![](/content/images/2019/11/image-32.png)
Jarvis was a medium rated box that involved SQL injection for the initial foothold followed by bash manipulation and service abuse to gain root.
Nmap scan:
![](/content/images/2019/11/image-33.png)
I checked out 64999 first:
![](/content/images/2019/11/image-34.png)
There didn't appear to be anything else there, so I checked port 80 and found a site for 'Stark Hotel':
![](/content/images/2019/11/image-35.png)
While clicking around, I see that the 'rooms' pages could be vulnerable:
![](/content/images/2019/11/image-36.png)
I tried some LFI but didn't have any luck with that, so I fired up sqlmap with `sqlmap -u http://jarvis.htb/room.php?cod=2 --os-shell` and got a shell as www-data:
![](/content/images/2019/11/image-37.png)
Next I started a python http server on my machine and downloaded netcat to Jarvis:
![](/content/images/2019/11/image-38.png)
Used netcat to get a reverse shell:
![](/content/images/2019/11/image-42.png)
![](/content/images/2019/11/image-41.png)
`sudo -l` is one of the first things I do when getting a shell. Here we see that, for some reason, www-data can run simpler.py as the user 'pepper':
![](/content/images/2019/11/image-43.png)
Let's see what it does:
![](/content/images/2019/11/image-44.png)
Ok, let's try to ping myself:
![](/content/images/2019/11/image-45.png)
Of course when I hit control-C to stop the pings, it killed my reverse shell :/
I reconnected and tried the old trick of using an & to append a new command:
![](/content/images/2019/11/image-46.png)
A look at the source of simpler.py shows why this didn't work:
![](/content/images/2019/11/image-47.png)
After some thought and experimentation, I created a shell script and made it executable:
![](/content/images/2019/11/image-50.png)
Make netcat executable as well:
![](/content/images/2019/11/image-52.png)
Finally, run simpler.py as 'pepper' and enter `$(/tmp/cmd)` at the prompt:
![](/content/images/2019/11/image-53.png)
Note that you have to enter the full path of simpler.py, as that's what's listed in `sudo -l`. The reason `$(/tmp/cmd)` works is that bash will execute anything inside the `$()`. Here's a simple example:
![](/content/images/2019/11/image-54.png)
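To show the defensive side of the point above, here is an added example (my own code, not simpler.py from the box) contrasting a character blacklist with an allow-list validator for a ping target. The blacklist set, the sample inputs and the `ping`/`-c 1` arguments are assumptions constructed for the demo; the page does not show the actual filter.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs (not taken from the box).
SAMPLE_INPUTS = ["127.0.0.1", "8.8.8.8 & id", "1.2.3.4;ls", "$(/tmp/cmd)", "example.com"]

# Naive blacklist in the spirit of the filter the write-up describes:
# it catches '&' and ';' but says nothing about '$(' ... ')'.
BLACKLIST = set("&;|")


def passes_blacklist(target: str) -> bool:
    """True if no blacklisted character is present (the weak check)."""
    return not any(ch in BLACKLIST for ch in target)


# Allow-list: a literal IPv4 address or a plain DNS hostname, nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_target(target: str) -> bool:
    """True only for values that cannot carry shell syntax."""
    try:
        ipaddress.IPv4Address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def build_ping_argv(target: str) -> list:
    """Build argv for subprocess; raises on anything outside the allow-list."""
    if not is_valid_target(target):
        raise ValueError("rejected ping target: %r" % target)
    # argv list with shell=False: the target is a single argument and is
    # never handed to a shell, so $(...) is just a literal string here.
    return ["ping", "-c", "1", target]


def ping(target: str) -> int:
    """Run ping safely and return its exit status."""
    return subprocess.run(build_ping_argv(target), shell=False).returncode


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print("%-14r blacklist=%-5s allowlist=%s"
              % (value, passes_blacklist(value), is_valid_target(value)))
```

Running it prints that `$(/tmp/cmd)` slips past the blacklist while the allow-list rejects it; the fixed version also stops `shell=True` from ever seeing the value.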
Anyway, with a netcat listener I get a reverse shell as pepper:
![](/content/images/2019/11/image-56.png)
The user flag:
![](/content/images/2019/11/image-57.png)
I wanted a more stable shell so I generated a ssh key:
![](/content/images/2019/11/image-58.png)
Then appended the contents of id_rsa.pub to /home/pepper/.ssh/authorized_keys:
![](/content/images/2019/11/image-59.png)
Now we have ssh access:
![](/content/images/2019/11/image-60.png)
I ran linuxprivchecker and saw this:
![](/content/images/2019/11/image-61.png)
'systemctl' controls services on the system and pepper has permissions to edit sqli-defender.service:
![](/content/images/2019/11/image-62.png)
Let's take a look at it:
![](/content/images/2019/11/image-63.png)
Edit it by running `systemctl edit --full sqli-defender.service` and changing the 'ExecStart' value:
![](/content/images/2019/11/image-64.png)
Restart the service and with a netcat listener, we get a root shell:
![](/content/images/2019/11/image-65.png)
![](/content/images/2019/11/image-66.png)
Root flag:
![](/content/images/2019/11/image-67.png)