This is PYLINGTON: 1 from Vulnhub. It doesn’t have a rating but I’m going to say it was easy.
Ports
SSH and HTTP, and running on Arch Linux. That’s interesting, isn’t it? No? Whatever.
Web
We have an online Python interpreter, but to use it we are supposed to register, and registration has been disabled. robots.txt points us to /zbir7mn240soxhicso2z, which contains some credentials we can use to log in. Once logged in, we get a page where we can enter a Python program, give it input and see the output.
We are also told:
This online IDE is protected with NoImportOS™, an unescapable™ sandbox. NoImportOS™ is secure because of its simplicity; it’s only 9 lines of code (available here)
What does that code look like?
So it’s literally looking for the strings ‘os’, ‘import’ and ‘open’. Should be easy, yes?
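To make the design flaw concrete, here is an added example (mine, not the box's actual NoImportOS code, whose nine lines are not reproduced in this post): a substring denylist of the kind described, placed beside a check that parses the submitted program with the standard `ast` module and rejects import statements, dunder names and a few dangerous builtins by node type rather than by text. The denylist, forbidden-name set and sample programs are all my own constructions.

```python
import ast

# Constructed stand-in for a NoImportOS-style filter: reject the program if any
# forbidden substring appears anywhere in the source text.
DENYLIST = ("os", "import", "open")


def denylist_check(source: str) -> bool:
    """Return True when the source contains none of the forbidden substrings."""
    return not any(word in source for word in DENYLIST)


class _Checker(ast.NodeVisitor):
    """Collect problems by walking the parsed syntax tree, not the raw text."""

    # Hypothetical set of builtins a tiny 'no import, no files' IDE would refuse.
    FORBIDDEN_NAMES = {"open", "__import__", "eval", "exec", "compile",
                       "getattr", "vars", "globals"}

    def __init__(self):
        self.problems = []

    def visit_Import(self, node):
        self.problems.append(f"line {node.lineno}: import statement")

    def visit_ImportFrom(self, node):
        self.problems.append(f"line {node.lineno}: from-import statement")

    def visit_Attribute(self, node):
        # Dunder attribute access is how object-model introspection starts.
        if node.attr.startswith("__"):
            self.problems.append(f"line {node.lineno}: dunder attribute {node.attr!r}")
        self.generic_visit(node)

    def visit_Name(self, node):
        if node.id in self.FORBIDDEN_NAMES or node.id.startswith("__"):
            self.problems.append(f"line {node.lineno}: forbidden name {node.id!r}")


def ast_check(source: str):
    """Return (accepted, problems) for the given program text."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return False, [f"syntax error: {exc}"]
    checker = _Checker()
    checker.visit(tree)
    return not checker.problems, checker.problems


if __name__ == "__main__":
    # Constructed sample programs.
    benign = "cost = 3\nprint(cost)"          # 'cost' contains 'os'
    sneaky = 'eval("1+1")'                     # no forbidden substring at all
    print("denylist on benign:", denylist_check(benign))   # False: false positive
    print("ast on benign:     ", ast_check(benign))        # (True, [])
    print("denylist on sneaky:", denylist_check(sneaky))   # True: missed
    print("ast on sneaky:     ", ast_check(sneaky))        # (False, [...])
```

The two sample programs show both failure modes of text matching at once: a harmless variable named `cost` is rejected because it contains `os`, while a call to `eval` sails through because none of the three strings appear in it. The AST version is more precise, but it is still a filter on source code, not a security boundary; Python programs can reach the interpreter's internals in ways no static check fully enumerates, so an online IDE that matters should run submissions in an isolated process (separate user, no network, resource limits) and treat the filter as a convenience, not as the "unescapable" protection this box advertises.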
Here’s my reverse shell - there are other ways of doing this, but this was mine:
Does it work? Of course!
PY and root
Getting to user (py) was very simple with an SUID binary:
Well, that was easy. The source code for the typing binary was provided too.
Now, for root we have another SUID binary:
What can we do with this? The trick is that the output directory has to start with /srv/backups, but it doesn't have to end there.
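The weakness is a string-prefix check used where a path-containment check was needed. As an added example (my own code, not the box's backup binary, whose source I am not reproducing), here is the naive check next to a version that canonicalises both paths with `os.path.realpath` and then asks whether the canonical root is a common ancestor of the canonical target. The sample paths are constructed; `/srv/backups` is the directory named above.

```python
import os

BACKUP_ROOT = "/srv/backups"  # the prefix the box's binary insists on


def naive_is_allowed(path: str, root: str = BACKUP_ROOT) -> bool:
    """Prefix test on the raw string: the flawed pattern this writeup exploits."""
    return path.startswith(root)


def safe_is_allowed(path: str, root: str = BACKUP_ROOT) -> bool:
    """Containment test on canonical paths.

    realpath() collapses '.' and '..' components and resolves any symlinks that
    exist, so a target that climbs out of the root no longer shares its prefix.
    commonpath() compares whole path components, so '/srv/backups2' is not
    mistaken for something inside '/srv/backups'.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:
        # Raised when the two paths cannot be compared (mixed absolute/relative,
        # or different drives on Windows); treat that as outside the root.
        return False


if __name__ == "__main__":
    # Constructed sample targets a caller might hand to the backup tool.
    for candidate in ("/srv/backups/daily",
                      "/srv/backups/../../etc",
                      "/srv/backups2",
                      "/etc/passwd"):
        print(f"{candidate:28} naive={naive_is_allowed(candidate)!s:5} "
              f"safe={safe_is_allowed(candidate)}")
```

For a SUID program the path check is only half of the fix: the program should also open the destination with the caller's privileges dropped (or open the root directory first and use relative, `O_NOFOLLOW`-style opens from it) so that a symlink planted under the allowed directory cannot redirect the write after the check has passed.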