Understanding How to Start Hacking with TryHackMe: Kenobi Write-up

Ploy Thanasornsawan
May 10, 2020

Scope target (in a company, a mass scan would cover several IPs)
Target IP: 10.10.221.255

If we are the pentester, what can we do to check for vulnerabilities on this IP?

In a company, we would focus on:
- Vulnerabilities on the ports that are running
- How can they be exploited?
- How to remediate them?
- The CVSS score, which identifies how dangerous the issue is. Is it urgent, and does it have to be fixed immediately?
- Is there a patch from the official product website?

Well, if there is no patch from the official product website and a patch has to be installed from a non-official website, is it safe? Does it require restarting servers, and does it affect other services on the server?

Okay, now that we know the scope target, let’s try service enumeration with an nmap scan (a company can use Rapid7, Qualys, Nessus, etc.)

nmap -sV 10.10.221.255

-sV shows the service versions in the scan output.

Now we know the main services are FTP, SSH, HTTP, rpcbind and Samba (SMB file share).
From the services overall, we can guess that this IP may have a way to leak important data, because FTP, SSH and Samba can all be used to access files on the server.

Both FTP and SMB can have anonymous login enabled
(for FTP, username: anonymous, password: anonymous; for SMB, username: Anonymous, password: (just press Enter)), but it is up to the configuration on the server. If you get the username and password of a specific user, you will see more files.

SMB: Server Message Block (SMB) is a file sharing protocol that allows Windows systems connected to the same network or domain to share files.

We can check with nmap whether SMB has any folder that an anonymous user can read or write:

This scans only the specific port 445, which is SMB. If we want to see vulnerabilities on the port, such as which CVEs apply, we can just use --script=vuln.

From the result, we know the paths: \tmp for IPC$, and \home\kenobi\share.
We can access the files anonymously. We will focus on \home\kenobi\share in case the share folder holds some important information.

Okay, we found only log.txt here. Let’s download the file with get log.txt

Try cat log.txt; the important information we see is about the key used for SSH access.

The log shows that the key was saved in /home/kenobi/.ssh/id_rsa. So now we know that if we can get id_rsa, we can SSH to the server as a real user on the system, not as anonymous. We now know the user is kenobi.

Let’s gather more information on rpcbind, port 111, to see the mount paths.

We found that /var is a path we can mount. As we are on the same network as the target, we can mount this path on our machine, but our goal is /home/kenobi/.ssh/id_rsa. Let’s make a folder for the mount with mkdir /mnt/kenobi, mount /var there, and check with ls -la whether id_rsa is inside for us yet.

Okay, we are close to our goal. We see the path /tmp. Let’s cd into that folder.

We choose /tmp because we know that /tmp allows all users to read and write, including the anonymous user, but when we run ls inside we find nothing. Let’s gather more information with searchsploit.

From the nmap scan at the beginning, we found that FTP uses ProFTPD 1.3.5 -> Use: searchsploit proftpd

We found that ProFTPD 1.3.5 has 3 ways to exploit it, and one can be used with Metasploit. You can copy a file from searchsploit by using -m with its id:
searchsploit -m 36742

Or try another way by searching on Google with the keyword: proftpd 1.3.5 exploit

It will show how the exploit works.

When we look up this CVE number, CVE-2015-3306, on the cvedetails website (https://www.cvedetails.com/cve/CVE-2015-3306/), it shows a description that helps to understand the CPFR and CPTO commands mentioned on Exploit-DB:

ProFTPD 1.3.5 Mod_Copy Command Execution

This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the ‘nobody’ user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

The best mitigation for this vulnerability is to upgrade the application to the latest version, because this exploit is found only in ProFTPD version 1.3.5.

The CVSS severity score is 10, which means critical, and the vulnerability exploited is mod_copy command execution in ProFTPD 1.3.5.
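On the server side, the behaviour in the description above shows up as SITE CPFR and SITE CPTO commands from a session that never logged in. The script below is an added example, not part of the original write-up: it assumes ProFTPD writes an ExtendedLog with the layout `%h %u "%r" %s` (an assumed configuration), and the log lines are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: flag mod_copy use by sessions
# that never logged in, which is the pattern behind CVE-2015-3306.
# Assumed log layout: <client> <user or "-"> "<command>" <reply code>

# Constructed sample lines (192.0.2.x and 198.51.100.x are documentation ranges).
sample_log() {
cat <<'EOF'
192.0.2.10 - "SITE CPFR /home/kenobi/.ssh/id_rsa" 350
192.0.2.10 - "SITE CPTO /var/tmp/id_rsa" 250
198.51.100.7 alice "SITE CPFR /srv/ftp/report.txt" 350
198.51.100.7 alice "SITE CPTO /srv/ftp/report.bak" 250
192.0.2.44 - "site cpfr /home/kenobi/share/log.txt" 350
192.0.2.44 - "SITE CPTO /var/tmp/log.txt" 550
192.0.2.10 - "QUIT" 221
EOF
}

# Reads log lines on stdin, prints one alert per unauthenticated copy attempt:
#   <client> <COPIED|DENIED> <source> -> <destination>
# COPIED means the server answered 250 to SITE CPTO.
detect_unauth_copy() {
    awk '
    {
        client = $1; user = $2; code = $NF + 0
        if (user != "-") next                 # logged-in sessions are out of scope
        cmd = $0                              # command = text between the quotes
        sub(/^[^"]*"/, "", cmd); sub(/"[^"]*$/, "", cmd)
        split(cmd, w, " ")
        verb = toupper(w[1] " " w[2])
        arg = cmd; sub(/^[^ ]+ +[^ ]+ +/, "", arg)   # path, spaces preserved
        if (verb == "SITE CPFR") { src[client] = arg; next }
        if (verb == "SITE CPTO" && (client in src)) {
            printf "%s %s %s -> %s\n", client, (code == 250 ? "COPIED" : "DENIED"), src[client], arg
            delete src[client]
        }
    }'
}

sample_log | detect_unauth_copy
```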

Coming back to the problem above, we want /home/kenobi/.ssh/id_rsa to end up under our mounted path, which is /var/tmp. Let’s use netcat on port 21 to copy the file.

Let’s check our path /var/tmp to see id_rsa.

Let’s log in to the target over SSH with the user ‘kenobi’ and id_rsa.

After accessing the server, we are a non-privileged user (kenobi). If we want to compromise the server, we have to elevate ourselves from kenobi to root.

On a Linux machine there are multiple ways to gain privileges, but let’s try SUID privilege escalation by searching for files that have the SUID bit set.

We can use find / -perm /4000 2>/dev/null or find / -perm /u=s 2>/dev/null to see which files are allowed to run as the root user.

First of all, there are three default files in bash: stdin, which is standard input such as the keyboard; stdout, which is standard output such as the terminal; and stderr, which is standard error, where errors are output. The file descriptors for stdin, stdout, and stderr are 0, 1, and 2, so 2>/dev/null throws away the error output of find.

You can read more at https://www.slashroot.in/suid-and-sgid-linux-explained-examples to see the common files on a Linux system that need SUID, like /usr/bin/passwd, because everyone needs to be able to change their password. We will see that /usr/bin/menu is odd compared with what a common system should have.

We can try running menu to see what this program is.

We can run strings /usr/bin/menu to see the readable strings inside this binary.

We will see that this menu program has the commands curl, uname and ifconfig inside, but it does not use full paths like /usr/bin/curl or /usr/bin/uname. That is not secure at all, because an attacker can substitute a different program with the same name, curl, and it will run with root privileges in place of curl.

We replace the curl command with a shell using echo /bin/sh > curl, make it executable with chmod 777 curl, and use the PATH variable for Linux privilege escalation.

We use export PATH=/tmp:$PATH to put /tmp first in the path. So, whatever directory the user is in now, the user can run the binary from this path.

Now we can call /usr/bin/menu to run the shell by selecting choice 1 (because from the strings command, we know choice 1 is curl -I localhost) and run id to verify that we are now the root user.
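For whoever has to review this finding on the server, the two checks in this section can be scripted: list SUID files that are not on a known-good list, and list the commands a program runs by bare name (the fix in the program is to call /usr/bin/curl and the others by absolute path). This is an added example, not part of the original write-up; the function names, the baseline file and the stand-in binary are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: two review helpers for the
# SUID finding above. The baseline file and the sample binary are constructed.

# List SUID files under directory $1 that are not in baseline file $2
# (one absolute path per line), the way /usr/bin/menu stands out above.
suid_outside_baseline() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort | grep -vxF -f "$2" || true
}

# Print the printable strings in file $1 that start with one of the command
# names given as further arguments: commands the program runs by bare name,
# which are therefore looked up through the caller's PATH.
bare_command_strings() {
    local file=$1; shift
    local names; names=$(IFS='|'; printf '%s' "$*")
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" | grep -E "^($names)( |\$)" || true
}

# Constructed stand-in for the program: NUL-separated strings like the ones
# strings /usr/bin/menu shows, plus one absolute-path call for contrast.
make_sample() {
    printf '\177ELF\0curl -I localhost\0uname -r\0ifconfig\0/usr/bin/curl -I localhost\0' > "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/menu"
# Prints the three bare-name calls; the /usr/bin/curl line is not reported.
bare_command_strings "$demo_dir/menu" curl uname ifconfig
rm -rf "$demo_dir"
```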

About port 80, the web application
(I terminated and deployed the machine again, so the IP changed.)

You can go directly to it in the browser; it shows only an image file.
Any tool like Dirbuster, gobuster or wfuzz can be used to look for other paths.

From the search results above, we didn’t find any useful path, such as a login path or a file upload path that could be used for a webshell backdoor. So we skipped the web server. If we had found such paths, we could search further on Exploit-DB for vulnerabilities in this Apache httpd version.

As for the FTP service, anonymous access on this machine works but has no rights to read files. It needs a user login.

That means the possible way to hack this machine is through SMB and rpcbind, mounting the path on the shared directory and then using the user kenobi and id_rsa to log in with SSH, because log.txt was the hint to use the SSH key.
