Kenobi - TryHackMe
7 min read
Published at: Jan 5, 2024
![Obiwan wallpaper](https://hailstormsec.com/content/images/2023/12/kenobi-kenobi-poster.jpg)
Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.
Metadata
Meta
- Room name: Kenobi
- URL: https://tryhackme.com/room/kenobi
Goal
Be comfortable accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.
Cheat Sheet
Before we begin, as always there is a generic Cheat Sheet for this room which could be integrated in your own notes. You find it at at the bottom of this write-up. You can also find all of my notes at https://hailstormsec.com/posts/categories/notes.
Tasks
Task 1 - Deploy the vulnerable machine
Questions(s)
Scan the machine with nmap, how many ports are open?
If you've read my previous write-ups, e.g. Blue, you will know I start by performing a wider scan followed by a more detailed one:
Initial port scan:
sudo nmap -p- -v
Add -Pn
if windows machine
![Initial scan result](https://hailstormsec.com/content/images/2023/12/kenobi-first-scan.png)
Secondary scan: ```shell sudo nmap -v -A -sC --script vuln -p PORTS ```
Answers(s)
7
Task 2 - Enumerating Samba for shares
Question(s)
- Using the nmap command above, how many shares have been found?
- Once you're connected, list the files on the share. What is the file can you see?
- What port is FTP running on?
- What mount can we see?
To see all available nmap-scripts you can use locate *.nse
. So when working with samba services we can see all all available scripts like this:
![List all nmap scripts with](https://hailstormsec.com/content/images/2023/12/kenobi-smb.png)
Similar we could run all of them with nmap --scipt=smb*
. You can then get more information about each script by reading the file.
High traffic count and runtime
When running so many scripts however:
- The runtime will be very long
- The risk of being caught, blocked, etc. is very likely
- It may even risk DoS:ing the service instead
So for this task we will follow the instructions given:
![SMB-shares found](https://hailstormsec.com/content/images/2023/12/kenobi-smbshares.png)
An 'anonymous' share will share will always be interesting so we attempt to connect (no password):
![We have smb access with no password](https://hailstormsec.com/content/images/2023/12/kenobi-smb-access.png)
Great! Now we download the files:
![Read log.txt on smb-share](https://hailstormsec.com/content/images/2023/12/kenobi-log.png)
This log is containing information about the setup of the FTP server, which you hopefully saw on the secondary scan. With that secondary scan we also saw something called 'rpcbind' on port 111.
What is RPC?
If you do not know what RPC is - I recommend watching the following video: https://www.youtube.com/watch?v=MdaGuP6-bKs
From secondary scan:
![NFS entries in nmap result](https://hailstormsec.com/content/images/2023/12/kenobi-rpcbind.png)
Network File System
is, we can use the nmap scripts to get more information about the NFS:
![NFS nmap scan](https://hailstormsec.com/content/images/2023/12/kenobi-nfsscan.png)
Answer(s)
- 3
- log.txt
- 21
- /var
Task 3 - Gain initial access with ProFtpd
Question(s)
- Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?
- How many exploits are there for the ProFTPd running?
- What is Kenobi's user flag (/home/kenobi/user.txt)?
Once again looking back at our secondary scan - we can see that this ftp server looks pretty rough...
![Vulnerable ftp ProFTPD 1.3.5](https://hailstormsec.com/content/images/2023/12/kenobi-ftp.png)
Another way to look for vulnerabilities in software is searchsploit which queries the https://exploit-db.com database. You can also combine this with nmaps output to automatically search for vulnerabilities:
![Searchsploit manual](https://hailstormsec.com/content/images/2023/12/kenobi-nmap-pipe.png)
So if we perform a simple version scan again of the target nmap -sV -oX kenobi.xml MACHINE_IP
(oX
will give us XML output) and then use searchsploit we will see everything it could find:
![mod_copy.png](https://hailstormsec.com/content/images/2023/12/kenobi-mod_copy.png)
Metasploit module
You cannot use the metasploit module in this instance due to how you need a writeable webserver file path. Which we do not unfortuenatly.
If you remember from the log-file, there was an ssh-key created to Kenobi:s account under his home directory. We could use the mod-copy exploit we found to copy his file over to the /var
directory which we can read via rpcbind:
![Mod-copy exploit](https://hailstormsec.com/content/images/2023/12/kenobi-copy.png)
![Mount the file system](https://hailstormsec.com/content/images/2023/12/kenobi-access.png)
Now that we can read what's stored under the /var
directory - we can get the private ssh key!! cp /mnt/kenobiNFS/tmp/id_rsa .
will copy it to our current location. Now we just have to apply "execute" privilege to the file and we are in:
![SSH into the server, we are in!](https://hailstormsec.com/content/images/2023/12/kenobi-foothold.png)
Answer(s)
- 1.3.5
- 4
- d0b0f3f53b6caa532a83915e19224899
Task 4 - Privilege Escalation with Path Variable Manipulation
![SUID bit explanation](https://hailstormsec.com/content/images/2023/12/kenobi-suid-etc.png)
Permission | On Files | On Directories |
---|---|---|
SUID Bit | User executes the file with permissions of the file owner | - |
SGID Bit | User executes the file with the permission of the group owner. | File created in directory gets the same group owner. |
Sticky Bit | No meaning | Users are prevented from deleting files from other users. |
Question(s)
- What file looks particularly out of the ordinary?
- Run the binary, how many options appear?
- What is the root flag (/root/root.txt)?
If you have either completed the Vulnversity room, or have read my writeup on it - you will recognise these steps to privilege escalation. Either way - having a SUID bit set on a file owned by root, allows any user to execute that file with root privilege. Which in some cases could be very dangerous... as we will see.
Check SUID bits:
find / -perm /4000 2>/dev/null
/
- start looking recursivly from the root directory-perm
- specify file permission we are looking for/4000
- list all files with the SUID bit active2>/dev/nul
- remove all errors from STDOUT (screen)
![All applications with SUID-bit using our command](https://hailstormsec.com/content/images/2023/12/kenobi-menu.png)
The menu command is one at least I am not used to - so I investigate further. When running the command you get a couple of options, one of them being "ifconfig" - we can confirm this by running `strings /usr/bin/menu`. This will display all human readable text from that file.
![Menu binary on execution showing 3 options](https://hailstormsec.com/content/images/2023/12/kenobi-menu-binary.png)
Strings reveal:
![Strings on the file](https://hailstormsec.com/content/images/2023/12/kenobi-strings.png)
However - what it also confirms is that none of the commands are run with a direct path, but only using the `$PATH` variable. This means that if we name a malicious file with the same name as one of the commands, we can get root to execute it by writing over the `$PATH` variable:
![Manipulating the menu-program by replacing the ifconfig command with a shell](https://hailstormsec.com/content/images/2023/12/kenobi-root.png)
Answer(s)
- /urs/bin/menu
- 3
- 177b3cd8562289f37382721c28381f02
Cheat Sheet
Nmap
Initial port scan:
sudo nmap -p- -v
Add -Pn
if windows machine
Secondary scan:
sudo nmap -v -A -sC --script vuln -p PORTS
Nmap to searchsploit:
sudo nmap -sV -p PORTS -oX searchsploit.xml MACHINE_IP && searchsploit --nmap searchsploit.xml
Scripts
--script scriptname
: run scriptslocate *.nse
: list all scripts
Good scripts:
Script name | Functionality |
---|---|
dns-brute | Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. |
http-enum | Enumerates directories used by popular web applications and servers. |
http-title | Shows the title of the default page of a web server. |
nfs* | Enumerates network file shares. |
smb-os-discovery | Attempts to determine the operating system, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). |
smb-brute | Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. |
smb-enum-shares | Tries to enumerate shares. |
smb-enum-users | Tries to enumerate users of the shares. |
SUID-, SGID-, Sticky-bits
![suid-etc.png](https://hailstormsec.com/content/images/2023/12/kenobi-suid-etc.png)
Permission | On Files | On Directories |
---|---|---|
SUID Bit | User executes the file with permissions of the file owner | - |
SGID Bit | User executes the file with the permission of the group owner. | File created in directory gets the same group owner. |
Sticky Bit | No meaning | Users are prevented from deleting files from other users. |
Check SUID bits:
find / -perm /4000 2>/dev/null
/
- start looking recursivly from the root directory-perm
- specify file permission we are looking for/4000
- list all files with the SUID bit active2>/dev/nul
- remove all errors from STDOUT (screen)
Abuse binaries without full-path
Example
Let's say a binary with SUID-bit active (root owner) runs ifconfig
and not /usr/sbin/ifconfig
.
Replace ifconfig with bash in $PATH:
echo /bin/bash > ifconfig
chmod 777 ifconfig
export PATH=<this-path>/:$PATH
Support me
Thank you so much for reading and I hope you found it inspirational or helpful! You can best support me by doing any of the following bellow!
- Turn off Adblocker: A simple yet impactful way to support me for free.
- Sign Up: If you haven't already, consider signing up to get access to more content and receive optional newsletters.
- Buy Premium: Explore the Premium option for additional perks and exclusive content.
- Give a Tip: Your generosity is always very appreciated.
You can read more about the perks of being a Member or Subscriber here.
Additionally, you can stay updated and engage with me on social media: