TryHackMe! KENOBI - Linux Pentest: Samba Shares

Reddit Comments

Hello There

πŸ‘οΈŽ︎ 9 πŸ‘€οΈŽ︎ u/nertaxos πŸ“…οΈŽ︎ Apr 24 2020 πŸ—«︎ replies
This was super cool to watch. I need more of this in my life. I'm just about done with a BS cyber security degree and feel I don't know enough yet to even do stuff like this, let alone be in the field.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/kheyno πŸ“…οΈŽ︎ Apr 25 2020 πŸ—«︎ replies
Captions
Hello everyone, my name is John Hammond. It's been a little while since I posted a video, so I wanted to get back in the saddle. Today I'm going to be looking at the Kenobi room from TryHackMe, so I will hop over to my screen here so you can see the good stuff. And here I am, I'm joined in this room. I believe Kenobi is a subscriber-only room, but it says: walkthrough on exploiting a Linux machine, enumerate Samba shares, manipulate a vulnerable version of ProFTPD and escalate your privileges with PATH variable manipulation. So let's go ahead and spin up this instance. I'll hit the deploy button; it says make sure you're connected, so I will have to go do that in TryHackMe, and I will sudo openvpn my VPN. I think I made a typo there; it's hard to see my keyboard when there's a microphone in my way. I could use my headset, but I feel like I just look kind of stupid and dorky. Let's make a youtube/kenobi folder and move in there. I'm going to start a README so I can keep track of everything that I particularly do, because I think that is good practice. I'll also go ahead and specify that this room will have the IP address; if I export an IP here, this guy, so I will go ahead and grab that and slap it in there. Now go ahead and ping that IP address, and looks like he's up.

Okay, so what we need to do: make sure you're connected to our network and deploy the machine. Yep, did that. Scan the machine with nmap; how many ports are open? All right, so let's head back to our terminal and make a directory nmap, and I will nmap -sC -sV, so safe scripts or default scripts, enumerate versions. I like to use -oN so I can save to the nmap directory. I will do this all on my IP address, and I'll take a trick from IppSec's book: I'll use -T5 and, I think it's max retries, yeah, yeah, 2500, so this should make it a little bit faster, hopefully. We'll see; maybe it just ruins everything. Okay, so now our nmap results are back. Let me explain that though: that is a -T5, so the type or the kind of intensity is insane. Let's actually check out those arguments, because I didn't do a good job of explaining really what those did. Timing template: so the fine-grained timing controls discussed in the previous section are effective, but some people find them confusing, so you can choose the appropriate values at these different levels. Insane is the crazy, crazy fast one. Does it discuss T5? Yeah: I would always recommend using T4; some people love T5, though it's too aggressive for my taste, so it's just banging on doors, man. And max retries sets the maximum TCP scan delay to that many seconds. Let's check out what max retries is: --max-retries caps the number of port scan probe retransmissions. Okay, so if it dies, or if it can't get any results back, it'll just kind of cap it out at that many retries. Anyway, we have our nmap results, so let's go see what we've got here. We've got FTP open with seemingly an old version of ProFTPD, SSH is open, 80, so it has a website, oh, a little robots.txt there, admin.html, we can go check that out, rpcbind on 111, NetBIOS, Samba, yep, 1097, that's interesting, 2049. So that's one, two, three, four, five, six, seven, eight; that seems odd to me. Maybe that came out because we used those funky options there, so let's rerun that script and I'll finagle with that while we're submitting our answers. How many ports are open? So we saw eight from our speed scan, but I believe the correct answer is seven, because that other one I think came out of the blue, 1097. So that hopefully showcases both the syntax of using those speed scans in nmap and how you might be kind of gambling as to what you might find. We saw that the port was filtered, so that was kind of cool; it kind of gave us a little inclination that maybe that's not right, it's not particularly open, and I guess that is what it's asking for, so seven ports are in fact open. I hadn't seen that before when I had scanned this previously. There we go: nope, no more 1097. Okay, let's go on to task 2. Just for our notes, I'll do a task 1: no answer needed for number one; number two, how many ports are open. I just like to document, and that probably takes away some time from the video, but I do want to emphasize: hey, that's super duper important, take notes, and that way you'll have that ready for you in the future.

All right, using nmap we can enumerate the machine for SMB shares. Nmap's usability with a wide variety of networking tasks: there is a script to enumerate shares. So this is awesome, because it's getting into a little bit of NSE, or the nmap scripting engine. Looks like we're going to specify port 445, where we would typically see the information for SMB; later versions of SMB after Windows 2000 began to use port 445 on top of the TCP stack, and using TCP allows that to work. All right, and we can use --script to specify an NSE script, and again, I think I've shown it before, you could run locate or try and track down the files that have a .nse file extension. Let me just specify our port here. So let's go ahead and do that: I will nmap this guy, I'll also save that output to nmap/smb-scan, and since we saved our IP address as a variable, we can go ahead and run that. So this is going to be great, because it's going to enumerate all of the SMB shares, or the kind of file directories that are accessible to us on the network, that it is publicly sharing. We could also try and enumerate users; I like to typically use enum4linux, or that tool /opt/enum4linux, to do this as well. I store it in my opt directory; it's not actually called enum4linux, but we could supply the host or the IP address, and that is in here; looks like he actually has that. Okay, so what did I just type? enum4linux and the IP address, so that could spin off as well, and we can look for what it will track down for shares or users. So this got some results here; let's go ahead and take a look at this. We have an account with guest, looks like a hidden share, you can note it's hidden, or it's kind of intended to be hidden, with the dollar sign at the end there. It has an anonymous share; we have access to read, write in it, and it looks like it puts us in /home/kenobi/share on the filesystem, so that's kind of interesting. print is in there, that's pretty common, so you'll often see IPC$ and print$; those are normal, or can be normal. anonymous looks peculiar, so let's go ahead and take a look at that. How many shares were found? We found three in total. Oh, we'll just grab that and save it in our notes. Wow, I took the entire paragraph; I hate highlighting with my mouse. We found a total of three. All right, what else do we have to do in here? Most distributions of Linux carry SMB clients, so let's use that to inspect one of the shares. So we can use the syntax smbclient, and then whack-whack or two forward slashes on the IP address, and specifying the share with another forward slash, and anonymous being the share that we want to access. Using your machine, connect to the machine's network share. Once you're connected, list the files in the share; what is the file you can see? Let's go check it out. How did enum4linux do? He's still going. Okay, he found the exact same shares, anonymous, print, etc. Very, very cool. It looks like he's got a brute-forcing IDs and stuff like that; we didn't even worry about that. Let's go ahead and run smbclient. I do have that readily available; I don't know if it is installed for you, you might need to sudo apt install smbclient or some Samba tools or stuff like that. Let's go ahead and run that command though: smbclient with the IP address, and I'll use the anonymous share. It's going to want to know my password, because I didn't specify a username, so it's going to use mine and ask for mine by default. That doesn't matter, because we're just going to kind of use anonymous access, so if I just whack enter it will let me log in. I'm not specifying a password; the user doesn't particularly matter; we have anonymous access on this. So I'll type in ls to list some files out, and we can see there is a log.txt file here on that share. Let's go ahead and supply that; I'll give that as our answer here for number two. Good, good. You can recursively download the SMB share; submit the username and password as nothing, just as we did. smbget, that's kind of cool; I haven't actually used this tool before, so this is kind of some new learning for me, and that's what it's all about, right? smb:// using kind of a schema here to preface our IP and the share. So let's go ahead and do that. I will actually break out of this guy, and I'll make a directory samba so I can put those all in a specific place, and it's smbget -R. If you want to check out the other arguments and parameters you can pass to smbget, again, you've got the man pages: wget-like utility for downloading files over SMB. So that -R is recursive; it'll download just about everything. Let's do it; let's use smbget -R smb:// as our schema, IP address, anonymous, and again it's going to ask for a password, just whack enter. It should be able to pull some stuff down; it might be a little bit, let's find out. Oh, he got it, you got log.txt. Okay, sweet. What is in that log.txt? Whoa, a lot of seemingly interesting stuff. Okay, they're generating a public and private RSA key pair, generating a file, and okay, created a directory /home/kenobi/.ssh. Oh, so they're making an SSH key, seemingly no password; maybe we don't need one there; we don't know if that's their input in there. So they've saved their private key and their public key. Oh, we also have ProFTPD; we did see that as a service. Okay, looks like the config file for it: default port, oh, it's running as kenobi, which is kind of interesting, because maybe we could potentially reach that SSH key. DefaultRoot is commented out, so they aren't in a jailed thing. Normally you want files to be available on override; anonymous puts us in there, although the service is running as kenobi, so we probably have access to what kenobi can access. We also have SMB, or our Samba share. A lot of information in that, a lot of comments here; this is kind of hard to scroll through. We could very well write to that directory though; it's worth a try. Yeah, read-only doesn't seem to be particularly concerned; anonymous, browsable yes, read-only yes, guest okay yes. Huh, is it really read-only? Oh, maybe for the person accessing the share, but not on the actual filesystem; it's just going to show that location. So if we were to use some other technique to move the SSH private key into the share, we could still access it as a user reading and reaching into the share. So maybe we'll have to use some other technique here.

They ask us, okay, what port is FTP running on? Well, we already found that from our nmap scan; let's go ahead and submit that. That's number two, I'm sorry, that's number three here: what port is FTP on? Did I just copy that text? Yeah, I did. Yeah, 21. Just good to keep notes. And they're going to mount some information: our earlier nmap scan provided that 111 is running rpcbind. rpcbind: it tells rpcbind the address at which it is listening and the RPC program numbers it's prepared to serve. In this case it can access a network file system, so we have some network shares. Now, I typically see this on like port 2049, right, because NFS, but I guess those are kind of paralleled and pulled together. Let's hop out of this directory and go see what that has. What I do typically for this, because it's using showmount, oh, is that the right IP address? I think so, yeah, yeah, whatever, I'll just change that, and it shows me that there is a /var file or folder there. I would do that with showmount, so showmount -e and then the IP address, which I need to go ahead and add in here: showmount -e $IP, and that will tell me the exact same information. /var is a folder we could go ahead and access and mount, so that's what they were asking for here. Let's go ahead and submit that: what mount can we see? Let's go slap that into our notes. I literally just copied and pasted this, and why am I typing now? I've done this like out of habit for the last couple videos, and/or like things that I've been doing for my own recording, just for me to go through some TryHackMe stuff; it's just habit, hand-jamming everything in, because copying and pasting is so frustrating.

ProFTPD, okay, so now we're taking a look at that FTP server. ProFTPD is a free and open source FTP server, compatible with Windows and Linux. Whoa, it's been a while since I made a video. It's also vulnerable in some past software versions. Okay, get the version of ProFTPD. Let's use netcat to go check that out; so you could do a simple banner grab with netcat, we could just netcat to that IP address on port 21 and it'll tell me, hey, that's the version. We also saw that in our results from our nmap scan, so that's kind of pretty easy and handy to find out. One: what is the version? 1.3.5. We can use searchsploit to find exploits for particular software versions; searchsploit is basically just a command line search tool for exploit-db.com, it's pretty awesome. How many exploits are there for ProFTPD running? So if you haven't heard of searchsploit before, I do want to showcase this, because it's fantastic. If you go check out Offensive Security's exploit-db GitHub, they do have a like a GitHub, locally available copy of their entire exploit database that you'd normally navigate through online. They also offer a command line tool, searchsploit, that lets you go ahead and look through all of those entries in the database. So if you can grab just the software name or the software version number, you could pretty easily, okay, let's see, what does the public already know about this? Is it vulnerable? Is there anything I can exploit? So there's some really cool stuff. And normally what I would do is I would git clone this, so in my opt directory, because that's where I tend to store a lot of my tools, I have my exploitdb directory and searchsploit is in there. So I would just create this as a prompt; I'd modify my prompt to allow myself to just run searchsploit from anywhere I'd like to be. So I was in tryhackme/youtube/kenobi and I could just run searchsploit, and there we go, now I have all the arguments. But normally searchsploit is pretty easy to use, because you could just specify what it is that you're looking for as search terms, like literally just arguments following that, and it'll find stuff for you. So let's check this out: if I were to run searchsploit on ProFTPD version 1.3.5, now we've got some results. So it looks like it's asking for how many we found, and we found three. Let's go check that out, taking good notes; you probably hate me for it, but I just want to showcase. You should have found an exploit from ProFTPD's mod_copy module. The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files and directories from one place to another on the server. Any unauthenticated client can leverage these. So we don't need to know any credentials, we don't need to know kenobi's password, we don't know any other users' credentials to log into that FTP service; we can just do it via netcat, which is kind of cool. Copy files from any part of the filesystem to a chosen directory. So we know that the FTP service is running as the kenobi user; from the file on the share we saw that that log.txt file and an SSH key was generated for that user, so we could potentially pull that SSH key into a location that we can read and access, and then pull it in and then use it, and then SSH as that user kenobi. So let's go ahead and do that.

If you want to take a look at some of these, I'll use searchsploit, I'll actually just grab this text file because it'll go and explain it. You can use -x with searchsploit to examine an entry given the path there, so you can just copy and paste that in, and this will kind of talk about, hey, what syntax is really kind of in place for this sort of attack, and that he's going to use these SITE CPFR commands: you say this is the file that I want to copy, this is where I want to copy it to. And they're actually using a really cool technique here, because they're using PHP, perhaps, on the website, so they could potentially create some PHP code into port 80, or what's being served on the webpage, and then because that page will be rendered with PHP, you could potentially get remote code execution and execute code and commands. Maybe we could do this too; I don't think I'm going to go into that in this video, but when I used to teach, and I taught the cyber threat emulation course, this is something that I actually baked into the course: was this exact exploit, ProFTPD 1.3.5, showcasing the mod_copy technique and showing that we could gain code execution, and the Metasploit module actually does that. So if you want to go check out the source code of the Metasploit module, like, checking this out, this is pretty neat: you can see here's the description that you would normally see within Metasploit, you could scroll through and see what arguments, parameters and options they set, and it'll walk through the actual exploit in Ruby, which is very, very cool. They use some interesting techniques, because they use /proc/self/cmdline, which allows you to include the PHP payload to get the remote code execution. I used this in the classroom because it was kind of cool, in that there were only three exploits, but they showcased different ways of doing the same technique: the text file just explained it, showcased some syntax; the Metasploit module showcased it really, really well. But I was trying to say, hey, not all the time can we use Metasploit, we don't always want to do that; we kind of want to understand the exploit and see how we can weaponize it and write it ourselves, and we were doing that in the class, typically within Python, because Python's like my golden sword, right, I love that thing. So we would take a look at this Python code that someone has an exploit written in, but it's kind of weird, in that, okay, it's old Python 2, it's kind of hard to read, it's really pretty difficult to look at, but you can see what they're doing for including commands: they include it just as an argument, and then that's a static command, you can't modify that or change that with like a GET variable or POST variable, and the way that they use that /proc/self/fd file descriptor is kind of just a guess on what socket or what file descriptor is actually open for that. So using the /proc/self/cmdline as their copy-from is a much better technique, because it'll ensure that your PHP code is actually visible and can be copied for writing to the file server, writing to the web server, being able to see that PHP page and have it be executed as you access it. So anyway, sorry, tangent, just some tinkering thoughts of teaching and showcasing this exploit and what you can do with it.

Anyway, we know that it will allow us to copy one file to another location in the filesystem, unauthenticated, and because the FTP server is running as the kenobi user, we could access kenobi's files, his SSH key, and potentially put it, maybe, in the Samba share so we could access it. So TryHackMe includes a pretty nice picture just to showcase this: netcatting to the IP address, using the SITE CPFR commands and SITE CPTO, you should be able to see these kind of partial responses from the FTP server. So let's go ahead and do that. Let's go do our netcat, IP address, port 21. So let's use our SITE CPFR, so copy from /home/kenobi/.ssh/id_rsa, because that's his private key, and we know the location of this NFS share as well; it's also in /var/tmp, or just /var, right, that's what it's sharing for us, and we could just create a directory in there, tmp, and copy our id_rsa file over there. So let's do that; let's use SITE CPTO, let's make a tmp directory and id_rsa, and that successfully copied it. So if I were to go use smbclient one more time, or I went over to that IP address on the anonymous share, empty password, now we can go ahead and check out ls. We seemingly do not have that tmp directory. tmp? Nope. Is it just not there? Let's try that netcat syntax again: SITE CPTO, can I put it in just /var/id_rsa? Nope. Okay, so I need to have a directory there. How do they do this? Oh, maybe it's just not showing it as we've read it; we need to mount that tmp directory to our machine, or as far as the share that it's sharing, but not the actual filesystem. Because if we look at tmp, hmm, we could check out that log.txt file and see what it's really sharing; we have that in samba. A little bit of learning for me. Okay, anonymous puts it in /home/kenobi/share, and that's all. Oh, the mount, the mount is different; I was doing the wrong thing. I was using the NFS, I was connecting to the SMB share when I should have been connecting to the /var that is an NFS share. Sorry, I got confused. Let's go ahead and make a directory that we can go ahead and copy this to, so let's make a directory, let's call it nfs, and we're going to use mount with the machine IP address, colon, /var, and that's going to understand, okay, this is an NFS share we're going to connect to, and I'll put it in the nfs directory. So let's do that; let's use mount, it's our IP for the box, /var, to nfs, the directory that we just created. Looks like I need to be root, so let me sudo that. It takes a second, because it's probably a lot to put in there. Okay, yep, so let's now move into that nfs directory that we just made and let's see what we have: seemingly the filesystem. Okay, so because we put it in tmp, now we have an id_rsa file in there, so that's going to actually be kenobi's SSH key. Let's go ahead and copy that out, up, up, up, and because that's all we needed, I'm actually going to sudo umount nfs, so when I disconnect from the VPN it doesn't get all messy and make that folder every single time. There we go. Let's say that we've done that, and we need to now use that id_rsa key to SSH into the kenobi user. So let me go ahead, I will make that id_rsa permissions 600 with chmod, so only I can read it and it's a safe and secure SSH key that SSH will be willing to use, and I'll specify kenobi@ our IP address, and I need to specify the $IP address because it will resolve the variable. Yes, I'm totally cool to connect to it, and there we go, we're in; we are logged in as kenobi. So what do we have in here? We have our user.txt flag, which we need to go ahead and submit for that answer here. We hadn't been taking notes, my bad. Who cares? Don't actually have that mentality. We gain initial access; why is that still wrong? Okay, we need to mark some of these things as completed, sorry.

Now we're moving on to task 4, privilege escalation with PATH variable manipulation. Okay, so we're talking about some SUID binaries. Let's first understand what SUID, SGID and sticky bits are. The SUID bit allows the user that's executing the file to have the permission of the owner of the file. So if I executed something as kenobi, and that file were owned by root, if it were a SUID bit, I would still be operating everything that that binary or that program would do, or that file would do, as the root user. So that's awesome, because that's potentially a privesc. SGID, sticky bit, SUID bits can be dangerous, yep, potentially a privesc. Some binaries, such as passwd, like the command passwd, need to be run with elevated privileges, as it's resetting your password in the system; however, other custom files that have this SUID bit can lead to all sorts of issues. To search the system for these files, run the following. Okay, so they give us a good find command to use here; let's go ahead and run that. So this will look for the permissions that have a sticky, or sorry, that s representing a SUID bit, and looking for files, and all the standard error is being redirected to nowhere. So looking through this, there are a few of these that kind of look normal, and I guess the understanding and exposure of what looks normal is just kind of from experience, from just doing this a little bit more, or you could use your own host system as a baseline. So I'm connected to Kenobi down here on my bottom, and I'll actually change the color here so you can see that that is the target, and this down here is my host. If I ran that same command, we could see all the weird binaries on my system that are SUID. I don't happen to have some of the ones that they have, but I see su, I see ping, mount, the others, etc., umount is in there, sudo is in there, I don't see /usr/bin/menu. So /usr/bin/menu kind of sticks out to me as odd and strange and weird; maybe that's something custom. So let's copy that and submit that as our answer for this guy, and that's correct. Now run the binary; how many options appear? Okay, so let's go ahead and run. Here it's a status check, kernel version and ifconfig, so there are three options, and we could try some of these. Status check: okay, it looks like it made an HTTP request, interesting. What does the kernel version do? Okay, that tells us something from uname, potentially. Oh, ifconfig, it's just going to run that command, huh. So strings is a command on Linux that looks for human readable strings in a binary, so if I were to run strings on that /usr/bin/menu, we could look for some of the things that maybe that's doing. Looks like status check, okay, that's actually going to run curl on our localhost; kernel version, waiting on uname -r; and ifconfig will run, potentially, ifconfig. We don't know for sure, because we aren't looking at the source code here, we're just looking at the strings in the binary, but because these are running commands without kind of a fixed path, like without the absolute path, it's just curl, whatever happens to be in your path first, and it's running as a SUID binary. Let me do that ls -l: you can see it's rws for that SUID, you can see it's kind of all in red, and note that, hey, this is owned by root. So SUID binary: this command will execute in the context of the root user. So we can abuse this, because we know, okay, it's running curl, and we could kind of create our own curl binary that's going to be executed first, because we can put that higher up in our path and make that executable. You can see TryHackMe includes a good picture for this; let me show you that. Let's just copy /bin/sh or /bin/bash, I'll do that, and I'll make it a curl directory right in here, or a curl file, so I have ./curl, which is going to give me another bash shell. So I'll exit that and go back to my regular shell, but now that we've created this binary named curl, and it's going to have the same name as what this program tries to run, if we modify our path to call that binary first, because it's executing with the permissions of root with the SUID binary, it should give us a root shell. So let's do that. We could check out our PATH variable, and we can actually modify our PATH variable. If I say, let's export PATH to our current directory, right, /home/kenobi; it actually has bin in there as a potential path, so we can, let's, let's use both, let's stay /home/kenobi, let's modify that, separate with a colon, because that is a delimiter for the PATH variable, and let's include the rest of the PATH variable inside it there. So now that we've set that, we could go and echo PATH, and you can see my home directory, /home/kenobi, is just in there just as well. So if I run curl, by default now it's going to give me a bash shell rather than running the curl command, because it's reaching that path first in the path expansion, PATH variable expansion. So now if I were to try and run our /usr/bin/menu, and if I were to go ahead and check our status, looks like we don't have curl localhost. That happened because it's executing that binary and not including -p. That might be how it's done; they use an echo command, which is interesting to me, because I might just be executing that simply as a script. Potentially making a lot of flops in this video. Let's, let's, let's change that up: let's rm our curl, and let's now make echo /bin/bash, that's kind of just a simple file or a script; cat curl, it's going to run /bin/bash. Now let's run our /usr/bin/menu and choose one. Now it didn't do that whatsoever, kind of peculiar. Maybe we could use our sh; so they put it in tmp /bin/sh, maybe sh will keep the permissions rather than bash. So let's just try it in our curl one more time. If I were to run curl, oh, it's just not marked as executable, so that's probably why it didn't run earlier. If I were to curl now, I have a regular shell; if I were to run our menu, now I have the root shell. So sh keeps its permissions without specifying an argument, because bash, I know, you probably need to -p. Let's try doing that with bash, rather than using echo, wow, using echo rather than making a binary, let's just have it be kind of a file to execute that is a script, and then it will run bash -p, into curl. So now when I run curl it gives me a shell; if I go back to run my menu, if I run status check, now I'm root. Okay, so sh, excuse me, sh does not need to have that -p argument to kind of maintain the permissions; bash does. So now that I'm root, okay, let's go ahead into my root directory and I have a root flag in there, so we can cat that out and call that box done.

Okay, so real box, real video, real thing. Obviously I made a couple mistakes in there, but hopefully those showcase some learnings, just for me but also for you, and it's, it's cool and peculiar, because now maybe we didn't need to even specify our own addition to the path, because we saw, when we checked out that PATH variable, we also already had /home/kenobi/bin, and we could very well just create that directory. We could have made that, not having to modify that PATH variable, since it already has some of our own locally writable locations in there. Okay, I'm losing some steam, I am going to call this video done. I'm going to wrap this up and say, okay, cool, we completed Kenobi. I hope you guys enjoyed, I hope you like this video; if you did, please do press that like button, do the YouTube algorithm things, leave a comment, say whatever you want, say whatever you want, subscribe would be great, I'd love to see you guys in the Discord server, Patreon, PayPal, LinkedIn, Twitter, all this stuff, all the internet things. All right, I'll see you guys later, thanks so much for watching, take care.
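The privilege escalation at the end of the video comes down to two defender-side checks: a SUID inventory that differs from a known-good baseline, and a SUID program that calls `curl`, `uname` and `ifconfig` by bare name while a user-writable directory sits in PATH. The script below is an added example (not code from the video or from TryHackMe) that automates both on constructed sample data; the baseline list, the `find`/`strings` output, the installed-binary map and the PATH value are all assumptions made up for the example.

```python
"""SUID and PATH-hijack audit on constructed sample data (added example).

All sample data below is constructed: a baseline SUID list from a known-good
host, the target's `find / -perm -u=s -type f` output, the `strings` output
of one suspicious binary, and the target user's PATH.
"""
from __future__ import annotations

# Constructed baseline of SUID binaries expected on a stock host.
BASELINE_SUID = {
    "/bin/su", "/bin/ping", "/bin/mount", "/bin/umount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/newgrp",
}

# Constructed `find / -perm -u=s -type f 2>/dev/null` output from the target.
TARGET_FIND_OUTPUT = """\
/bin/su
/bin/ping
/bin/mount
/bin/umount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/menu
"""

# Constructed `strings /usr/bin/menu` output, modelled on what the video shows.
MENU_STRINGS_OUTPUT = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
curl -I localhost
uname -r
ifconfig
/usr/bin/id -u
***Welcome to the menu***
GLIBC_2.2.5
"""

# Utilities a SUID helper plausibly shells out to; a bare name is PATH-resolved.
KNOWN_UTILS = {"curl", "wget", "uname", "ifconfig", "ip", "id", "cat", "ls",
               "ps", "netstat", "ss", "sh", "bash", "service", "systemctl"}

# Constructed map of where the real binaries live on the target.
INSTALLED = {
    "/usr/bin": {"curl", "uname", "id", "python3"},
    "/sbin": {"ifconfig"},
    "/bin": {"sh", "bash", "ls", "cat"},
}

# PATH as the video reports it for the kenobi user: the home bin dir is already in it.
KENOBI_PATH = "/home/kenobi/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
USER_WRITABLE = {"/home/kenobi", "/home/kenobi/bin", "/tmp"}


def unexpected_suid(find_output: str, baseline: set[str]) -> list[str]:
    """SUID paths present on the target but absent from the baseline host."""
    found = {ln.strip() for ln in find_output.splitlines() if ln.strip()}
    return sorted(found - baseline)


def bare_commands(strings_output: str) -> list[str]:
    """Embedded command lines that name a known utility without a path."""
    hits = []
    for ln in strings_output.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("/"):   # absolute invocations are not hijackable
            continue
        if ln.split()[0] in KNOWN_UTILS:
            hits.append(ln)
    return hits


def resolve_in_path(cmd: str, path_value: str, installed: dict[str, set[str]]) -> str | None:
    """Emulate execvp(): the first PATH entry that contains cmd wins."""
    if "/" in cmd:
        return cmd
    for d in path_value.split(":"):
        if cmd in installed.get(d, set()):
            return f"{d}/{cmd}"
    return None


def hijackable_dirs(cmd: str, path_value: str, installed: dict[str, set[str]],
                    writable: set[str]) -> list[str]:
    """PATH entries searched before the real cmd that the caller could write to.

    An empty list means no hijack window; that is always the case for an
    absolute path, which is the fix for a helper like /usr/bin/menu.
    """
    if "/" in cmd:
        return []
    out = []
    for d in path_value.split(":"):
        if cmd in installed.get(d, set()):
            break                      # the real binary is found here; stop
        if d in writable:
            out.append(d)
    return out


def audit(find_output: str, strings_output: str, path_value: str) -> dict[str, list[str]]:
    """Combine the checks: odd SUID files plus hijack windows per bare command."""
    report = {"unexpected_suid": unexpected_suid(find_output, BASELINE_SUID)}
    for cmdline in bare_commands(strings_output):
        report[cmdline] = hijackable_dirs(cmdline.split()[0], path_value,
                                          INSTALLED, USER_WRITABLE)
    return report


if __name__ == "__main__":
    for key, val in audit(TARGET_FIND_OUTPUT, MENU_STRINGS_OUTPUT, KENOBI_PATH).items():
        print(f"{key}: {val}")
```

Run against real hosts, replace the constructed strings with the output of the same `find` and `strings` commands the video uses; a non-empty list next to a command line is the condition the walkthrough exploits.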
Info
Channel: John Hammond
Views: 62,822
Id: 60_g_hBVLbg
Length: 34min 11sec (2051 seconds)
Published: Thu Apr 23 2020