JPGChat
Exploiting a poorly made custom chatting service written in a certain language…
The picture attached with this new room is the Python symbol, so I think we can guess what the language might be.
Ports
SSH and port 3000. What’s that?
3000
Let’s try telnet:
Oooooookkkkk.
Netcat:
Netcat it is then.
If we send [REPORT], we get this:
this report will be read by Mozzie-jpg
Let’s assume this is our admin, and look for the source code on GitHub.
Google says:
No results found for “Mozzie-jpg” site:github.com.
Let’s go there directly: https://github.com/Mozzie-jpg/
Bingo. We want this.
We can see that the [REPORT] feature is vulnerable to command injection. Like so:
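For readers who want to understand the bug class rather than just the room, here is an added, constructed illustration of the pattern behind it: a hypothetical Python handler for the "[REPORT]" message, shown in its vulnerable form (report text spliced into a shell command with shell=True) next to hardened alternatives that treat the text as data. This is example code written for this walkthrough, not the JPGChat source; the function names, the reports.txt path and the sample inputs are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical handler for a "[REPORT]" message, constructed for this note;
# not the JPGChat source. The report text arrives straight from the socket.


def vulnerable_report(text: str, report_dir: str) -> str:
    """Anti-pattern: untrusted text is spliced into a shell command line.

    Because shell=True hands the whole string to /bin/sh, any shell
    metacharacter in `text` changes what the command does. Shown for
    contrast only; nothing below calls it.
    """
    cmd = f"echo {text} >> {report_dir}/reports.txt"
    subprocess.run(cmd, shell=True, check=False)
    return cmd


# Characters that /bin/sh treats as syntax rather than text.
SHELL_METACHARACTERS = set(";|&$`<>()\n")


def contains_shell_metacharacters(text: str) -> bool:
    """Cheap detection check: flag report text that carries shell syntax.

    Handy for alerting on a service log; it is not a substitute for
    removing the shell from the code path.
    """
    return any(ch in SHELL_METACHARACTERS for ch in text)


def hardened_report(text: str, report_dir: Optional[str] = None) -> Path:
    """Store the report with no shell at all: the text is data, never a command."""
    directory = Path(report_dir) if report_dir else Path(tempfile.mkdtemp())
    # Drop control characters so one report cannot forge extra log lines.
    cleaned = "".join(ch for ch in text if ch.isprintable())
    path = directory / "reports.txt"
    with path.open("a", encoding="utf-8") as fh:
        fh.write(cleaned + "\n")
    return path


def echo_without_shell(text: str) -> str:
    """If a subprocess is genuinely needed, pass arguments as a list.

    With shell=False the text is a single argv element, so metacharacters
    reach printf literally instead of being parsed by /bin/sh.
    """
    result = subprocess.run(
        ["printf", "%s\n", text], capture_output=True, text=True, check=True
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    sample = "nice room; the server is a bit slow"  # constructed input
    print("flagged:", contains_shell_metacharacters(sample))
    print("stored in:", hardened_report(sample))
    print("argv echo:", echo_without_shell(sample))
```

The fix is not escaping: it is keeping user text out of any string that a shell will parse. When the service only needs to persist the report, a plain file write does the job; when a helper program really must run, a list of arguments with shell=False keeps the text inert, and the metacharacter check gives a defender something cheap to alert on in the meantime.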
For some reason this doesn’t want to give me a very nice shell, so I just use it to send myself a better one:
A better shell
We’d better have a look at that script, then:
Not much to it. Let’s go!