THM Series #5 Kenobi

To maintain the streak of continuous presence on TryHackMe, I tried my hands on another easy level machine. I am trying to cover easy machines and have the write up updated before scaling to medium difficulty. I selected Kenobi which is described as this room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access, and escalate your privileges to root via n SUID binary.

As the first step, launched nmap scan with -A switch to pull detailed information about the asset. The nmap report indicated 7 ports as opened. Port 21/FTP, 22/SSH,111/NFS, 445/SMB, etc. were detected as opened. I used xsltproc utility to generate html file from the nmap output[xml] file. xsltproc 10.10.134.245.xml -o 10.10.134.245.html

NMAP Output
NMAP HTML Formatted Output

The second task section indicated it to be focusing on SMB enumeration. I used enum4linux to find the shares as well using the nmap script option. Both of the methods indicated that the sever is having 3 shares.

NMAP script enumeration
enum4linux SMB enumeration

Upon enumerating anonymous share, log.txt file is found. A Lot of configuration information is available. I used smbmap to fetch the file for further reference. The file did mention an interesting thing and it was the path of ssh keys and there is a user named kenobi.

SMB Share enumeration

Since I had the first clue with me to look for a way to get the private key of user kenobi. The task section mentioned using NFS. Since the nmap report indicated that port 111 is running with NFS. showmount -e 10.10.134.245 to identify the mountable share.

Mountable Share

The task took the focus on enumerating ProFTPd and using the vulnerability to create a way to get a private key.

FTP Banner

The FTP banner indicated it is running a ProFTPD 1.3.5 server. Upon further investigation, found 3 vulnerabilities via searchsploit. I looked up here and found SITE CPFR and SITE CPTO can be executed. These commands can be used to copy the file from .ssh to /var/tmp which is mountable.

Searchsploit

FTP Exploitation

Since the file has been copied to /var/tmp which is writable by everyone. Now the focus was to mount the share and fetch the private key for authenticating.

Mounting and Copying Private key

After fetching the RSA key, it was now a matter of time to login using kenobi account. Upon successful authentication, I was able to find the user flag.

User flag

Upon looking for the files which support SUID bit, found /usr/bin/menu utility. After inspecting strings, found that for checking the Status, it is using the curl command. To invoke the shell using this menu, we can try to overwrite curl with the sh utility tool and then loading the path from where we are going to execute the menu utility.

Root flag

This room was good at giving practice on how to exploit NFS services and then using some inbuilt utility tools like string to inspect the content of an executable or any file.

Keep learning and sharing !!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: