Understanding How to Start Hacking with TryHackMe: Kenobi Write-up
Scope / target (in a company engagement this would be a mass scan over several IPs)
Target IP: 10.10.221.255
Suppose we are the pentester: how do we check this IP for vulnerabilities?
In a company engagement we focus on:
- Vulnerabilities in the services running on open ports
- How can they be exploited?
- How can they be remediated?
- The CVSS score, which indicates how dangerous the issue is and whether it must be fixed immediately
- Is there an official patch from the product vendor?
If there is no official patch and the fix has to come from a non-official source, is it safe? Does it require restarting servers, and does that affect other services on the server?
Once we know the scope, let's start with service enumeration using an nmap scan (a company might instead use Rapid7, Qualys, Nessus, etc.):
nmap -sV 10.10.221.255
-sV probes the open ports to identify each service and its version.
The main services we find are FTP, SSH, HTTP, rpcbind and Samba (SMB file sharing).
Looking at the services as a whole, this host may well leak important data: FTP, SSH and Samba all give a way to access files on the server.
Both FTP and SMB can be configured to allow anonymous logins
(for FTP, username anonymous with password anonymous; for SMB, username Anonymous with an empty password), depending on the server's configuration. With credentials for a specific user you would see more files.
SMB : Server Message Block (SMB) is a file sharing protocol that allows Windows systems connected to the same network or domain to share files
We can check with nmap whether SMB exposes any share that an anonymous user can read or write, scanning only port 445 (SMB). If we want to look for known vulnerabilities (CVEs) on a port instead, we can use --script=vuln.
From the result we learn of the paths \tmp in IPC$ and \home\kenobi\share, which anonymous users can access. We focus on \home\kenobi\share in case the shared folder holds something important.
We find only log.txt there, so we download it with get log.txt.
Running cat log.txt reveals important information: a key for SSH access.
The log shows the key was saved to /home/kenobi/.ssh/id_rsa. So if we can obtain id_rsa, we can SSH into the server as a real system user rather than anonymous, and we now know that user is kenobi.
Next, let's gather more information on rpcbind (port 111) to find mount paths.
We find that /var is exported as a mount path. Since we are on the same network as the target, we can mount this path on our machine, but our goal is /home/kenobi/.ssh/id_rsa. Let's create a mount point with mkdir /mnt/kenobi, mount /var there, and check with ls -la whether id_rsa is already inside.
We are close to our goal: we see the path /tmp, so let's cd into that folder.
We choose /tmp because it allows every user, including anonymous, to read and write, but listing it shows nothing. Let's gather more information with searchsploit.
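The two exposures found so far, an SMB share readable without credentials and an NFS export of /var mountable from the same network, are both misconfigurations an administrator can catch in the config files before a scanner does. Below is an added example (not part of the original write-up) that audits a Samba smb.conf and an NFS /etc/exports for exactly those settings; both sample configs are constructed for the example.

```python
# Constructed sample configs (not from the Kenobi machine): one Samba share
# that any guest can read, and an NFS export of /var open to every host.
SMB_CONF = """[global]
[anonymous]
path = /home/kenobi/share
guest ok = yes
[backup]
valid users = kenobi
"""
EXPORTS = """/var *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup 10.0.0.0/24(ro,sync)
"""

def parse_smb_conf(text):
    """Return {section: {option: value}} with keys and values lower-cased."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            cfg[section] = {}
        elif section and '=' in line:
            key, val = (s.strip().lower() for s in line.split('=', 1))
            cfg[section][key] = val
    return cfg

def guest_readable_shares(text):
    """Share names a client can open with no credentials (guest ok = yes)."""
    cfg = parse_smb_conf(text)
    return sorted(name for name, opts in cfg.items()
                  if name != 'global' and opts.get('guest ok') == 'yes')

def risky_exports(text):
    """(path, host, reasons) for exports open to '*' or using no_root_squash."""
    findings = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        for client in fields[1:]:
            host, _, opts = client.partition('(')
            opts = opts.rstrip(')').split(',')
            reasons = []
            if host in ('', '*'):
                reasons.append('world-exported')
            if 'no_root_squash' in opts:
                reasons.append('no_root_squash')
            if reasons:
                findings.append((fields[0], host or '*', reasons))
    return findings
```

Point the two functions at the real /etc/samba/smb.conf and /etc/exports to get the list of shares and exports that need a guest ok = no or a restricted client list.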
From the initial nmap scan we know the FTP server is ProFTPD 1.3.5, so we run: searchsploit proftpd
searchsploit lists three exploits for ProFTPD 1.3.5, one of which is a Metasploit module. You can copy an exploit out of searchsploit with -m followed by its id:
searchsploit -m 36742
Or take another route and search Google for: proftpd 1.3.5 exploit
The results describe how the exploit works.
Taking the CVE number, CVE-2015-3306, to the cvedetails website (https://www.cvedetails.com/cve/CVE-2015-3306/) gives a description that explains the CPFR and CPTO commands used in the exploit-db entry:
ProFTPD 1.3.5 Mod_Copy Command Execution
This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the ‘nobody’ user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.
The best mitigation is to upgrade the application to the latest version, because this exploit affects only ProFTPD version 1.3.5.
The CVSS score is 10, i.e. critical, and the vulnerability exploited is mod_copy command execution in ProFTPD 1.3.5.
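As an added detection example (not from the original write-up or from ProFTPD itself): the mod_copy bug shows up in the FTP log as SITE CPFR/CPTO commands from a session that never authenticated, which a patched server should never record. The log lines are constructed and assume an ExtendedLog in the "%h %l %u %t \"%r\" %s %b" layout where %u is '-' until login.

```python
import re
from collections import defaultdict

# Constructed ProFTPD ExtendedLog lines in the "%h %l %u %t \"%r\" %s %b"
# layout (assumed); %u is '-' for a session that has not logged in yet.
FTP_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "USER anonymous" 331 0
192.0.2.10 - anonymous [01/Jan/2024:10:00:02 +0000] "PASS (hidden)" 230 0
192.0.2.10 - anonymous [01/Jan/2024:10:00:03 +0000] "LIST" 226 512
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350 0
198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "SITE CPTO /var/tmp/id_rsa" 250 0
"""

LINE_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                     r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$')

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect_mod_copy_abuse(text):
    """Map client host -> [(cpfr_source, cpto_target, time)] for every
    SITE CPFR/CPTO pair issued while the session was still unauthenticated."""
    pending = {}                  # host -> source path from the last CPFR
    findings = defaultdict(list)
    for rec in parse_log(text):
        parts = rec['cmd'].split(maxsplit=2)
        if len(parts) < 3 or parts[0].upper() != 'SITE':
            continue
        verb, arg = parts[1].upper(), parts[2]
        if verb not in ('CPFR', 'CPTO') or rec['user'] != '-':
            continue            # authenticated use of mod_copy is legitimate
        if verb == 'CPFR':
            pending[rec['host']] = arg
        else:
            src = pending.pop(rec['host'], None)
            findings[rec['host']].append((src, arg, rec['time']))
    return dict(findings)
```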
Given the above, we want /home/kenobi/.ssh/id_rsa copied into our mounted path, /var/tmp. Let's use netcat on port 21 to copy the file.
Let's verify in our mounted path /var/tmp that id_rsa is there.
Let's SSH into the target as user 'kenobi' with id_rsa.
After getting onto the server we are an unprivileged user (kenobi). To compromise the server we have to escalate from kenobi to root.
On a Linux machine there are many ways to gain privileges; let's try SUID by searching for files with the SUID bit set.
We can use find / -perm /4000 2>/dev/null or find / -perm /u=s 2>/dev/null to see which files run with their owner's (typically root's) privileges.
First, a note on the 2>/dev/null part: bash has three default files. stdin is standard input (e.g. the keyboard), stdout is standard output (e.g. the terminal) and stderr is standard error, where errors are output. Their file descriptors are 0, 1 and 2 respectively.
You can read more at https://www.slashroot.in/suid-and-sgid-linux-explained-examples about which system files normally need SUID, such as /usr/bin/passwd (everyone must be able to change their password). Against that baseline, /usr/bin/menu stands out as unusual.
Let's run menu to see what this program does.
Running strings /usr/bin/menu shows the readable strings inside the binary.
We see that this menu program runs the commands curl, uname and ifconfig, but without full paths such as /usr/bin/curl or /usr/bin/uname. That is insecure: an attacker can supply a different program with the same name, curl, and it will run with root privileges when the menu calls curl.
We replace the curl command with a shell by running echo /bin/sh > curl, make it executable with chmod 777 curl, and then use the PATH variable for Linux privilege escalation.
We run export PATH=/tmp:$PATH so that /tmp is searched first: whatever directory the user is currently in, the binary in /tmp is the one that gets run.
Now we call /usr/bin/menu and select choice 1 (from the strings output we know choice 1 runs curl -I localhost) to get a shell, then run id to verify that we are now root.
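The weakness in /usr/bin/menu, commands called by bare name from a setuid program, can be found with a strings-style audit over every SUID binary the find command above returns. This is an added example, not code from the write-up; FAKE_BINARY is a constructed stand-in for the real binary and WATCHED is an assumed list of commands worth flagging.

```python
import re

# Constructed stand-in for the bytes of a setuid menu helper (not the real
# /usr/bin/menu): three commands by bare name plus one with a full path.
FAKE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"curl -I localhost\x00uname -r\x00ifconfig\x00"
               + b"/usr/bin/uname -a\x00Enter choice:\x00")

# Assumed list of commands a helper like this is likely to shell out to.
# Any of them that appears without a leading '/' is resolved through $PATH.
WATCHED = {'curl', 'uname', 'ifconfig', 'sh', 'bash', 'cat', 'ls', 'id'}

def extract_strings(blob, min_len=4):
    """Minimal `strings`: runs of printable ASCII at least min_len long."""
    printable = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    return [m.group().decode('ascii') for m in printable.finditer(blob)]

def first_word(s):
    parts = s.split()
    return parts[0] if parts else ''

def audit_suid_binary(blob):
    """Return (relative, absolute): watched commands called by bare name,
    which a PATH change can redirect, and those called with a full path."""
    relative, absolute = [], []
    for s in extract_strings(blob):
        word = first_word(s)
        if word in WATCHED:
            relative.append(s)
        elif word.startswith('/') and word.rsplit('/', 1)[-1] in WATCHED:
            absolute.append(s)
    return relative, absolute

def audit_file(path):
    """Audit a real SUID binary, e.g. one listed by find / -perm /4000."""
    with open(path, 'rb') as f:
        return audit_suid_binary(f.read())
```

Every entry in the relative list is a candidate for the fix: call the command by absolute path, or set a fixed PATH inside the program before it runs anything.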
About port 80, the web application
(I terminated and redeployed the machine, so the IP changed.)
Going directly to it in a browser shows only an image file.
Tools like DirBuster, gobuster or wfuzz can be used to look for other paths.
The search results above turned up no useful path, such as a login page or a file upload that could serve as a web shell backdoor, so we skipped the web server. Had we found such paths, we could have searched exploit-db further for vulnerabilities in that Apache HTTP server version.
As for the FTP service: anonymous login on this machine is accepted, but it gives no rights to read files; a user login is needed.
That means the viable way in is SMB and rpcbind: mount the shared directory, then log in over SSH as user kenobi with id_rsa, since log.txt was the hint to use an SSH key.