Unbaked Pie is a vulnerable machine from
TryHackMe that is rated as medium difficulty.
As always we'll start with an nmap scan to discover open ports.
Command: nmap -sC -sV $IP
Looks like we have only one open port:
5003. Let's check it.
Let's do a gobuster scan maybe we'll find something that can help us.
Command: gobuster dir -u $IP -w /path/to/wordlist/ -x php,txt
Looks like that gobuster didn't found nothing that we can take a look at. We can try to create a account but that won't help us much.
The next step here (the actual vulnerability) is to use the
search function from the website, because this website is vulnerable to
pickle deserializtion. For this vulnerability I've found the next blog post
https://davidhamann.de/2020/04/05/exploiting-python-pickle/, that explain the vulnerability and has everything we need to continue with this box.
First we'll use the script from the blog post to create a base64 encoded pickle byte stream.
All we need to do is to save the script and the run it using python3. This script will generate a base64 encoded string.
Now go on the website, use the
search bar and intercept the request with
BurpSuite.
If we send the request using Burp Repeater, we'll see that the server will give back serialized object, search_cookie, that's what we need to exploit.
Now we need to change the request method from a POST to a GET and send our own serialized object that we've generated using the script.
All we have to do now is to start a
netcat listener and send the
GET request and we'll have a root shell.
We can safely assume that we are inside a
docker container, one of the signs being the hostname name. If we use
linpeas.sh we'll find out that there is another IP that we can "talk" to.
To make sure that we can "talk" to this IP we can use
netcat to grab the
banner from port 22 which is
SSH.
If there is a SSH service, it means that there should be a
username which we can use to connect via SSH. If we check the
.bash_history file from
/root, we'll see that indeed there is a username:
ramsey, and we can see that he use SSH.
But there is a problem. If we keep reading the .bash_history file. we'll see that root uninstalled the SSH service from our docker. To be able to access the SSH service we need to use a tool called
chisel.
Using chisel we can port forward port 22.
On our machine start chisel as a server:
Command: ./chisel server -p 9001 --reverseOn the client's machine (the one that we have a shell on) start chisel as a client:
Command: ./chisel client 10.8.0.116:9001 R:127.0.0.1:9002:172.17.0.1:22Now we can access the other docker’s ssh from our machine. But before we connect to port 22 let's brute force the password for user
ramsey because we don't know what is it.
Command: hydra -l ramsey -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 9002
Now that we have the password we can access the other docker machine as user ramsey.
Command: ssh ramsey@127.0.0.1 -p 9002If we check ramsey's privileges on the box, we can see that we are able to run
/home/ramsey/vuln.py as user
oliver.
The vuln.py is owned by root and user ramsey, but we can't write to the file. To exploit this we just have to
move the file (move command (
mv) will basically change the name of the file) to another file.
And now we create our own vuln.py with the desired content, which I've chose to add a python reverse shell.
Start a netcat listener and execute the command bellow and we'll have a shell as user
oliver.
Command: sudo -u oliver python /home/ramsey/vuln.py
If we check the privileges on the box for user
oliver, we'll see that we can run another python script, but this time we have
SETENV which means when we use sudo we can set
environment variables.
Checking the
dockerScript.py file we can see that it import the
docker module.
We can exploit this by creating a file inside
/dev/shm called
docker.py with the following content.
To make use of the file that we've create run the command below. Just start a netcat listener an we'll have a root shell.
Command: sudo PYTHONPATH=/dev/shm/ python /opt/dockerScript.py
This was a fun box to solve, with a lot of methods to escalate.
On the client's machine (the one that we have a shell on) start chisel as a client:
Now we can access the other docker’s ssh from our machine. But before we connect to port 22 let's brute force the password for user ramsey because we don't know what is it.
If we check ramsey's privileges on the box, we can see that we are able to run /home/ramsey/vuln.py as user oliver.
The vuln.py is owned by root and user ramsey, but we can't write to the file. To exploit this we just have to move the file (move command (mv) will basically change the name of the file) to another file.
And now we create our own vuln.py with the desired content, which I've chose to add a python reverse shell.
Comments
Post a Comment