Pre-Foothold
Started with an all port scan and got this

Deep scan brought back this. Interested to see what 50051 is

tried visiting the port via web browser and got this

OpenSSH may be outdated with the current version at 9.4. But I poked around and didn’t find anything that would get me anywhere. Next I started looking for what 50051 could be and found some technology called gRPC

My understanding is it’s sort of like an API which means we can interact with it! I find there is a tool called grpcurl that I can use to curl data into and out of this endpoint, but I decide to go with GRPcui, a web based user interface.
After working on a few golang issues I finally get it running!

Visitng the page gets me a request form

I click through some of the menus and the method names stand out.

I tried to register a simple user, admin:admin, and get a suprising response.

So I go to login and…

So next I try to run getInfo which requests my id and token

I have no idea what this means, but I know it worked lol

I fumble around for a bit trying to understand what’s going on here. I know I am sending a request with credentials, so maybe there is a database to interact with? Let’s ask burpsuite.

Now I’m not going to lie to you here, I knew what I was looking at, but I didn’t know what I was looking at.. Eventually I remember that with this being a SQLite database, there maybe an SQL vulnerability here.
I am a bit of noob when it comes to sql vulnerabilities, so after thinking it through and catching a nudge I remember I can use sqlmap to try to attack this box. What I end up doing is using the request itself via sqlmap and it finds a POST injection vulnerability in the id parameter!
So I let it run to see if it will dump some tables, and I get usernames and passwords!


Foothold Complete!
Post-Foothold
Ok so I floundered around for a bit here, checked sudo privileges, running processes, writeable files and directories, and lastly SUID bits. Came up with nothing until I checked what ports were open and listening.

This port seems…odd. But I can’t access it unless I create a proxy tunnel to the machine. I choose ligolo-ng to get this done. I’ll transfer the agent to the machine after setting up a python3 simple http server

Agent gets in, agent is launched, connection is established

