) to my local machine and using the exploit to download and execute my reverse shell, I could execute commands on the machine as root.
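The "unprintable characters followed by an HTTP/2 error message" that netcat showed on port 50051 are binary HTTP/2 frames: a gRPC server speaks HTTP/2, and when a client does not send the HTTP/2 connection preface the server typically answers with a SETTINGS frame and a GOAWAY frame whose debug data is the only human-readable part. The following added example (my own code, not part of the original write-up or of any gRPC project) parses the 9-byte HTTP/2 frame header and decodes GOAWAY frames, which is enough to fingerprint such a port without a gRPC client. The byte stream it parses is constructed here for the demo; the debug text is made up and is not what any particular server sends.

```python
import struct

# Frame type and error code names from RFC 7540 (HTTP/2).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS",
               0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x2: "INTERNAL_ERROR",
               0x3: "FLOW_CONTROL_ERROR", 0x4: "SETTINGS_TIMEOUT",
               0xb: "ENHANCE_YOUR_CALM", 0xd: "HTTP_1_1_REQUIRED"}


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data: bytes) -> list:
    """Split a raw byte stream into frames; GOAWAY frames get their fields decoded.
    Parsing stops at the first truncated frame instead of guessing."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame: do not report half-parsed data
        frame = {"type": FRAME_TYPES.get(ftype, f"UNKNOWN(0x{ftype:02x})"),
                 "flags": flags, "stream_id": stream_id, "payload": payload}
        if ftype == 0x7 and length >= 8:
            last_stream, code = struct.unpack("!II", payload[:8])
            frame["last_stream_id"] = last_stream & 0x7FFFFFFF
            frame["error_code"] = ERROR_CODES.get(code, f"UNKNOWN(0x{code:x})")
            # Debug data is opaque per the RFC; servers usually put text there.
            frame["debug_data"] = payload[8:].decode("utf-8", "replace")
        frames.append(frame)
        off += 9 + length
    return frames


def printable_text(data: bytes) -> str:
    """What a person sees in a terminal: only the printable ASCII bytes survive."""
    return "".join(chr(b) for b in data if 32 <= b < 127)


def find_goaway(data: bytes):
    """Return the first decoded GOAWAY frame, or None if the stream has none."""
    for frame in parse_frames(data):
        if frame["type"] == "GOAWAY" and "error_code" in frame:
            return frame
    return None


# Constructed sample: a SETTINGS frame (one setting, id 0x3 = MAX_CONCURRENT_STREAMS)
# followed by a GOAWAY with PROTOCOL_ERROR and made-up debug text. Not captured traffic.
SAMPLE_RESPONSE = (
    build_frame(0x4, 0x0, 0, struct.pack("!HI", 0x3, 100))
    + build_frame(0x7, 0x0, 0, struct.pack("!II", 0, 0x1)
                  + b"constructed: client did not send a valid HTTP/2 preface")
)

if __name__ == "__main__":
    print("raw bytes as a terminal shows them:", printable_text(SAMPLE_RESPONSE))
    for f in parse_frames(SAMPLE_RESPONSE):
        print(f["type"], {k: v for k, v in f.items() if k not in ("payload",)})
```

If a scanner reports an unknown service and the first bytes back decode as a SETTINGS frame followed by a GOAWAY, the port is an HTTP/2 endpoint, and on a high numbered port that is very often gRPC; that is the same conclusion the write-up reached from the error text alone.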
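The getInfo method leaked the whole SQLite database through a UNION-based injection, which is the classic result of building the query with string formatting. The following added example (written for this post, not the machine's real server code, whose source is not shown) reproduces that failure mode with an in-memory SQLite table and then shows the two fixes a defender would apply: a parameterized query, and a check that the requested ID matches the identity carried by the caller's token, so one user cannot query another user's record even with valid SQL. Table layout, rows and passwords are constructed for the demo.

```python
import sqlite3

# Constructed sample data: usernames appear in the write-up, passwords are placeholders.
SAMPLE_ROWS = [
    (1, "admin", "constructed-admin-pass", "Will update soon."),
    (2, "sau", "constructed-sau-pass", "Will update soon."),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database shaped like a simple accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT,"
                 " password TEXT, message TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """VULNERABLE: the id is pasted into the SQL text, so it can change the query.
    Kept only to show the behaviour sqlmap detected; never ship this."""
    query = f"SELECT message FROM accounts WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(query)]


def get_info_safe(conn: sqlite3.Connection, requested_id: str, token_subject: str) -> list:
    """HARDENED: validate the input shape, enforce that the caller may only read
    their own record (the subject from a verified JWT, assumed already checked
    upstream), and bind the value instead of formatting it into the SQL."""
    if not str(requested_id).isdigit():
        raise ValueError("user id must be a positive integer")
    if str(requested_id) != str(token_subject):
        raise PermissionError("token subject does not match requested id")
    rows = conn.execute("SELECT message FROM accounts WHERE id = ?",
                        (int(requested_id),))
    return [row[0] for row in rows]


def probe_safe(conn: sqlite3.Connection, requested_id: str, token_subject: str):
    """Return the safe handler's result, or the name of the exception it raised."""
    try:
        return get_info_safe(conn, requested_id, token_subject)
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


# The kind of value sqlmap sends once it finds a UNION point (constructed here):
INJECTED_ID = "1' UNION SELECT password FROM accounts -- "

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup   :", get_info_vulnerable(conn, "1"))
    print("vulnerable leak :", get_info_vulnerable(conn, INJECTED_ID))
    print("hardened, own id:", probe_safe(conn, "1", "1"))
    print("hardened, inject:", probe_safe(conn, INJECTED_ID, "1"))
    print("hardened, other :", probe_safe(conn, "2", "1"))
```

Binding the parameter alone stops the injection; the subject check matters separately, because on this machine a low-privileged login was enough to reach the vulnerable method, and an authorization check keeps an insecure direct object reference from becoming a second way to read other users' rows.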