“Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.”
Posted by www.tryhackme.com
Scan the target machine with nmap -sV -sC Target_IP
- -sV will probe open ports to determine service/version info.
- -sC will scan with default NSE (Nmap Scripting Engine) scripts.
[Discovered Ports and Services]
- Port 21/tcp (FTP) ProFTPD 1.3.5
- Port 22/tcp (SSH) OpenSSH 7.2p2
- Port 80/tcp (HTTP) Apache httpd 2.4.18
- Port 111/tcp (RPC) rpcbind
- Port 139/tcp (Samba) smbd 3.x - 4.x
- Port 445/tcp (Samba) smbd 4.3.11
- Port 2049/tcp (NFS) nfs_acl
Enumeration: The following NSE scripts are used to enumerate the SMB shares and users.
- nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse Target_IP
Why enumerate shares? As stated on www.nmap.org, “Finding open shares is useful to a penetration tester because there may be private files shared, or, if it’s writable, it could be a good place to drop a Trojan or to infect a file that’s already there”.
Connect and Concatenate: Connecting to the anonymous share is done with smbclient //Target_IP/anonymous
- smbclient provides communication with an SMB/CIFS server.
- Enter dir to list the contents of the share, then cat log.txt to view the contents of the file.
- The share can also be downloaded recursively with smbget -R smb://Target_IP/anonymous
Port 111 (rpcbind) reveals access to an NFS (Network File System) export, which can be enumerated with nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount Target_IP
ProFTPD 1.3.5 is shown to be vulnerable by running searchsploit ProFtpd 1.3.5
The 'mod_copy' command execution flaw will be used to copy files and directories on the target machine.
- A connection is made to the host with netcat using nc Target_IP 21
- Using the commands SITE CPFR (source-path) and SITE CPTO (destination-path), the private SSH key of the user kenobi can be copied to the /var/tmp directory.
- From the log.txt file read earlier, it is known that the FTP service runs as kenobi and that an SSH key has been generated for this user.
mkdir (make directory) is used to create a mount point on the attacking host, named /mnt/kenobiNFS, onto which the target's /var export is mounted. After changing into it with cd (change directory), ls -la lists all files, including hidden ones, in long form.
[SSH into Kenobi]
The private key is copied out of the tmp directory inside the mounted /var export and its permissions are restricted with chmod (ssh refuses a key file that other users can read). Access to kenobi via SSH can now be performed with ssh -i id_rsa kenobi@Target_IP
- The -i option tells ssh which identity (private key) file to authenticate with.
The user.txt flag can be read with cat.
Files with the SUID bit set run with the file owner's permissions no matter who executes them. They can be discovered with find / -perm -u=s -type f 2>/dev/null
- The 2>/dev/null redirection discards permission-denied and other errors from the output.
Running strings against the /usr/bin/menu binary shows that it invokes a command without a full path.
Because this file runs with root privileges, the PATH lookup can be abused to obtain a root shell. /bin/sh is copied to a file named curl, and chmod 777 gives that file full rwx permissions for every user.
From this point, the directory holding the fake curl is prepended to the search path with export PATH=/tmp:$PATH
In other words, when /usr/bin/menu runs, the PATH variable is consulted to locate curl, and the first match is the copy of the /bin/sh shell.
Root access is gained and the flag is captured.
The Kenobi challenge was exploitable primarily because of the target's vulnerable FTP service (ProFTPD 1.3.5 with mod_copy), which allowed command execution. Enumerating the SMB shares provided context but was not essential to gaining access to the kenobi user. Likewise, it was convenient that the target OS was Linux, as most Windows machines restrict access to binary files such as DLLs; if that were the case, some form of lateral movement would be needed for privilege escalation, among other TTPs (Tactics, Techniques, and Procedures) such as uploading malicious payloads. It remains questionable whether the misconfigured binary (/usr/bin/menu) could only have been discovered by examining each of the 24 SUID binaries. The 2>/dev/null redirection removed the permission-denied errors, and grep could be used together with strings to write the output for all binaries to a text file. However, the results in that file would require the same investigative effort, and uploading a vulnerability scanner could be blocked or could alert the target host.
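The weakness exploited above (a SUID binary calling a helper by bare name, found with strings) and the closing question of how to check all 24 SUID binaries without reading each one by hand can both be addressed with a small audit script that an administrator runs on a host they own. The script below is an added example written for this page, not code from the original walkthrough or the TryHackMe room; it assumes a POSIX shell with find, tr, grep and command -v, emulates strings with tr so binutils is not required, and flags embedded strings whose first word resolves to an executable on the host but is not written as an absolute path.

```shell
#!/bin/sh
# Added audit helper (not part of the original walkthrough). It looks for the
# pattern the writeup exploits: a SUID binary that invokes a helper program by
# bare name (e.g. "curl ...") instead of an absolute path, so whoever controls
# PATH decides which "curl" actually runs. Assumes POSIX sh, find, tr, grep
# and command -v; 'strings' is emulated with tr so binutils is not needed.

# Emulate 'strings': print runs of 4 or more printable characters in a file.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Print every embedded string whose first word resolves to an executable on
# this host but is not an absolute path. Treat the output as a review list:
# some hits are harmless text that merely starts with a command-like word.
bare_commands() {
    printable_strings "$1" | while IFS= read -r line; do
        case "$line" in
            /*) continue ;;              # absolute path: PATH is not consulted
        esac
        first=${line%% *}                # first whitespace-separated token
        if [ -n "$first" ] && command -v "$first" >/dev/null 2>&1; then
            printf '%s\n' "$line"
        fi
    done
}

# Walk every SUID file (the same find the walkthrough uses) and report hits
# as "binary: suspicious string".
audit_suid_binaries() {
    find / -perm -u=s -type f 2>/dev/null | while IFS= read -r bin; do
        bare_commands "$bin" | while IFS= read -r hit; do
            printf '%s: %s\n' "$bin" "$hit"
        done
    done
}

# Run the full audit only when asked, so the helpers can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    audit_suid_binaries
fi
```

Run it as root with --scan on a host you administer and review each hit by hand. On the binary's side, the fix is to call helpers by absolute path (or set a fixed PATH before system()) and, better, not to shell out from a SUID program at all.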