TryHackMe — Kenobi Writeup
TL;DR: Kenobi is a Linux box running a vulnerable version of ProFTPD. This, coupled with a little manipulation of the NFS shares, grants us initial access to the box. After that we exploit the SUID binary menu by manipulating the PATH variable to gain access as root.
Scanning:
I started an all ports scan using Nmap.
#Command - nmap -A -p- -T4 10.10.255.67 | tee nmap_full
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-04 19:20 IST
Nmap scan report for 10.10.255.67
Host is up (0.15s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33487/tcp mountd
| 100005 1,2,3 49129/tcp6 mountd
| 100005 1,2,3 52175/udp mountd
| 100005 1,2,3 54877/udp6 mountd
| 100021 1,3,4 40857/tcp nlockmgr
| 100021 1,3,4 42799/udp nlockmgr
| 100021 1,3,4 44943/tcp6 nlockmgr
| 100021 1,3,4 54296/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
5608/tcp filtered unknown
28529/tcp filtered unknown
33487/tcp open mountd 1-3 (RPC #100005)
40857/tcp open nlockmgr 1-4 (RPC #100021)
49919/tcp open mountd 1-3 (RPC #100005)
51727/tcp open mountd 1-3 (RPC #100005)
63361/tcp filtered unknown
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m05s, deviation: 2h53m12s, median: 5s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2021-07-04T09:04:54-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-04T14:04:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 852.71 seconds
The scan shows seven interesting ports:
- Port 21 — FTP
- Port 22 — SSH
- Port 80 — Apache Webserver
- Port 111 — RPCbind
- Port 139 — Samba
- Port 445 — Samba
- Port 2049 — NFS
Reconnaissance:
Port 21 : FTP
I checked FTP for anonymous login, but a weird password policy wouldn’t allow me to get in.
But this version of ProFTPD is vulnerable (CVE-2015-3306): it allows a user to copy files on the server using the SITE CPFR and SITE CPTO commands. You can read about this vulnerability here,
Port 80 — Apache Webserver
Visiting this page, we see an artwork of a battle between Obi-Wan Kenobi and Anakin Skywalker.
The source also didn't have anything interesting, so I started a scan using dirsearch to find any interesting endpoints.
So, first I checked robots.txt,
And then /admin.html
Well, I got trolled xD.
Port 111 — RPCbind
To see what services are running, I used rpcinfo.
So NFS is running.
Port 139, 445 — Samba
Let’s see what shares are accessible to us.
Let’s access this anonymous share,
Let’s download this file and check its contents.
So the file has some configuration information, but most importantly it exposes the location of kenobi’s SSH key.
Port 2049 — NFS
We can see the list of shared directories using showmount.
So we can mount /var to a local directory and check its contents.
So nothing interesting here, but this, coupled with the ProFTPD vulnerability, can pose a serious threat.
Exploitation:
Plan of attack:
The vulnerable ProFTPD allows us to copy files, and we know the location of kenobi's SSH key. We also have access to /var on the machine using NFS. So we could use ProFTPD to copy kenobi's key to /var/tmp and read it through our local mount point. Then we can log in as kenobi on the machine.
Execution:
We can copy the key by connecting to the FTP port via nc and issuing the SITE CPFR and SITE CPTO commands.
And now we can read it from our local mount,
Now we can save this key and log in as kenobi.
Privilege Escalation:
Running linpeas on the box reveals an interesting SUID binary, menu, located in /usr/bin.
Running file on this,
So it's a binary; let's run strings on it to find the human-readable strings in this file.
I see some commands are being run by this binary. Let’s also execute this to confirm how it behaves.
So running the binary and choosing option 1 runs the curl -I localhost command. But since curl's absolute path is not used, the shell resolves it through PATH, so we can manipulate the PATH variable to run our malicious code.
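To show the defect the menu binary has and how a developer should have written it, here is an added example (my own code, not the binary from the box): the vulnerable system() call with a bare command name beside a hardened version that uses an absolute path, no shell, and a fixed environment. The command string and the trusted PATH value are assumptions for illustration.

```c
/* Added example: the PATH-hijack defect in its vulnerable and hardened forms.
 * Not the Kenobi "menu" binary itself; the command strings are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if the first word of a command string is a bare name that a
 * shell would look up through PATH (the defect in "curl -I localhost"),
 * 0 if it is already an absolute path. */
int cmd_uses_relative_path(const char *cmd)
{
    while (*cmd == ' ') cmd++;
    return *cmd != '/';
}

/* Vulnerable pattern: system() hands the string to /bin/sh, which resolves
 * "curl" through the caller-controlled PATH while the process runs as root. */
int vulnerable_option_1(void)
{
    return system("curl -I localhost");
}

/* Hardened form: absolute path, execve() instead of a shell, and a minimal
 * environment we construct ourselves, so neither PATH nor LD_* variables
 * inherited from the unprivileged caller influence what gets executed. */
int hardened_option_1(void)
{
    char *const argv[] = {"/usr/bin/curl", "-I", "localhost", NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL}; /* assumed trusted PATH */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);
        _exit(127);            /* exec failed: never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("option 1 resolves its command via PATH: %s\n",
           cmd_uses_relative_path("curl -I localhost") ? "yes" : "no");
    return hardened_option_1();
}
```

Auditing a SUID binary for this class of bug is exactly what the strings step above does by hand: any command in its output that does not begin with a slash is a candidate.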
Creating the malicious file:
We create a bash reverse shell file in /tmp.
Manipulating PATH:
Popping Root:
So now we set up a listener on our machine,
And we run menu and select option 1.
And we receive the root shell.
And that was Kenobi guys, thanks for reading my write-up. If you have any suggestions or think I missed something, please do let me know in the comments. If you have any other suggestions or questions, feel free to message me.
If you want to reach me,
Twitter: @MathewSeelan