TryHackMe: Chill Hack

Initial foothold

1. Port scan

There are 3 open ports: 21, 22 and 80.

2. OS and service scan

The OS is Ubuntu.

There are 3 services:

  • 21/tcp open ftp vsftpd 3.0.3 w/ anonymous login
  • 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
  • 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

3. Vuln scan

The scan discovered directories on the HTTP service:

Service Enumeration

1. FTP on port 21 w/ anonymous login

Connect and download the file.

Read the file

It lists possible usernames, which I save as users.txt. It also hints that one of the services has a filter implemented.

2. SSH on port 22

Test the connection

I can connect successfully.

3. HTTP on port 80

nikto scan

It discovered the same directories as the vuln scan.

Directory scan w/ gobuster

Access the site

I accessed every page until I came across this directory: /secret.

Exploitation

1. Test the Command function
  • Ping command

At the attacker machine

At the target machine, test the ping command

Back to the attacker machine. The command injection worked as expected.

  • Reverse shell

Create listener on port 443

Inject the reverse shell command

I will use this command.

I encountered the filter hinted at in note.txt from the FTP service.

To bypass the filter, I will use ‘\’ as the starting character.

Back at the listener, I now have the shell.
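The reason a leading escape character defeats the filter is that a blocked-word list and the shell do not parse the same way. The added example below (not the room's PHP and not the author's code) uses a constructed denylist standing in for the one hinted at in note.txt, next to the allowlist approach a defender would use instead: validate the ping target as a literal IP address and pass it to ping as a single argv element with no shell involved. Usernames, paths and the denylist contents are assumptions.

```python
"""Constructed stand-in for a blocked-word command filter, beside the
allowlist check that actually closes the hole. Added example; not the
room's code and not the author's."""
import ipaddress
import re
import subprocess
from typing import List

# Constructed denylist: the kind of blocked-word list such filters use.
DENYLIST = frozenset({"bash", "sh", "nc", "python", "python3", "perl", "php"})


def denylist_allows(user_input: str) -> bool:
    """Weak check: pass unless a blocked word appears as its own token.

    Tokens are split on whitespace and shell separators, which is how such
    filters usually see the input. The shell additionally interprets quoting
    and escapes, so a token the filter does not recognise can still become
    the blocked command once the shell parses it. That mismatch is the flaw.
    """
    tokens = [t for t in re.split(r"[\s;&|]+", user_input) if t]
    return not any(tok in DENYLIST for tok in tokens)


def is_valid_target(host: str) -> bool:
    """Allowlist check: the ping target must be a literal IP address, nothing else."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def build_ping_argv(host: str) -> List[str]:
    """Return the argv for ping, or raise ValueError on a bad target.

    The validated host becomes one argv element and no shell is ever used,
    so separators, quotes and escapes in the input have nothing to execute.
    """
    if not is_valid_target(host):
        raise ValueError(f"refusing ping target {host!r}")
    return ["ping", "-c", "3", host]


def run_ping(host: str) -> int:
    """Run ping with the hardened argv and return its exit status."""
    result = subprocess.run(build_ping_argv(host), check=False, timeout=20)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: a plain address, an obvious injection, and an
    # escaped one. Only the allowlist rejects both of the bad ones.
    for candidate in ("127.0.0.1", "127.0.0.1; bash", "127.0.0.1; \\bash"):
        print(f"{candidate!r:28} denylist allows: {denylist_allows(candidate)!s:5} "
              f"allowlist allows: {is_valid_target(candidate)}")
```

The takeaway for the web application side is that the fix is not a longer word list; it is refusing anything that is not a well-formed address and never handing user input to a shell.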

Privilege Escalation

1. Get TTY shell

The machine doesn't have python command.

Maybe this machine has python3.

Now I have TTY shell and current directory is /var/www/html/secret.

2. Explore directories

I came across another HTTP site’s directories in “/var/www”.

I think it’s a hidden HTTP site accessible only from this machine.

I got MySQL credentials.

Try to log in as root, in case the password is reused.

Failed!!!

3. Verify sudo

Use command

Failed!!!

Use the command as apaar

Try to get a shell by supplying /bin/bash.

Now I have escalated to apaar.

Verify sudo again

It’s the same rule as for www-data. Even if I supply /bin/bash as www-data, I would still end up as apaar.

Read user.txt

Now I got the first flag.

4. Log in to mysql

There’s a webportal schema.

Get webportal’s tables.

I got the credentials of anurodh and apaar.

Crack hashes w/ crackstation

Try reusing the passwords

All failed!!!

5. Searching for hidden port and service

Since there’s a hidden website stored in /var/www/files/, my suspicion is that this machine may have a hidden port.

Verify port

As suspected, there’s port 9001.

Apache can be configured to listen on a port other than 80. The configuration is located in:

Verify

6. Port-forwarding

Back on the attacker machine, start the SSH service

At the target machine, forward the port

Access the site via the attacker machine

Log in w/ the cracked credentials from MySQL

As hinted, I downloaded the image.

7. Steganography

Read file metadata

Not much is revealed.

Extract hidden file w/ steghide

I have backup.zip.

Unzip

I need a password.

Find the password w/ fcrackzip

Unzip again and supply the password. Now I have source_code.php.

There’s a base64 string.

Decode w/ CyberChef

Try to log in as anurodh

Verify user

I’m part of the docker group.

Exploit docker

Now I’m root.
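Membership of the docker group is root-equivalent on a stock host, which is why the final step works at all. The added example below (not the author's commands) is the check a defender would run to catch this configuration: it parses /etc/group-format text for members of groups that grant root, and reports who can write to the Docker socket. It is shown on a constructed /etc/group excerpt; the usernames and group IDs in that sample are assumptions, not data taken from the machine.

```python
"""Audit for root-equivalent group membership of the kind that ended this
room. Added example, not the author's code; parses /etc/group-format text,
demonstrated on constructed sample data."""
import os
import stat
from typing import Dict, Set

# Groups whose members can trivially become root on a stock Linux host.
# docker and lxd: full control of a daemon that runs as root.
# sudo and wheel: depends on sudoers, but flag them for review anyway.
ROOT_EQUIVALENT_GROUPS = frozenset({"docker", "lxd", "sudo", "wheel"})

# Constructed /etc/group excerpt for the demonstration (not from the room).
SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,apaar
sudo:x:27:apaar
www-data:x:33:
docker:x:998:anurodh
lxd:x:999:
"""


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members (4th /etc/group field)."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        name, _passwd, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def root_equivalent_members(text: str) -> Dict[str, Set[str]]:
    """Return only the sensitive groups that have at least one member."""
    groups = parse_group_file(text)
    return {g: m for g, m in groups.items() if g in ROOT_EQUIVALENT_GROUPS and m}


def docker_socket_exposure(path: str = "/var/run/docker.sock") -> str:
    """Describe who can write to the Docker socket; 'absent' if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "absent"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return f"group-writable (gid {st.st_gid})"
    return "owner-only"


def audit_live_system() -> Dict[str, Set[str]]:
    """Run the membership check against the real /etc/group of this host."""
    with open("/etc/group", encoding="utf-8") as fh:
        return root_equivalent_members(fh.read())


if __name__ == "__main__":
    findings = root_equivalent_members(SAMPLE_GROUP_FILE)
    for group, members in sorted(findings.items()):
        print(f"{group:8} {', '.join(sorted(members))}")
    print("docker socket:", docker_socket_exposure())
```

On a real host, every account the report lists for docker or lxd should be treated as having root, and the socket should be group-writable to that group only, never world-writable.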