TryHackMe — Kenobi Walkthrough

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

NMAP Scan:

sudo nmap -A -T4 [IP Address]

[Task 1] Deploy the vulnerable machine

  1. Scan the machine with nmap, how many ports are open?
    Answer: 7

[Task 2] Enumerating Samba for shares

  1. Using the nmap command above, how many shares have been found?
    Answer: 3

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.119.18

Alternatively, we can use “smbclient” to list shares of the target machine.
smbclient -L \\\\10.10.119.18\\

2. Once you're connected, list the files on the share. What file can you see?
Answer: log.txt

smbclient //10.10.119.18/anonymous
To list the share's contents recursively in one go, use smbclient's recurse command instead (the -R option sets the name-resolve order; it is not a recursive listing):
smbclient -N //10.10.119.18/anonymous -c 'recurse; ls'

3. What port is FTP running on?
Answer: 21

4. What mount can we see?
Answer: /var

sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.119.18

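The anonymous share and the /var export found above exist because of two server-side settings: a Samba share with guest access and an NFS export open to every host. The following Python script is an added example, not part of this walkthrough or the TryHackMe room, that audits both files from the defender's side. The smb.conf and /etc/exports contents are constructed samples; the option names it checks (guest ok and its synonym public, no_root_squash) are the standard Samba and NFS ones.

```python
import configparser

# Constructed sample configurations (not copied from the Kenobi box); the
# share and export names mirror what the enumeration above turned up.
SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes

[print$]
   path = /var/lib/samba/printers
   guest ok = no
"""

EXPORTS = """
# constructed /etc/exports
/var *(rw,sync,no_root_squash)
/srv/backup 10.10.0.0/16(ro,sync,root_squash)
"""

TRUTHY = {"yes", "true", "1"}


def samba_guest_shares(conf_text):
    """Return the names of shares that any client can open without credentials.

    A share is anonymous when its own section, or [global] as the fallback,
    sets 'guest ok = yes' or the synonym 'public = yes'.
    """
    # smb.conf indents options; configparser would read indented lines as
    # continuations of the previous value, so normalise the indentation first.
    flat = "\n".join(line.strip() for line in conf_text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(flat)
    global_sec = parser["global"] if parser.has_section("global") else {}

    def guest_ok(section):
        for key in ("guest ok", "public"):
            if key in section:
                return section[key].strip().lower() in TRUTHY
            if key in global_sec:
                return global_sec[key].strip().lower() in TRUTHY
        return False

    return [name for name in parser.sections()
            if name != "global" and guest_ok(parser[name])]


def risky_exports(exports_text):
    """Return (path, client, reason) tuples for NFS exports worth reviewing.

    Flags an export that is open to every host ('*' or no client list at all)
    and one that sets no_root_squash, which lets a remote root stay root on
    the exported tree.
    """
    findings = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split() if len(parts) > 1 else ["*"]
        for client in clients:
            host, _, opts = client.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            host = host or "*"
            if host == "*":
                findings.append((path, host, "exported to every host"))
            if "no_root_squash" in options:
                findings.append((path, host, "no_root_squash set"))
    return findings


if __name__ == "__main__":
    print("anonymous Samba shares:", samba_guest_shares(SMB_CONF))
    for finding in risky_exports(EXPORTS):
        print("NFS export %s for %s: %s" % finding)
```

Run against the real files (`samba_guest_shares(open("/etc/samba/smb.conf").read())`, likewise for /etc/exports) the script lists exactly what an unauthenticated scanner like the nmap scripts above would be able to reach; the fix is to drop guest ok on the share and restrict the export to the hosts that actually need it.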

[Task 3] Gain initial access with ProFtpd

  1. Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.
    What is the version?
    Answer: 1.3.5

nc 10.10.119.18 21

Alternatively, the version can also be read from an Nmap version scan.

sudo nmap -sV -p21 10.10.119.18

2. We can use searchsploit to find exploits for a particular software version.
Searchsploit is basically just a command-line search tool for exploit-db.com.
How many exploits are there for the ProFTPd version running?
Answer: 3

searchsploit proftpd 1.3.5

3. You should have found an exploit from ProFtpd’s mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

4. We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.

We knew that the /var directory was a mount we could see (task 2, question 4). So we've now copied Kenobi's private key into the /var/tmp directory.
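On the server side this activity is easy to pick out of the FTP control channel. The following Python script is an added example, not from the walkthrough or the room, that replays a constructed transcript and raises an alert whenever SITE CPFR or SITE CPTO is issued before a 230 login reply, or with an absolute path. The transcript, session numbers, user names and file paths are all constructed; only the command names come from the text above.

```python
import re

# Constructed FTP control-channel transcript (not a capture from the Kenobi
# box). Each entry is (session_id, direction, line); 'C' is client to server,
# 'S' is server to client. Session 1 uses the copy commands with no login,
# session 2 is an authenticated user copying inside its own directory.
TRANSCRIPT = [
    (1, "S", "220 ProFTPD 1.3.5 Server ready"),
    (1, "C", "SITE CPFR /home/alice/.ssh/id_rsa"),
    (1, "S", "350 File or directory exists, ready for destination name"),
    (1, "C", "SITE CPTO /var/tmp/id_rsa"),
    (1, "S", "250 Copy successful"),
    (2, "S", "220 ProFTPD 1.3.5 Server ready"),
    (2, "C", "USER bob"),
    (2, "S", "331 Password required for bob"),
    (2, "C", "PASS ********"),
    (2, "S", "230 User bob logged in"),
    (2, "C", "SITE CPFR reports/q1.pdf"),
    (2, "S", "350 File or directory exists, ready for destination name"),
    (2, "C", "SITE CPTO reports/archive/q1.pdf"),
    (2, "S", "250 Copy successful"),
]

SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(\S+)", re.IGNORECASE)


def flag_site_copy(transcript):
    """Return (session, command, path, reason) alerts for suspicious mod_copy use.

    Two conditions are flagged: a SITE CPFR/CPTO issued on a session that has
    not yet received a 230 login reply (the unauthenticated case described
    above), and a copy command whose argument is an absolute path, which is
    how a copy reaches files outside the FTP user's own directory.
    """
    authenticated = set()
    alerts = []
    for session, direction, line in transcript:
        if direction == "S":
            if line.startswith("230"):
                authenticated.add(session)
            continue
        match = SITE_COPY.match(line)
        if not match:
            continue
        cmd, path = match.group(1).upper(), match.group(2)
        if session not in authenticated:
            alerts.append((session, cmd, path, "SITE copy before authentication"))
        if path.startswith("/"):
            alerts.append((session, cmd, path, "absolute path given to SITE copy"))
    return alerts


if __name__ == "__main__":
    for alert in flag_site_copy(TRANSCRIPT):
        print("session %d: %s %s -> %s" % alert)
```

Session 1 produces four alerts and session 2 none. The same two rules translate directly into an IDS signature or a log query; the lasting fix is to stop loading mod_copy on a server that does not need it and to move off ProFTPD 1.3.5.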

5. Let's mount the /var/tmp directory on our machine

mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

We now have a network mount on our machine! We can go to /mnt/kenobiNFS/tmp (the target's /var/tmp), get the private key, then log in to Kenobi's account.

6. What is Kenobi’s user flag (/home/kenobi/user.txt)?

[Task 4] Privilege Escalation with Path Variable Manipulation

  1. SUID bits can be dangerous: some binaries such as passwd need to run with elevated privileges (as they reset your password on the system), but other custom files that have the SUID bit set can lead to all sorts of issues.
    To search a system for these types of files, run the following:
    find / -perm -u=s -type f 2>/dev/null
    What file looks particularly out of the ordinary?
    Answer: /usr/bin/menu

2. Run the binary, how many options appear?
Answer: 3

/usr/bin/menu

3. Strings is a command on Linux that looks for human-readable strings in a binary.
Running it against /usr/bin/menu shows that the binary calls commands without a full path (e.g. curl and uname rather than /usr/bin/curl or /usr/bin/uname).
As this file runs with the root user's privileges, we can manipulate our PATH to gain a root shell.
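The two checks in this task, finding SUID files (question 1) and reading the strings of one for commands called by bare name (question 3), can be combined into a single audit a defender would run on a host. The Python below is an added example, not from the walkthrough or the room: it builds a constructed directory tree with a fake menu and passwd under a temporary usr/bin, walks it the way find -perm -u=s does, extracts printable runs the way strings(1) does, and reports every watched command that is invoked without an absolute path. The watch-list of command names and the fake file contents are assumptions; only curl and uname come from the text above.

```python
import os
import re
import stat
import tempfile

# Command names to watch for, used as an assumption: curl and uname are the
# two the text above mentions; the rest are common utilities a menu-style
# helper might spawn. Extend the set for the binaries on your own hosts.
BARE_COMMANDS = {"curl", "uname", "ifconfig", "ip", "cat", "ls", "ps", "netstat"}


def extract_strings(data, min_run=4):
    """Return printable ASCII runs of at least min_run bytes, as strings(1) does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def bare_command_calls(found_strings, commands=BARE_COMMANDS):
    """Return the strings whose first word is a watched command with no path.

    'curl -I localhost' is reported; '/usr/bin/curl -I localhost' is not,
    because an absolute path is immune to PATH manipulation.
    """
    hits = []
    for text in found_strings:
        words = text.split()
        if words and words[0] in commands:
            hits.append(text)
    return hits


def find_suid(root):
    """Walk root and return regular files with the set-user-ID bit (find -perm -u=s)."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:          # unreadable entries are skipped, like 2>/dev/null
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid_tree(root):
    """Map every SUID file under root to the bare command strings it embeds."""
    report = {}
    for path in find_suid(root):
        with open(path, "rb") as handle:
            report[path] = bare_command_calls(extract_strings(handle.read()))
    return report


def build_sample_tree():
    """Create a constructed directory tree standing in for the target's filesystem."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    # Fake 'menu': SUID and embedding commands by bare name, as strings showed.
    menu = os.path.join(bindir, "menu")
    with open(menu, "wb") as handle:
        handle.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 8)
        handle.write(b"curl -I localhost\x00uname -r\x00/usr/bin/ifconfig\x00***Menu***\x00")
    os.chmod(menu, 0o4755)          # setting SUID on a file you own needs no root
    # Fake 'passwd': SUID but only references helpers by absolute path.
    passwd = os.path.join(bindir, "passwd")
    with open(passwd, "wb") as handle:
        handle.write(b"\x7fELF\x00/usr/sbin/unix_chkpwd\x00")
    os.chmod(passwd, 0o4755)
    # Ordinary binary without SUID: must not appear in the report at all.
    with open(os.path.join(bindir, "ls"), "wb") as handle:
        handle.write(b"ls -la\x00")
    return root


def demo_report():
    """Build the sample tree, audit it and key the result by file name."""
    root = build_sample_tree()
    return {os.path.basename(p): hits for p, hits in audit_suid_tree(root).items()}


if __name__ == "__main__":
    for name, hits in demo_report().items():
        print("%s: %s" % (name, ", ".join(hits) or "no bare command calls"))
```

Against the sample tree the report lists menu with its two bare calls and passwd with none; on a real host, run audit_suid_tree("/") as root and diff the SUID list against a known baseline. The fix for a finding like menu is for the program to invoke its helpers by absolute path (or to set PATH to a fixed value before spawning anything) and, better, not to carry the SUID bit at all when a sudo rule for the specific commands would do.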

4. What is the root flag (/root/root.txt)?

References:

https://tryhackme.com/room/kenobi
