JPGChat
Scanning
Lets run some nmap scan to get information about the open ports and services on the machine
Enumeration
Lets visit port 3000
There is nothing of interest in the source code and nothing in the Developer tools, so lets go find the admins GitHub they talk about.
We have a file, lets copy it to our machine and check the code out.
Looking at the code, we can see that the os.system is used to echo the input from [REPORT] to a text file. There is no sanitization of input, we can exploit this by using ';
to close the echo command and then we can run any command followed by a #
Exploitation
Lets connect to the web app on port 3000 using netcat so that we can interact with the chat service.
Lets first start a netcat listener and then execute the commands to get a reverse shell
Now lets run the commands by choosing the REPORT
option
After running these commands, you should get a reverse shell
Lets stabilize the shell.
Lets read the user flag
Privilege Escalation
Lets run sudo -l
to see what we can run as other users.
Looks like we can run this file, lets check what it contains and also the permissions of the file.
Looks like we are importing the compare module. So what we can do is change the Environment variable
and set it to our own compare.py
file with a root shell spawn and then run the file which will run our file and give us a root shell.
Lets first create our compare.py file and add the script that will give us a root shell.
Lets now force python to load our module file instead of any other and run the test_module.py
file
We are now root. We can read the root flag
Last updated