To maintain the streak of continuous presence on TryHackMe, I tried my hands on another easy level machine. I am trying to cover easy machines and have the write up updated before scaling to medium difficulty. I selected Kenobi which is described as this room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access, and escalate your privileges to root via n SUID binary.
As the first step, launched nmap scan with -A switch to pull detailed information about the asset. The nmap report indicated 7 ports as opened. Port 21/FTP, 22/SSH,111/NFS, 445/SMB, etc. were detected as opened. I used xsltproc utility to generate html file from the nmap output[xml] file. xsltproc 10.10.134.245.xml -o 10.10.134.245.html
The second task section indicated it to be focusing on SMB enumeration. I used enum4linux to find the shares as well using the nmap script option. Both of the methods indicated that the sever is having 3 shares.
Upon enumerating anonymous share, log.txt file is found. A Lot of configuration information is available. I used smbmap to fetch the file for further reference. The file did mention an interesting thing and it was the path of ssh keys and there is a user named kenobi.
Since I had the first clue with me to look for a way to get the private key of user kenobi. The task section mentioned using NFS. Since the nmap report indicated that port 111 is running with NFS. showmount -e 10.10.134.245 to identify the mountable share.
The task took the focus on enumerating ProFTPd and using the vulnerability to create a way to get a private key.
The FTP banner indicated it is running a ProFTPD 1.3.5 server. Upon further investigation, found 3 vulnerabilities via searchsploit. I looked up here and found SITE CPFR and SITE CPTO can be executed. These commands can be used to copy the file from .ssh to /var/tmp which is mountable.
Since the file has been copied to /var/tmp which is writable by everyone. Now the focus was to mount the share and fetch the private key for authenticating.
After fetching the RSA key, it was now a matter of time to login using kenobi account. Upon successful authentication, I was able to find the user flag.
Upon looking for the files which support SUID bit, found /usr/bin/menu utility. After inspecting strings, found that for checking the Status, it is using the curl command. To invoke the shell using this menu, we can try to overwrite curl with the sh utility tool and then loading the path from where we are going to execute the menu utility.
This room was good at giving practice on how to exploit NFS services and then using some inbuilt utility tools like string to inspect the content of an executable or any file.
Keep learning and sharing !!
Leave a Reply