TryHackMe: Kenobi Walkthrough.
You can access the room through this link: https://tryhackme.com/room/kenobi
Task 1 :- Deploy the vulnerable machine
Make sure you’re connected to our network and deploy the machine → No answer needed.
Hint :- nmap ip -vvv
Scan the machine with nmap, how many ports are open? → 7
Task 2 :- Enumerating Samba for shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse MACHINE_IP
Using the nmap command above, how many shares have been found? → 3
smbclient //<ip>/anonymous
Once you’re connected, list the files on the share. What file can you see? → log.txt
What port is FTP running on? → 21
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount MACHINE_IP
What mount can we see? → /var
Task 3 :- Gain initial access with ProFtpd
What is the version? → 1.3.5
How many exploits are there for the ProFTPd running? → 3
You should have found an exploit from ProFtpd’s mod_copy module.
mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
What is Kenobi’s user flag (/home/kenobi/user.txt)? → *****************************
Task 4 :- Privilege Escalation with Path Variable Manipulation
find / -perm -u=s -type f 2>/dev/null
What file looks particularly out of the ordinary? → /usr/bin/menu
Run the binary, how many options appear? → 3
Running the strings command on the /usr/bin/menu binary, we can see that it calls curl and uname without a full path (i.e. not /usr/bin/curl or /usr/bin/uname), so those names are resolved through the caller's PATH variable.
We copied the /bin/sh shell, called the copy curl, gave it the correct permissions and then put its location at the front of our PATH. This meant that when the /usr/bin/menu binary was run, it used our PATH variable to find the “curl” binary, which was actually a copy of /bin/sh. Because the file runs as root, it started our shell as root!
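As an added example (not the room's /usr/bin/menu and not part of the original walkthrough), the C sketch below shows the hardened form of a setuid launcher like the one described above: the inherited environment is replaced with a fixed PATH, child programs are started by absolute path with execv instead of a shell, and privileges are dropped before anything runs. The command names, the `first_token_is_absolute` audit helper and the choice of uname as the action are assumptions modelled on the walkthrough.

```c
// Added example: a hardened stand-in for a setuid "menu"-style launcher.
// Not the room's binary; the commands and helpers here are assumptions.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The vulnerable pattern the walkthrough describes looks like:
 *     system("curl -I localhost");
 * "curl" is resolved through the caller's PATH, so whoever controls PATH
 * decides which program the root-owned binary actually executes. */

/* Returns 1 if the first word of a command line is an absolute path, else 0.
 * Handy when reviewing `strings` output from setuid binaries. */
int first_token_is_absolute(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    return cmd[0] == '/';
}

/* Discard the inherited environment and install a fixed, trusted PATH so
 * nothing the caller set can influence name resolution in child processes.
 * Returns 0 on success, -1 on failure. */
int set_trusted_environment(void) {
    if (clearenv() != 0) return -1;
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    return 0;
}

/* Run a program by absolute path with an explicit argv: no shell, no PATH
 * search. Returns the child's exit status, or -1 on error or relative name. */
int run_fixed(const char *abs_path, char *const argv[]) {
    if (!first_token_is_absolute(abs_path)) return -1; /* refuse relative names */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(abs_path, argv); /* execv never consults PATH */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    if (set_trusted_environment() != 0) return 1;
    /* Assumption: showing the kernel version needs no root, so drop it first. */
    if (geteuid() == 0 && setuid(getuid()) != 0) return 1;
    char *const uname_argv[] = { "/bin/uname", "-r", NULL };
    return run_fixed("/bin/uname", uname_argv) == 0 ? 0 : 1;
}
```

The two checks that matter are `set_trusted_environment`, which removes the attacker-controlled PATH entirely, and `run_fixed`, which refuses anything that is not an absolute path; either one alone would have stopped the curl substitution described in this task.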
What is the root flag (/root/root.txt)? → ********************************
Note :- Always terminate the machine you deployed in this room.
Thanks for reading, I hope you liked it. Post your questions in the comment section below!