Initial foothold
After running our normal scan: `scanit $(boxip)` we get two ports open.
The custom chat program looks interesting, let’s netcat to it.
We get presented with a usage prompt. Let’s try the [REPORT] function first.

Hmm, interesting, Mozzie-jpg, let’s search for that git user to see the code as mentioned.
We find this repo: https://github.com/Mozzie-jpg/JPChat in there a single python file with two interesting lines of code.
Both look injectible.
I sent a random string for good measure, a command, then echo to complete the line as it is in the code, this might not be necessary but I do it just in case so I don’t break anything.
Here I tried one command on the name and another on the report, both worked.

User
We got command execution. Let’s get a shell.


Shell popped. We can grab user.txt flag.
Root
sudo -l Is the first thing I try.

We can do something with the PYTHONPATH environment variable, interesting.
Python module hijacking is explained here.
Creating a minimal class named compare:
class compare:
def Str(self, x, y,):
import os
os.system('/bin/bash -p')
We should get a root terminal when a string is compared.
So lets try:

Bingo.