{"id":25,"date":"2023-01-24T08:27:25","date_gmt":"2023-01-24T08:27:25","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=25"},"modified":"2023-06-15T18:26:36","modified_gmt":"2023-06-15T18:26:36","slug":"kenobi","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=25","title":{"rendered":"Kenobi"},"content":{"rendered":"\n

Kenobi Report by Zekken, TryHackMe, 11\/12\/2022<\/p>\n\n\n\n

Tags: Nmap Scan, SMB enum, FTP exploit, SSH, SUID escalation<\/p>\n\n\n\n

<\/p>\n\n\n\n

Vulnerability: CVE-2015-3306<\/a> “mod_copy module”<\/p>\n\n\n\n

System: Kenobi 10.10.89.151 (changed to 10.10.200.244)<\/p>\n\n\n\n

Exploit: This exploit allows attackers to read\/write to files, and exfiltrate files without authentication.<\/p>\n\n\n\n

Privilege escalation Vulnerability: Obtained by exploiting a SUID binary with an empty path, allowing us to insert our own path.<\/p>\n\n\n\n

Remediations: Many Intrusion prevention systems have a signature to pick up and prevent when an unauthorized remote file uploads or when 1.3.5 “mod_copy” occurs. Another way to fix this is to remove the service if it’s not in use. As for the privileges escalation, it can be remediated by making sure SUIDs have a path and are not left empty.<\/p>\n\n\n\n

Severity: Critical<\/mark><\/p>\n\n\n\n

<\/p>\n\n\n\n

Reconnaissance:<\/strong><\/mark><\/p>\n\n\n\n

root@ip-10-10-183-208:~# nmap 10.10.89.151 -vvv<\/mark>\n\nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2022-11-12 22:37 GMT\nInitiating ARP Ping Scan at 22:37\nScanning 10.10.89.151 [1 port]\nCompleted ARP Ping Scan at 22:37, 0.22s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 22:37\nCompleted Parallel DNS resolution of 1 host. at 22:37, 0.00s elapsed\nDNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating SYN Stealth Scan at 22:37\nScanning ip-10-10-89-151.eu-west-1.compute.internal (10.10.89.151) [1000 ports]\nDiscovered open port 21\/tcp on 10.10.89.151\nDiscovered open port 139\/tcp on 10.10.89.151\nDiscovered open port 22\/tcp on 10.10.89.151\nDiscovered open port 80\/tcp on 10.10.89.151\nDiscovered open port 445\/tcp on 10.10.89.151\nDiscovered open port 111\/tcp on 10.10.89.151\nDiscovered open port 2049\/tcp on 10.10.89.151\nCompleted SYN Stealth Scan at 22:37, 1.25s elapsed (1000 total ports)\nNmap scan report for ip-10-10-89-151.eu-west-1.compute.internal (10.10.89.151)\nHost is up, received arp-response (0.0013s latency).\nScanned at 2022-11-12 22:37:26 GMT for 1s\nNot shown: 993 closed ports\nReason: 993 resets\nPORT     STATE SERVICE      REASON\n21\/tcp   open  ftp          syn-ack ttl 64\n22\/tcp   open  ssh          syn-ack ttl 64\n80\/tcp   open  http         syn-ack ttl 64\n111\/tcp  open  rpcbind      syn-ack ttl 64\n139\/tcp  open  netbios-ssn  syn-ack ttl 64\n445\/tcp  open  microsoft-ds syn-ack ttl 64\n2049\/tcp open  nfs          syn-ack ttl 64\nMAC Address: 02:19:5C:94:FE:95 (Unknown)\n\nRead data files from: \/usr\/bin\/..\/share\/nmap\nNmap done: 1 IP address (1 host up) scanned in 1.69 seconds\n           Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.096KB)\n<\/code><\/pre>\n\n\n\n
\n
Task 1: Scan the machine with Nmap, how many ports are open?<\/mark><\/p>\n\n\n\n
 7<\/mark><\/p>\n\n\n\n
root@ip-10-10-183-208:~# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse<\/mark> 10.10.89.151\n\nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2022-11-12 22:40 GMT\nNmap scan report for ip-10-10-89-151.eu-west-1.compute.internal (10.10.89.151)\nHost is up (0.00027s latency).\n\nPORT    STATE SERVICE\n445\/tcp open  microsoft-ds\nMAC Address: 02:19:5C:94:FE:95 (Unknown)\n\nHost script results:\n| smb-enum-shares: \n|   account_used: guest\n|   \\\\10.10.89.151\\IPC$: \n|     Type: STYPE_IPC_HIDDEN\n|     Comment: IPC Service (kenobi server (Samba, Ubuntu))\n|     Users: 2\n|     Max Users: <unlimited>\n|     Path: C:\\tmp\n|     Anonymous access: READ\/WRITE\n|     Current user access: READ\/WRITE\n|   \\\\10.10.89.151\\anonymous: \n|     Type: STYPE_DISKTREE\n|     Comment: \n|     Users: 0\n|     Max Users: <unlimited>\n|     Path: C:\\home\\kenobi\\share\n|     Anonymous access: READ\/WRITE\n|     Current user access: READ\/WRITE\n|   \\\\10.10.89.151\\print$: \n|     Type: STYPE_DISKTREE\n|     Comment: Printer Drivers\n|     Users: 0\n|     Max Users: <unlimited>\n|     Path: C:\\var\\lib\\samba\\printers\n|     Anonymous access: <none>\n|_    Current user access: <none>\n\nNmap done: 1 IP address (1 host up) scanned in 1.32 seconds\n<\/code><\/pre>\n\n\n\n
Initial scans show that the Samba service was active on Port 445. We were able to log into the anonymous account without a password. Once inside, we could see a “log.txt” file that was available with read and write privileges.<\/p>\n<\/div>\n\n\n\n
\"\"<\/figure>\n\n\n\n
We can also back out and run “smbget -R smb:\/\/<ip>\/anonymous<\/mark>” to copy all files on that share into our own computer. We then can “cat” out that log.txt file. Once done, we managed to find an SSH key attached to an FTP configuration page.<\/p>\n\n\n\n
Assuming that the key can be used for FTP, we can run the Nmap command below to look for mounts.<\/p>\n\n\n\n
root@ip-10-10-183-208:~# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.89.151<\/mark>\n\nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2022-11-12 22:53 GMT\nNmap scan report for ip-10-10-89-151.eu-west-1.compute.internal (10.10.89.151)\nHost is up (0.00022s latency).\n\nPORT    STATE SERVICE\n111\/tcp open  rpcbind\n| nfs-ls: Volume \/var\n|   access: Read Lookup NoModify NoExtend NoDelete NoExecute\n| PERMISSION  UID  GID  SIZE  TIME                 FILENAME\n| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .\n| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..\n| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups\n| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache\n| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash\n| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local\n| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock\n| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log\n| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap\n| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www\n|_\n| nfs-showmount: \n|_  \/var *\n| nfs-statfs: \n|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink\n|_  \/var        9204224.0  1836520.0  6877108.0  22%   16.0T        32000\nMAC Address: 02:19:5C:94:FE:95 (Unknown)\n\nNmap done: 1 IP address (1 host up) scanned in 0.83 seconds\n\n\n\n<\/code><\/pre>\n\n\n\n
Task 2<\/strong>: Using the Nmap command above, how many shares have been found?<\/mark><\/p>\n\n\n\n
3<\/mark><\/p>\n\n\n\n
Once you’re connected, list the files on the share. What is the file that you can see?<\/mark><\/p>\n\n\n\n
log.txt<\/mark><\/p>\n\n\n\n
What port is FTP running on?<\/mark><\/p>\n\n\n\n
21<\/mark><\/p>\n\n\n\n
What mount can we see?<\/mark><\/p>\n\n\n\n
\/var<\/mark><\/p>\n\n\n\n
 <\/p>\n\n\n\n
Initial Access:<\/mark><\/strong><\/p>\n\n\n\n
Attempted to connect to FTP and was successful. upon login, we were able to see the Version that FTP was running on. After receiving this information, we can run the command “searchsploit proftpd 1.3.5<\/mark>” to see if there are any exploitations for this version. After searching, there were 3 exploits available. One being the “CPFR and CPTO mod_copy” module, which is the one we will use. <\/p>\n\n\n\n
We copied the .ssh\/id_rsa file from the kenobi home directory and moved it to their \/var\/tmp directory as seen below.<\/p>\n\n\n\n
\"\"
Login to FTP revealing version information and exploitation of CPFR and CPTO<\/figcaption><\/figure>\n\n\n\n
On the attacking machine, we can now set up a directory and copy the var share over.<\/p>\n\n\n\n
\"\"
Successful mount of \/var to \/mnt\/kenobiNFS<\/figcaption><\/figure>\n\n\n\n
We can now change the permissions of the file and use it for SSH login.<\/p>\n\n\n\n
\"\"
Permission change and SSH login<\/figcaption><\/figure>\n\n\n\n
Initial access to the machine, and access to the initial flag.<\/p>\n\n\n\n
\"\"
Initial Access and First Flag<\/figcaption><\/figure>\n\n\n\n
Task 3<\/strong>: What is the version?<\/mark><\/p>\n\n\n\n
1.3.5<\/mark><\/p>\n\n\n\n
How many exploits are there for the ProFTPd running?<\/mark><\/p>\n\n\n\n
3\u00a0<\/mark><\/p>\n\n\n\n
What is Kenobi’s user flag (\/home\/kenobi\/user.txt)?<\/mark><\/p>\n\n\n\n
d0b0f3f53b6caa532a83915e19224899<\/mark><\/p>\n\n\n\n
 <\/p>\n\n\n\n
Privilage Escalation:<\/strong><\/mark><\/p>\n\n\n\n
For privilege escalation, we can look at SUIDs.<\/p>\n\n\n\n
\"\"
SUIDs search<\/figcaption><\/figure>\n\n\n\n
What sticks out here is \/usr\/bin\/menu<\/mark>.<\/p>\n\n\n\n
After running \u201cstrings \/usr\/bin\/menu<\/mark>\u201d and scrolling up a bit, we can see this<\/p>\n\n\n\n
\"\"
strings \/usr\/bin\/menu output<\/figcaption><\/figure>\n\n\n\n
This tells us that there is no full path set. It is running without a path and we can use this to manipulate the path to get a root shell. Below are the commands used to manipulate the path and the root flag and proof.<\/p>\n\n\n\n
\"\"
Privilege escalation exploited and Root Flag<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"
Kenobi Report by Zekken, TryHackMe, 11\/12\/2022 Tags: Nmap Scan, SMB enum, FTP exploit, SSH, SUID escalation Vulnerability: CVE-2015-3306 “mod_copy module” System: Kenobi 10.10.89.151 (changed to 10.10.200.244) Exploit: This exploit allows attackers to read\/write to files, and exfiltrate files without authentication. Privilege escalation Vulnerability: Obtained by exploiting a SUID binary with an empty path, allowing us to insert our own path. Remediations: Many Intrusion prevention systems have a signature to pick up and prevent when an unauthorized remote file uploads or when 1.3.5 “mod_copy” occurs. Another way to fix this is to remove the service if it’s not in use. As for<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-25","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/25","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25"}],"version-history":[{"count":11,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/25\/revisions"}],"predecessor-version":[{"id":176,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/25\/revisions\/176"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}