THM: Chill Hack
Chill the Hack out of the Machine.
Intermediate level CTF. Capture the flags and have fun!
This is Chill Hack from TryHackMe. It’s medium rated.
We’ve got FTP, SSH and HTTP on port 80.
Anonymous login is permitted, and there is a note.txt that gives some message about filtering or something; not very interesting. It’s relevant to the next bit but adds nothing important.
On the website there is a directory called /secret which you could easily find with gobuster or whatever; I actually just guessed that it existed. It has a box in which commands can be entered and these are executed by the server, but most of the common linux commands are disallowed; eg ls, cat etc.
When I completed this box there were no writeups, but after some were released I went and looked at them and found a fascinating array of ways in which people got around this. Basically the underlying filter was a string comparison of the entered text with a set of disallowed commands.
So people defeated this is a range of ways including:
- bash is not the same as /bin/bash from a string comparison perspective, so a fully quoted binary path defeats the filter
- b\ash is not the same as bash even though the escape character is ignored, because the string comparison happens first
- find is allowed, and can be used to execute other commands with the -exec switch
Anyway I found that all very interesting. What I did was different. There are a variety of shells available on a typical linux box which may include sh, bash, zsh, dash and potentially others. We had no sh, bash or zsh but we did have dash. How could we use this? What I found was this pattern:
So we will echo a base64 encoded command (cat /etc/passwd, a reverse shell or whatever), pipe it to base64 to decode, and then pipe it to dash. This was how I got a shell as www-data.
On the box
In /var/www there are two subdirectories - files and html. This will be relevant. But first we run sudo -l
This shell script (which I failed to make a copy of) allowed you to run commands, even though it wasn’t particularly obvious that was what was happening. You responded to a prompt twice - what you entered an the second prompt was a command or would be run as one. I just used this to launch bash as apaar.
Apaar has an authorized_keys file, so we can add our SSH public key and then SSH in as apaar:
We can see something is running on port 9001 (thanks linpeas), so we’ll set up an SSH port forward:
root@kali:~# ssh -L 9999:127.0.0.1:9001 email@example.com
And visit localhost:9999 in the browser. We get the website from the /var/www/files directory I mentioned earlier, which has a login page. We can send that to sqlmap and extract two easily cracked hashes:
Which ultimately turn out to be useless. If we log in with one of these and the username aurick (I think it was, I’m going from memory because I didn’t write this down), we get served a different page with a picture of a spooky hacker and a message about searching in the dark or something. We already had access to this stuff earlier, so … yeah. Didn’t really gain anything from that.
In the dark
Up until this point I’d been enjoying this box. Now comes the stego - arrrragh.
Download the hacker picture thing, run steghide (no password), get password protected zip file, crack that with john, read base64 encoded creds. Here’s what my bash history looked like:
191 steghide extract -sf hacker-with-laptop_23-2147985341.jpg
192 file backup.zip
194 unzip backup.zip
195 locate zip2john
196 zip2john backup.zip > backup.john
197 john backup.john -w=/usr/share/wordlists/rockyou.txt
198 unzip backup.zip
199 cat source_code.php
I’m skipping over this a bit because it gave me the shits. I hate stego.
Anyway our new user is in the docker group:
Yay I guess. This could have been a good challenge but ultimately it fell a bit short for mine. The SSH port forward was a nice touch but ultimately it was unnecessary. The box was supposed to be ‘real life’ like but then - surprise! - stego. I think I’m going to make my own box soon, I have some ideas.