search

PC

hashtag
1. Initial recon

hashtag
1.1. nmap

nmap -p- 10.10.11.214 -Pn

PORT      STATE SERVICE
22/tcp    open  ssh
50051/tcp open  unknown

hashtag
2. user.txt

hashtag
2.1. gRPC

A google search for port 50051 reveals that this port is generally used for gRPC.

Following thisarrow-up-right blog post I can start to find out how to enumerate gRPC.

Using grpcurlarrow-up-right we can see that there is a service called SimpleApp running

./grpcurl --plaintext 10.10.11.214:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection

and that the app has 3 pages.

now let's use grpcuiarrow-up-right to have a web ui for the application

If we try to use the getInfo option we get the following output

so, we may need to use the RegisterUser and then LoginUser functions to get our token

if we try to make a user with the name admin we get an error saying that the user already exists, however, we can use the credentials admin:admin with the LoginUser function and generate a token. taking note of the id and token we are given, let's use them with the getInfo function and see what we get

let's try some other numbers like, 1

time to do some research

hashtag
2.2. SQLmap

This medium articlearrow-up-right talks about how SQLi might be a vulnerability when dealing with gRPC, so let's capture a request to a call to the getInfo function using BurpSuite and see if sqlmap can do anything for us.

sqlmap -r req.txt -dbs --batch

sqlmap -r req.txt --tables --batch

sqlmap -r req.txt -T accounts --batch --dump

We can use the credentials sau:HereIsYourPassWord1431 to ssh into the machine for the user flag

hashtag
3. root.txt

Running a command to check for SUID binaries: find / -type f -perm -04000 -ls 2>/dev/null we can see that bash is there. so simply run /usr/bin/bash -p for root!

PreviousOptimumNextReturn