![](/htb/machines/retired/pc/HkUDfJLS2.png)
![](/htb/machines/retired/pc/Skb1l7vS3.png)
Using gRPC reflection to list the server's methods:
![](/htb/machines/retired/pc/B1wi57vH3.png)
Using Register and Login to get access to the service:
![](/htb/machines/retired/pc/SkbVsQwSn.png)
But calling getInfo returns an error:
![](/htb/machines/retired/pc/rkxIc97wHh.png)
```
ERROR:
```
In the gRPC service we see that we also need to pass an id in the request, which gets us:
![](/htb/machines/retired/pc/BkWN07wrh.png)
![](/htb/machines/retired/pc/SJQG0QDBn.png)
Trying with id set to 1, we get:
![](/htb/machines/retired/pc/H16pCQDBh.png)
I moved to grpcui to proxy my requests to the gRPC server.
Trying a UNION injection, we see that it works and the DBMS seems to be SQLite.
![](/htb/machines/retired/pc/HkMROVPBn.png)
![](/htb/machines/retired/pc/HJCUuVPH3.png)
Using sqlmap on the id parameter, we confirm the SQL injection and can dump the DB:
![](/htb/machines/retired/pc/rkiNuVDHh.png)
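The server code is not shown in this writeup. As an added example (not the target's actual code), the sketch below shows how a handler that pastes the request's id into a SQLite query becomes UNION-injectable, next to a version that validates and binds the value. The function names, table names and sample rows are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a service's SQLite store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO messages VALUES (1, 'service is up');
        INSERT INTO accounts VALUES ('svc', 'constructed-secret');
    """)
    return db

def get_info_vulnerable(db, raw_id):
    # Vulnerable pattern: the id field from the request is concatenated into
    # the SQL text, so its content can change the structure of the statement.
    query = f"SELECT message FROM messages WHERE id = {raw_id}"
    row = db.execute(query).fetchone()
    return row[0] if row else None

def get_info_safe(db, raw_id):
    # Hardened pattern, step 1: reject anything that is not a short ASCII integer.
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a non-negative integer")
    # Step 2: bind the value as a parameter so it is only ever treated as data.
    row = db.execute(
        "SELECT message FROM messages WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # Constructed input of the UNION kind described above.
    crafted = "0 UNION SELECT password FROM accounts"
    print("vulnerable, id=1    :", get_info_vulnerable(db, "1"))
    print("vulnerable, crafted :", get_info_vulnerable(db, crafted))
    print("safe, id=1          :", get_info_safe(db, "1"))
    try:
        get_info_safe(db, crafted)
    except ValueError as exc:
        print("safe, crafted       : rejected:", exc)
```

The same fix applies whatever the transport is: a gRPC field is untrusted input exactly like an HTTP parameter, and the query should only ever receive it through a bound placeholder.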
Privilege Escalation
```
sshpass -p 'HereIsYourPassWord1431' ssh sau@pc.htb
```
![](/htb/machines/retired/pc/rJemtEDH2.png)
![](/htb/machines/retired/pc/rkjAcVPHn.png)
After port forwarding and checking, we see:
![](/htb/machines/retired/pc/HkzcqNPS2.png)
Using Metasploit, we can get root:
![](/htb/machines/retired/pc/Hk40ervr3.png)
And we get root.