A complete write-up for the Kenobi room, available on the TryHackMe platform.

Difficulty: Easy

Info: This room covers exploiting a Linux machine: enumerating Samba for shares, abusing a vulnerable version of ProFTPD, and escalating privileges through PATH variable manipulation.

Link: https://tryhackme.com/room/kenobi

Information Gathering:

After deploying the machine we get its IP address:

Target IP: 10.10.1.212

Scanning

First, scan with our king of scanners, Nmap.

We can see the following ports and services:

Port 21/tcp — FTP — (ProFTPD 1.3.5)

Port 22/tcp — SSH — (OpenSSH 7.2p2)

Port 80/tcp — HTTP — (Apache httpd 2.4.18)

Port 111/tcp — RPC — (rpcbind)

Port 139/tcp — Samba

Port 445/tcp — Samba

Port 2049/tcp — nfs_acl

Enumeration:

Now it is time to enumerate SMB shares with Nmap NSE scripts on port 445.

Check the anonymous share with the smbclient utility.

Access it and download log.txt.

The anonymous share can also be downloaded recursively with the following command:

Inspecting the log.txt file reveals information about an SSH key being generated for the user Kenobi, as well as information about the ProFTPD server.

Port 111 is running the rpcbind service. This is a server that converts remote procedure call program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.

Here port 111 gives access to a network file system, which can be enumerated with Nmap to show the mounted volume.

Gaining Access:

In our initial Nmap scan we found ProFTPD 1.3.5 running on port 21. The version can also be determined by connecting to the target machine on the FTP port using netcat.

Searchsploit is a command-line tool for exploit-db.com, which we can use to find exploits for a particular software version.

The output shows an exploit for the mod_copy module. This module allows the SITE CPFR and SITE CPTO commands to be used to copy files/directories from one place to another on the server.

We know from log.txt that the FTP service is running as the Kenobi user and that an SSH key was generated for that user. We also know that we have access to the /var directory, which we can mount on our system.

Kenobi's private key can be copied to the /var/tmp directory.

The /var directory is now mounted on our system.

Now that we have the network mount on our machine, we can obtain the private key, which can be used to log in to Kenobi's account.

Try to log in over SSH with id_rsa, and cheers!

Collect the user flag.

Privilege escalation:

All that remains is to escalate our privileges and become the root user!!!

SUID (Set owner User ID upon execution) is a special type of file permission given to a file. SUID bits can be extremely dangerous. Some binaries, such as passwd, need to be run with elevated privileges (as it is resetting your password on the system). Other custom files that have the SUID bit set can lead to all sorts of issues.

We can search the system to look for files with a misconfigured SUID bit in order to elevate our privileges:

We found some interesting things, like /usr/bin/menu.

strings is a command on Linux that finds and prints text strings embedded in binary files.

Running the strings command on the /usr/bin/menu binary, we can see that it runs commands without a full path (i.e. not using /usr/bin/curl or /usr/bin/uname).

Since this file runs with the root user's privileges, the PATH can be manipulated to gain a root shell.

We can copy the /bin/sh shell into a file named curl, then change the permissions of that file.

Finally, we can add the location of our curl file containing the shell to the system PATH.

This means that when the /usr/bin/menu binary is run, it will use our PATH variable to find the curl binary we created (which is actually a copy of the /bin/sh shell) and run it as root.

And we have root access!!!
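The root cause here is a root-owned SUID binary that calls curl and uname by bare name. The following audit script is an added example (not part of the room or the original write-up) that a hardening review can run to find such binaries on a host: it lists root-owned SUID files, extracts embedded strings the way `strings` does, and reports any that invoke a command without an absolute path. The KNOWN_COMMANDS list and the four-character minimum string length are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Audit root-owned SUID binaries for commands invoked without a full path."""
import os
import stat
import string
import sys

# Programs that small SUID wrapper binaries commonly shell out to.
# Assumption for illustration; extend for your environment.
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "ip", "ls", "cat", "wget", "sh", "bash"}

# Printable ASCII minus control whitespace, matching what `strings` prints.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable bytes, like `strings`."""
    out, cur = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the final run
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def relative_command_calls(strings: list[str]) -> list[str]:
    """Return embedded strings whose first word is a known command given by bare name.
    '/usr/bin/curl -I host' is fine; 'curl -I host' is resolved through PATH."""
    hits = []
    for s in strings:
        words = s.strip().split()
        if words and words[0] in KNOWN_COMMANDS:
            hits.append(s.strip())
    return hits


def find_root_suid(root: str) -> list[str]:
    """Walk root and list regular files owned by uid 0 with the SUID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                found.append(path)
    return found


def audit(root: str = "/") -> dict[str, list[str]]:
    """Map each root-owned SUID file under root to its bare-name command strings."""
    report = {}
    for path in find_root_suid(root):
        try:
            with open(path, "rb") as f:
                hits = relative_command_calls(extract_strings(f.read()))
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{path}: {', '.join(hits)}")
```

Any file the script reports should either be rebuilt to call its helpers by absolute path, or lose its SUID bit.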

Thank you so much, I hope you find this write-up helpful.

Penetration Tester@⠎⠓⠁⠗⠍⠊⠞⠁⠝⠍⠁⠽