Kenobi

Operating system | Difficulty | Release date | Creator |
---|---|---|---|
Linux | Easy | 20 April 2020 | TryHackMe |
Reconnaissance
We ping the target machine (ICMP echo) to check that we have connectivity to it.
Initial enumeration
We run an nmap scan to discover which TCP ports are open on the target machine.
```text
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.155.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 11:38 -03
Initiating SYN Stealth Scan at 11:38
Scanning 10.10.155.146 [65535 ports]
Discovered open port 22/tcp on 10.10.155.146
Discovered open port 80/tcp on 10.10.155.146
Discovered open port 139/tcp on 10.10.155.146
Discovered open port 111/tcp on 10.10.155.146
Discovered open port 21/tcp on 10.10.155.146
Discovered open port 445/tcp on 10.10.155.146
Discovered open port 57821/tcp on 10.10.155.146
Discovered open port 45377/tcp on 10.10.155.146
Discovered open port 33925/tcp on 10.10.155.146
Discovered open port 48255/tcp on 10.10.155.146
Discovered open port 2049/tcp on 10.10.155.146
Completed SYN Stealth Scan at 11:39, 19.60s elapsed (65535 total ports)
Nmap scan report for 10.10.155.146
Host is up, received user-set (0.29s latency).
Scanned at 2025-03-26 11:38:43 -03 for 20s
Not shown: 59484 closed tcp ports (reset), 6040 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      REASON
21/tcp    open  ftp          syn-ack ttl 63
22/tcp    open  ssh          syn-ack ttl 63
80/tcp    open  http         syn-ack ttl 63
111/tcp   open  rpcbind      syn-ack ttl 63
139/tcp   open  netbios-ssn  syn-ack ttl 63
445/tcp   open  microsoft-ds syn-ack ttl 63
2049/tcp  open  nfs          syn-ack ttl 63
33925/tcp open  unknown      syn-ack ttl 63
45377/tcp open  unknown      syn-ack ttl 63
48255/tcp open  unknown      syn-ack ttl 63
57821/tcp open  unknown      syn-ack ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.72 seconds
Raw packets sent: 95225 (4.190MB) | Rcvd: 63962 (2.595MB)
```
We run nmap's basic enumeration scripts to learn the version and service running behind each open port.
```text
nmap -sCV -p21,22,80,111,139,445,2049,33925,45377,48255,57821 -oN servicesScan 10.10.155.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 11:39 -03
Nmap scan report for 10.10.155.146 (10.10.155.146)
Host is up (0.24s latency).
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         ProFTPD 1.3.5
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/admin.html
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      39454/udp6  mountd
|   100005  1,2,3      42155/tcp6  mountd
|   100005  1,2,3      48255/tcp   mountd
|   100005  1,2,3      48623/udp   mountd
|   100021  1,3,4      33925/tcp   nlockmgr
|   100021  1,3,4      45787/tcp6  nlockmgr
|   100021  1,3,4      50657/udp6  nlockmgr
|   100021  1,3,4      58126/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs         2-4 (RPC #100003)
33925/tcp open  nlockmgr    1-4 (RPC #100021)
45377/tcp open  mountd      1-3 (RPC #100005)
48255/tcp open  mountd      1-3 (RPC #100005)
57821/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2025-03-26T09:41:35-05:00
| smb2-time:
|   date: 2025-03-26T14:41:35
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h42m05s, deviation: 2h53m12s, median: 2m04s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.90 seconds
```
Initial exploitation
HTTP (80)
Samba (445)
RPC (111)
ProFTPd 1.3.5 (21)
The mod_copy module implements the SITE CPFR and SITE CPTO commands, which allow files and directories to be copied from one place to another on the server. Any unauthenticated client can use these commands to copy files from anywhere on the filesystem to a destination of its choosing.
We know that the FTP service is running as the user Kenobi (from the file in the share) and that an SSH key is generated for that user.
Let's mount the /var directory, which contains /var/tmp, on our own machine.
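From the defender's side, the mod_copy behaviour described above leaves a recognisable trace: a SITE CPFR followed by a SITE CPTO from a session that never logged in, or naming paths outside the FTP root. The Python below is an added example (not part of this writeup) that flags such sequences in an FTP command log; the log layout, the FTP_ROOT value and the sample lines are constructed assumptions, not ProFTPD defaults.

```python
"""Flag ProFTPD mod_copy commands (SITE CPFR / SITE CPTO) in an FTP command log.
Assumed log format (constructed for this example, not a ProFTPD default):
    <timestamp> <client_ip> <auth_user or '-'> <command> [argument]"""
import re

# Constructed sample: an anonymous session copying a system file into /var/tmp,
# and an authenticated user copying a file within the FTP root.
SAMPLE_LOG = """\
2025-03-26T11:40:01 10.9.0.5 - USER anonymous
2025-03-26T11:40:02 10.9.0.5 - SITE CPFR /etc/passwd
2025-03-26T11:40:03 10.9.0.5 - SITE CPTO /var/tmp/passwd.copy
2025-03-26T11:41:10 10.9.0.7 alice USER alice
2025-03-26T11:41:11 10.9.0.7 alice SITE CPFR /srv/ftp/alice/report.pdf
2025-03-26T11:41:12 10.9.0.7 alice SITE CPTO /srv/ftp/alice/backup/report.pdf
2025-03-26T11:42:00 10.9.0.9 - SITE CPFR /etc/shadow
"""

FTP_ROOT = "/srv/ftp"   # assumption: legitimate copies stay under this directory
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) SITE (?P<verb>CPFR|CPTO) (?P<path>\S+)$"
)


def detect_mod_copy_abuse(log_text, ftp_root=FTP_ROOT):
    """Return one alert dict per SITE CPFR/CPTO issued by an unauthenticated
    session or naming a path outside the FTP root. CPTO alerts also carry the
    source path from that client's preceding CPFR, so the whole copy is visible."""
    root = ftp_root.rstrip("/") + "/"
    pending_src = {}   # client ip -> path from its last unpaired SITE CPFR
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:      # anything that is not a mod_copy command is ignored
            continue
        ip, user, verb, path = m["ip"], m["user"], m["verb"], m["path"]
        source = None
        if verb == "CPFR":
            pending_src[ip] = path
        else:          # CPTO completes (and consumes) the pending CPFR
            source = pending_src.pop(ip, None)
        reasons = []
        if user == "-":
            reasons.append("unauthenticated session")
        if not path.startswith(root):
            reasons.append("path outside FTP root")
        if reasons:
            alerts.append({"ts": m["ts"], "ip": ip, "user": user, "verb": verb,
                           "path": path, "source": source, "reasons": reasons})
    return alerts
```

Running `detect_mod_copy_abuse(SAMPLE_LOG)` yields three alerts: the anonymous CPFR and CPTO pair (the CPTO alert names /etc/passwd as its source) and the lone anonymous CPFR from the third client, while alice's copy within the FTP root produces none.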
```shell
mkdir /mnt/kenobiNFS
mount 10.10.155.146:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
```
Privilege escalation
Procedure for privilege escalation and the escalation vector.
Post-exploitation
We read the root flag.