PyEXP – Vulnhub CTF Walkthrough

Enumeration:

Started enumeration with FULL PORT scan to find the open ports and services using nmap.

From the full scan result, I found that only two ports are open and running waste and mysql services.

1337 – Waste – OpenSSH service

3306 – mysql – MySQL service

Now, I tried to find if any exploit is present for the above service versions, but nothing was found.

So, I ran hydra to brute force the SSH service.

But I was unsuccessful there.

For MySQL, I have used the root user and rockyou.txt library for the password to brute force MySQL credentials.

Wow, now I have mysql credentials. Login into mysql using the below command and then check the databases present.

mysql -u root -h 192.168.64.118 -p

To check the databases: show databases;

Used database data (command: use data;), Inside this I found one table fernet and dumped all the data present inside the fernet table. I got two columns cred and keyy

Cred: gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys=

Keyy: UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0=

First I thought to encode it with base64 and MD5 but nothing was found. After all these tries I did some research for fernet and found that it is an encryption technique and to decrypt we need hash and key. To decode I have used the online portal: https://asecuritysite.com/encryption/ferdecode

Decoded data: lucy:wJ9`”Lemdv9[FEw-

Used the decoded data to login via SSH into the target server. And after successful login, I found one of the flag (local.txt).

After local.txt, with the help of wget I have downloaded two scripts les.pl (to check for the kernel exploit) and lse.sh ( shell script to show the relevant information about the security of the Linux system, helps to escalate the privilege).

No kernel exploit found for the current version.

Now, ran lse.sh and found something helpful.

lucy can run sudo /usr/bin/python2 /opt/exp.py without password.

Now I checked for the file permission of exp.py and found that lucy can only read file.

I found the following code under exp.py

uinput = raw_input(‘how are you?’)

exec(uinput)

I searched for the exec function and after some research, I was successfully able to run the following code to read another flag.

Leave a Reply

Your email address will not be published. Required fields are marked *