Walkthrough on exploiting a Linux machine: enumerate Samba for shares, abuse a vulnerable version of ProFTPD, and escalate your privileges through PATH variable manipulation.
. . .
Introduction
This is the third machine on the Offensive Pentesting path on TryHackMe. Link to the machine: https://tryhackme.com/room/kenobi
As soon as we deploy, we get the IP of the machine, i.e. 10.10.105.158.
We also see the following image which tells us what type of room this is going to be.
This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access and escalate your privileges to root via an SUID binary.
. . .
Scanning & Enumeration
Nmap Scan
root@fs0ci3ty:~# nmap -sV -A 10.10.105.158
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 00:11 IST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 4.01 seconds
root@fs0ci3ty:~# nmap -sV -A 10.10.105.158
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 00:12 IST
Nmap scan report for 10.10.105.158
Host is up (0.52s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 40027/udp6 mountd
| 100005 1,2,3 41540/udp mountd
| 100005 1,2,3 42637/tcp mountd
| 100005 1,2,3 58615/tcp6 mountd
| 100021 1,3,4 36163/tcp nlockmgr
| 100021 1,3,4 36378/udp6 nlockmgr
| 100021 1,3,4 39161/tcp6 nlockmgr
| 100021 1,3,4 56424/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 4 hops
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m05s, deviation: 2h53m13s, median: 4s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2020-07-31T13:43:50-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-31T18:43:50
|_ start_date: N/A
TRACEROUTE (using port 1025/tcp)
We encounter the following services:
1. FTP
2. SSH (usually not vulnerable)
3. HTTP
4. Samba
5. rpcbind and the RPC services it advertises (I usually skip this)
Update: this changes soon; later on we enumerate this as well.
Version Enumeration
From the Nmap scan, we can quickly fill in the version enumeration table.

Version Enumeration Table
My method says that if there is an HTTP server, check the website first :P
HTTP Enumeration
We view the website like any normal user would (the Happy Path :P).

Landing Web Page
The source code shows nothing but this image. But wait, didn't we see one disallowed entry in our Nmap scan? Let's check that out 🔎
The robots.txt file has one disallowed entry: admin.html

admin.html
Well, this is a dead end 🚫, unless the version of Apache is itself vulnerable.
Now we are left with FTP and Samba enumeration.
FTP Enumeration
Here we try to connect to the FTP server as an anonymous user and see whether we get any access.

Interacting with FTP
1. We can confirm the version of the FTP server in use.
2. Anonymous login is allowed, but we need to send a complete email address as the password.
SMB Enumeration
Using Nmap to enumerate:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.105.158
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 02:05 IST
Nmap scan report for 10.10.105.158
Host is up (0.59s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.105.158\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.105.158\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.105.158\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 83.48 seconds
We notice that we have the following shares:
- IPC$ (IPC Service)
- anonymous
- print$ (Printer Drivers)
Anonymous looks juicy 🍹: smbclient //<IP>/anonymous

private key in log.txt
From log.txt we observe that an SSH private key has been generated for the user Kenobi.
RPC Enumeration
Earlier we saw the rpcbind service running on port 111.
This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.
In our case, rpcbind points us to a network file system (NFS) service. Let's use Nmap to enumerate this.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.105.158
Nmap scan report for 10.10.105.158
Host is up (0.68s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836540.0 6877088.0 22% 16.0T 32000
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
We see that the volume /var is exported over NFS, and the '*' in the nfs-showmount output means any client is allowed to mount it.
. . .
Vulnerability Analysis
- HTTP
We find a lot of vulnerabilities listed at https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-199589/Apache-Http-Server-2.4.18.html
- Samba

samba version with vulnerability score of 10
A vulnerability with a CVSS score of 10. We will need to look at this as well.
On exploitDB we find a Metasploit exploit for this: https://www.exploit-db.com/exploits/42084
- FTP

Exploit DB: https://www.exploit-db.com/exploits/36742
This suggests that an unauthenticated user can issue commands on the server (the mod_copy SITE CPFR/CPTO file-copy commands). We can definitely try to use this.
Using searchsploit we find additional exploits:
. . .
From our enumeration we have the following information:
We can use 'mod_copy' to copy files from one location on the server to another, even as an unauthenticated client. We know that the SSH private key exists on the server (from log.txt).
We are now going to copy Kenobi's private key using the SITE CPFR and SITE CPTO commands.
I know it was dumb to try to copy root.txt, as the FTP server was started by the user Kenobi, but I think it doesn't hurt to try :P
Now that we have successfully copied the file into the '/var' volume, we can mount that volume over NFS and retrieve it.
Even I had no idea that this was possible; I was following TryHackMe and hence was able to figure this one out. Great learning point :D
Once we have 'id_rsa', we can use it to log in as the user Kenobi on the target machine.

Shell with User Privileges
Thus we get our initial foothold on the machine.
. . .
Privilege Escalation
We have already noticed that our user is in the sudo group, but we still do not have the password for his account.
Let's enumerate.
Usually we run LinEnum.sh, but I feel that before running so many tests we should first manually look for basic things like files with the SUID bit set.
find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
Once I find something, I check whether there is an entry for it on the GTFOBins site (https://gtfobins.github.io/).
But this time I did not find any. Taking a closer look (and with the nudge from TryHackMe to look for something out of the ordinary), I figured out that '/usr/bin/menu' is the odd one out.
We now know that the menu binary runs ifconfig, and that it locates ifconfig through the PATH variable rather than by an absolute path.
Let us follow some steps:
1. Check the current PATH (we are going to modify it so that our current directory is searched first, and reset it later).
2. Copy '/bin/bash' to the current directory and rename it to 'ifconfig'.
3. Run 'menu' using the absolute path '/usr/bin/menu' and choose 'ifconfig'.
4. Bam, we have a root shell. Try executing 'id': it fails, because of the modified PATH variable. Restore PATH and we can run all commands again.
5. Running 'id' confirms that we are root, and we finally get the root flag.

shell with root privileges
. . .
Final Words
I found that Samba was vulnerable as well; if someone reading this can help me out, it would be of great help.
Alternatively, when I find out how to exploit it, I will update this blog.