Pyrat | TryHackMe | Write Up

https://tryhackme.com/room/pyrat

Pyrat receives a curious response from an HTTP server, which leads to a potential Python code execution vulnerability. With a cleverly crafted payload, it is possible to gain a shell on the machine. Delving into the directories, the author uncovers a well-known folder that provides a user with access to credentials. A subsequent exploration yields valuable insights into the application's older version. Exploring possible endpoints using a custom script, the user can discover a special endpoint and ingeniously expand their exploration by fuzzing passwords. The script unveils a password, ultimately granting access to the root.

ping Target machine

┌──(kali㉿kali)-[~]
└─$ ping -c 4 10.10.102.115
PING 10.10.102.115 (10.10.102.115) 56(84) bytes of data.
64 bytes from 10.10.102.115: icmp_seq=1 ttl=63 time=58.3 ms
64 bytes from 10.10.102.115: icmp_seq=2 ttl=63 time=49.7 ms
64 bytes from 10.10.102.115: icmp_seq=3 ttl=63 time=33.9 ms
64 bytes from 10.10.102.115: icmp_seq=4 ttl=63 time=20.0 ms

--- 10.10.102.115 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3011ms
rtt min/avg/max/mdev = 20.019/40.485/58.304/14.696 ms

Use 10.10.102.115 in browser - No result

nmap -sC -sV 10.10.102.115

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.10.102.115

Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-04-23 09:28 EDT
Nmap scan report for 10.10.102.115
Host is up (0.021s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
8000/tcp open  http-alt SimpleHTTP/0.6 Python/3.11.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: SimpleHTTP/0.6 Python/3.11.2
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, JavaRMI, LANDesk-RC, NotesRPC, Socks4, X11Probe, afp, giop: 
|     source code string cannot contain null bytes
|   FourOhFourRequest, LPDString, SIPOptions: 
|     invalid syntax (<string>, line 1)
|   GetRequest: 
|     name 'GET' is not defined
|   HTTPOptions, RTSPRequest: 
|     name 'OPTIONS' is not defined
|   Help: 
|_    name 'HELP' is not defined
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
SF-Port8000-TCP:V=7.95%I=7%D=4/23%Time=6808EB1E%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,1,"\\n")%r(GetRequest,1A,"name\\x20'GET'\\x20is\\x20not\\x20defin
SF:ed\\n")%r(X11Probe,2D,"source\\x20code\\x20string\\x20cannot\\x20contain\\x20
SF:null\\x20bytes\\n")%r(FourOhFourRequest,22,"invalid\\x20syntax\\x20\\(<strin
SF:g>,\\x20line\\x201\\)\\n")%r(Socks4,2D,"source\\x20code\\x20string\\x20cannot\\
SF:x20contain\\x20null\\x20bytes\\n")%r(HTTPOptions,1E,"name\\x20'OPTIONS'\\x20
SF:is\\x20not\\x20defined\\n")%r(RTSPRequest,1E,"name\\x20'OPTIONS'\\x20is\\x20n
SF:ot\\x20defined\\n")%r(DNSVersionBindReqTCP,2D,"source\\x20code\\x20string\\x
SF:20cannot\\x20contain\\x20null\\x20bytes\\n")%r(DNSStatusRequestTCP,2D,"sour
SF:ce\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\n")%r(Help,1
SF:B,"name\\x20'HELP'\\x20is\\x20not\\x20defined\\n")%r(LPDString,22,"invalid\\x
SF:20syntax\\x20\\(<string>,\\x20line\\x201\\)\\n")%r(SIPOptions,22,"invalid\\x20
SF:syntax\\x20\\(<string>,\\x20line\\x201\\)\\n")%r(LANDesk-RC,2D,"source\\x20cod
SF:e\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\n")%r(NotesRPC,2D,"so
SF:urce\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\n")%r(Java
SF:RMI,2D,"source\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20bytes\\
SF:n")%r(afp,2D,"source\\x20code\\x20string\\x20cannot\\x20contain\\x20null\\x20
SF:bytes\\n")%r(giop,2D,"source\\x20code\\x20string\\x20cannot\\x20contain\\x20n
SF:ull\\x20bytes\\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 178.70 seconds

Key take-aways:

22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_  256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
8000/tcp open  http-alt SimpleHTTP/0.6 Python/3.11.2

SSH and http 8000 are open

We can now try port 8000 on the web browser

SSH is not worth attacking yet - no credentials. Too risky to brute force without any hints.