# JPGChat

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcpph-yEMsoS0xmg3cg%2F-McppnTLGNhtlsTnJx6u%2Fimage.png?alt=media\&token=e8bedac9-a695-464b-94b3-b1dc264c720c)

## Scanning

Let's run an nmap scan to get information about the open ports and services on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McpposoxPobETBTJEr_%2F-McpqFrx7nXgtjOPPSTY%2Fimage.png?alt=media\&token=e89a4118-3535-428e-9821-e4c48e7ca278)

## Enumeration

Let's visit port 3000.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McpposoxPobETBTJEr_%2F-McpqlQYraWntZ8WhmsJ%2Fimage.png?alt=media\&token=7ffdad70-6b13-475e-88d6-ecf0f6ed3a22)

There is nothing of interest in the page source and nothing in the developer tools, so let's go find the admin's GitHub that the page talks about.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-Mcprp0AyFBs7ZXlrOPn%2Fimage.png?alt=media\&token=03d9a635-aef9-4cba-9ad2-385549ae201b)

We have a file. Let's copy it to our machine and check the code out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-Mcps4C3BxVYZuUi6GpO%2Fimage.png?alt=media\&token=ab06e3e8-0c3f-4e39-92b9-2916a3e7463c)

Looking at the code, we can see that `os.system` is used to `echo` the input from `[REPORT]` into a text file. The input is not sanitized, so it becomes part of the shell command line: we can use `';` to close the `echo` command, run any command of our choice, and then add a `#` so the rest of the original command line is treated as a comment.
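As an added example (not the machine's own source), here is a constructed stand-in for the `[REPORT]` handler: the unsafe pattern the writeup describes next to two hardened versions, plus a simple check a defender could use to flag report text that carries shell syntax. Function names and the log path are assumptions.

```python
import os
import shlex
import tempfile

def save_report_unsafe(report: str, logfile: str) -> str:
    # Vulnerable pattern from the writeup: the report text is spliced into a
    # shell command line, so quotes, ';' and '#' are parsed by /bin/sh instead
    # of being written to the file. Returned here (not executed) so the
    # composed command can be inspected.
    return f"echo {report} >> {logfile}"

def save_report_quoted(report: str, logfile: str) -> None:
    # Hardened while keeping the shell: shlex.quote() turns the report into a
    # single-quoted literal, so metacharacters reach echo as plain text.
    os.system(f"echo {shlex.quote(report)} >> {shlex.quote(logfile)}")

def save_report_noshell(report: str, logfile: str) -> None:
    # Preferred fix: no shell at all. Python appends the text itself, so there
    # is nothing for attacker-controlled input to break out of.
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(report + "\n")

SHELL_METACHARS = set(";|&$`'\"\\<>(){}#\n")

def has_shell_metachars(report: str) -> bool:
    # Detection aid: flag report text carrying shell syntax so the service can
    # log or alert on it. Not a substitute for the fixes above.
    return any(ch in SHELL_METACHARS for ch in report)

def read_log(logfile: str) -> str:
    with open(logfile, encoding="utf-8") as fh:
        return fh.read()

def demo(report: str) -> tuple:
    # Run both hardened handlers on fresh temp files and return what each wrote.
    with tempfile.TemporaryDirectory() as d:
        quoted, noshell = os.path.join(d, "q.txt"), os.path.join(d, "n.txt")
        save_report_quoted(report, quoted)
        save_report_noshell(report, noshell)
        return read_log(quoted), read_log(noshell)

if __name__ == "__main__":
    # Constructed sample: a report message that carries shell syntax.
    sample = "'; echo injected #"
    print("unsafe handler would run:", save_report_unsafe(sample, "/tmp/reports.txt"))
    print("hardened handlers wrote:", demo(sample))
    print("flagged by check:", has_shell_metachars(sample))
```

Both hardened handlers write the sample string literally, which is exactly what the original `echo` fails to do once `';` closes its argument.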

## Exploitation

Let's connect to the web app on port 3000 using netcat so that we can interact with the chat service.

Let's first start a netcat listener and then send the commands that give us a reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpuSbPxdzn96daYnMq%2Fimage.png?alt=media\&token=87f79888-c7db-4885-b3eb-3d47995ab6bb)

Now let's send the commands by choosing the `REPORT` option.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpuZH-7i-HlL6ROjP6%2Fimage.png?alt=media\&token=8d17b163-2a4c-4449-af80-5839fae5b292)

After sending these commands, you should get a reverse shell on the listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpumLMuMLOn8fkcOdh%2Fimage.png?alt=media\&token=4957fb9b-e25e-4fe2-b8fe-bda6467a5887)

Let's stabilize the shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-Mcpuy_KLwlZITmyQeYq%2Fimage.png?alt=media\&token=caf10fb3-2175-49ed-954e-5630189d3b39)

Let's read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpvK65nx2yHFBiLrkZ%2Fimage.png?alt=media\&token=54cc16d1-50b1-4e6c-b4e1-1c8a38ff4b1e)

## Privilege Escalation

Let's run `sudo -l` to see what we can run as other users.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpvaBdW5TA6K8YLEQ0%2Fimage.png?alt=media\&token=03868f93-9194-49c3-b0f2-a56b66863f61)

It looks like we can run this file as root. Let's check what it contains and also the permissions on it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpwBOrWE1UZMNPA69X%2Fimage.png?alt=media\&token=2bb8fb3e-f096-4624-b58c-021d23a178b9)

The script imports the `compare` module. Since the environment variable that controls where Python searches for modules is preserved by `sudo` here, we can point it at a directory containing our own `compare.py` that spawns a root shell; running the script as root then imports our file and gives us a root shell.

Let's first create our `compare.py` file and add the script that will give us a root shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpyMM8uzGtYerMyqO0%2Fimage.png?alt=media\&token=e94699fd-b3ce-417d-ab57-336f7f913e1b)

Let's now force Python to load our module file instead of any other and run the `test_module.py` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McprcB2kwxuu9YRpB5f%2F-McpyXi7CW5uYfhh2xBq%2Fimage.png?alt=media\&token=365359cc-2d0e-4ea4-b16a-43c575728e69)

We are now root and can read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McpybyW9NSEeQc2m_9C%2F-Mcpyo1WtNlwgoC1CkHV%2Fimage.png?alt=media\&token=a4c38318-72d7-4588-a174-3e05cae79a9a)
