It is one of these projects that make the world better by providing online & free education to people. If you are new to programming and want to learn some Python, I'd suggest you visit the groklearning.com site and take some (why not all) of the courses they have!
I've been using groklearning.com myself and have been telling friends about it who wish to learn Python, but don't know where to start from.
Using groklearning.com you can write your Python script, which in turn is executed and the result is displayed back to the user. This is very cool, because you don't have to bring Python with you all the time and can simply use it from your browser, but this also comes with a risk...
What if someone manages to make the system serve a different purpose..? What if someone manages to turn this into a weapon..?
In this post we are going to explore the security of groklearning.com by trying to get shell access to the systems.
DISCLAIMER: The information provided here is for educational purposes only! Any unauthorized attempts to use this information for malicious acts may be disclosed to law enforcement authorities and result in criminal prosecution!
This post was published with the permission and agreement of the Security Team at groklearning.com.
First thing I did is to choose a target. I've chosen the Eliza course and continued from there.
NOTE: Any other course would also work as long as it provides you with a window where you could write your Python script.
The first Python script I ran was to get a list of all active processes on the system. This would later allow me to identify any weak spots that I could use for my attack.
This is the script I've used:
From the output of the above script I was able to identify a number of things about the system, such as OS, Virtualization technology being used, etc.
It was time to have a look around and see what we've got on this system. I've started checking what's in /usr/bin, and other directories in order to identify anything that could be used as a weapon.
The system running my Python script was stripped down a bit, so you won't find all the UNIX/Linux tools you usually find on a default installation of a GNU/Linux system for example.
I've used this script to get what's in the different directories.
Okay, first thing noticed was that /bin/bash was there... Thought I'd give it a try and see if I could start it...
I've quickly loaded my next Python script and executed it:
I wasn't really hoping much for anything to happen, but then I got a result back which was:
Okay, now I knew I could start a shell on the remote system, but I couldn't do much with it... at least for now...
Time to check if outbound traffic is allowed. If outbound traffic was allowed I could write up a Python script which would spawn a reverse shell for me and grant me access.. Only if outbound traffic is allowed..
So, I've used this script to verify that outbound HTTP traffic is allowed.
I've loaded this script in Eliza and hit the run button. And the result was:
The result from the script confirmed that outbound HTTP traffic is allowed, so I was ready to launch my first attack.
I've created a listener on my machine on port 80 using netcat which I would later use for my reverse shell:
Next thing I had to do is load a reverse shell script in Python to groklearning.com. This is the script I've used for my Python reverse shell:
As soon as I fired up the Python reverse shell I was able to see the shell prompt on my netcat listener:
Then I tried executing some shell commands:
Unfortunately, I wasn't able to do much with my reverse shell, as it seems there were some limits in place, so I went further into checking things on the target machine.
Next thing I did is to check the limits on the target system. I've used the following Python script to check our limits:
The result I got was this:
As you could see from the above output we were limited to just 3 user processes... Apparently, I wasn't going to get my shell so easily so I had to think up something else...
It was time to launch a second attack, but this time using os.execv() instead of
So, I've started my netcat listener again, and then used this script for my reverse shell:
The result this time was this:
This time I managed to get my reverse shell and get access to the system running the groklearning.com Python code.
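Why a process-count limit does not stop os.execv(), shown as an added example (it is not one of the scripts from the original post): RLIMIT_NPROC is checked when a process is created, while exec replaces the current process image in place. The function name, the forked child standing in for the sandboxed script, and the default cap of 3 are assumptions made for the demonstration.

```python
import os
import resource
import sys

# Runs in the exec'd interpreter: report its own PID back over the inherited pipe.
REPORT = ("import os, sys; os.write(int(sys.argv[1]), "
          "f'{sys.argv[2]} {os.getpid()} {sys.argv[3]}'.encode())")

def exec_under_nproc_cap(cap=3):
    """Fork a stand-in for the sandboxed script, cap RLIMIT_NPROC, then exec.

    Returns (pid_before_exec, pid_after_exec, fork_was_blocked).
    """
    r, w = os.pipe()
    child = os.fork()
    if child == 0:
        try:
            os.close(r)
            _, hard = resource.getrlimit(resource.RLIMIT_NPROC)
            soft = cap if hard == resource.RLIM_INFINITY else min(cap, hard)
            resource.setrlimit(resource.RLIMIT_NPROC, (soft, hard))
            try:  # creating a process is what the limit counts
                grandchild = os.fork()
                if grandchild == 0:
                    os._exit(0)
                os.waitpid(grandchild, 0)
                blocked = 0  # e.g. running as root, where the cap is not enforced
            except OSError:
                blocked = 1  # EAGAIN: the user's process quota is used up
            os.set_inheritable(w, True)
            # exec replaces this process image; no new process is created
            os.execv(sys.executable, [sys.executable, "-c", REPORT,
                                      str(w), str(os.getpid()), str(blocked)])
        finally:
            os._exit(1)  # only reached if something above failed
    os.close(w)
    with os.fdopen(r) as pipe:
        before, after, blocked = pipe.read().split()
    os.waitpid(child, 0)
    return int(before), int(after), blocked == "1"

if __name__ == "__main__":
    before, after, blocked = exec_under_nproc_cap()
    print(f"fork blocked by RLIMIT_NPROC: {blocked}")
    print(f"pid before exec {before}, after exec {after}")
```

The PID is the same before and after the exec, whether or not the fork was refused. For whoever operates such a sandbox, a process quota is therefore not an execution or network control: in the post, /bin/bash was present and outbound traffic was allowed.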
At this point I stopped and decided it was time to let the Security Team at groklearning.com know about the security issue.
Soon after I managed to get shell access to the system I mailed the Security Team at groklearning.com about this issue.
After sending the mail soon enough one of the guys from the Security Team at groklearning.com contacted me and we had a conversation about the issue in order to further identify the root cause. A bit later the security issue was fixed and creating a reverse shell was no longer possible.
Now, we can all be a bit happier that groklearning.com is a bit safer than before with patching that security issue and continues to serve its mission to educate people! :)