TryHackMe - Kenobi

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

Intro

The third room in TryHackMe’s OSCP path. Make sure to check out TryHackMe!


Kenobi Writeup

[Task 1] Deploy the vulnerable machine

First, we run an nmap scan. Here’s the output of nmap -sV -sC -A <IP>: nmap The scan found 7 open ports.

Question: Scan the machine with nmap, how many ports are open?

Answer: 7

[Task 2] Enumerating Samba for shares

We can use the command nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip> to count how many shares Samba has. Running the command shows us that there are 3 SMB shares.

Connecting to the anonymous SMB share using smbclient //<ip>/anonymous, we see a file named log.txt. Running get log.txt downloads the file so we can open it on our own system. Examining the file reveals that it is actually a ProFTPD config file, with an FTP server running on port 21.

From the earlier nmap scan, we saw port 111, which mounted a network file system. Running the command nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP> reveals that it mounts /var.

Question: Using the nmap command above, how many shares have been found?

Answer: 3

Question: Once you’re connected, list the files on the share. What is the file can you see?

Answer: log.txt

Question: What port is FTP running on?

Answer: 21

Question: What mount can we see?

Answer: /var

[Task 3] Gain initial access with ProFtpd

Now, we will use netcat to connect to the ProFTPD server. The command nc <ip> 21 outputs:

220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.169.149] From this, we can see the version of ProFTPD.

Now that we know the version of ProFTPD, we can search for any exploits that target that version. Run the command searchsploit proftpd 2.3.5 to see all of the exploits for our version of ProFTPD. searchsploit

We see an exploit from ProFTPD’s mod_copy module, which will let us use the SITE CPFR and SITE CPTO commands to copy anything we want. We want to gain access to the box, so we will attempt to copy kenobi's SSH keys so that we can access the box as him. id_rsa

We copied id_rsa to /var/tmp because we know that we have access to /var, and can mount it onto our system. Mount /var using the following commands:

mkdir /mnt/kenobi
mount <IP>:/var /mnt/kenobi

We now have a new folder on our system, /mnt/kenobi, which is /var on the target system! We can now connect to Kenobi’s account using his private keys using ssh -i /mnt/kenobi/tmp/id_rsa [email protected]<IP>. From there, we can read his user flag.

Question: What is the version?

Answer: 1.3.5

Question: How many exploits are there for the ProFTPd running?

Answer: 3

Question: What is Kenobi’s user flag (/home/kenobi/user.txt)?

Answer: d0b...

[Task 4] Privilege Escalation with Path Variable Manipulation

Now that we’ve logged into Kenobi’s account, we want to read the root flag. However, we don’t know his password, which means we can’t use sudo. We need to find another way to privesc.

We use the command find / -perm -u=s -type f 2>/dev/null to list all SUID binaries (check out Vulnversity) to see if there are any we can exploit. Checking this list out, /usr/bin/menu immediately strikes as odd - there’s no menu program on most systems.

Running the program, we get a menu with three options: menu

We can run any of these three commands to see some info about the system. One basic recon move you should do to any new binary is to run strings. Running strings on the binary, we see curl -I localhost, uname -r, and ifconfig in plaintext. From this we can assume that the binary runs these commands for each of the menu options. However, the lack of absolute paths means that we can place any binary with the same name in that folder, and get it to run any code we want.

To get the exploit to work, we need to have our own binary appear in our PATH before the actual location of the binary. Running echo $PATH shows us that /home/kenobi/bin appears first in our PATH. So, we create a folder in our home directory named bin. Now, any program named curl, uname, or ifconfig placed in that folder will run instead.

Since ifconfig runs without any arguments, we will use that to privesc. We copy /bin/sh to /home/kenobi/bin/ifconfig, and then run the menu binary and choose option 3. Doing this pops a shell, letting us do cat /root/root.txt and grab the root flag.

Question: What file looks particularly out of the ordinary?

Answer: /usr/bin/menu

Question: Run the binary, how many options appear?

Answer: 3

Question: What is the root flag (/root/root.txt)?

Answer: 177...



comments powered by Disqus