> For the complete documentation index, see [llms.txt](https://snowyowls-organization.gitbook.io/snowyowl644-hacklog/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://snowyowls-organization.gitbook.io/snowyowl644-hacklog/vulnlab/trusted/10.10.158.86.md).

# 10.10.158.86

![](https://i.imgur.com/Ivzy4ge.png)

* URL :
* \#easy
* OS : #Linux #Windows
* Machine Author(s):
* Hack Date: 2025-10-16,20:22

## Enumeration

Principle

1. **目に見えるものだけがすべてではない。** あらゆる視点を考慮しろ
2. 見えていることと、見えていないことを区別しろ
3. **常に情報を得る手段は存在する。** 対象をしっかり理解しろ

### Nmap

| **ポート**   | **サービス**     | **バージョン**                                              | **その他**                                              |
| --------- | ------------ | ------------------------------------------------------ | ---------------------------------------------------- |
| 53/tcp    | **DNS**      | Simple DNS Plus                                        |                                                      |
| 80/tcp    | **HTTP**     | Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) | http-title: Welcome to XAMPP / dashboard             |
| 88/tcp    | **kerberos** | Microsoft Windows Kerberos                             | server time: 2025-10-16 11:23:25Z                    |
| 135/tcp   | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 139/tcp   | netbios-ssn  | Microsoft Windows netbios-ssn                          |                                                      |
| 389/tcp   | **ldap**     | Microsoft Windows Active Directory LDAP                | Domain: trusted.vl0., Site: Default-First-Site-Name  |
| 443/tcp   | **HTTPS**    | Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) | CN=localhost, 1024bit, 有効期限切れ(2019)                  |
| 445/tcp   | **SMB**      | 不明                                                     |                                                      |
| 464/tcp   | kpasswd5?    | 不明                                                     |                                                      |
| 593/tcp   | ncacn\_http  | Microsoft Windows RPC over HTTP 1.0                    |                                                      |
| 636/tcp   | **LDAPS**    | 不明                                                     |                                                      |
| 3268/tcp  | ldap         | Microsoft Windows Active Directory LDAP                | Domain: trusted.vl0., Site: Default-First-Site-Name  |
| 3269/tcp  | tcpwrapped   | 不明                                                     |                                                      |
| 3306/tcp  | **MySQL**    | MariaDB 5.5.5-10.4.24                                  | Auth Plugin: mysql\_native\_password                 |
| 3389/tcp  | **RDP**      | Microsoft Terminal Services                            | RDP情報あり（CN=labdc.lab.trusted.vl, OS Ver: 10.0.20348） |
| 5985/tcp  | **WinRM**    | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                | http-title: Not Found                                |
| 9389/tcp  | mc-nmf       | .NET Message Framing                                   |                                                      |
| 47001/tcp | http         | Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                | http-title: Not Found                                |
| 49664/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49665/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49666/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49667/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49669/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49674/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49675/tcp | ncacn\_http  | Microsoft Windows RPC over HTTP 1.0                    |                                                      |
| 49676/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49687/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 49690/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 50912/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |
| 52334/tcp | msrpc        | Microsoft Windows RPC                                  |                                                      |

```sh
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.184.214/dashboard/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-10-16 11:23:25Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack ttl 127 Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.184.214/dashboard/
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3306/tcp  open  mysql         syn-ack ttl 127 MariaDB 5.5.5-10.4.24
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 9
|   Capabilities flags: 63486
|   Some Capabilities: DontAllowDatabaseTableColumn, Support41Auth, FoundRows, ConnectWithDatabase, SupportsCompression, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, LongColumnFlag, IgnoreSigpipes, SupportsTransactions, InteractiveClient, ODBCClient, Speaks41ProtocolNew, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: -DPDCfUV38^R`jv4<o<|
|_  Auth Plugin Name: mysql_native_password
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Issuer: commonName=labdc.lab.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-15T10:26:14
| Not valid after:  2026-04-16T10:26:14
| MD5:   d431:68f5:1d05:06ac:6291:5105:073e:cc51
| SHA-1: 07de:706e:d12e:ce50:e302:d171:96ad:e734:aa17:a432
| -----BEGIN CERTIFICATE-----
| MIIC7DCCAdSgAwIBAgIQHEglJhetSZdIHALrAyuM0TANBgkqhkiG9w0BAQsFADAf
| MR0wGwYDVQQDExRsYWJkYy5sYWIudHJ1c3RlZC52bDAeFw0yNTEwMTUxMDI2MTRa
| Fw0yNjA0MTYxMDI2MTRaMB8xHTAbBgNVBAMTFGxhYmRjLmxhYi50cnVzdGVkLnZs
| MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dVnHe3+tsUGUBivZJIj
| PpgzECE5XyFxlWaiCk9VUa9sE06XssaW5UuPrv44kVVhn+1T1tF3xF4CPyFFsZar
| OLAWQl6WgAyvEm88IIDN8WTmVj7Ut/hSE8J0//Ml1v0hfQKK/jlffTY8fTYDDM3g
| VQOOQteZYBMYI8chPMtFML4LZ64VBlHUPGky78qXZdq2oXCs6qPGm0KdJNlxhp1o
| uw1llUf4/3IQPYicJ8OuGOsPWPoP1Mh+85af9z9eqWK/9eoB9sSRZZSMbOY+Xjw4
| eWl37lFyn/bVAXvngAor0NhKRUKOwcyniXqvQU9DlrHl3rOdM9V1w8rqIjFxBBRK
| YQIDAQABoyQwIjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJ
| KoZIhvcNAQELBQADggEBADHwh5LrdSSfEWk3NXyvObkaclYay+AYwktKqiPuaVOU
| wvFvEFzhIx0a8KZJyOodq/cUyYgn5nEyMctFkwUuWJXAV32N/06/uXsQxKPN2+Co
| HXhkqLXwsT4BHUZVPp8QZJO4rzBOGy1Iv/mAh/2gT+xsF99aH0k9u2MrCI7Zo1bN
| fyikJn4RF7O1tEr3mqx32m6o0CfRQNI84skcls/e8HfshjnIhj8NyaDWEvrxDqBz
| htkaRdFSUhPk6R1am0LF3TjWn2U9qDdub7E6ahFtWT/0CnJLBvXRsMV+T7ZiMi3A
| S4U7/vSLr+QBfpbGAYVdIztz2zdGgyR1Jgg0Ak83JYc=
|_-----END CERTIFICATE-----
| rdp-ntlm-info: 
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-10-16T11:24:35+00:00
|_ssl-date: 2025-10-16T11:24:46+00:00; 0s from scanner time.
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49687/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
50912/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
52334/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2022 (96%), Windows Server 2019 (95%), Microsoft Windows 10 1703 (93%), Microsoft Windows 10 1703 or Windows 11 21H2 (93%), Windows Server 2022 (93%), Microsoft Windows Server 2016 or Server 2019 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2016 (93%), Microsoft Windows Server 2019 (93%)
No exact OS matches for host (test conditions non-ideal).

```

mysql : 5.5.5-10.4.24-MariaDB ドメイン : lab.trusted.vl・labdc.lab.trusted.vl 最初の方針

* サイトはなにが書いてある？
  * niktoとferoxbuster回してみる
* mysqlも気になる
  * バージョン
    * MariaDB 5.5.5-10.4.24
  * プラグイン
    * Auth Plugin: mysql\_native\_password
      * mysql\_native\_password は、MySQL の認証プラグインの一つで、以前はデフォルトでしたが、現在は非推奨の認証方式です。パスワードハッシュにSHA-1を使用し、クライアントとサーバー間でチャレンジ・レスポンス認証を行う
      * なんか怪しそうか
* 匿名ログイン行ける？
  * SMB
  * LDAP

### 匿名ログイン試行

#### SMB

匿名ログイン

```sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ nxc smb 10.10.211.230 -u 'guest' -p '' --shares                                                                                                              
SMB         10.10.211.230   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False) 
SMB         10.10.211.230   445    LABDC            [-] lab.trusted.vl\guest: STATUS_ACCOUNT_DISABLED 
```

できない

#### LDAP

匿名ログイン

```sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ nxc ldap lab.trusted.vl -u 'guest' -p '' --users
LDAP        10.10.211.230   389    LABDC            [*] Windows Server 2022 Build 20348 (name:LABDC) (domain:lab.trusted.vl)
LDAP        10.10.211.230   389    LABDC            [-] lab.trusted.vl\guest: STATUS_ACCOUNT_DISABLED

```

できない

### Webサイト

* <http://lab.trusted.vl/dashboard/> ![](https://i.imgur.com/1ajwBdv.png) Windows 8.1.6って古くない？ 調べたら、RCEの脆弱性ありそうだけど、PoCが見つからない
* <https://www.cvedetails.com/version/787864/Apachefriends-Xampp-8.1.6.html>
* <http://lab.trusted.vl/dashboard/phpinfo.php>
  * mysqlnd 8.1.6 ![](https://i.imgur.com/jjSNmGp.png) Windowsのバージョンはわかった

### nikto

```bash
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ nikto -h http://lab.trusted.vl/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.130.6
+ Target Hostname:    lab.trusted.vl
+ Target Port:        80
+ Start Time:         2025-10-18 08:33:49 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
+ /: Retrieved x-powered-by header: PHP/8.1.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://lab.trusted.vl/dashboard/
+ Apache/2.4.53 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.1.1n appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /dev/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /dev/: This might be interesting.
+ /img/: Directory indexing found.
+ /img/: This might be interesting.
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8853 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2025-10-18 09:19:18 (GMT0) (2729 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (PHP/8.1.6) are not in
      the Nikto 2.5.0 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? y

+ ERROR:  -> http://lab.trusted.vl/dashboard/
+ ERROR: Update failed, please notify sullo@cirt.net of the previous line.

```

### Feroxbuster

とりあえず、feroxbusterを回す

```bash
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ feroxbuster -u http://lab.trusted.vl/ -C 404 -C 500 
                                                                                                                                                                                             
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://lab.trusted.vl/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 💢  Status Code Filters   │ [404, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       30w      303c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       33w      300c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://lab.trusted.vl/ => http://lab.trusted.vl/dashboard/
301      GET        9l       30w      338c http://lab.trusted.vl/img => http://lab.trusted.vl/img/
200      GET        5l        9w      694c http://lab.trusted.vl/img/module_table_top.png
301      GET        9l       30w      338c http://lab.trusted.vl/dev => http://lab.trusted.vl/dev/
200      GET        3l       16w     1549c http://lab.trusted.vl/img/module_table_bottom.png
301      GET        9l       30w      345c http://lab.trusted.vl/dev/images => http://lab.trusted.vl/dev/images/
301      GET        9l       30w      342c http://lab.trusted.vl/dev/css => http://lab.trusted.vl/dev/css/
<SNIP>
```

なんか、/devとか言うフォルダがあって気になるな アクセスしてみると、こんな感じの古臭そうなサイトに飛ぶ ![](https://i.imgur.com/JGsQ6V3.png) しかし、特になにも情報は得られないが、以下のサイトから(<info@trusted.vl>)のメールアドレスを発見した ![](https://i.imgur.com/0Goi49C.png)

#### AS-REP Roasting

なんか、(<info@trusted.vl>)で、AS-REP Roastingとかできるかな ためしてみる

```sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ impacket-GetNPUsers lab.trusted.vl/ -dc-ip 10.10.130.6 -no-pass -usersfile valid_ad_users -format hashcat -outputfile asrep_hashes.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
```

特になさそう

### MySQL

なんか、Auth Plugin: mysql\_native\_passwordが割と怪しいなと思っている

* mysql\_native\_password は、MySQL の認証プラグインの一つで、以前はデフォルトでしたが、現在は非推奨の認証方式です。パスワードハッシュにSHA-1を使用し、クライアントとサーバー間でチャレンジ・レスポンス認証を行う
  * なんか怪しそうか と思って調べていると、こんなものを見つけた
* <https://github.com/cyrus-and/mysql-unsha1>
  * 「この PoC は、セキュア パスワード認証認証プラグイン (別名mysql\_native\_password、デフォルトの方法) を使用すると、クリアテキスト パスワードを知らなくても、特定の状況下で MySQL サーバーに対して認証できる」(引用 : <https://github.com/cyrus-and/mysql-unsha1)らしい> 前提条件は、いくつかあるが外から側では調べられないので、とりあえず実行してみる そもそもスクリプトがVPNをサポートしておらず、うまくいかない

#### MariaDB 5.5.5-10.4.24

* 5.5.5-10.4.24 - バージョン情報
  * これは少し特殊で、MariaDBが互換性のために5.5.5を先頭に付けている
  * 実際のバージョンは**10.4.24**
* でも、特にすぐに使えるPoCなどは公開されていなそう

### LFI

* <http://lab.trusted.vl/dev/index.html?view=contact.html>
  * ここの古臭いサイトのviewに、LFIの脆弱性がないかを調べる
  * テストとして、`C:\Windows\System32\drivers\etc\hosts`を入れる ![](https://i.imgur.com/4lj1GF8.png) LFIの脆弱性があることがわかった

LFIの辞書攻撃する

```sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted]
└─$ sudo gobuster dir -u https://10.10.130.6/dev/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php -k                                   
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.130.6/dev/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 301]
/.htaccess.php        (Status: 403) [Size: 301]
/.hta.php             (Status: 403) [Size: 301]
/.hta                 (Status: 403) [Size: 301]
/.htpasswd.php        (Status: 403) [Size: 301]
/.htpasswd            (Status: 403) [Size: 301]
/DB.php               (Status: 200) [Size: 22]
/Images               (Status: 301) [Size: 341] [--> https://10.10.130.6/dev/Images/]
/aux                  (Status: 403) [Size: 301]
/aux.php              (Status: 403) [Size: 301]
/com2.php             (Status: 403) [Size: 301]
/com4                 (Status: 403) [Size: 301]
/com3.php             (Status: 403) [Size: 301]
/com3                 (Status: 403) [Size: 301]
/com1.php             (Status: 403) [Size: 301]
/com2                 (Status: 403) [Size: 301]
/com4.php             (Status: 403) [Size: 301]
/com1                 (Status: 403) [Size: 301]
/con.php              (Status: 403) [Size: 301]
/con                  (Status: 403) [Size: 301]
/css                  (Status: 301) [Size: 338] [--> https://10.10.130.6/dev/css/]
/db.php               (Status: 200) [Size: 22]
/images               (Status: 301) [Size: 341] [--> https://10.10.130.6/dev/images/]
/index.html           (Status: 200) [Size: 2311]
/lpt1                 (Status: 403) [Size: 301]
/lpt1.php             (Status: 403) [Size: 301]
/lpt2                 (Status: 403) [Size: 301]
/lpt2.php             (Status: 403) [Size: 301]
/nul.php              (Status: 403) [Size: 301]
/nul                  (Status: 403) [Size: 301]
/prn                  (Status: 403) [Size: 301]
/prn.php              (Status: 403) [Size: 301]
/render?url=https://www.google.com (Status: 403) [Size: 301]
/render?url=https://www.google.com.php (Status: 403) [Size: 301]
/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB (Status: 403) [Size: 301]
/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB.php (Status: 403) [Size: 301]
/dns-query?name=google.com&type=A.php (Status: 403) [Size: 301]
/dns-query?name=google.com&type=A (Status: 403) [Size: 301]
Progress: 9492 / 9492 (100.00%)
===============================================================
Finished
===============================================================   
```

/DB.phpが見つかった。

アクセスすると、このような物が見つかる ![](https://i.imgur.com/jYWHYVc.png) これだと、何もわからないので、phpを読みにいく

phpフィルターを使ってphpのコードを取得する ![](https://i.imgur.com/88Gvr26.png)

curlで取得して、DB.phpをCyberChefでBase64デコードする

```sh
<?php 
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
```

おお！mysqlのusernameとpasswordを取得できた！！

#### Mysqlの認証情報

root : SuperSecureMySQLPassw0rd1337.

### MySql

mysqlにログインする このあとは、mysql内のシェルが実行できるか、ユーザーのパスワードを取得できるのかな

```sh
mysql -u root -pSuperSecureMySQLPassw0rd1337. -h 10.10.130.6 --ssl-mode=PREFERRED
```

DB内を散策する

```sh
MariaDB [phpmyadmin]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| column_stats              |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| global_priv               |
| gtid_slave_pos            |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| index_stats               |
| innodb_index_stats        |
| innodb_table_stats        |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| roles_mapping             |
| servers                   |
| slow_log                  |
| table_stats               |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
| transaction_registry      |
| user                      |
+---------------------------+
31 rows in set (0.283 sec)

MariaDB [mysql]> select * from user;
```

と、以下の認証情報が見つかった。user内の情報を整理したもの

| **Host**                                                          | **User** | **Password / authentication**              | **Plugin**              |
| ----------------------------------------------------------------- | -------- | ------------------------------------------ | ----------------------- |
| localhost                                                         | root     | \*665C8B0E1F0044B6A95EF22E82B93B3350F38A01 | mysql\_native\_password |
| %                                                                 | root     | \*665C8B0E1F0044B6A95EF22E82B93B3350F38A01 | mysql\_native\_password |
| 127.0.0.1                                                         | root     | (空)                                        | (空)                     |
| ::1                                                               | root     | (空)                                        | (空)                     |
| localhost                                                         | pma      | (空)                                        | mysql\_native\_password |
| mysql\_native\_passwordが使われてるから、パスワードハッシュは、SHA-1を使って、ハッシュ化されてるのかな |          |                                            |                         |

ハッシュをクラックしてみる

```sh
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Trusted/lab]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt --force -m 100
hashcat (v6.2.6) starting

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 1435/2935 MB (512 MB allocatable), 6MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Approaching final keyspace - workload adjusted.           

Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 100 (SHA1)
Hash.Target......: 665c8b0e1f0044b6a95ef22e82b93b3350f38a01
Time.Started.....: Sat Oct 18 12:26:26 2025, (6 secs)
Time.Estimated...: Sat Oct 18 12:26:32 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2475.4 kH/s (0.13ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]

Started: Sat Oct 18 12:26:18 2025
Stopped: Sat Oct 18 12:26:34 2025
```

rockyou.txtで、ハッシュがクラックできない

### Dirsearch

```bash
```

### FFUF

```bash
```

### WebSite

*
*
*

### WebSite Screenshot

## Foothold

```bash
```

```bash
```

```bash
```

```bash
```

```bash
```

## Lateral Movement

<横方向の動きに関する説明をここに書いてください>

```bash
```

```bash
```

```bash
```

```bash
```

```bash
```

## Privilege Escalation

```bash
```

```bash
```

```bash
```

```bash
```

```bash
```

```bash
```

```bash
```

### Notes

<このWriteupで特に重要な点や学んだことを追加で記載するセクション>
