TryHackMe — Kenobi Writeup

Mathew Seelan
6 min read, Jul 4, 2021
Kenobi

TL;DR Kenobi is a Linux box running a vulnerable version of ProFTPd. Combined with an NFS share that anyone can mount, this grants us initial access to the box. We then exploit the SUID binary menu by manipulating the PATH variable to gain access as root.

Scanning :

I started an all ports scan using Nmap.

#Command - nmap -A -p- -T4 10.10.255.67 | tee nmap_full
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 19:20 IST
Nmap scan report for 10.10.255.67
Host is up (0.15s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33487/tcp mountd
| 100005 1,2,3 49129/tcp6 mountd
| 100005 1,2,3 52175/udp mountd
| 100005 1,2,3 54877/udp6 mountd
| 100021 1,3,4 40857/tcp nlockmgr
| 100021 1,3,4 42799/udp nlockmgr
| 100021 1,3,4 44943/tcp6 nlockmgr
| 100021 1,3,4 54296/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
5608/tcp filtered unknown
28529/tcp filtered unknown
33487/tcp open mountd 1-3 (RPC #100005)
40857/tcp open nlockmgr 1-4 (RPC #100021)
49919/tcp open mountd 1-3 (RPC #100005)
51727/tcp open mountd 1-3 (RPC #100005)
63361/tcp filtered unknown
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m05s, deviation: 2h53m12s, median: 5s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2021-07-04T09:04:54-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-04T14:04:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 852.71 seconds

So the scan shows 7 interesting ports:

  1. Port 21 — FTP
  2. Port 22 — SSH
  3. Port 80 — Apache Webserver
  4. Port 111 — RPCbind
  5. Port 139 — Samba
  6. Port 445 — Samba
  7. Port 2049 — NFS

Reconnaissance:

Port 21 : FTP

I checked FTP for anonymous login, but a weird password policy wouldn’t allow me to get in.

But this version of ProFTPD is vulnerable (CVE-2015-3306): its mod_copy module lets a user copy files on the server using the SITE CPFR and SITE CPTO commands without first authenticating. You can read about this vulnerability here.

Port 80 — Apache Webserver

Visiting this page we see an artwork of a battle between Obi-Wan Kenobi and Anakin Skywalker.

Obi-Wan Kenobi vs Anakin Skywalker

The source also didn't have anything interesting, so I started a scan using dirsearch to find any interesting endpoints.

Dirsearch scan

So, first I checked robots.txt,

robots.txt

And then /admin.html

/admin.html

Well, I got trolled xD.

Port 111 — RPCbind

To see what services are running, I used rpcinfo.

RPCinfo results

So NFS is running.

Port 139, 445 — Samba

Let’s see what shares are accessible to us.

Smbmap results

Let’s access this anonymous share,

Contents of the anonymous share.

Let’s download this file and check its contents.

log.txt

So the file has some configuration information, but most importantly it exposes the location of kenobi’s SSH key.

Port 2049 — NFS

We can see the list of shared directories using showmount.

NFS shares

So we can mount /var to a local directory and check its contents.

/var’s contents

So nothing interesting here, but this coupled with the ProFTPd vulnerability can pose a serious threat.

Exploitation:

Plan of attack:

The vulnerable ProFTPd lets us copy files on the server, we know the location of kenobi's SSH key, and we have access to /var on the machine over NFS. So we can use ProFTPd to copy kenobi's key into /var/tmp, read it through our local mount point, and then log in as kenobi.

Execution:

We can copy the key by connecting to the FTP service with nc and issuing the SITE CPFR and SITE CPTO commands.

Exploiting ProFTPd

And now we can access it from our local mount,

Kenobi’s key

Now we can save this key and login as kenobi.

Access as kenobi

Privilege Escalation:

Running linpeas on the box reveals an interesting SUID binary, menu, located in /usr/bin.

Running file on this,

So it's a binary; let's run strings on it to find the human-readable strings in the file.

strings output

I see some commands are being run by this binary. Let’s also execute this to confirm how it behaves.

menu

So running the binary and choosing option 1 runs the command curl -I localhost. But because curl is not invoked by its absolute path, the shell resolves it through PATH, so we can manipulate the PATH variable to make the binary run our own code instead.

Creating the malicious file:

We create a file named curl in /tmp containing a bash reverse shell.

Malicious curl

Manipulating PATH:

New PATH

Popping Root:

So now we set up a listener on our machine,

Listener

And we run menu and select option 1.

Running the exploit

And we receive the root shell.

Gaining access as root
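To show why the menu binary is exploitable and how it should have been written, here is an added example (my own code, not the source of the box's menu binary, which is only available as a compiled file) of the unsafe pattern behind option 1 beside a hardened version: an absolute path, no shell, and a fixed environment handed to the child. The function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern, as the Kenobi "menu" binary behaves: system() hands the
 * string to /bin/sh, which resolves "curl" through the caller's PATH, so a
 * /tmp/curl placed first in PATH runs with the binary's root privileges. */
int run_menu_option_vulnerable(void)
{
    return system("curl -I localhost");
}

/* Returns 1 when the first word of a command line is not an absolute path,
 * i.e. when what actually runs depends on the PATH of whoever invoked us. */
int command_is_path_dependent(const char *cmdline)
{
    while (*cmdline == ' ' || *cmdline == '\t')
        cmdline++;
    return cmdline[0] != '/';
}

/* Hardened runner for a setuid program: absolute path, no shell, and a fixed
 * environment so the caller's PATH or LD_* variables never reach the child.
 * Returns the child's exit status, or -1 on error. */
int run_with_fixed_env(char *const argv[])
{
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed; never fall back to a shell lookup */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Runs a shell snippet under the fixed environment (used to prove below
 * that the caller's PATH does not leak into the child). */
int run_sh_fixed_env(const char *script)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)script, NULL };
    return run_with_fixed_env(argv);
}

/* Option 1 done safely: curl by absolute path, no shell in between. */
int run_menu_option_hardened(void)
{
    char *const argv[] = { "/usr/bin/curl", "-I", "localhost", NULL };
    return run_with_fixed_env(argv);
}
```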

And that was Kenobi guys, thanks for reading my write-up. If you have any suggestions or think I missed something, please do let me know in the comments. If you have any other suggestions or questions, feel free to message me.

If you want to reach me,

Twitter: @MathewSeelan
