HackTheBox Writeup — Jarvis

Hello guys, I am Faisal Husaini. My username on HTB is “faisalelino”.

The IP of this box is 10.10.10.143

Running masscan on it, we get

We see ports 22, 80 and 64999 open, so we put these into an NMAP scan and check the results

We see that port 22 is running OpenSSH and ports 80 and 64999 are running Apache httpd web services, let's move on to the enumeration part now

Checking the web service running on port 80

We see that it is a website of a hotel

Checking the web service on port 64999

We get a weird message that we have been banned for 90 seconds; even after reloading the page after 90 seconds, we get the same message again and again

Running Gobuster on the page, we get

We see one room.php, which was shown on the main page too; if we hover over there and click on the Rooms section, we get

We see that the link is something like /room.php?cod=something, so we send this request to Burp and then do some fuzzing

We tried LFI and SQLi on this, but no luck for me, so I went on to test code execution on this

We try some Linux commands, but get no reply as expected, so I will try to ping back to my local machine through this and see if we get replies

I had already set up tcpdump to listen on tun0, which is my local machine's HTB network interface

We click on Go and see the result

We got a reply back from the machine, so we now know it's blind code execution, so now we try to get a reverse shell through it, but unfortunately it doesn't work; maybe the ping back was a troll, so we now copy the request to a file named room.req and then use sqlmap on it

It looks like sqlmap found something, we wait more

So here the sqlmap scan ends, so we now move on to dumping the data

We got the credentials from the MySQL database; from the Gobuster scan we saw that we had phpMyAdmin on the server and it runs the MySQL database, so we will try these creds over there

We log in with the creds and click on Go and see

We got in; since this is phpMyAdmin 4.8.0, it has an LFI to RCE vulnerability which I am gonna show you here

We click on the SQL tab and then

We put our SELECT query followed by PHP code for phpinfo and click on Go

We now take the cookies of this through Burp

Now it's time to get the RCE

10.10.10.143/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_8bf7vf7v7r829q1g13m4nu5rptavliph

Pasting this query, we get

We see that we got the phpinfo through RCE, now we move on to getting a reverse shell

We put our exec function in the PHP code along with the reverse shell code

And now we move on to getting the session cookie and then exploiting it

Checking the netcat listener after a few seconds, we see

Looking further, we notice that the shell is unstable and dies soon

So we will try some other method

We create a database named “faisal” and see that the database is created, so we now select that table

We click on the SQL tab and enter the command which writes a PHP page into the web server's directory on the Linux box as backdoor.php; the page takes a GET parameter, runs it as a system command and outputs the result

We see that the MySQL query ran successfully without any errors and now we are ready to access the backdoor.php

We ran ls and we can see that it gave us the output we wanted, so we now run the simple bash one-liner reverse shell command and get a reverse shell

We are good to go and check the netcat listener

We got the reverse shell as www-data and running the sudo -l command we see

We can run sudo as the pepper user on /var/www/Admin-Utilities/simpler.py, which is a Python script; checking the code

We see that it's a script which runs a ping command on an IP; checking the ping section in the code

We see that it has forbidden some special characters and also that it runs the ping command through Python's os.system; we can try to manipulate this, but we need to escape the special characters, so all we do now is

We see that if we try to put any special characters, we get “Got You” as a reply as shown in the code above, so we can use the bash $() method to run system commands in it, which is also not blacklisted in that Python code

We see that after using $(bash), we escaped the filter and were able to get user as pepper but…
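The root cause here is a character deny-list placed in front of os.system, which hands the whole string to a shell. As an added example (not simpler.py's own code; the forbidden set below is assumed), here is that deny-list pattern next to a hardened version that parses the input as an IP address and invokes ping with an argument list and no shell.

```python
import ipaddress
import subprocess

# Assumed deny-list standing in for the "Got You" check the writeup describes;
# the real simpler.py forbidden set is not reproduced here.
FORBIDDEN = ("&", ";", "|", "`")


def denylist_accepts(value: str) -> bool:
    """The weak pattern: reject on listed characters, then trust the string.
    Anything the list forgets (here: $(...)) still reaches the shell."""
    return not any(ch in value for ch in FORBIDDEN)


def validate_ip(value: str) -> str:
    """Allow-list by parsing: only a well-formed IPv4/IPv6 address survives,
    in normalised form. Raises ValueError for everything else."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"rejected ping target: {value!r}") from exc


def build_ping_argv(value: str, count: int = 1) -> list:
    """Argument vector for ping. No shell is involved, so the target is a
    single argv entry and is never parsed for metacharacters."""
    return ["ping", "-c", str(int(count)), validate_ip(value)]


def safe_ping(value: str, count: int = 1, runner=subprocess.run):
    """Run ping without a shell. `runner` is injectable so the logic can be
    exercised where ping is unavailable (constructed for this example)."""
    return runner(build_ping_argv(value, count), capture_output=True,
                  text=True, timeout=15, check=False)


if __name__ == "__main__":
    # Constructed inputs: a real target, the writeup's bypass, a classic separator
    for candidate in ("10.10.10.143", "$(bash)", "10.10.10.143; id"):
        print(f"{candidate!r}: denylist accepts={denylist_accepts(candidate)}", end=" ")
        try:
            print("argv =", build_ping_argv(candidate))
        except ValueError as err:
            print("allow-list rejected:", err)
```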

This shell doesn't return any output, so we use the same one-liner bash reverse shell command and set up another netcat listener

We see that the shell has been processed and checking the netcat session, we see

We got a perfect shell and can run commands on it as user pepper, now we move on to getting the user flag

The user flag was located in the home folder of user pepper, now it's time for privilege escalation to root, and before that I put my public key on the box and get an SSH connection

Running the LinEnum.sh script, we see

The systemctl binary has SUID set and also pepper has group permissions on it for execution

So now we create our service file as shown below

I gave my reverse shell command in the ExecStart, we now save the file and send it to the pepper machine

We got the file onto the box and now we do the main things, first we link the file

We created our symlink, now we enable the service and start the service

And now looking back at our netcat listener, we see

We got root!!! Now time to get the root flag

It was another wonderful box done and believe me I wasted 8 hours on root, everything was correct, it was just that it didn't work with a reverse shell; instead someone gave me a hint to get an SSH connection and then try, and it worked!!
