Overview
This is a walkthrough of the TryHackMe room "Probe".
Task 1
Q1. What is the version of the Apache server?
Run a full port scan with nmap.
$ nmap -Pn -sC -A -T4 -sV -p- 10.10.204.48
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fc:24:1e:72:bb:59:c6:da:0a:be:1e:45:ab:2e:3f:e4 (RSA)
| 256 98:a6:b2:82:44:25:12:a8:97:a5:5a:24:32:a8:22:1d (ECDSA)
|_ 256 93:dc:e8:46:91:f9:29:f7:67:f0:04:bf:0a:02:4e:f8 (ED25519)
80/tcp open http lighttpd 1.4.55
|_http-server-header: lighttpd/1.4.55
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.41
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2023-07-18T10:57:05
|_Not valid after: 2024-07-17T10:57:05
|_ssl-date: TLS randomness does not represent time
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
| tls-alpn:
|_ http/1.1
1338/tcp open ftp vsftpd 2.0.8 or later
1443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
|_http-title: PHP 7.4.3-4ubuntu2.19 - phpinfo()
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2023-07-18T10:57:05
|_Not valid after: 2024-07-17T10:57:05
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/heap/maximum: 52808
| $SYS/broker/load/bytes/sent/15min: 0.27
| $SYS/broker/uptime: 1936 seconds
| $SYS/broker/bytes/sent: 4
| $SYS/broker/load/messages/sent/15min: 0.07
| $SYS/broker/load/sockets/15min: 0.11
| $SYS/broker/messages/sent: 1
| $SYS/broker/load/connections/15min: 0.07
| $SYS/broker/load/connections/5min: 0.20
| $SYS/broker/load/messages/received/5min: 0.20
| $SYS/broker/bytes/received: 18
| $SYS/broker/load/messages/received/1min: 0.53
| $SYS/broker/load/messages/received/15min: 0.07
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/load/sockets/5min: 0.24
| $SYS/broker/load/messages/sent/1min: 0.53
| $SYS/broker/load/messages/sent/5min: 0.20
| $SYS/broker/load/bytes/sent/5min: 0.70
| $SYS/broker/load/bytes/received/1min: 9.49
| $SYS/broker/store/messages/bytes: 181
| $SYS/broker/messages/received: 1
| $SYS/broker/load/sockets/1min: 0.53
| $SYS/broker/load/connections/1min: 0.53
| $SYS/broker/load/bytes/received/5min: 3.17
| $SYS/broker/load/bytes/sent/1min: 2.11
|_ $SYS/broker/load/bytes/received/15min: 1.15
8000/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.41 (Ubuntu)
9007/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 400 Bad Request
27361/tcp filtered unknown
Service Info: Hosts: ip-10-10-204-48.eu-west-1.compute.internal, myblog.thm; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan output shows the Apache version.
443/tcp open ssl/http Apache httpd 2.4.41
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2023-07-18T10:57:05
|_Not valid after: 2024-07-17T10:57:05
A. 2.4.41
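As an added example (not part of the original walkthrough), the Python script below parses an nmap report like the one above into a service inventory and flags the exposures a defender would want to track: the phpinfo() page, the dev.probe.thm certificate, and the anonymously readable MQTT $SYS topics. SAMPLE is a constructed excerpt of the scan shown above, and the function names are my own.

```python
"""Turn an nmap -sV/-sC text report into a service inventory and flag exposures
(added example; SAMPLE is a constructed excerpt of the scan above, not live output)."""
import re

SAMPLE = """\
80/tcp open http lighttpd 1.4.55
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.41
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester
|_http-title: 403 Forbidden
1338/tcp open ftp vsftpd 2.0.8 or later
1443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: PHP 7.4.3-4ubuntu2.19 - phpinfo()
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
|   $SYS/broker/version: mosquitto version 1.6.9
8000/tcp open http Apache httpd 2.4.41 ((Ubuntu))
"""

# "<port>/<proto> <state> <service> <version...>" as printed by nmap -sV
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """One dict per port line; the NSE script lines under it go in 'scripts'."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "proto": m.group(2),
                             "state": m.group(3), "service": m.group(4),
                             "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and services:
            # strip nmap's "| " / "|_" prefixes and attach to the last port seen
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

def exposures(services):
    """(port, note) pairs a defender would want to close or document."""
    findings = []
    for s in services:
        blob = " ".join(s["scripts"])
        if "phpinfo()" in blob:
            findings.append((s["port"], "phpinfo() page exposed: leaks PHP build and config"))
        cn = re.search(r"commonName=([\w.-]+)", blob)
        if cn:
            findings.append((s["port"], f"TLS cert for {cn.group(1)}: check issuer (self-signed?)"))
        if "mqtt-subscribe" in blob and "$SYS/" in blob:
            findings.append((s["port"], "MQTT broker allows anonymous $SYS subscription"))
    return findings
```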
Q2. What is the port number of the FTP service?
The scan also shows the FTP port and version.
1338/tcp open ftp vsftpd 2.0.8 or later
A. 1338
Q3. What is the FQDN for the website hosted using a self-signed certificate and contains critical server information as the homepage?
The commonName in the port scan result gives the FQDN.
443/tcp open ssl/http Apache httpd 2.4.41
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=dev.probe.thm/organizationName=Tester/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2023-07-18T10:57:05
|_Not valid after: 2024-07-17T10:57:05
A. dev.probe.thm
Q4. What is the email address associated with the SSL certificate used to sign the website mentioned in Q3?
Browsing to port 1443 and inspecting the certificate details reveals the email address.
A. probe@probe.thm
Q5. What is the value of the PHP Extension Build on the server?
Accessing port 1443 displays the phpinfo() output, where this value can be read.
A. API20190902,NTS
Q6. What is the banner for the FTP service?
Connecting to port 1338 with the ftp command displays the banner.
$ ftp -P 1338 10.10.204.48
Connected to 10.10.204.48.
220 THM{WELCOME_101113}
A. THM{WELCOME_101113}
Q7. What software is used for managing the database on the server?
Scanning the application with nikto finds /phpmyadmin.
$ nikto -host https://myblog.thm:9007/
(omitted)
+ /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
A. phpmyadmin
Q8. What is the Content Management System (CMS) hosted on the server?
Accessing port 9007 and checking the HTML header shows paths such as wp-, which identifies the CMS as WordPress.
A. Wordpress
Q9. What is the version number of the CMS hosted on the server?
The version is also shown in the HTML header.
A. 6.2.2
Q10. What is the username for the admin panel of the CMS?
Usernames can be enumerated with wpscan.
$ sudo wpscan --url https://myblog.thm:9007 --enumerate u --disable-tls-checks
(omitted)
[i] User(s) Identified:
[+] joomla
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
A. joomla
Q11. During vulnerability scanning, OSVDB-3092 detects a file that may be used to identify the blogging site software. What is the name of the file?
The nikto scan of port 9007 reveals the file name.
$ nikto -h https://10.10.31.114:9007 -ssl -C all
(omitted)
+ OSVDB-3092: /license.txt: License file found may identify site software.
A. license.txt
Q12. What is the name of the software being used on the standard HTTP port?
The scan result for port 80 shows the software.
80/tcp open http lighttpd 1.4.55
|_http-server-header: lighttpd/1.4.55
|_http-title: 403 Forbidden
A. lighttpd
Q13. What is the flag value associated with the web page hosted on port 8000?
Run a directory scan against port 8000.
$ dirsearch -u http://10.10.204.48:8000/
[13:01:03] 301 - 323B - /contactus -> http://10.10.204.48:8000/contactus/
[13:01:22] 301 - 324B - /javascript -> http://10.10.204.48:8000/javascript/
[13:01:39] 301 - 324B - /phpmyadmin -> http://10.10.204.48:8000/phpmyadmin/
[13:01:41] 200 - 3KB - /phpmyadmin/doc/html/index.html
[13:01:41] 200 - 3KB - /phpmyadmin/
[13:01:41] 200 - 3KB - /phpmyadmin/index.php
Accessing /contactus yields the flag.
A. THM{CONTACT_US_1100}