Due date
Jan 16, 2024 05:30 AM
Enumerate
Scan the machine with nmap, how many ports are open?
7
Enumerating Samba for shares
Search for the nmap scripts that enumerate Samba shares
Once you're connected, list the files on the share. What is the file you can see?
log.txt, the ProFTP config file, and the key location
What port is FTP running on?
21
Enumerating NFS service
Search for the nmap scripts for the NFS share
What mount can we see?
/var
Initial Access
Gain initial access with ProFtpd
Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?
1.3.5
Search for exploits. How many exploits are there for the ProFTPd running?
4
Using the proftpd_modcopy_exec exploit to get the foothold
mod_copy allows these commands to be used by *unauthenticated clients*:
From the earlier steps, we know the paths of the private key and the public key
Connect to FTP and use the SITE CPFR/SITE CPTO commands to get the file
Mount the directory
user Flag
Privilege Escalation
Privilege Escalation via SUID binary with Path Variable Manipulation
What file looks particularly out of the ordinary?
/usr/bin/menu
Run the binary, how many options appear?
3
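Inspecting the binary file with strings shows that the code uses three tools: curl, uname, and ifconfig
Following on from the above, the tools are not called by absolute path, so privileges can be obtained by changing the file path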
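An added example (not part of the original write-up): a small Python audit that repeats the strings check above, flagging command strings in a setuid binary whose first token is a bare command name rather than an absolute path. The helper names, the sample bytes and the command arguments in them are constructed for illustration.

```python
import os
import re
import stat

# Command names the write-up found with strings; extend for your own audits.
WATCHED = {"curl", "uname", "ifconfig"}


def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII, as the strings utility does."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")


def relative_invocations(data, watched=WATCHED):
    """Return (command, full string) for strings whose first token is a
    watched command given by bare name, so it is resolved through PATH."""
    hits = []
    for text in printable_strings(data):
        tokens = text.split()
        if tokens and tokens[0] in watched:
            hits.append((tokens[0], text))
    return hits


def audit_file(path):
    """Audit one file; only setuid files are of interest here."""
    if not os.stat(path).st_mode & stat.S_ISUID:
        return []
    with open(path, "rb") as handle:
        return relative_invocations(handle.read())


# Constructed stand-ins for a binary's contents (not bytes from the real file).
VULNERABLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
              b"curl -I localhost\x00uname -r\x00ifconfig\x00")
HARDENED = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
            b"/usr/bin/curl -I localhost\x00/bin/uname -r\x00/sbin/ifconfig\x00")

if __name__ == "__main__":
    for name, blob in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, relative_invocations(blob))
```

A hit means the program leaves command lookup to the caller's environment; the fix is to call each tool by absolute path, which is what the hardened sample models.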
root Flag
Reference
- Author: ji3g4gp
- Link: https://gpblog.vercel.app//article/Try-Hack-Me-Kenobi
- Copyright: This article is licensed under CC BY-NC-SA 4.0. Please credit the source when reposting.