Kenobi- TryHackMe

Neelesh Patel
Jul 27, 2021 · 6 min read


Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access, and escalating your privileges to root via an SUID binary.

— — — — — — — — — — — — — — — — — — — — — — — — — —

What is Samba?

Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a company's intranet or the internet. It's often referred to as a network file system.

Samba is based on the common client/server protocol Server Message Block (SMB). SMB was developed only for Windows; without Samba, other computer platforms would be isolated from Windows machines, even if they were part of the same network.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Starting out with reconnaissance with an nmap scan

nmap -Pn -sT -sV -oN nmap/initials 10.x.x.x

which means to start the nmap scan on 10.x.x.x and save my scan results to the file nmap/initials.

  • -Pn skips host discovery and treats all hosts as online.
  • -sT runs a TCP connect port scan
    (the default without root privilege)
  • -sV probes open ports to determine service and version information.
  • -oN writes my scan output in normal format, here to the file nmap/initials.

SMB uses two ports, i.e. 445 and 139.

Port 139: SMB originally ran on top of NETBIOS using port 139. NETBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

Using nmap I can enumerate a machine for SMB shares. Nmap has the ability to run scripts to automate a wide variety of networking tasks. There is a script to enumerate shares!

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse -oN nmap/scriptenum 10.x.x.x

These scripts ship with nmap. The above command enumerates port 445 with the scripts smb-enum-shares.nse and smb-enum-users.nse on 10.x.x.x and saves the output in nmap/scriptenum.

On most distributions of Linux smbclient is already installed. Let's inspect one of the shares.

smbclient is a Samba client with an "ftp like" interface. It is a useful tool to test connectivity to a Windows share. It can be used to transfer files, or to look at share names. In addition, it has a nifty ability to 'tar' (backup) and restore files from a server to a client and vice versa.

smbclient //10.x.x.x/anonymous

You can recursively download the SMB share too. Leave the username and password empty when prompted.

smbget -R smb://10.x.x.x/anonymous

smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line.

The files should be in the smb-URL standard, e.g. use smb://host/share/file for the UNC path \\HOST\SHARE\file.

Open the file on the share. There are a few interesting things to be found:

  • Information generated for Kenobi when generating an SSH key for the user
  • Information about the ProFTPD server

Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.

In our case, port 111 gives access to a network file system. Let's use nmap to enumerate this.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.x.x.x

Gain initial access with ProFtpd

ProFTPD is a free and open-source FTP server, compatible with Unix and Windows systems. Past software versions of it have also been vulnerable. I can use searchsploit to find exploits for a particular software version; it is basically just a command line search tool for exploit-db.com.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
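From the defender's side, the same two commands are what you want to see in the FTP server's logs. The following is an added example, not code from the walkthrough or from ProFTPD: a small shell script that pairs each SITE CPFR with the SITE CPTO that follows it from the same client and user, and then reports the copies whose source or destination lies outside the FTP root. The log format is an assumption made for the example, one command per line as `<client-ip> <user> <raw command>` (roughly what an ExtendedLog with a LogFormat of "%a %u %r" would write); the sample log, its addresses and its paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the walkthrough or of ProFTPD itself: find
# SITE CPFR / SITE CPTO pairs in a ProFTPD command log and report each copy
# with the client that issued it and whether either path leaves the FTP root.
# Assumed log format (one command per line): "<client-ip> <user> <raw command>".

# Constructed sample log; the addresses and paths are made up.
SAMPLE_LOG='10.0.0.5 anonymous USER anonymous
10.0.0.5 anonymous PASS (hidden)
10.0.0.5 anonymous SITE CPFR /home/svc/.ssh/id_rsa
10.0.0.5 anonymous SITE CPTO /var/tmp/id_rsa
10.0.0.9 alice RETR /pub/readme.txt
10.0.0.9 alice SITE CPFR /pub/readme.txt
10.0.0.9 alice SITE CPTO /pub/readme.bak
10.0.0.9 alice SITE CPTO /pub/orphan.bak'

# copy_events LOGFILE: print "ip user source destination" for every CPFR that
# the same client/user followed with a CPTO. A CPTO with no pending CPFR is
# ignored (mod_copy requires a preceding CPFR to know the source).
copy_events() {
    awk '
        $3 == "SITE" && $4 == "CPFR" { pending[$1 SUBSEP $2] = $5; next }
        $3 == "SITE" && $4 == "CPTO" {
            key = $1 SUBSEP $2
            if (key in pending) {
                print $1, $2, pending[key], $5
                delete pending[key]
            }
        }' "$1"
}

# outside_root ROOT LOGFILE: keep only copies whose source or destination is
# not below ROOT, i.e. the filesystem traversal the mod_copy flaw allows.
outside_root() {
    copy_events "$2" | awk -v root="$1/" '
        index($3, root) != 1 || index($4, root) != 1'
}

# count_lines: helper so callers can assert on a number rather than on text.
count_lines() {
    wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    echo "All copies:";          copy_events "$log"
    echo "Copies leaving /pub:"; outside_root /pub "$log"
    rm -f "$log"
fi
```

Run it with `--demo` to see the two copies in the sample and the one that leaves /pub. The pairing is keyed on client address plus user, so an unfinished CPFR from one session never gets matched with another session's CPTO.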

We know that the FTP service is running as the Kenobi user (from the file on the share) and that an SSH key has been generated for that user.

I’m now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.

Let's mount the /var directory (which contains /var/tmp) on our machine:

mkdir /mnt/kenobiNFS
mount 10.x.x.x:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

We now have a network mount of the deployed machine's /var on our machine! I can go to /var/tmp, get the private key and then log in to Kenobi's account.
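The reason /var could be mounted at all is the NFS export configuration. As an added example (not code from the walkthrough), here is a shell audit of an /etc/exports file that flags the conditions which make such a mount possible from any host: a wildcard client, read-write access combined with no_root_squash, and the insecure option. The sample exports file, its paths and its networks are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the walkthrough: audit an NFS /etc/exports file for
# the conditions that let an export like /var above be mounted from anywhere.
# Findings are printed one per line as "<path>: <problem>".

# Constructed sample exports file; the paths and networks are made up.
SAMPLE_EXPORTS='# /etc/exports (sample)
/var *(rw,sync,insecure,no_subtree_check,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync,root_squash,no_subtree_check)
/srv/backup backup.example.internal(rw,sync) *(ro)'

# audit_exports FILE: for every client entry of every export, flag
#   - a wildcard client (*), which lets any host that reaches port 2049 mount it
#   - rw combined with no_root_squash, which lets a remote root write as root
#   - insecure, which accepts requests from unprivileged client ports
audit_exports() {
    awk '
        /^[[:space:]]*#/ { next }               # skip comments
        /^[[:space:]]*$/ { next }               # skip blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match($i, /\(.*\)$/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "*")
                    print path ": exported to every host (*)"
                if (opts ~ /(^|,)no_root_squash(,|$)/ && opts ~ /(^|,)rw(,|$)/)
                    print path ": rw with no_root_squash for " client
                if (opts ~ /(^|,)insecure(,|$)/)
                    print path ": insecure (unprivileged source ports) for " client
            }
        }' "$1"
}

# finding_count FILE: number of findings, for scripting or assertions.
finding_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORTS" > "$f"
    audit_exports "$f"
    rm -f "$f"
fi
```

Against the sample, /var produces three findings and /srv/backup one (its second client is a wildcard), while the /srv/share export, limited to one subnet with root squashing on, produces none.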

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous. Some binaries such as passwd need to be run with elevated privileges (as it's resetting your password on the system); however, other custom files that have the SUID bit set can lead to all sorts of issues.

To search a system for these types of files, run the following:

find / -perm -u=s -type f 2>/dev/null

which means to find files in the system having the SUID permission, and

  • the 2> part means "redirect file channel number 2", which maps to stderr, the standard error file channel, where programs often write their errors
  • /dev/null is a special character device that just allows writing anything to it; when reading from it, it does not return anything

So 2>/dev/null tells your shell to redirect standard error from your running program to /dev/null, effectively ignoring it.

I copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it used our path variable to find the "curl" binary, which is actually a copy of /bin/sh. As this file runs as root, it runs our shell as root!
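The escalation needs two things at once: a setuid binary that calls a helper by bare name, and a directory on PATH where a user can drop a file by that name. Here is an added example (not code from the walkthrough) written for an administrator auditing a host for exactly that combination. It wraps the find from the text, a heuristic check of a binary's printable strings for a command referenced without an absolute path, and a scan of a PATH string for empty, "." or world-writable entries. The file names and the PATH used in the demo and test are constructed.

```shell
#!/bin/sh
# Added example, not from the walkthrough: audit the two conditions the menu
# escalation above relies on, written for a defender checking a host.
#   list_suid ROOT          - setuid regular files below ROOT
#   relative_ref FILE CMD   - does FILE reference CMD by bare name rather than
#                             by absolute path? (heuristic on printable strings)
#   risky_path_entries PATH - entries of a PATH string that are empty, ".", or
#                             world-writable, i.e. where a planted file could sit

# Same search as in the text; -perm -4000 is the octal form of -perm -u=s.
list_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | sort
}

# Split the file into printable runs and look for CMD as a whole word that is
# not preceded by "/" (so "/usr/bin/curl" does not match, but "curl" does).
relative_ref() {
    tr -c '[:print:]' '\n' < "$1" |
        grep -Eq "(^|[[:space:]])$2([[:space:]]|$)"
}

risky_path_entries() {
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    for dir in "$@"; do
        case "$dir" in
            "") echo "(empty entry = current directory)" ;;
            .)  echo "." ;;
            *)  # -perm -002: the directory itself is world-writable
                if [ -d "$dir" ] && [ -n "$(find "$dir" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
                    echo "$dir"
                fi ;;
        esac
    done
}

# audit ROOT CMD PATHSTR: one line per setuid file under ROOT that references
# CMD by bare name, followed by the risky entries of PATHSTR.
audit() {
    list_suid "$1" | while read -r f; do
        if relative_ref "$f" "$2"; then
            echo "SUID $f calls '$2' without an absolute path"
        fi
    done
    risky_path_entries "$3" | sed 's/^/risky PATH entry: /'
}

if [ "${1:-}" = "--demo" ]; then
    audit / curl "$PATH"
fi
```

The string check is only a heuristic: a binary may build the command name at runtime, and a match only says the name appears without a leading slash. A setuid program that must run helpers should call them by absolute path or reset PATH to a fixed value first, which is what this audit is looking for the absence of.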

That's all for now!

Until next time,

Stay COOOL!
