###### tags: `TryHackMe OffensiveSecurity GettingStarted`
# Kenobi
:::success
In this room I learned a new way to exploit a Linux machine. I enumerated Samba for shares, abused a vulnerable version of ProFTPD and escalated my privileges with PATH variable manipulation.
:::
## Reconnaissance using nmap
:::info
In this section of the room, I gather information about the target machine using **nmap**.
:::
I decided to run `nmap -sV -sC IP` to gather as much information about the target as possible, such as the open ports and the services running on them.

From the results I observe that:
- 7 ports are open
- Samba is present
## Enumerating Samba for shares
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a company's intranet or over the internet. It is often referred to as a network file system.
Samba is based on the common client/server protocol Server Message Block (SMB). SMB was developed for Windows; without Samba, other platforms would be isolated from Windows machines, even if they were part of the same network.
SMB uses two ports, 445 and 139.

Using nmap we can enumerate a machine for **SMB shares**. Nmap has the ability to automate a wide variety of networking tasks, and there is a script to enumerate shares:
- `nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse IP`

Using the nmap command above, we found 3 shares:
- IP
- anonymous
- print

I chose to inspect the `anonymous` one, using the `smbclient` command, which comes preinstalled on most Linux distributions:
- `smbclient //<ip>/anonymous`

We find a file called `log.txt`. To retrieve it locally, we use another SMB tool:
- `smbget -R smb://<ip>/anonymous`

I opened the file from the share and found a few interesting things:
- Information about an SSH key generated for the user Kenobi
- Information about the ProFTPD server

Earlier, the nmap port scan showed port 111 running the rpcbind service. This is a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.
In our case, port 111 gives access to a network file system (NFS). Let's use nmap to enumerate it:
```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.74.155
```

We see that the `/var` directory is exported over NFS.
## Gaining initial access with ProFTPD
ProFTPD is a free and open-source FTP server for Unix and Windows systems. Past versions have had known vulnerabilities.

Let's get the ProFTPD version. Use netcat to connect to the machine on the FTP port and read the banner:
```
nc IP 21
```

The version **1.3.5** is used.
:::info
We can use **searchsploit** to find exploits for a particular software version.
Searchsploit is basically just a command-line search tool for exploit-db.com.
:::

I found an exploit targeting ProFTPD's mod_copy module.
The mod_copy module implements the **SITE CPFR** and **SITE CPTO** commands, which can be used to copy files and directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
We know from the file on the share that the FTP service runs as the Kenobi user and that an SSH key was generated for that user.
We're now going to copy Kenobi's private key using the SITE CPFR and SITE CPTO commands:

We knew that the `/var` directory was an NFS export we could reach, so we copied Kenobi's private key into `/var/tmp`. Let's mount that directory on our machine:

We now have the private key locally. Let's use it to connect to the machine over SSH:

## Privilege escalation with path variable manipulation
SUID bits can be dangerous. Some binaries, such as `passwd`, need to run with elevated privileges (it changes your password on the system), but custom binaries that carry the SUID bit can lead to all sorts of issues.
To search a system for files of this type, run the following:
```
find / -perm -u=s -type f 2>/dev/null
```
I find one file that looks particularly out of the ordinary: `/usr/bin/menu`:

I run the binary and 3 options appear.
`strings` is a Linux command that extracts human-readable strings from a binary:

This shows that the binary calls commands without a full path (e.g. `curl` and `uname` rather than `/usr/bin/curl` or `/usr/bin/uname`). As this file runs with root privileges, we can manipulate our PATH and gain a root shell:
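As an added example (not part of the room or this writeup), the following Python script turns the manual `find` plus `strings` check above into a hardening audit: it walks the filesystem for SUID binaries and flags embedded command strings that name a command by bare name, which `system()` would resolve through the caller's PATH. The `KNOWN_COMMANDS` watch list and the `SAMPLE_BINARY` bytes are constructed assumptions, not data from the box.

```python
import os
import re
import stat

# Assumed watch list: the page's menu binary called curl and uname by bare name.
KNOWN_COMMANDS = ("curl", "uname", "ifconfig", "ip", "ls", "cat", "id")

# Constructed sample of a small SUID binary: ELF magic, filler, then command strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"curl -I localhost\x00uname -r\x00ifconfig\x00"
    + b"/usr/bin/id\x00\x01\x02status=%d\x00"
)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Emulate strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def relative_command_calls(strs, known=KNOWN_COMMANDS) -> list:
    """Strings whose first word is a known command by bare name: when a SUID
    program passes such a string to system(), the shell resolves the name via
    the caller's PATH. An absolute path like /usr/bin/id is not affected."""
    return [s for s in strs if s.split() and s.split()[0] in known]

def is_suid_regular_file(path: str) -> bool:
    """True for regular files carrying the set-user-ID bit (find -perm -u=s)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit_suid_binaries(root: str = "/") -> dict:
    """Walk root; map each SUID binary to its PATH-dependent command strings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_suid_regular_file(path):
                    continue
                with open(path, "rb") as fh:
                    hits = relative_command_calls(extract_strings(fh.read()))
            except OSError:
                continue  # unreadable or vanished file: skip it
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in audit_suid_binaries().items():
        print(f"{path}: {hits}")
```

Any binary the audit reports should either invoke commands by absolute path or reset PATH to a fixed value before calling out, or lose its SUID bit.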

:::success
I NOW HAVE ROOT PRIVILEGES.
:::