# JPGChat

![](/files/-McppnTLGNhtlsTnJx6u)

## Scanning

Let's run an nmap scan to get information about the open ports and services on the machine.

![](/files/-McpqFrx7nXgtjOPPSTY)

## Enumeration

Let's visit port 3000.

![](/files/-McpqlQYraWntZ8WhmsJ)

There is nothing of interest in the source code and nothing in the developer tools, so let's go find the admin's GitHub that the page mentions.

![](/files/-Mcprp0AyFBs7ZXlrOPn)

We have a file. Let's copy it to our machine and check out the code.

![](/files/-Mcps4C3BxVYZuUi6GpO)

Looking at the code, we can see that `os.system` is used to echo the input from \[REPORT] to a text file. The input is not sanitized, so we can exploit this by using `';` to close the echo command, after which we can run any command, followed by a `#`.
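The flaw described above next to a hardened form, as an added example that is not the room's source code: the function names, the report path and the sample inputs are constructed for illustration. The vulnerable command string is only built and tokenised the way a shell would read it, never executed.

```python
import os
import shlex
import tempfile

REPORT_FILE = "/tmp/report.txt"  # hypothetical path, not taken from the room

def vulnerable_command(report: str) -> str:
    """Shape of the flaw described above: user input pasted into a shell string.
    The string is only built here for inspection, never executed."""
    return "echo '%s' >> %s" % (report, REPORT_FILE)

def shell_tokens(command: str) -> list:
    """Tokenise roughly as sh would: quotes, '#' comments and operators honoured."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

def splits_into_commands(command: str) -> bool:
    """True when an unquoted control operator ends the echo and starts another command."""
    return any(tok in {";", "&", "&&", "|", "||"} for tok in shell_tokens(command))

def save_report(report: str, path: str) -> None:
    """Hardened form: append with file I/O, so no shell ever parses the input."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(report.replace("\r", " ").replace("\n", " ") + "\n")

def demo() -> dict:
    benign = "user was spamming; please ban"   # constructed sample input
    hostile = "x'; id #"                       # constructed, the quote-closing shape above
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.txt")
        save_report(hostile, path)
        with open(path, encoding="utf-8") as fh:
            stored = fh.read()
    return {
        "benign_splits": splits_into_commands(vulnerable_command(benign)),
        "hostile_splits": splits_into_commands(vulnerable_command(hostile)),
        "hostile_tokens": shell_tokens(vulnerable_command(hostile)),
        "stored": stored,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", repr(value))
```

`shlex` only approximates shell parsing, so treat the token check as a way to see the problem; the fix is `save_report`, which keeps the input out of a shell entirely.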

## Exploitation

Let's connect to the web app on port 3000 using netcat so that we can interact with the chat service.

Let's first start a netcat listener and then execute the commands to get a reverse shell.

![](/files/-McpuSbPxdzn96daYnMq)

Now let's run the commands by choosing the `REPORT` option.

![](/files/-McpuZH-7i-HlL6ROjP6)

After running these commands, you should get a reverse shell.

![](/files/-McpumLMuMLOn8fkcOdh)

Let's stabilize the shell.

![](/files/-Mcpuy_KLwlZITmyQeYq)

Let's read the user flag.

![](/files/-McpvK65nx2yHFBiLrkZ)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as other users.

![](/files/-McpvaBdW5TA6K8YLEQ0)

It looks like we can run this file. Let's check what it contains and also the permissions of the file.

![](/files/-McpwBOrWE1UZMNPA69X)

It looks like the script imports the `compare` module. What we can do is change the environment variable so that it points to our own `compare.py` file, which spawns a root shell, and then run the script; it will load our file and give us a root shell.

Let's first create our `compare.py` file and add the script that will give us a root shell.

![](/files/-McpyMM8uzGtYerMyqO0)

Let's now force Python to load our module file instead of any other and run the `test_module.py` file.

![](/files/-McpyXi7CW5uYfhh2xBq)

We are now root. We can read the root flag.

![](/files/-Mcpyo1WtNlwgoC1CkHV)

