ChillHack
Reconnaissance
Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)
Detailed Nmap Scan :
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving it into a file called nmap
Enumeration
Port 21: FTP
We see in the nmap scan that Anonymous FTP login is allowed, so lets login
Listing the files we see that there is a note.txt
file so lets transfer this file to our machine.
Lets read note.txt
We have two usernames, Anurodh
and Apaar
, lets add this to our notes.
We also see that there is some filtering on strings being put in the command, which we might encounter while enumerating this machine further.
Port 80: HTTP
Lets visit the site.
Looks like a very well made website, lets run gobuster to find hidden directories while we explore the webpage.
I looked through the website and found nothing interesting in the source code too, after a while I got the results for the gobuster scan
Lets visit this /secre
t directory.
Looks like we can execute commands, lets try executing a basic command. When I tried executing ls
it gave me this.
Now looking back at the note.txt
, it mentioned that there was filtering on the commands, so to bypass that I remembered there was a way we could bypass filtering, we can do this by using backslashes in the command. We are no escaping any special characters so then the word will be interpreted the same way by bash. Lets try l\s
.
And it worked so now lets check the index.php page which will tell us what characters and words are being filtered.
After executing the look at the source code.
We have a list of words that have been blacklisted which means that we cannot use them on the system, also we can see the function that allows command injection. Lets now try to get a reverse shell on the machine.
Exploitation
First we create a bash reverse shell
Second we transfer it to the victim machine by starting a http server on our machine and using the curl command
Finally once the file is downloaded we can start a netcat listener and execute the file we transferred to get a reverse shell on the machine.
First we create a bash reverse shell called shell.sh
Now we start a http server
Lets also start a netcat listener.
Now we download the file on the victim machine using curl and then execute is using bash in the same command. We are using a backslash in bash as it has been blacklisted.
After executing the command, we get a reverse shell.
Lets now stabilize the shell.
Privilege Escalation
Looking at the files in the system, we did not have permissions to read most of them, so lets run a automatic enumeration script called linpeas
, you can find this google, once you download it we have to transfer to this machine.
We already have a http server running, if you switched it off, start is up again.
Now we have to go the /tmp
directory as we are not allowed to download files in other directories and usually /tmp
always gives us permissions to download files into its directory.
Before this lets run sudo -l
to see what we can run as other users.
Looks like we can run a script file, lets read it.
Looking at the script, it looks like it is vulnerable to command injection as there are no filters. And this file is owned by Apaar, we can try running it and execute a bash shell and get a bash instance as the user Apaar.
Lets first run the file and then type /bin/bash
to get a shell as Apaar and then stabilize the shell.
We are now the user Apaar. We can read the User flag now in Apaar's
home directory.
Now I tried running linpeas but It did not work so I had to find another way to privilege escalate and that is when I found an interesting files in /var/www/files
.
Lets read these files
hacker.php
This looks like it is displaying a image file and there is a message which is telling that there might be something in the image file . Lets download this file, before that lets explore the other files.
account.php
account.php
This looks like a login page.
index.php
index.php
In this file we see the credentials for the SQL database running on this machine.
Lets now download the image file we found in hacker.php, first lets go to the directory in which the file is present.
Lets start a http server on this machine.
Now lets download the file onto our machine
Now lets look at the file
Lets use steghide to look for hidden information in the file. (Click enter for the password)
We see a zip file, lets extract it using steghide
.
Lets unzip this zip file that we got.
Looks like we need a password, we can use zip2john
and then john the ripper
to find the password.
Now use john to crack the password
Now show the password
We have the password. Lets unzip the zip the file
Lets read the source_code.php
file
Looking through we find the base64 text that is the password for the user Anurodh
. Lets decode the string.
We the password, lets now login through ssh.
We are now logged in. I was looking through and did not see anything of interest until I ran the command id
.
Anurodh is part of the docker group. We can find the command to become root on GTFOBins.
Lets run this command
We are now root.
Last updated