
【Hack The Box】Investigation【WriteUp - Part 1】

Posted at 2023-04-23

Introduction

Hi, I'm a total-noob wannabe engineer.
This article is Part 1 of my WriteUp from taking on "Investigation" on Hack The Box (see the link below).
Note: unlike earlier posts, this one does not go into detail on how to use each tool, so please bear that in mind.

Note: please do not misuse this. Use these techniques only to contribute to society, because otherwise you are breaking the law.

"WriteUp - Part 2" is below.

Discovery

Port scan

This time I tried a fast scan with RustScan.

┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.197 --top -u 5000
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.197:22
Open 10.10.11.197:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:47 EST
Initiating Ping Scan at 02:47
Scanning 10.10.11.197 [4 ports]
Completed Ping Scan at 02:47, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:47
Completed Parallel DNS resolution of 1 host. at 02:47, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:47
Scanning 10.10.11.197 [2 ports]
Discovered open port 22/tcp on 10.10.11.197
Discovered open port 80/tcp on 10.10.11.197
Completed SYN Stealth Scan at 02:47, 0.23s elapsed (2 total ports)
Nmap scan report for 10.10.11.197
Host is up, received reset ttl 63 (0.18s latency).
Scanned at 2023-01-28 02:47:30 EST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (128B)

Ports 22 and 80 look open.
When I actually access port 80, I get told that "eforenzics.htb" cannot be reached, so I'll add a DNS entry.

Collection

Domain environment setup

There is no DNS in the BOX environment this time, so I make the name resolvable on my own Kali Linux.
I edit /etc/hosts.

┌──(root💀kali)-[~/work]
└─# vim /etc/hosts   

Add the following line.

10.10.11.197    eforenzics.htb

Check connectivity.

┌──(root㉿kali)-[~/work]
└─# ping eforenzics.htb                                                                        
PING eforenzics.htb (10.10.11.197) 56(84) bytes of data.
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=1 ttl=63 time=178 ms
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=2 ttl=63 time=179 ms
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=3 ttl=63 time=179 ms
^C
--- eforenzics.htb ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 177.971/178.371/178.598/0.283 ms 

Site exploration

Subdomain enumeration

Download a subdomain list from the following site.

┌──(root💀kali)-[~/work]
└─# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/bitquark-subdomains-top100000.txt

Enumerate with ffuf.
The response sizes were all different, and when I actually accessed them I found they were being redirected with a 301.
So I filter out 301 responses.

┌──(root㉿kali)-[~/work]
└─# ffuf -w ./bitquark-subdomains-top100000.txt:FUZZ -u http://eforenzics.htb/ -H "HOST: FUZZ.eforenzics.htb" -fc 301 -mc all -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/
 :: Wordlist         : FUZZ: ./bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.eforenzics.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: all
 :: Filter           : Response status: 301
________________________________________________

*                       [Status: 400, Size: 306, Words: 26, Lines: 11, Duration: 930ms]
:: Progress: [100000/100000] :: Job [1/1] :: 57 req/sec :: Duration: [0:08:22] :: Errors: 10 ::

Nothing particularly useful came out.

Directory enumeration

Enumerate using dirsearch.

┌──(root㉿kali)-[~/work]
└─# dirsearch -u http://eforenzics.htb/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/eforenzics.htb/-_23-01-28_02-56-12.txt

Error Log: /root/.dirsearch/logs/errors-23-01-28_02-56-12.log

Target: http://eforenzics.htb/

[02:56:12] Starting: 
[02:57:06] 403 -  279B  - /.htaccess.bak1                                  
[02:57:06] 403 -  279B  - /.htaccess.orig
[02:57:06] 403 -  279B  - /.htaccess.save
[02:57:06] 403 -  279B  - /.ht_wsr.txt                                     
[02:57:06] 403 -  279B  - /.htaccess.sample
[02:57:06] 403 -  279B  - /.htaccess_extra
[02:57:07] 403 -  279B  - /.html                                           
[02:57:07] 403 -  279B  - /.htaccessBAK                                    
[02:57:07] 403 -  279B  - /.htaccessOLD2
[02:57:08] 403 -  279B  - /.httr-oauth                                     
[02:57:08] 403 -  279B  - /.htaccess_sc
[02:57:10] 403 -  279B  - /.htpasswd_test                                  
[02:57:11] 403 -  279B  - /.htaccessOLD                                    
[02:57:11] 403 -  279B  - /.htaccess_orig
[02:57:11] 403 -  279B  - /.htpasswds                                      
[02:57:36] 403 -  279B  - /.php                                             
[02:59:47] 403 -  279B  - /assets/                                           
[02:59:47] 301 -  317B  - /assets  ->  http://eforenzics.htb/assets/         
[03:01:17] 200 -   11KB - /index.html                                        
[03:03:07] 403 -  279B  - /server-status                                     
[03:03:07] 403 -  279B  - /server-status/                                    
[03:03:38] 200 -    4KB - /upload.php      

So there is an /assets/ directory and an upload.php. Let me also take a quick look with ffuf.
I grab a web-content list from the same site I took the subdomain list from.

┌──(root💀kali)-[~/work]
└─# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-small.txt

First the directory hierarchy.

┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/FUZZ -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/FUZZ
 :: Wordlist         : FUZZ: ./directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

# Copyright 2007 James Fisher [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 303ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 310ms]
# directory-list-2.3-small.txt [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 312ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 320ms]
                        [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 321ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 328ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 356ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 358ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 354ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# on at least 3 different hosts [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 330ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 601ms]
assets                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 196ms]
                        [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 265ms]
:: Progress: [87664/87664] :: Job [1/1] :: 344 req/sec :: Duration: [0:08:41] :: Errors: 13 ::



┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/FUZZ -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/assets/FUZZ
 :: Wordlist         : FUZZ: ./directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 204ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1524ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1525ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2745ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 186ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 210ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 188ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 745ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 229ms]
# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1697ms]
css                     [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 247ms]
js                      [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 290ms]
imgs                    [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 2430ms]
vendors                 [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 234ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 961ms]
:: Progress: [87664/87664] :: Job [1/1] :: 137 req/sec :: Duration: [0:08:10] :: Errors: 3 ::


┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/vendors/FUZZ -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/assets/vendors/FUZZ
 :: Wordlist         : FUZZ: ./directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 226ms]
# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 226ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 231ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 231ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 232ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 232ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 234ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 373ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 374ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 374ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 375ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 246ms]
bootstrap               [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 256ms]
jquery                  [Status: 301, Size: 332, Words: 20, Lines: 10, Duration: 238ms]
:: Progress: [87664/87664] :: Job [1/1] :: 287 req/sec :: Duration: [0:04:44] :: Errors: 0 ::

Well, nothing much new turned up. Let me also try matching on php files.

┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/FUZZ.php -t 150                                            

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/FUZZ.php
 :: Wordlist         : FUZZ: ./directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 215ms]
# directory-list-2.3-small.txt [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 214ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 226ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 204ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 205ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 229ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 230ms]
#                       [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 231ms]
# Copyright 2007 James Fisher [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 233ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 232ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 222ms]
# on at least 3 different hosts [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 223ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 228ms]
upload                  [Status: 200, Size: 3773, Words: 949, Lines: 83, Duration: 749ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2110ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 246ms]
:: Progress: [87664/87664] :: Job [1/1] :: 236 req/sec :: Duration: [0:08:26] :: Errors: 15 ::


┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/FUZZ.php -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://eforenzics.htb/assets/FUZZ.php
 :: Wordlist         : FUZZ: ./directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 190ms]
# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 193ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 193ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 196ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 197ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 198ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 200ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 200ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 201ms]
#                       [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 198ms]
                        [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 273ms]
:: Progress: [87664/87664] :: Job [1/1] :: 218 req/sec :: Duration: [0:04:50] :: Errors: 0 ::

Nothing new turned up, so I'll wrap up the enumeration here.
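From the other side of the wire, the dirsearch and ffuf runs above are very loud: one client produces a burst of 403/404 responses for dot-files and wordlist entries within seconds. The following is an added example (not code from this write-up or from the box) that flags that pattern in an Apache combined-format access log. The log lines are constructed to mirror the paths seen above, and the 60-second window and threshold of five error responses are assumptions to tune for your own traffic.

```python
"""Spot directory brute-forcing (as with the dirsearch/ffuf runs above) in an
Apache access log.  Added example, not code from the write-up; the log lines
are constructed and the window/threshold values are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering dot-files (403s) plus a normal visitor.
SAMPLE_LOG = """\
10.10.14.70 - - [28/Jan/2023:02:57:06 -0500] "GET /.htaccess.bak1 HTTP/1.1" 403 279 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:02:57:06 -0500] "GET /.htaccess.orig HTTP/1.1" 403 279 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:02:57:06 -0500] "GET /.htaccess.save HTTP/1.1" 403 279 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jan/2023:02:57:07 -0500] "GET /index.html HTTP/1.1" 200 10957 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:02:57:07 -0500] "GET /.htpasswd_test HTTP/1.1" 403 279 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:02:57:08 -0500] "GET /.httr-oauth HTTP/1.1" 403 279 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:02:57:10 -0500] "GET /adminpanel HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.10.14.70 - - [28/Jan/2023:03:03:38 -0500] "GET /upload.php HTTP/1.1" 200 3773 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jan/2023:03:03:40 -0500] "GET /missing HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(log_text, window_s=60, threshold=5):
    """Return {ip: (first_ts, error_count)} for clients that produced at least
    `threshold` 403/404 responses inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 403/404s
    flagged = {}
    window = timedelta(seconds=window_s)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["status"] not in (403, 404):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = (q[0], len(q))
    return flagged


def dotfile_probes(log_text):
    """Paths such as /.htaccess.bak1 are classic wordlist entries; list them per IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["path"].startswith("/.ht"):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


if __name__ == "__main__":
    for ip, (first, n) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} 403/404 responses within 60s starting {first}")
    print(dotfile_probes(SAMPLE_LOG))
```

A rate rule on error responses alone is enough to catch a 30-thread dirsearch run; the dot-file check is there because those paths have no business being requested by a browser at all, so even a slow scan stands out. One caveat when reading the ffuf output above: the entries starting with `#` are comment lines from the wordlist, not real findings, which is why they all return the same size as the index page.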

Initial Access

Investigating the upload function

The discovered upload.php (reached from service.html) apparently lets you upload a Picture.
Let me try uploading an arbitrary text file.
(screenshot: 2.png)
(screenshot: 3.png)
It says it has to be an image.
So let me feed it a random "summer.jpg" image I had lying around.
(screenshot: 4.png)
Something that looks like forensic results comes out... let me press the "here" button.
(screenshot: 5.png)
Oh, it says Ver. 12.37... so I looked up vulnerabilities for that.

CVE-2022-23935

Looking into ExifTool vulnerabilities, I found the following.

So let me try this Exploit.

First, check whether any filtering is applied to the filename.
(screenshot: 6.png)
Looks fine.
Next, check whether commands go through, using the ping -c 3 command.
Check my own IP with the following command.
(In this case it's tun0.)

┌──(root💀kali)-[~/work]
└─# ip a                                                                                                                                               1 ⨯
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

...
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.10.14.70/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:2::101a/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::cf43:caa1:e355:737d/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

Also, run the following command so I can confirm whether the ICMP packets arrive.

┌──(root💀kali)-[~/work]
└─# tcpdump icmp -i tun0

Now put ping -c 3 10.10.14.70 into the filename.
(screenshot: 7.png)
The pings arrived, so it seems to have worked.
Alright, time to throw in a reverse shell.
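The root cause on this box is that upload.php hands the client-supplied filename to ExifTool 12.37, and CVE-2022-23935 lets a filename ending in `|` be opened by Perl as a command pipe, so whatever is in the name runs. The following is an added example (not the box's or the author's code) of how an upload handler avoids that class of problem regardless of the ExifTool version: the file type is decided from content, the file is stored under a server-generated name, and ExifTool is invoked with an argument list rather than a shell string. The image allow-list, the size limit and the `-json` ExifTool argument are assumptions.

```python
"""Hardened handling for the upload weakness shown above.  Added example, not
the box's or the author's code; the allow-list, size limit and ExifTool
arguments are assumptions.  The client's filename never touches a path or a
command line, so a crafted name has nothing to inject into."""
import secrets
import subprocess
import tempfile
from pathlib import Path

# Accepted image types, decided from content, not from the client's extension.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class UploadRejected(ValueError):
    """Raised for anything we refuse to store."""


def sniff_image_type(data):
    """Return the extension for a known image magic, or reject the upload."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("not a supported image")


def store_upload(data, client_filename, dest_dir=None, max_bytes=5 * 1024 * 1024):
    """Store the upload under a server-generated name and return its path.
    `client_filename` is accepted only so it can be logged; it never becomes
    part of a path or a command line."""
    if len(data) > max_bytes:
        raise UploadRejected("too large")
    ext = sniff_image_type(data)
    dest = Path(dest_dir) if dest_dir else Path(tempfile.mkdtemp(prefix="uploads-"))
    path = dest / f"{secrets.token_hex(16)}.{ext}"
    with open(path, "xb") as f:          # 'x': never overwrite an existing file
        f.write(data)
    print(f"stored {client_filename!r} as {path.name}")   # audit trail only
    return str(path)


def exiftool_argv(stored_path):
    """The ExifTool command as an argv list: no shell, and the only filename is
    the hex name we generated, so no metacharacter can reach Perl's open()."""
    return ["exiftool", "-json", stored_path]


def run_exiftool(stored_path):
    """Run ExifTool on a stored file (needs exiftool installed; not exercised by
    the accompanying check).  shell=False is the default for a list argv."""
    proc = subprocess.run(exiftool_argv(stored_path), capture_output=True,
                          text=True, timeout=30, check=False)
    return proc.stdout


if __name__ == "__main__":
    p = store_upload(b"\xff\xd8\xff\xe0" + b"\x00" * 16, "summer.jpg")
    print(exiftool_argv(p))
```

Renaming is the important part: once the stored name is something like `3f9a...c2.jpg`, the client's filename cannot end in `|`, start with `-`, or contain anything ExifTool might interpret, whatever version is installed. Upgrading ExifTool past the vulnerable release is still required, because metadata parsing itself has had bugs; running it under a dedicated low-privilege account with no outbound network access is what would have stopped the `ping` callback above from reaching the attacker's tcpdump.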

Persistence

Reverse Shell

I use the usual site below.

(screenshot: 8.5.png)

To listen for the shell, I run the following command.

┌──(root💀kali)-[~/work]
└─# nc -lvnp 4444

Now, let's reverse shell!!!
(screenshot: 8.png)
It's here. Well, judging from the username, I get the feeling this doesn't give me User privileges yet.

interactive shell

Now that the reverse shell is established, I set up an interactive shell to make exploration easier.
(Otherwise Tab completion and the arrow keys don't work.)

Background the connection with Ctrl+Z and run the following commands.

www-data@investigation:/home$ ^Z        
zsh: suspended  nc -lvnp 4444
                                                                                                                                                            
┌──(root㉿kali)-[~/work]
└─# stty raw -echo; fg 
[1]  + continued  nc -lvnp 4444
                               export TERM=xterm-256col
www-data@investigation:/home$ export SHELL=bash

With this the foothold is complete.
But regular User privileges have not been obtained yet.

Summary

I haven't got the user flag yet, but I did manage to get a shell.
Next time I'll move into the investigation phase for what is visible as www-data.
Stay tuned!!

I hope this helps my fellow security engineers again this time.
