THM: Kenobi Writeup
TryHackMe (THM) Kenobi is a basic CTF room for learning how to enumerate Samba shares and ProFTPd and how to escalate privileges on Ubuntu. I will be completing this THM room as part of “30 days of TryHackMe”, where I will try to complete 30 rooms in 30 days. Kenobi is the room for Day 2. So let's begin.
Disclaimer: The tools used in this tutorial are powerful. Please use them on systems you can legally tamper with. These tutorials are for educational purposes only.
Connect to TryHackMe via OpenVPN
You can learn how to do so here.
As always, we begin with a basic Nmap discovery scan of the open ports and their services, with a command like:
sudo nmap -sV <MACHINE IP>
This checks which services are running on the machine; -sC can be added to run the default NSE scripts at the same time. The output should look something like this:
You should see services like SMB, ProFTPd, ssh, and others running in your output.
We can start by enumerating any of the services, but we will begin with SMB. To enumerate SMB we can either use the Nmap Scripting Engine scripts shown in the room information or a tool like enum4linux. I prefer enum4linux, as it is sure to work on other instances too. The command is as follows:
sudo enum4linux <MACHINE IP>
or take the NSE script route:
sudo nmap -p <MACHINE SERVICE PORT> --script=smb-enum-shares.nse,smb-enum-users.nse <MACHINE IP>
Be patient and wait for the final output from the tool. The output that matters should look something like this:
This shows that we can access this share via an SMB client without a password. Most modern OSs ship with some version of an SMB client already installed. We use the default smbclient tool to connect using this command:
Just press Enter at the password prompt and you should be in the share. Now use the ls command to list the files. We can see there is a log.txt file.
We would like to know what is in the logs. To download the files recursively, we use the smbget tool as follows:
smbget -R smb://<MACHINE IP>/anonymous
Now cat the log.txt file and read its contents. We see information about SSH keys being generated for a user named kenobi, as well as ProFTPd installation details. Good stuff!
We now need to look for ways to enter the system with that user's privileges. We look back at the service scan and assess what to work on next. The Nmap service scan shows SSH and NFS running. We could start by using hydra with a wordlist and the username kenobi to hammer SSH, but that is sure to take time. An easier target right now is to enumerate the NFS service.
Here too we can use the scripts shown in the Kenobi room, i.e. the Nmap Scripting Engine's NFS enumeration scripts. I have a feeling the scripts will run slower, so the better option is the following command, which shows the mountable directories on the target IP:
showmount -e 10.10.214.230
BOOYAH! We see a folder named var show up:
We create a directory to mount the remote filesystem as follows and look into the files:
Doesn’t look like anything here will help us move forward. Time to check out ProFTPd. Our nmap service scan gave us the version number of the ProFTPd instance running. We can use Exploit-DB or searchsploit to look for exploits against this version. Turns out there are a couple of them:
After some research online we can see that this version has a bug in the mod_copy module, which implements the SITE CPFR and SITE CPTO commands. This bug can be used to copy files to and from the server without any authentication. We leverage this vulnerability and use the following commands to copy the id_rsa file generated for the user kenobi to the /var folder, which is accessible via the NFS service. This gives us direct access to the id_rsa file of the kenobi user.
We move the id_rsa file from the network share to our local machine and change its permissions to get it ready for the SSH connection, as follows:
We now ssh into the target machine and search for files and also find the flag for this room as follows:
We are still not root on the machine. We need to start looking for ways to escalate our privileges.
The room information suggests we look for files with the wrong permissions. This is a real problem and is common to find. Tools such as LinPEAS enumerate this information, or you can use the command below to find files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
We see a lot of files there. One stands out; can you guess which one? It's the menu binary. After running this binary, we see that it runs as root and that the programs it calls are not referenced by absolute path but looked up by name. This is a HUGE problem, and it is our point of entry.
We move to the /tmp directory, echo the shell binary into a file named curl and change its permissions. We then alter the PATH and run the ‘menu’ binary as follows:
We now run the ‘menu’ binary and select the first option, which should give us root. Let's check:
Bullseye! We are now root and have compromised the system. Now move to the root directory and submit the flag. Congratulations fellas, we hacked our way in. We will continue the third day of “30 days of TryHackMe” with the “Steel Mountain” room tomorrow. Good bye!
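From the defensive side, this is what the fix for the menu weakness looks like. The code below is an added example, not the room's own ‘menu’ binary: a setuid helper that maps menu choices to absolute paths and execs with a fixed environment, so a writable directory prepended to PATH cannot redirect it. The command paths and the allow-list contents are assumptions for a typical Ubuntu layout.

```c
/* Added example, not the room's "menu" binary: a setuid helper written so
 * that a writable directory prepended to PATH cannot redirect what it runs. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

struct menu_item { const char *label; const char *argv[4]; };

/* Allow-list of what the helper may run. argv[0] is always an absolute path,
 * never a bare name. Paths assume a typical Ubuntu layout (an assumption). */
static const struct menu_item MENU[] = {
    {"status",   {"/bin/uname", "-a", NULL}},
    {"ifconfig", {"/sbin/ifconfig", NULL}},
};
#define MENU_LEN ((int)(sizeof MENU / sizeof MENU[0]))

/* Environment for the child: a fixed PATH, nothing inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Map a 1-based menu choice to its entry; NULL for anything out of range. */
const struct menu_item *menu_lookup(int choice) {
    if (choice < 1 || choice > MENU_LEN) return NULL;
    return &MENU[choice - 1];
}

/* Accept only absolute paths with no ".." segment. */
int menu_target_is_safe(const char *path) {
    return path != NULL && path[0] == '/' && strstr(path, "..") == NULL;
}

/* Run a menu entry in a child and return its exit status, or -1 on a bad
 * choice or failure. execve with an explicit path does no PATH search. */
int menu_run(int choice) {
    const struct menu_item *it = menu_lookup(choice);
    if (it == NULL || !menu_target_is_safe(it->argv[0])) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(it->argv[0], (char *const *)it->argv, SAFE_ENV);
        _exit(127);   /* only reached if the exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

In a real helper, main() would read the user's choice and hand it to menu_run(); the PATH the caller set is never consulted.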
“Man must rise above the Earth — to the top of the atmosphere and beyond — for only thus will he fully understand the world in which he lives.”