The third room in TryHackMe’s OSCP path. Make sure to check out TryHackMe!
[Task 1] Deploy the vulnerable machine
First, we run an nmap scan with `nmap -sV -sC -A <IP>`. The scan found 7 open ports.
Question: Scan the machine with nmap, how many ports are open?
[Task 2] Enumerating Samba for shares
We can use the command `nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>` to count how many shares Samba has. Running the command shows us that there are 3 SMB shares.
Connecting to the anonymous SMB share using `smbclient //<ip>/anonymous`, we see a file named log.txt. `get log.txt` downloads the file so we can open it on our own system. Examining the file reveals that it is actually a ProFTPD config file, with an FTP server running on port 21.
From the earlier nmap scan, we saw port 111 (rpcbind), which is used by a network file system (NFS) service. Running the command `nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>` reveals that it exports /var.
Question: Using the nmap command above, how many shares have been found?
Question: Once you’re connected, list the files on the share. What file can you see?
Question: What port is FTP running on?
Question: What mount can we see?
[Task 3] Gain initial access with ProFtpd
Now, we will use netcat to connect to the ProFTPD server. The command `nc <ip> 21` outputs:
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.169.149]
From this, we can see the version of ProFTPD.
Now that we know the version of ProFTPD, we can search for any exploits that target that version. Run the command `searchsploit proftpd 1.3.5` to see all of the exploits for our version of ProFTPD.
We see an exploit for ProFTPD’s mod_copy module, which lets us use the `SITE CPFR` and `SITE CPTO` commands to copy anything we want on the server. We want to gain access to the box, so we will copy kenobi's SSH keys so that we can access the box as him. We copy them to /var/tmp because we know that we have access to /var and can mount it onto our system. Mount /var using the following commands:
mkdir /mnt/kenobi
mount <IP>:/var /mnt/kenobi
We now have a new folder on our system, /mnt/kenobi, which is /var on the target system! We can now connect to Kenobi’s account using his private key with `ssh -i /mnt/kenobi/tmp/id_rsa kenobi@<IP>`. From there, we can read his user flag.
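From the defender's side, the step above leaves a clear trace: the FTP server receives `SITE CPFR` followed by `SITE CPTO` from an anonymous session. The following script is an added example (not part of the room or of ProFTPD) that parses a few constructed ProFTPD ExtendedLog lines, assumed to be written with the LogFormat `"%t %a %u %r"` (timestamp, client IP, user, full command line), and reports every CPFR/CPTO pair together with whether it came from an anonymous login. The sample log, the format and the field layout are all assumptions; adjust `LINE_RE` to whatever LogFormat your server actually uses. The fix for the underlying problem is to run a patched ProFTPD or leave mod_copy out of the build if it is not needed.

```python
import re

# Constructed log lines in an assumed ExtendedLog format "%t %a %u %r".
# Only the two SITE CPFR/CPTO lines from 10.10.10.5 should be flagged.
SAMPLE_LOG = """\
[10/Jan/2024:12:00:01 +0000] 10.10.10.5 anonymous USER anonymous
[10/Jan/2024:12:00:02 +0000] 10.10.10.5 anonymous PASS (hidden)
[10/Jan/2024:12:00:03 +0000] 10.10.10.5 anonymous SITE CPFR /etc/hostname
[10/Jan/2024:12:00:04 +0000] 10.10.10.5 anonymous SITE CPTO /var/tmp/hostname
[10/Jan/2024:12:00:10 +0000] 10.10.10.7 kenobi RETR report.txt
[10/Jan/2024:12:00:11 +0000] 10.10.10.7 kenobi SITE CHMOD 644 report.txt
"""

# [timestamp] client-ip user full-command-line
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

ANONYMOUS_USERS = {"anonymous", "ftp"}


def parse_line(line):
    """Split one log line into its fields; SITE commands also get a sub-verb and argument."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["cmd"].split(None, 2)  # e.g. ["SITE", "CPFR", "/etc/hostname"]
    rec["verb"] = parts[0].upper()
    rec["subverb"] = parts[1].upper() if rec["verb"] == "SITE" and len(parts) > 1 else ""
    rec["arg"] = parts[2] if rec["verb"] == "SITE" and len(parts) > 2 else ""
    return rec


def mod_copy_events(log_text):
    """Return one event per SITE CPTO, paired with the last SITE CPFR from the same client."""
    pending = {}  # client ip -> source path named in its most recent CPFR
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verb"] != "SITE":
            continue
        if rec["subverb"] == "CPFR":
            pending[rec["ip"]] = rec["arg"]
        elif rec["subverb"] == "CPTO":
            events.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "user": rec["user"],
                "src": pending.pop(rec["ip"], None),  # None if CPTO arrived without a CPFR
                "dst": rec["arg"],
                "anonymous": rec["user"].lower() in ANONYMOUS_USERS,
            })
    return events


def format_alert(event):
    """One-line, human-readable alert for an event."""
    who = "ANONYMOUS" if event["anonymous"] else event["user"]
    return f"{event['ts']} {event['ip']} {who}: mod_copy {event['src']} -> {event['dst']}"


if __name__ == "__main__":
    for ev in mod_copy_events(SAMPLE_LOG):
        print(format_alert(ev))
```

Pairing CPFR with CPTO per client IP (rather than per line) matters because the two commands are always sent separately; a CPTO without a matching CPFR is still reported, with `src` set to `None`, so a partial attempt is not silently dropped.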
Question: What is the version?
Question: How many exploits are there for the ProFTPd running?
Question: What is Kenobi’s user flag (/home/kenobi/user.txt)?
[Task 4] Privilege Escalation with Path Variable Manipulation
Now that we’ve logged into Kenobi’s account, we want to read the root flag. However, we don’t know his password, which means we can’t use `sudo`. We need to find another way to privesc.
We use the command `find / -perm -u=s -type f 2>/dev/null` to list all SUID binaries (check out Vulnversity) to see if there are any we can exploit. Checking this list out, /usr/bin/menu immediately strikes us as odd - there’s no `menu` program on most systems.
Running the program, we get a menu with three options. We can run any of these three commands to see some info about the system. One basic recon move you should make on any new binary is to run `strings` on it. Doing so, we see `curl -I localhost`, `uname -r`, and `ifconfig` in plaintext. From this we can assume that the binary runs these commands for each of the menu options. However, the lack of absolute paths means the commands are looked up through our PATH, so we can place any binary with the same name in a folder that is searched earlier and get it to run any code we want.
To get the exploit to work, we need our own binary to appear in our PATH before the actual location of the real one. Running `echo $PATH` shows us that /home/kenobi/bin appears first in our PATH. So, we create a folder in our home directory named `bin`. Now, any program named `ifconfig` placed in that folder will run instead of the real one.
Since `ifconfig` runs without any arguments, we will use that to privesc. We copy a shell binary to /home/kenobi/bin/ifconfig, and then run the `menu` binary and choose option 3. Doing this pops a shell, letting us `cat /root/root.txt` and grab the root flag.
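The weakness here is the combination of a SUID binary that calls commands by bare name and a PATH that starts with a directory the user controls. The script below is an added example, not code from the room, that turns the manual check above into an audit: given the commands found with `strings` and a PATH value, it reports which bare command names could be shadowed by a writable (or creatable) directory that is searched before the real binary's directory. It also includes a Python equivalent of the `find / -perm -u=s -type f` enumeration. The command list is the one the room found in `/usr/bin/menu`; the PATH layout and the `locate`/`writable` hooks used in the example are assumptions so the check can be run against any environment, not only the live one.

```python
import os
import stat

# Commands the room found with `strings` in /usr/bin/menu.
MENU_COMMANDS = ["curl -I localhost", "uname -r", "ifconfig"]


def bare_command_names(command_lines):
    """Program names that are invoked by bare name rather than by absolute path."""
    names = []
    for line in command_lines:
        parts = line.split()
        if parts and not parts[0].startswith("/"):
            names.append(parts[0])
    return names


def _default_locate(directory, name):
    """Does `directory` contain an executable called `name`? (live filesystem)"""
    return os.access(os.path.join(directory, name), os.X_OK)


def _default_writable(directory):
    """Writable existing dir, or a missing dir we could create (the /home/kenobi/bin case)."""
    if os.path.isdir(directory):
        return os.access(directory, os.W_OK)
    return os.access(os.path.dirname(directory) or ".", os.W_OK)


def shadowing_dirs(path_value, name, locate=_default_locate, writable=_default_writable):
    """Writable PATH entries that are searched before the directory really holding `name`."""
    risky = []
    for entry in path_value.split(":"):
        if not entry:
            entry = "."  # an empty PATH element means the current directory
        if locate(entry, name):
            return risky  # real binary found here; only earlier writable dirs matter
        if writable(entry):
            risky.append(entry)
    return risky  # never found in PATH at all: any writable entry wins


def audit(path_value, command_lines, locate=_default_locate, writable=_default_writable):
    """Map each shadowable bare command to the PATH dirs that could shadow it; {} means clean."""
    report = {}
    for name in bare_command_names(command_lines):
        dirs = shadowing_dirs(path_value, name, locate, writable)
        if dirs:
            report[name] = dirs
    return report


def find_suid_binaries(root="/"):
    """Python equivalent of `find / -perm -u=s -type f 2>/dev/null` (walks the live filesystem)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable entries are the 2>/dev/null case
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return found


if __name__ == "__main__":
    # Live check: the current account's PATH against the menu binary's commands.
    for name, dirs in audit(os.environ.get("PATH", ""), MENU_COMMANDS).items():
        print(f"{name}: can be shadowed from {', '.join(dirs)}")
```

Two fixes make the report empty: the binary invokes `/sbin/ifconfig`, `/bin/uname` and `/usr/bin/curl` by absolute path (or resets PATH to a fixed system value before running anything), and no user-writable directory precedes the system directories in PATH. Either one alone closes the hole shown in the room; doing both is the defensive default for any privileged helper.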
Question: What file looks particularly out of the ordinary?
Question: Run the binary, how many options appear?
Question: What is the root flag (/root/root.txt)?