JPGChat


Last updated 3 years ago

Scanning

Let's run an nmap scan to get information about the open ports and services on the machine.

Enumeration

Let's visit port 3000.

There is nothing of interest in the source code and nothing in the developer tools, so let's go find the admin's GitHub that the page mentions.

We have a file; let's copy it to our machine and check the code out.

Looking at the code, we can see that os.system is used to echo the input from [REPORT] to a text file. There is no sanitization of the input, so we can exploit this by using '; to close the echo command, after which we can run any command, followed by a #.
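As an added illustration (this is not the challenge's own code, which is not reproduced here), the string-building pattern the write-up describes beside a version that never touches a shell, plus a small check a defender could run over stored reports; the report file path and all function names are assumptions:

```python
import os
import shlex
import tempfile

# Hypothetical location; the real app's file name is not on the page.
REPORT_FILE = os.path.join(tempfile.gettempdir(), "jpgchat_example_reports.txt")

# Characters that can change the structure of a shell command line.
SHELL_METACHARS = set(";|&`$()<>'\"\n")


def vulnerable_command(report: str, path: str = REPORT_FILE) -> str:
    """The pattern described above: user text pasted straight into an
    `echo ... >> file` string destined for os.system(). It is returned,
    not executed, so the flaw can be inspected without running anything."""
    return f"echo {report} >> {path}"


def looks_like_injection(report: str) -> bool:
    """Detection helper for log review: true when the report contains a
    character that would break out of the echo argument in the pattern above."""
    return any(ch in SHELL_METACHARS for ch in report)


def log_report_safe(report: str, path: str = REPORT_FILE) -> str:
    """Hardened version: no shell at all. Appending through the file API means
    quotes, semicolons and '#' are stored as literal text. Returns the line written."""
    line = report.replace("\r", " ").replace("\n", " ")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def quoted_command(report: str, path: str = REPORT_FILE) -> str:
    """If a shell really must be used, shlex.quote() makes the whole report a
    single argument to echo; shown for comparison with vulnerable_command()."""
    return f"echo {shlex.quote(report)} >> {shlex.quote(path)}"


def read_reports(path: str = REPORT_FILE) -> list:
    """Returns the stored report lines, so a caller can confirm the text was
    written literally rather than interpreted."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()
```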

Exploitation

Let's connect to the web app on port 3000 using netcat so that we can interact with the chat service.

Let's first start a netcat listener and then execute the commands to get a reverse shell.

Now let's run the commands by choosing the REPORT option.

After running these commands, you should get a reverse shell.

Let's stabilize the shell.

Let's read the user flag.

Privilege Escalation

Let's run sudo -l to see what we can run as other users.

It looks like we can run this file; let's check what it contains and also the permissions on the file.

It looks like the script imports the compare module. So what we can do is change the environment variable so that Python finds our own compare.py, which spawns a root shell, and then run the file; it will import our module and give us a root shell.

Let's first create our compare.py file and add the script that will give us a root shell.

Let's now force Python to load our module file instead of any other and run the test_module.py file.

We are now root. We can read the root flag.