JPGChat

Scanning

Let's run an nmap scan to get information about the open ports and services on the machine.

Enumeration

Let's visit port 3000.

There is nothing of interest in the page source and nothing in the developer tools, so let's go and find the admin's GitHub that the page talks about.

We have a file; let's copy it to our machine and look at the code.

Looking at the code, we can see that os.system is used to echo the input from [REPORT] into a text file. The input is not sanitized, so we can exploit this: '; closes the quoted string of the echo command, any command can then be run, and a trailing # comments out the rest of the line.
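The pattern described above, shown as an added example (this is constructed illustration code, not the chat application's own source): a stand-in for the vulnerable "interpolate the report into an os.system echo" shape next to a hardened version that writes the report with the file API so no shell ever parses it, plus a coarse heuristic that flags report text carrying quote-then-separator sequences so such attempts can be logged. The report file path and sample messages are constructed.

```python
import os
import re
import tempfile
from typing import List

# Constructed stand-in for the vulnerable pattern: the report text is
# interpolated straight into a shell command line. Shown for contrast
# only; it is never called with untrusted input in this example.
def vulnerable_save_report(message: str, path: str) -> None:
    os.system("echo '{}' >> {}".format(message, path))

# Hardened form: no shell is involved at all. The message is written as
# data, so quotes, semicolons and '#' are just bytes in the file.
def safe_save_report(message: str, path: str) -> int:
    # One report per line, as with echo >>; embedded newlines are
    # flattened so one report cannot forge a second line.
    line = message.replace("\r", " ").replace("\n", " ") + "\n"
    with open(path, "a", encoding="utf-8") as f:
        return f.write(line)  # number of characters written

# Detection helper (coarse heuristic): a quote followed by a shell
# separator, a $(...) substitution or a backtick is rare in genuine
# chat reports and typical of command-injection attempts.
INJECTION_HINT = re.compile(r"['\"`]\s*[;&|]|\$\(|`")

def looks_like_injection(message: str) -> bool:
    return INJECTION_HINT.search(message) is not None

def read_reports(path: str) -> List[str]:
    with open(path, encoding="utf-8") as f:
        return [line.rstrip("\n") for line in f]

def demo_reports() -> List[str]:
    """Write a benign and a hostile-looking report safely and read them back."""
    fd, path = tempfile.mkstemp(prefix="reports-")
    os.close(fd)
    try:
        safe_save_report("user foo is spamming", path)
        safe_save_report("'; id #", path)  # stays literal text on disk
        return read_reports(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for report in demo_reports():
        print("%-6s %s" % ("ALERT" if looks_like_injection(report) else "ok", report))
```

The hardened writer is the actual fix: the application never needed a shell to append a line to a file. The heuristic is only a detection aid for logging and is not a substitute for removing the shell call.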

Exploitation

Let's connect to the web app on port 3000 using netcat so that we can interact with the chat service.

Let's first start a netcat listener and then execute the commands to get a reverse shell.

Now let's run the commands by choosing the REPORT option.

After running these commands, you should get a reverse shell.

Let's stabilize the shell.

Let's read the user flag.

Privilege Escalation

Let's run sudo -l to see what we can run as other users.

It looks like we can run this file; let's check what it contains and also its permissions.

It looks like the script imports the compare module. So what we can do is change the environment variable Python uses to locate modules so that it points to our own compare.py, which spawns a root shell; running the file then loads our module and gives us a root shell.

Let's first create our compare.py file and add the script that will give us a root shell.

Let's now force Python to load our module instead of any other and run the test_module.py file.
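The weakness behind the escalation above is a sudo rule that lets the caller influence the interpreter's module search path. As an added example (not part of the original writeup and not the machine's real configuration), the audit below parses sudo -l style output for the two settings that make this possible, an env_keep entry preserving PYTHONPATH and a SETENV tag on a rule, and separately lists module-search-path directories that any user can write to. The sudo -l text, the /opt/example/test_module.py path and the directory modes are all constructed; PYTHONPATH is assumed to be the variable in question since it is the standard Python module search override.

```python
import os
import re
import stat
import sys
from typing import Callable, Dict, List

# Constructed sample of `sudo -l` output (not taken from the machine).
SAMPLE_SUDO_L = """\
Matching Defaults entries for dev on host:
    env_reset, mail_badpass, env_keep+=PYTHONPATH

User dev may run the following commands on host:
    (root) SETENV: NOPASSWD: /usr/bin/python3 /opt/example/test_module.py
"""

# env_keep = "A B", env_keep += C, ... : capture the kept variable names.
ENV_KEEP = re.compile(r"env_keep\s*\+?=\s*\"?([^\",]+)")
# (runas) TAG: TAG: command   -> runas, tags, command
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)$")

def audit_sudo_output(text: str) -> Dict[str, List[str]]:
    """Environment-related weaknesses visible in `sudo -l` output."""
    findings = {"env_keep": [], "setenv_rules": [], "python_rules": []}
    for line in text.splitlines():
        m = ENV_KEEP.search(line)
        if m:
            findings["env_keep"].extend(m.group(1).split())
        m = RULE.match(line)
        if m:
            tags, command = m.group(2), m.group(3).strip()
            if "SETENV:" in tags:          # caller may set any env var
                findings["setenv_rules"].append(command)
            if "python" in command:        # interpreter honours PYTHONPATH
                findings["python_rules"].append(command)
    return findings

def _real_mode(path: str) -> int:
    return os.stat(path).st_mode     # raises OSError for missing entries

def world_writable_dirs(search_path: List[str],
                        mode_fn: Callable[[str], int] = _real_mode) -> List[str]:
    """Search-path directories into which any local user could drop a module."""
    hits = []
    for entry in search_path:
        try:
            mode = mode_fn(entry)
        except OSError:
            continue                  # nothing there to hijack (yet)
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    print(audit_sudo_output(SAMPLE_SUDO_L))
    # Live check of this interpreter's own search path.
    print(world_writable_dirs([p or os.getcwd() for p in sys.path]))
```

The fix on the sudo side is to drop the SETENV tag and the env_keep entry so env_reset applies (sudo then strips PYTHONPATH), and on the script side to keep its imports in a root-owned directory; the search-path check catches the case where the script's own directory, or one of the interpreter's defaults, is group- or world-writable.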

We are now root and can read the root flag.