Pre-Foothold

Started with an all port scan and got this

Description of image

Deep scan brought back this. Interested to see what 50051 is

Description of image

tried visiting the port via web browser and got this

Description of image

OpenSSH may be outdated with the current version at 9.4. But I poked around and didn’t find anything that would get me anywhere. Next I started looking for what 50051 could be and found some technology called gRPC

Description of image

My understanding is it’s sort of like an API which means we can interact with it! I find there is a tool called grpcurl that I can use to curl data into and out of this endpoint, but I decide to go with GRPcui, a web based user interface.

After working on a few golang issues I finally get it running!

Description of image

Visitng the page gets me a request form

Description of image

I click through some of the menus and the method names stand out.

Description of image

I tried to register a simple user, admin:admin, and get a suprising response.

Description of image

So I go to login and…

Description of image

So next I try to run getInfo which requests my id and token

Description of image

I have no idea what this means, but I know it worked lol

Description of image

I fumble around for a bit trying to understand what’s going on here. I know I am sending a request with credentials, so maybe there is a database to interact with? Let’s ask burpsuite.

Description of image

Now I’m not going to lie to you here, I knew what I was looking at, but I didn’t know what I was looking at.. Eventually I remember that with this being a SQLite database, there maybe an SQL vulnerability here.

I am a bit of noob when it comes to sql vulnerabilities, so after thinking it through and catching a nudge I remember I can use sqlmap to try to attack this box. What I end up doing is using the request itself via sqlmap and it finds a POST injection vulnerability in the id parameter!

So I let it run to see if it will dump some tables, and I get usernames and passwords!

Description of image

Description of image

Foothold Complete!

Post-Foothold

Ok so I floundered around for a bit here, checked sudo privileges, running processes, writeable files and directories, and lastly SUID bits. Came up with nothing until I checked what ports were open and listening.

Description of image

This port seems…odd. But I can’t access it unless I create a proxy tunnel to the machine. I choose ligolo-ng to get this done. I’ll transfer the agent to the machine after setting up a python3 simple http server

Description of image

Agent gets in, agent is launched, connection is established

Description of image

Description of image