Introduction
Hi, it's me, the hopelessly amateur wannabe engineer.
This article is part 1 of my write-up of the Hack The Box machine "Investigation" (see the link below).
Note: unlike some of my earlier posts, this one does not go into detail on how each tool is used.
Note: do not misuse any of this. Use these techniques only to contribute to society; anything else is against the law.
Part 2 of the write-up is here:
Discovery
Port scan
This time I tried a fast scan with RustScan.
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.197 --top -u 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.197:22
Open 10.10.11.197:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 02:47 EST
Initiating Ping Scan at 02:47
Scanning 10.10.11.197 [4 ports]
Completed Ping Scan at 02:47, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:47
Completed Parallel DNS resolution of 1 host. at 02:47, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 02:47
Scanning 10.10.11.197 [2 ports]
Discovered open port 22/tcp on 10.10.11.197
Discovered open port 80/tcp on 10.10.11.197
Completed SYN Stealth Scan at 02:47, 0.23s elapsed (2 total ports)
Nmap scan report for 10.10.11.197
Host is up, received reset ttl 63 (0.18s latency).
Scanned at 2023-01-28 02:47:30 EST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (128B)
Ports 22 and 80 look open.
Browsing to port 80 gives an error that eforenzics.htb cannot be reached (the server sends you to that hostname), so the next step is to set up name resolution.
Collection
Domain setup
There is no DNS server in the box environment, so I make the name resolvable from my own Kali box by editing /etc/hosts.
┌──(root💀kali)-[~/work]
└─# vim /etc/hosts
Add the following:
10.10.11.197 eforenzics.htb
Then check connectivity.
┌──(root㉿kali)-[~/work]
└─# ping eforenzics.htb
PING eforenzics.htb (10.10.11.197) 56(84) bytes of data.
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=1 ttl=63 time=178 ms
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=2 ttl=63 time=179 ms
64 bytes from eforenzics.htb (10.10.11.197): icmp_seq=3 ttl=63 time=179 ms
^C
--- eforenzics.htb ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 177.971/178.371/178.598/0.283 ms
Site enumeration
Subdomain enumeration
Download a subdomain wordlist from the site below.
┌──(root💀kali)-[~/work]
└─# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/bitquark-subdomains-top100000.txt
Then enumerate with ffuf.
Response sizes varied from name to name, and when I actually requested a few of them they turned out to be 301 redirects, so I filter out 301s (-fc 301) and match everything else (-mc all).
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./bitquark-subdomains-top100000.txt:FUZZ -u http://eforenzics.htb/ -H "HOST: FUZZ.eforenzics.htb" -fc 301 -mc all -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/
:: Wordlist : FUZZ: ./bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.eforenzics.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: all
:: Filter : Response status: 301
________________________________________________
* [Status: 400, Size: 306, Words: 26, Lines: 11, Duration: 930ms]
:: Progress: [100000/100000] :: Job [1/1] :: 57 req/sec :: Duration: [0:08:22] :: Errors: 10 ::
Nothing useful turned up; the only non-301 response is a 400 for the literal * entry in the wordlist.
Directory enumeration
Enumerate with dirsearch.
┌──(root㉿kali)-[~/work]
└─# dirsearch -u http://eforenzics.htb/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/eforenzics.htb/-_23-01-28_02-56-12.txt
Error Log: /root/.dirsearch/logs/errors-23-01-28_02-56-12.log
Target: http://eforenzics.htb/
[02:56:12] Starting:
[02:57:06] 403 - 279B - /.htaccess.bak1
[02:57:06] 403 - 279B - /.htaccess.orig
[02:57:06] 403 - 279B - /.htaccess.save
[02:57:06] 403 - 279B - /.ht_wsr.txt
[02:57:06] 403 - 279B - /.htaccess.sample
[02:57:06] 403 - 279B - /.htaccess_extra
[02:57:07] 403 - 279B - /.html
[02:57:07] 403 - 279B - /.htaccessBAK
[02:57:07] 403 - 279B - /.htaccessOLD2
[02:57:08] 403 - 279B - /.httr-oauth
[02:57:08] 403 - 279B - /.htaccess_sc
[02:57:10] 403 - 279B - /.htpasswd_test
[02:57:11] 403 - 279B - /.htaccessOLD
[02:57:11] 403 - 279B - /.htaccess_orig
[02:57:11] 403 - 279B - /.htpasswds
[02:57:36] 403 - 279B - /.php
[02:59:47] 403 - 279B - /assets/
[02:59:47] 301 - 317B - /assets -> http://eforenzics.htb/assets/
[03:01:17] 200 - 11KB - /index.html
[03:03:07] 403 - 279B - /server-status
[03:03:07] 403 - 279B - /server-status/
[03:03:38] 200 - 4KB - /upload.php
So there is an /assets/ directory and an upload.php. Let me also have a quick look with ffuf.
Grab a web-content wordlist from the same place the subdomain list came from.
┌──(root💀kali)-[~/work]
└─# wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-small.txt
Directories first.
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/FUZZ -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/FUZZ
:: Wordlist : FUZZ: ./directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
# Copyright 2007 James Fisher [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 303ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 310ms]
# directory-list-2.3-small.txt [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 312ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 320ms]
[Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 321ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 328ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 356ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 358ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 354ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# on at least 3 different hosts [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 355ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 330ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 601ms]
assets [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 196ms]
[Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 265ms]
:: Progress: [87664/87664] :: Job [1/1] :: 344 req/sec :: Duration: [0:08:41] :: Errors: 13 ::
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/FUZZ -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/assets/FUZZ
:: Wordlist : FUZZ: ./directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 204ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1524ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1525ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2745ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 209ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 186ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 210ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 188ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 745ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 229ms]
# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 1697ms]
css [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 247ms]
js [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 290ms]
imgs [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 2430ms]
vendors [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 234ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 961ms]
:: Progress: [87664/87664] :: Job [1/1] :: 137 req/sec :: Duration: [0:08:10] :: Errors: 3 ::
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/vendors/FUZZ -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/assets/vendors/FUZZ
:: Wordlist : FUZZ: ./directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 226ms]
# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 226ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 231ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 231ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 232ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 232ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 234ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 228ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 373ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 374ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 374ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 375ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 246ms]
bootstrap [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 256ms]
jquery [Status: 301, Size: 332, Words: 20, Lines: 10, Duration: 238ms]
:: Progress: [87664/87664] :: Job [1/1] :: 287 req/sec :: Duration: [0:04:44] :: Errors: 0 ::
Nothing really new here either. One thing worth noting about the output above: the "# ..." lines are the wordlist's license header being sent as requests, because ffuf does not skip comment lines unless you pass -ic, and they all return the index page (size 10957); -ac (auto-calibration) or -fs 10957 would have suppressed that noise. Let me also try catching .php files.
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/FUZZ.php -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/FUZZ.php
:: Wordlist : FUZZ: ./directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 215ms]
# directory-list-2.3-small.txt [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 214ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 226ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 204ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 205ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 229ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 230ms]
# [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 231ms]
# Copyright 2007 James Fisher [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 233ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 232ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 222ms]
# on at least 3 different hosts [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 223ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 10957, Words: 3937, Lines: 209, Duration: 228ms]
upload [Status: 200, Size: 3773, Words: 949, Lines: 83, Duration: 749ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 2110ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 246ms]
:: Progress: [87664/87664] :: Job [1/1] :: 236 req/sec :: Duration: [0:08:26] :: Errors: 15 ::
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory-list-2.3-small.txt:FUZZ -u http://eforenzics.htb/assets/FUZZ.php -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://eforenzics.htb/assets/FUZZ.php
:: Wordlist : FUZZ: ./directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
# directory-list-2.3-small.txt [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 190ms]
# Copyright 2007 James Fisher [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 193ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 193ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 196ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 197ms]
# on at least 3 different hosts [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 198ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 199ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 200ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 200ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 201ms]
# [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 198ms]
[Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 273ms]
:: Progress: [87664/87664] :: Job [1/1] :: 218 req/sec :: Duration: [0:04:50] :: Errors: 0 ::
Nothing new turned up, so I wrap up enumeration here.
Initial Access
Investigating the upload feature
The upload.php I found appears to be the endpoint that service.html uses to upload a picture.
Let me try uploading a random text file.
It told me only images are allowed.
So let me feed it an image I had lying around, summer.jpg.
Something that looks like a forensics report comes back... let me click the "here" button.
Oh, the report is ExifTool output and it shows Ver. 12.37... so I went looking for vulnerabilities in that version.
CVE-2022-23935
Searching for ExifTool vulnerabilities turned up the following.
So let me try this exploit. CVE-2022-23935 affects ExifTool before 12.38: when a file name ends in "|", the check $file =~ /\|$/ in lib/Image/ExifTool.pm lets the name be opened as a pipe, so everything before the "|" is run as a shell command. Since upload.php hands the uploaded file to ExifTool, the uploaded file's name is the injection point.
First I check whether the filename is being filtered in any way.
It looks like it is not.
Next, I check whether commands actually execute, using ping -c 3.
Check my own IP with the following command (in this case the tun0 interface).
┌──(root💀kali)-[~/work]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
...
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet 10.10.14.70/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::101a/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::cf43:caa1:e355:737d/64 scope link stable-privacy
valid_lft forever preferred_lft forever
To confirm that the ICMP packets actually arrive, also start tcpdump:
┌──(root💀kali)-[~/work]
└─# tcpdump icmp -i tun0
Now put ping -c 3 10.10.14.70 | into the filename; the trailing "|" is what makes ExifTool treat the name as a command pipeline.
The pings arrived, so it worked.
Time to fire in a reverse shell, then.
Persistence
Reverse Shell
I use my usual site below for the payload.
To catch the shell, start a listener:
┌──(root💀kali)-[~/work]
└─# nc -lvnp 4444
Right then, let's reverse shell!!! One catch that did not matter for the ping test: PHP strips everything up to the last "/" or "\" from $_FILES[...]['name'], so a reverse-shell one-liner containing /dev/tcp/... or /bin/bash would be truncated if put in the filename as-is. The usual workaround is to base64-encode it and have the target decode it (echo <b64> | base64 -d | bash |), re-encoding if the base64 itself happens to contain a "/".
It came in. Going by the user name, though, I have a feeling this does not give me user-level rights yet.
interactive shell
Now that the reverse shell is established, I upgrade it to an interactive shell to make enumeration easier.
(As it stands, tab completion and the arrow keys do not work.)
Press Ctrl+Z to background the connection and run the following. If the shell has no pty yet, first run python3 -c 'import pty; pty.spawn("/bin/bash")' inside it (assuming python3 exists on the target); stty raw -echo only stops the local terminal from processing keystrokes and does not give the remote shell a tty by itself.
www-data@investigation:/home$ ^Z
zsh: suspended nc -lvnp 4444
┌──(root㉿kali)-[~/work]
└─# stty raw -echo; fg
[1] + continued nc -lvnp 4444
export TERM=xterm-256color
www-data@investigation:/home$ export SHELL=bash
That gives me a foothold.
But I have not yet obtained regular user privileges.
Summary
I have not got the user flag yet, but I did get a shell.
Next time I move on to enumerating what is visible as www-data.
Stay tuned!!
As always, I hope this helps my fellow security engineers.