# [[Kenobi]] --- ## Port Scanning and Enumeration (Nmap, SMB, FTP) --- ``` nmap -sV -oN nmap/init -sC -vv $IP ``` ![58597e24fb080e3528b99cd79a32ead2.png](0b048f9ff32b4954bfd5347d985a056a.png) ![d25343d50a701fb95d33ba646c920db8.png](e0ceb90440d34b4faedefb0a3b619ea5.png). ``` nmap -p 445 --script=smb-enum-shares.nse,smb-enum-user.nse #IP -oN nmap/smb ``` ![01776e3ba381c5b83ca2ce1b2511ab07.png](266c7a2019da4727922a51f4846e69f2.png) using `smbclient` ``` smbclient // ``` ![ef1613dc458c742573fdac08e4d20424.png](633982717f1c44d0ba20a3bd9043ca25.png) the `log.txt` file shows an ssh key pair being created and the basic `ProFTPD` configuration file Using nmap again to enumrate that port 111, we notice a mounted share `nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount` ![b21e672db6633606da85b40d8610ef89.png](3ad39d6597324568929eb9d4f7f29d7e.png) connecting to the FTP server on port 21 `nc 21` ![8701e4ef4c0ed25e70d20b9267e7248e.png](fbd97e7cf41b47bab51c9d489489edc0.png) ## Foothold (Metasploit, Mount) --- searchsploit for exploits ![70243c5f3857125a9f6970afcbcfa793.png](fcc9f33b37c74367946710baf8ef2360.png) ![771805a87f1f15e01d1cb3a178d68843.png](0417b1c6f7744176aad80733c749f4c1.png) SITE CPFR = copy from, SITE COPYTO = copy to. This allows us to move files around on the system. In the log file it said that there was a ssh keypair created and gave it's location. Let's copy that key to a location in the `/var` directory since we have access to that mount ![b69ae81492ff52847e70e4575e1b8b8f.png](5238d2ce5aa44a0f8f871d20b8a3e030.png) `mkdir /mnt/kenobiNFS` `mount /mnt/kenobiNFS` ![7e198cfb39bf4f02197e671257d2393e.png](d74e5671d1b94f40a04084aabbca0f09.png) We now have access to the `tmp` folder where we copied the key to. we can now log in as kenobi ![44b4d904ea815d40d130d3f0e37328c0.png](ad32ca8ddb2847768b2227c1df571f5c.png) ## Privilege Escalation (SUID) --- Now that we have access we want to get root. Let's do a search for SUID binaries ![5495e49f75fb0cc3e16c7ec14bd87d85.png](1c8d1bf1610d4974b0ad0313d34c8718.png) `find / -perm -u=s -type f 2>/dev/null` ![4f89a4cc3d3233a32e8fa47ff8337dc4.png](bd2e01dd02e74a638d3e2189ef19a14d.png) The odd one out is `/usr/bin/menu` ![876983616782adbf5a76accc41965df4.png](d1bb78dee9cc4369844860195f89be6d.png) let's use `strings` on it and see what it has the interesting part is: ![1db3096e7cb58b67e091a350df1d45bb.png](ffbb2052bc464d58ab86de44b595500c.png) Since it's not calling `curl` using the full path, maybe we can hijack it ![ee689c09ab026f7be01e621be66f4c8f.png](eefab14aec2340e4bafc74a149dad133.png) by creating our own `'curl'` and adding it to the `PATH` we can use the `/usr/bin/menu` binary to call *our* `curl`. Since the `/usr/bin/menu` binary is running with elevated privs, we are able to get root Switching the `PATH` back to the default `source /etc/environment` we can now cat the root flag --- Back to [[TryHackMe Index|TryHackMe Index]] Tags: #thm #tryhackme #box_writeups #smbclient #smb #nfs #ssh #suid Related: